Extraneous whitespace. Darnit.

Still trying to get the docs to line up.
And, having figured that out, make the documentation match.
2024-11-01 14:56:00 -07:00 · 2024-11-01 14:55:32 -07:00 · 2024-11-01 14:54:36 -07:00 · 2024-11-01 14:53:29 -07:00 · 2024-11-01 14:50:38 -07:00 · 2024-11-01 14:45:01 -07:00
183 changed files with 10800 additions and 4673 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2024.10.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -35,7 +35,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        poetry install
        cd web && npm ci
    - name: Generate config
      shell: poetry run python {0}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -18,7 +18,7 @@ jobs:
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
-          docker build --no-cache -t testing:latest .
+          docker build -t testing:latest .
          echo "AUTHENTIK_IMAGE=testing" >> .env
          echo "AUTHENTIK_TAG=latest" >> .env
          docker compose up --no-start
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.10.5"
+__version__ = "2024.10.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}
 {% block head %}
-<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -27,8 +27,7 @@ def blueprint_tester(file_name: Path) -> Callable:
        base = Path("blueprints/")
        rel_path = Path(file_name).relative_to(base)
        importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        validation, logs = importer.validate()
+        self.assertTrue(importer.validate()[0])
        self.assertTrue(validation, logs)
        self.assertTrue(importer.apply())
    return tester
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@ -4,7 +4,7 @@ from collections.abc import Callable
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 from authentik.brands.utils import get_brand_for_request
@ -18,12 +18,10 @@ class BrandMiddleware:
        self.get_response = get_response
    def __call__(self, request: HttpRequest) -> HttpResponse:
        locale_to_set = None
        if not hasattr(request, "brand"):
            brand = get_brand_for_request(request)
            request.brand = brand
            locale = brand.default_locale
            if locale != "":
-                locale_to_set = locale
+                activate(locale)
-        with override(locale_to_set):
+        return self.get_response(request)
            return self.get_response(request)
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -1,6 +1,5 @@
 """Authenticator Devices API Views"""
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from rest_framework.fields import (
@ -41,11 +40,7 @@ class DeviceSerializer(MetaNameSerializer):
    def get_extra_description(self, instance: Device) -> str:
        """Get extra description"""
        if isinstance(instance, WebAuthnDevice):
-            return (
+            return instance.device_type.description
                instance.device_type.description
                if instance.device_type
                else _("Extra description not available")
            )
        if isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
        return ""
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -31,19 +31,17 @@ class ImpersonateMiddleware:
    def __call__(self, request: HttpRequest) -> HttpResponse:
        # No permission checks are done here, they need to be checked before
        # SESSION_KEY_IMPERSONATE_USER is set.
        locale_to_set = None
        if request.user.is_authenticated:
            locale = request.user.locale(request)
            if locale != "":
-                locale_to_set = locale
+                activate(locale)
        if SESSION_KEY_IMPERSONATE_USER in request.session:
            request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
            # Ensure that the user is active, otherwise nothing will work
            request.user.is_active = True
-        with override(locale_to_set):
+        return self.get_response(request)
            return self.get_response(request)
 class RequestIDMiddleware:
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -129,11 +129,6 @@ class SourceFlowManager:
            )
            new_connection.user = self.request.user
            new_connection = self.update_user_connection(new_connection, **kwargs)
            if existing := self.user_connection_type.objects.filter(
                source=self.source, identifier=self.identifier
            ).first():
                existing = self.update_user_connection(existing)
                return Action.AUTH, existing
            return Action.LINK, new_connection
        action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -15,8 +15,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+        {% versioned_script "dist/poly-%v.js" %}
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
+        {% versioned_script "dist/standalone/loading/index-%v.js" %}
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/admin/AdminInterface-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/user/UserInterface-%v.js" %}
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -2,6 +2,7 @@
 from django import template
 from django.templatetags.static import static as static_loader
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
@ -11,4 +12,10 @@ register = template.Library()
@register.simple_tag()
 def versioned_script(path: str) -> str:
    """Wrapper around {% static %} tag that supports setting the version"""
-    return static_loader(path.replace("%v", get_full_version()))
+    returned_lines = [
        (
            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
            '" type="module"></script>'
        ),
    ]
    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider
@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
        self.user = create_test_admin_user()
        self.provider = OAuth2Provider.objects.create(
            name="test",
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
+            redirect_uris="http://some-other-domain",
            authorization_flow=create_test_flow(),
        )
        self.allowed: Application = Application.objects.create(
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -81,22 +81,6 @@ class TestSourceFlowManager(TestCase):
            reverse("authentik_core:if-user") + "#/settings;page-sources",
        )
    def test_authenticated_auth(self):
        """Test authenticated user linking"""
        user = User.objects.create(username="foo", email="foo@bar.baz")
        UserOAuthSourceConnection.objects.create(
            user=user, source=self.source, identifier=self.identifier
        )
        request = get_request("/", user=user)
        flow_manager = OAuthSourceFlowManager(
            self.source, request, self.identifier, {"info": {}}, {}
        )
        action, connection = flow_manager.get_action()
        self.assertEqual(action, Action.AUTH)
        self.assertIsNotNone(connection.pk)
        response = flow_manager.get_flow()
        self.assertEqual(response.status_code, 302)
    def test_unauthenticated_link(self):
        """Test un-authenticated user linking"""
        flow_manager = OAuthSourceFlowManager(
--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -31,7 +31,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "redirect_uris": [],
                },
            },
        )
@ -58,7 +57,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                    "name": uid,
                    "authorization_flow": "",
                    "invalidation_flow": "",
                    "redirect_uris": [],
                },
            },
        )
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -24,7 +24,6 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
@ -182,10 +181,7 @@ class CertificateDataSerializer(PassiveSerializer):
 class CertificateGenerationSerializer(PassiveSerializer):
    """Certificate generation parameters"""
-    common_name = CharField(
+    common_name = CharField()
        validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
        source="name",
    )
    subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
    validity_days = IntegerField(initial=365)
    alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@ -246,10 +242,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def generate(self, request: Request) -> Response:
        """Generate a new, self-signed certificate-key pair"""
        data = CertificateGenerationSerializer(data=request.data)
-        data.is_valid(raise_exception=True)
+        if not data.is_valid():
            return Response(data.errors, status=400)
        raw_san = data.validated_data.get("subject_alt_name", "")
        sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["name"])
+        builder = CertificateBuilder(data.validated_data["common_name"])
        builder.alg = data.validated_data["alg"]
        builder.build(
            subject_alt_names=sans,
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 class TestCrypto(APITestCase):
@ -89,17 +89,6 @@ class TestCrypto(APITestCase):
        self.assertIsInstance(ext[1], DNSName)
        self.assertEqual(ext[1].value, "baz")
    def test_builder_api_duplicate(self):
        """Test Builder (via API)"""
        cert = create_test_cert()
        self.client.force_login(create_test_admin_user())
        res = self.client.post(
            reverse("authentik_api:certificatekeypair-generate"),
            data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
    def test_builder_api_empty_san(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
@ -274,7 +263,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
@ -306,7 +295,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
--- a/authentik/enterprise/middleware.py
+++ b/authentik/enterprise/middleware.py
@ -6,7 +6,6 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@ -60,9 +59,6 @@ class EnterpriseMiddleware:
        # Flow executor is mounted as an API path but explicitly allowed
        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
            return True
        # Always allow making changes to users, even in case the license has ben exceeded
        if request.resolver_match._func_path == class_to_path(UserViewSet):
            return True
        # Only apply these restrictions to the API
        if "authentik_api" not in request.resolver_match.app_names:
            return True
--- a/authentik/enterprise/providers/rac/api/providers.py
+++ b/authentik/enterprise/providers/rac/api/providers.py
@ -16,28 +16,13 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
    class Meta:
        model = RACProvider
-        fields = [
+        fields = ProviderSerializer.Meta.fields + [
            "pk",
            "name",
            "authentication_flow",
            "authorization_flow",
            "property_mappings",
            "component",
            "assigned_application_slug",
            "assigned_application_name",
            "assigned_backchannel_application_slug",
            "assigned_backchannel_application_name",
            "verbose_name",
            "verbose_name_plural",
            "meta_model_name",
            "settings",
            "outpost_set",
            "connection_expiry",
            "delete_token_on_disconnect",
        ]
-        extra_kwargs = {
+        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
            "authorization_flow": {"required": True, "allow_null": False},
        }
 class RACProviderViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/enterprise/rac/index-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon }}">
--- a/authentik/enterprise/providers/rac/tests/test_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_api.py
@ -1,46 +0,0 @@
 """Test RAC Provider"""
 from datetime import timedelta
 from time import mktime
 from unittest.mock import MagicMock, patch
 from django.urls import reverse
 from django.utils.timezone import now
 from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import License
 from authentik.lib.generators import generate_id
 class TestAPI(APITestCase):
    """Test Provider API"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    def test_create(self):
        """Test creation of RAC Provider"""
        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:racprovider-list"),
            data={
                "name": generate_id(),
                "authorization_flow": create_test_flow().pk,
            },
        )
        self.assertEqual(response.status_code, 201)
--- a/authentik/enterprise/providers/rac/tests/test_endpoints_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_endpoints_api.py
@ -68,6 +68,7 @@ class TestEndpointsAPI(APITestCase):
                            "name": self.provider.name,
                            "authentication_flow": None,
                            "authorization_flow": None,
                            "invalidation_flow": None,
                            "property_mappings": [],
                            "connection_expiry": "hours=8",
                            "delete_token_on_disconnect": False,
@ -120,6 +121,7 @@ class TestEndpointsAPI(APITestCase):
                            "name": self.provider.name,
                            "authentication_flow": None,
                            "authorization_flow": None,
                            "invalidation_flow": None,
                            "property_mappings": [],
                            "component": "ak-provider-rac-form",
                            "assigned_application_slug": self.app.slug,
@ -149,6 +151,7 @@ class TestEndpointsAPI(APITestCase):
                            "name": self.provider.name,
                            "authentication_flow": None,
                            "authorization_flow": None,
                            "invalidation_flow": None,
                            "property_mappings": [],
                            "component": "ak-provider-rac-form",
                            "assigned_application_slug": self.app.slug,
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
@ -4,9 +4,7 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@ -28,7 +26,6 @@ HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
    """Google Chrome Device-trust connector based endpoint authenticator"""
--- a/authentik/enterprise/tests/test_read_only.py
+++ b/authentik/enterprise/tests/test_read_only.py
@ -215,49 +215,3 @@ class TestReadOnly(FlowTestCase):
            {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
        )
        self.assertEqual(response.status_code, 400)
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=expiry_valid,
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_external_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.record_usage",
        MagicMock(),
    )
    def test_manage_users(self):
        """Test that managing users is still possible"""
        License.objects.create(key=generate_id())
        usage = LicenseUsage.objects.create(
            internal_user_count=100,
            external_user_count=100,
            status=LicenseUsageStatus.VALID,
        )
        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
        usage.save(update_fields=["record_date"])
        admin = create_test_admin_user()
        self.client.force_login(admin)
        # Reading is always allowed
        response = self.client.get(reverse("authentik_api:user-list"))
        self.assertEqual(response.status_code, 200)
        # Writing should also be allowed
        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
        self.assertEqual(response.status_code, 200)
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -2,7 +2,6 @@
 from typing import TYPE_CHECKING
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@ -225,14 +224,6 @@ class ChallengeStageView(StageView):
                full_errors[field].append(field_error)
        challenge_response.initial_data["response_errors"] = full_errors
        if not challenge_response.is_valid():
            if settings.TEST:
                raise StageInvalidException(
                    (
                        f"Invalid challenge response: \n\t{challenge_response.errors}"
                        f"\n\nValidated data:\n\t {challenge_response.data}"
                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
                    ),
                )
            self.logger.error(
                "f(ch): invalid challenge response",
                errors=challenge_response.errors,
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -18,7 +18,7 @@ window.authentik.flow = {
 {% endblock %}
 {% block head %}
-<script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/flow/FlowInterface-%v.js" %}
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -5,7 +5,6 @@ import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
 from copy import deepcopy
 from dataclasses import dataclass, field
 from enum import Enum
 from glob import glob
@ -337,58 +336,6 @@ def redis_url(db: int) -> str:
    return _redis_url
 def django_db_config(config: ConfigLoader | None = None) -> dict:
    if not config:
        config = CONFIG
    db = {
        "default": {
            "ENGINE": "authentik.root.db",
            "HOST": config.get("postgresql.host"),
            "NAME": config.get("postgresql.name"),
            "USER": config.get("postgresql.user"),
            "PASSWORD": config.get("postgresql.password"),
            "PORT": config.get("postgresql.port"),
            "OPTIONS": {
                "sslmode": config.get("postgresql.sslmode"),
                "sslrootcert": config.get("postgresql.sslrootcert"),
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
            },
            "TEST": {
                "NAME": config.get("postgresql.test.name"),
            },
        }
    }
    if config.get_bool("postgresql.use_pgpool", False):
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
    if config.get_bool("postgresql.use_pgbouncer", False):
        # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
        db["default"]["CONN_MAX_AGE"] = None  # persistent
    for replica in config.get_keys("postgresql.read_replicas"):
        _database = deepcopy(db["default"])
        for setting, current_value in db["default"].items():
            if isinstance(current_value, dict):
                continue
            override = config.get(
                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
            )
            if override is not UNSET:
                _database[setting] = override
        for setting in db["default"]["OPTIONS"].keys():
            override = config.get(
                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
            )
            if override is not UNSET:
                _database["OPTIONS"][setting] = override
        db[f"replica_{replica}"] = _database
    return db
 if __name__ == "__main__":
    if len(argv) < 2:  # noqa: PLR2004
        print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -9,14 +9,7 @@ from unittest import mock
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
-from authentik.lib.config import (
+from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
    ENV_PREFIX,
    UNSET,
    Attr,
    AttrEncoder,
    ConfigLoader,
    django_db_config,
 )
 class TestConfig(TestCase):
@ -182,201 +175,3 @@ class TestConfig(TestCase):
        config = ConfigLoader()
        config.set("foo.bar", "baz")
        self.assertEqual(list(config.get_keys("foo")), ["bar"])
    def test_db_default(self):
        """Test default DB Config"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                }
            },
        )
    def test_db_read_replicas(self):
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
    def test_db_read_replicas_pgpool(self):
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        config.set("postgresql.use_pgpool", True)
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        # This isn't supported
        config.set("postgresql.read_replicas.0.use_pgpool", False)
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
    def test_db_read_replicas_diff_ssl(self):
        """Test read replicas (with different SSL Settings)"""
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        config.set("postgresql.read_replicas.0.sslcert", "bar")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "bar",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -89,10 +89,6 @@ class PasswordPolicy(Policy):
    def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
        """Check static rules"""
        error_message = self.error_message
        if error_message == "":
            error_message = _("Invalid password.")
        if len(password) < self.length_min:
            LOGGER.debug("password failed", check="static", reason="length")
            return PolicyResult(False, self.error_message)
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -159,10 +159,7 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
        access_response = PolicyResult(result.passing)
        response = self.LDAPCheckAccessSerializer(
            instance={
-                "has_search_permission": (
+                "has_search_permission": request.user.has_perm("search_full_directory", provider),
                    request.user.has_perm("search_full_directory", provider)
                    or request.user.has_perm("authentik_providers_ldap.search_full_directory")
                ),
                "access": access_response,
            }
        )
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -1,18 +1,15 @@
 """OAuth2Provider API Views"""
 from copy import copy
 from re import compile
 from re import error as RegexError
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField
+from rest_framework.fields import CharField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -23,39 +20,13 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
 from authentik.core.models import Provider
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
    AccessToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.rbac.decorators import permission_required
 class RedirectURISerializer(PassiveSerializer):
    """A single allowed redirect URI entry"""
    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
    url = CharField()
 class OAuth2ProviderSerializer(ProviderSerializer):
    """OAuth2Provider Serializer"""
    redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
    def validate_redirect_uris(self, data: list) -> list:
        for entry in data:
            if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
                url = entry.get("url")
                try:
                    compile(url)
                except RegexError:
                    raise ValidationError(
                        _("Invalid Regex Pattern: {url}".format(url=url))
                    ) from None
        return data
    class Meta:
        model = OAuth2Provider
        fields = ProviderSerializer.Meta.fields + [
@ -108,6 +79,7 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
        "refresh_token_validity",
        "include_claims_in_id_token",
        "signing_key",
        "redirect_uris",
        "sub_mode",
        "property_mappings",
        "issuer_mode",
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from authentik.events.models import Event, EventAction
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.views import bad_request_message
-from authentik.providers.oauth2.models import GrantTypes, RedirectURI
+from authentik.providers.oauth2.models import GrantTypes
 class OAuth2Error(SentryIgnoredException):
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
    )
    provided_uri: str
-    allowed_uris: list[RedirectURI]
+    allowed_uris: list[str]
-    def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
+    def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
        super().__init__()
        self.provided_uri = provided_uri
        self.allowed_uris = allowed_uris
--- a/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -11,16 +11,13 @@ class Migration(migrations.Migration):
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
-    # Original preserved
+    operations = [
-    # See https://github.com/goauthentik/authentik/issues/11874
+        migrations.AddIndex(
-    # operations = [
+            model_name="accesstoken",
-    #     migrations.AddIndex(
+            index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
-    #         model_name="accesstoken",
+        ),
-    #         index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
+        migrations.AddIndex(
-    #     ),
+            model_name="refreshtoken",
-    #     migrations.AddIndex(
+            index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
-    #         model_name="refreshtoken",
+        ),
-    #         index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
+    ]
    #     ),
    # ]
    operations = []
--- a/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -11,24 +11,21 @@ class Migration(migrations.Migration):
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
-    # Original preserved
+    operations = [
-    # See https://github.com/goauthentik/authentik/issues/11874
+        migrations.RemoveIndex(
-    # operations = [
+            model_name="accesstoken",
-    #     migrations.RemoveIndex(
+            name="authentik_p_token_4bc870_idx",
-    #         model_name="accesstoken",
+        ),
-    #         name="authentik_p_token_4bc870_idx",
+        migrations.RemoveIndex(
-    #     ),
+            model_name="refreshtoken",
-    #     migrations.RemoveIndex(
+            name="authentik_p_token_1a841f_idx",
-    #         model_name="refreshtoken",
+        ),
-    #         name="authentik_p_token_1a841f_idx",
+        migrations.AddIndex(
-    #     ),
+            model_name="accesstoken",
-    #     migrations.AddIndex(
+            index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
-    #         model_name="accesstoken",
+        ),
-    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
+        migrations.AddIndex(
-    #     ),
+            model_name="refreshtoken",
-    #     migrations.AddIndex(
+            index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
-    #         model_name="refreshtoken",
+        ),
-    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
+    ]
    #     ),
    # ]
    operations = []
--- a/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py
+++ b/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py
@ -37,7 +37,7 @@ def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 class Migration(migrations.Migration):
    dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_core", "0040_provider_invalidation_flow"),
        ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
    ]
--- a/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
+++ b/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
@ -1,31 +0,0 @@
 # Generated by Django 5.0.9 on 2024-10-31 14:28
 import django.contrib.postgres.indexes
 from django.conf import settings
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
        ("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
    operations = [
        migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_f99422_idx;"),
        migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_a1d921_idx;"),
        migrations.AddIndex(
            model_name="accesstoken",
            index=django.contrib.postgres.indexes.HashIndex(
                fields=["token"], name="authentik_p_token_e00883_hash"
            ),
        ),
        migrations.AddIndex(
            model_name="refreshtoken",
            index=django.contrib.postgres.indexes.HashIndex(
                fields=["token"], name="authentik_p_token_32e2b7_hash"
            ),
        ),
    ]
--- a/authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py
+++ b/authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py
@ -1,49 +0,0 @@
 # Generated by Django 5.0.9 on 2024-11-04 12:56
 from dataclasses import asdict
 from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db import migrations, models
 def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
    OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
    db_alias = schema_editor.connection.alias
    for provider in OAuth2Provider.objects.using(db_alias).all():
        uris = []
        for old in provider.old_redirect_uris.split("\n"):
            mode = RedirectURIMatchingMode.STRICT
            if old == "*" or old == ".*":
                mode = RedirectURIMatchingMode.REGEX
            uris.append(asdict(RedirectURI(mode, url=old)))
        provider._redirect_uris = uris
        provider.save()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
    ]
    operations = [
        migrations.RenameField(
            model_name="oauth2provider",
            old_name="redirect_uris",
            new_name="old_redirect_uris",
        ),
        migrations.AddField(
            model_name="oauth2provider",
            name="_redirect_uris",
            field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
        ),
        migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
        migrations.RemoveField(
            model_name="oauth2provider",
            name="old_redirect_uris",
        ),
    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -3,7 +3,7 @@
 import base64
 import binascii
 import json
-from dataclasses import asdict, dataclass
+from dataclasses import asdict
 from functools import cached_property
 from hashlib import sha256
 from typing import Any
@ -12,9 +12,7 @@ from urllib.parse import urlparse, urlunparse
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from dacite import Config
 from dacite.core import from_dict
 from django.contrib.postgres.indexes import HashIndex
 from django.db import models
 from django.http import HttpRequest
 from django.templatetags.static import static
@ -78,25 +76,11 @@ class IssuerMode(models.TextChoices):
    """Configure how the `iss` field is created."""
    GLOBAL = "global", _("Same identifier is used for all providers")
-    PER_PROVIDER = (
+    PER_PROVIDER = "per_provider", _(
-        "per_provider",
+        "Each provider has a different issuer, based on the application slug."
        _("Each provider has a different issuer, based on the application slug."),
    )
 class RedirectURIMatchingMode(models.TextChoices):
    STRICT = "strict", _("Strict URL comparison")
    REGEX = "regex", _("Regular Expression URL matching")
@dataclass
 class RedirectURI:
    """A single redirect URI entry"""
    matching_mode: RedirectURIMatchingMode
    url: str
 class ResponseTypes(models.TextChoices):
    """Response Type required by the client."""
@ -171,9 +155,11 @@ class OAuth2Provider(WebfingerProvider, Provider):
        verbose_name=_("Client Secret"),
        default=generate_client_secret,
    )
-    _redirect_uris = models.JSONField(
+    redirect_uris = models.TextField(
-        default=dict,
+        default="",
        blank=True,
        verbose_name=_("Redirect URIs"),
        help_text=_("Enter each URI on a new line."),
    )
    include_claims_in_id_token = models.BooleanField(
@ -284,33 +270,12 @@ class OAuth2Provider(WebfingerProvider, Provider):
        except Provider.application.RelatedObjectDoesNotExist:
            return None
    @property
    def redirect_uris(self) -> list[RedirectURI]:
        uris = []
        for entry in self._redirect_uris:
            uris.append(
                from_dict(
                    RedirectURI,
                    entry,
                    config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
                )
            )
        return uris
    @redirect_uris.setter
    def redirect_uris(self, value: list[RedirectURI]):
        cleansed = []
        for entry in value:
            cleansed.append(asdict(entry))
        self._redirect_uris = cleansed
    @property
    def launch_url(self) -> str | None:
        """Guess launch_url based on first redirect_uri"""
-        redirects = self.redirect_uris
+        if self.redirect_uris == "":
        if len(redirects) < 1:
            return None
-        main_url = redirects[0].url
+        main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
        try:
            launch_url = urlparse(main_url)._replace(path="")
            return urlunparse(launch_url)
@ -453,7 +418,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
    class Meta:
        indexes = [
-            HashIndex(fields=["token"]),
+            models.Index(fields=["token", "provider"]),
        ]
        verbose_name = _("OAuth2 Access Token")
        verbose_name_plural = _("OAuth2 Access Tokens")
@ -499,7 +464,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
    class Meta:
        indexes = [
-            HashIndex(fields=["token"]),
+            models.Index(fields=["token", "provider"]),
        ]
        verbose_name = _("OAuth2 Refresh Token")
        verbose_name_plural = _("OAuth2 Refresh Tokens")
--- a/authentik/providers/oauth2/tests/test_api.py
+++ b/authentik/providers/oauth2/tests/test_api.py
@ -10,13 +10,7 @@ from rest_framework.test import APITestCase
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 class TestAPI(APITestCase):
@ -27,7 +21,7 @@ class TestAPI(APITestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@ -56,29 +50,9 @@ class TestAPI(APITestCase):
    @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
    def test_launch_url(self):
        """Test launch_url"""
-        self.provider.redirect_uris = [
+        self.provider.redirect_uris = (
-            RedirectURI(
+            "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
-                RedirectURIMatchingMode.REGEX,
+        )
                "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
            ),
        ]
        self.provider.save()
        self.provider.refresh_from_db()
        self.assertIsNone(self.provider.launch_url)
    def test_validate_redirect_uris(self):
        """Test redirect_uris API"""
        response = self.client.post(
            reverse("authentik_api:oauth2provider-list"),
            data={
                "name": generate_id(),
                "authorization_flow": create_test_flow().pk,
                "invalidation_flow": create_test_flow().pk,
                "redirect_uris": [
                    {"matching_mode": "strict", "url": "http://goauthentik.io"},
                    {"matching_mode": "regex", "url": "**"},
                ],
            },
        )
        self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
        self.assertEqual(response.status_code, 400)
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -19,8 +19,6 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -41,7 +39,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -66,7 +64,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -86,7 +84,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -108,7 +106,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
+            redirect_uris="data:local.invalid",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
@ -127,7 +125,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[],
+            redirect_uris="",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -142,7 +140,7 @@ class TestAuthorize(OAuthTestCase):
        )
        OAuthAuthorizationParams.from_request(request)
        provider.refresh_from_db()
-        self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
+        self.assertEqual(provider.redirect_uris, "+")
    def test_invalid_redirect_uri_regex(self):
        """test missing/invalid redirect URI"""
@ -150,7 +148,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
+            redirect_uris="http://local.invalid?",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -172,7 +170,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
+            redirect_uris="+",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -215,7 +213,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -303,7 +301,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -345,7 +343,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -422,7 +420,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
            encryption_key=self.keypair,
        )
@ -488,7 +486,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -543,7 +541,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id=generate_id(),
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -601,7 +599,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id=generate_id(),
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
--- a/authentik/providers/oauth2/tests/test_device_init.py
+++ b/authentik/providers/oauth2/tests/test_device_init.py
@ -3,7 +3,6 @@
 from urllib.parse import urlencode
 from django.urls import reverse
 from rest_framework.test import APIClient
 from authentik.core.models import Application, Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
@ -35,10 +34,7 @@ class TesOAuth2DeviceInit(OAuthTestCase):
        self.brand.flow_device_code = self.device_flow
        self.brand.save()
-        self.api_client = APIClient()
+    def test_device_init(self):
        self.api_client.force_login(self.user)
    def test_device_init_get(self):
        """Test device init"""
        res = self.client.get(reverse("authentik_providers_oauth2_root:device-login"))
        self.assertEqual(res.status_code, 302)
@ -52,76 +48,6 @@ class TesOAuth2DeviceInit(OAuthTestCase):
            ),
        )
    def test_device_init_post(self):
        """Test device init"""
        res = self.api_client.get(reverse("authentik_providers_oauth2_root:device-login"))
        self.assertEqual(res.status_code, 302)
        self.assertEqual(
            res.url,
            reverse(
                "authentik_core:if-flow",
                kwargs={
                    "flow_slug": self.device_flow.slug,
                },
            ),
        )
        res = self.api_client.get(
            reverse(
                "authentik_api:flow-executor",
                kwargs={
                    "flow_slug": self.device_flow.slug,
                },
            ),
        )
        self.assertEqual(res.status_code, 200)
        self.assertJSONEqual(
            res.content,
            {
                "component": "ak-provider-oauth2-device-code",
                "flow_info": {
                    "background": "/static/dist/assets/images/flow_background.jpg",
                    "cancel_url": "/flows/-/cancel/",
                    "layout": "stacked",
                    "title": self.device_flow.title,
                },
            },
        )
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
        )
        Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        token = DeviceToken.objects.create(
            provider=provider,
        )
        res = self.api_client.post(
            reverse(
                "authentik_api:flow-executor",
                kwargs={
                    "flow_slug": self.device_flow.slug,
                },
            ),
            data={
                "component": "ak-provider-oauth2-device-code",
                "code": token.user_code,
            },
        )
        self.assertEqual(res.status_code, 200)
        self.assertJSONEqual(
            res.content,
            {
                "component": "xak-flow-redirect",
                "to": reverse(
                    "authentik_core:if-flow",
                    kwargs={
                        "flow_slug": provider.authorization_flow.slug,
                    },
                ),
            },
        )
    def test_no_flow(self):
        """Test no flow"""
        self.brand.flow_device_code = None
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@ -11,14 +11,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -30,7 +23,7 @@ class TesOAuth2Introspection(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        self.app = Application.objects.create(
@ -125,7 +118,7 @@ class TesOAuth2Introspection(OAuthTestCase):
        provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
--- a/authentik/providers/oauth2/tests/test_jwks.py
+++ b/authentik/providers/oauth2/tests/test_jwks.py
@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.crypto.builder import PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 TEST_CORDS_CERT = """
@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=create_test_cert(),
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
        response = self.client.get(
@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
@ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
            encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
        )
@ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=cert,
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -10,14 +10,7 @@ from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -29,7 +22,7 @@ class TesOAuth2Revoke(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        self.app = Application.objects.create(
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@ -22,8 +22,6 @@ from authentik.providers.oauth2.models import (
    AccessToken,
    AuthorizationCode,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
    ScopeMapping,
 )
@ -44,7 +42,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
+            redirect_uris="http://TestServer",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -71,7 +69,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -92,7 +90,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -120,7 +118,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        # Needs to be assigned to an application for iss to be set
@ -159,7 +157,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
            encryption_key=self.keypair,
        )
@ -190,7 +188,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -252,7 +250,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -310,7 +308,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
--- a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
@ -19,12 +19,7 @@ from authentik.providers.oauth2.constants import (
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
 )
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 from authentik.providers.oauth2.views.jwks import JWKSView
 from authentik.sources.oauth.models import OAuthSource
@ -59,7 +54,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=self.cert,
        )
        self.provider.jwks_sources.add(self.source)
--- a/authentik/providers/oauth2/tests/test_token_cc_standard.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_standard.py
@ -19,13 +19,7 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
    AccessToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -39,7 +33,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
@ -113,48 +107,6 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
            {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
        )
    def test_incorrect_scopes(self):
        """test scope that isn't configured"""
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE} extra_scope",
                "client_id": self.provider.client_id,
                "client_secret": self.provider.client_secret,
            },
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["token_type"], TOKEN_TYPE)
        token = AccessToken.objects.filter(
            provider=self.provider, token=body["access_token"]
        ).first()
        self.assertSetEqual(
            set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE}
        )
        _, alg = self.provider.jwt_key
        jwt = decode(
            body["access_token"],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(
            jwt["given_name"], "Autogenerated user from application test (client credentials)"
        )
        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
        jwt = decode(
            body["id_token"],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(
            jwt["given_name"], "Autogenerated user from application test (client credentials)"
        )
        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
    def test_successful(self):
        """test successful"""
        response = self.client.post(
--- a/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
@ -20,12 +20,7 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -39,7 +34,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/tests/test_token_cc_user_pw.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_user_pw.py
@ -19,12 +19,7 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -38,7 +33,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/tests/test_token_device.py
+++ b/authentik/providers/oauth2/tests/test_token_device.py
@ -9,19 +9,8 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_code_fixed_length, generate_id
-from authentik.providers.oauth2.constants import (
+from authentik.providers.oauth2.constants import GRANT_TYPE_DEVICE_CODE
-    GRANT_TYPE_DEVICE_CODE,
+from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
 )
 from authentik.providers.oauth2.models import (
    AccessToken,
    DeviceToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -35,7 +24,7 @@ class TestTokenDeviceCode(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
@ -91,28 +80,3 @@ class TestTokenDeviceCode(OAuthTestCase):
            },
        )
        self.assertEqual(res.status_code, 200)
    def test_code_mismatched_scope(self):
        """Test code with user (mismatched scopes)"""
        device_token = DeviceToken.objects.create(
            provider=self.provider,
            user_code=generate_code_fixed_length(),
            device_code=generate_id(),
            user=self.user,
            scope=[SCOPE_OPENID, SCOPE_OPENID_EMAIL],
        )
        res = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            data={
                "client_id": self.provider.client_id,
                "grant_type": GRANT_TYPE_DEVICE_CODE,
                "device_code": device_token.device_code,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} invalid",
            },
        )
        self.assertEqual(res.status_code, 200)
        body = loads(res.content)
        token = AccessToken.objects.filter(
            provider=self.provider, token=body["access_token"]
        ).first()
        self.assertSetEqual(set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL})
--- a/authentik/providers/oauth2/tests/test_token_pkce.py
+++ b/authentik/providers/oauth2/tests/test_token_pkce.py
@ -10,12 +10,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
    AuthorizationCode,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -35,7 +30,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -98,7 +93,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -159,7 +154,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -215,7 +210,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
--- a/authentik/providers/oauth2/tests/test_userinfo.py
+++ b/authentik/providers/oauth2/tests/test_userinfo.py
@ -11,14 +11,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -32,7 +25,7 @@ class TestUserinfo(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -56,8 +56,6 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ResponseMode,
    ResponseTypes,
    ScopeMapping,
@ -189,39 +187,40 @@ class OAuthAuthorizationParams:
    def check_redirect_uri(self):
        """Redirect URI validation."""
-        allowed_redirect_urls = self.provider.redirect_uris
+        allowed_redirect_urls = self.provider.redirect_uris.split()
        if not self.redirect_uri:
            LOGGER.warning("Missing redirect uri.")
            raise RedirectUriError("", allowed_redirect_urls)
-        if len(allowed_redirect_urls) < 1:
+        if self.provider.redirect_uris == "":
            LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
-            self.provider.redirect_uris = [
+            self.provider.redirect_uris = self.redirect_uri
                RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
            ]
            self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris
+            allowed_redirect_urls = self.provider.redirect_uris.split()
-        match_found = False
+        if self.provider.redirect_uris == "*":
-        for allowed in allowed_redirect_urls:
+            LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri)
-            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
+            self.provider.redirect_uris = ".*"
-                if self.redirect_uri == allowed.url:
+            self.provider.save()
-                    match_found = True
+            allowed_redirect_urls = self.provider.redirect_uris.split()
-                    break
+
-            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
+        try:
-                try:
+            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
-                    if fullmatch(allowed.url, self.redirect_uri):
+                LOGGER.warning(
-                        match_found = True
+                    "Invalid redirect uri (regex comparison)",
-                        break
+                    redirect_uri_given=self.redirect_uri,
-                except RegexError as exc:
+                    redirect_uri_expected=allowed_redirect_urls,
-                    LOGGER.warning(
+                )
-                        "Failed to parse regular expression",
+                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-                        exc=exc,
+        except RegexError as exc:
-                        url=allowed.url,
+            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
-                        provider=self.provider,
+            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
-                    )
+                LOGGER.warning(
-        if not match_found:
+                    "Invalid redirect uri (strict comparison)",
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
+                    redirect_uri_given=self.redirect_uri,
                    redirect_uri_expected=allowed_redirect_urls,
                )
                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -5,7 +5,7 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField
+from rest_framework.fields import CharField, IntegerField
 from structlog.stdlib import get_logger
 from authentik.brands.models import Brand
@ -47,9 +47,6 @@ class CodeValidatorView(PolicyAccessView):
        self.provider = self.token.provider
        self.application = self.token.provider.application
    def post(self, request: HttpRequest, *args, **kwargs):
        return self.get(request, *args, **kwargs)
    def get(self, request: HttpRequest, *args, **kwargs):
        scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider)
        planner = FlowPlanner(self.provider.authorization_flow)
@ -125,7 +122,7 @@ class OAuthDeviceCodeChallenge(Challenge):
 class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
    """Response that includes the user-entered device code"""
-    code = CharField()
+    code = IntegerField()
    component = CharField(default="ak-provider-oauth2-device-code")
    def validate_code(self, code: int) -> HttpResponse | None:
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -162,5 +162,5 @@ class ProviderInfoView(View):
            OAuth2Provider, pk=application.provider_id
        )
        response = super().dispatch(request, *args, **kwargs)
-        cors_allow(request, response, *[x.url for x in self.provider.redirect_uris])
+        cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
        return response
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -58,9 +58,7 @@ from authentik.providers.oauth2.models import (
    ClientTypes,
    DeviceToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
    RefreshToken,
    ScopeMapping,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
 from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
@ -79,7 +77,7 @@ class TokenParams:
    redirect_uri: str
    grant_type: str
    state: str
-    scope: set[str]
+    scope: list[str]
    provider: OAuth2Provider
@ -114,26 +112,11 @@ class TokenParams:
            redirect_uri=request.POST.get("redirect_uri", ""),
            grant_type=request.POST.get("grant_type", ""),
            state=request.POST.get("state", ""),
-            scope=set(request.POST.get("scope", "").split()),
+            scope=request.POST.get("scope", "").split(),
            # PKCE parameter.
            code_verifier=request.POST.get("code_verifier"),
        )
    def __check_scopes(self):
        allowed_scope_names = set(
            ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
                "scope_name", flat=True
            )
        )
        scopes_to_check = self.scope
        if not scopes_to_check.issubset(allowed_scope_names):
            LOGGER.info(
                "Application requested scopes not configured, setting to overlap",
                scope_allowed=allowed_scope_names,
                scope_given=self.scope,
            )
            self.scope = self.scope.intersection(allowed_scope_names)
    def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
        with start_span(
            op="authentik.providers.oauth2.token.policy",
@ -166,7 +149,7 @@ class TokenParams:
                    client_id=self.provider.client_id,
                )
                raise TokenError("invalid_client")
-        self.__check_scopes()
+
        if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
            with start_span(
                op="authentik.providers.oauth2.post.parse.code",
@ -196,7 +179,42 @@ class TokenParams:
            LOGGER.warning("Missing authorization code")
            raise TokenError("invalid_grant")
-        self.__check_redirect_uri(request)
+        allowed_redirect_urls = self.provider.redirect_uris.split()
        # At this point, no provider should have a blank redirect_uri, in case they do
        # this will check an empty array and raise an error
        try:
            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
                LOGGER.warning(
                    "Invalid redirect uri (regex comparison)",
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                )
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message="Invalid redirect URI used by provider",
                    provider=self.provider,
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                ).from_http(request)
                raise TokenError("invalid_client")
        except RegexError as exc:
            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
                LOGGER.warning(
                    "Invalid redirect uri (strict comparison)",
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                )
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message="Invalid redirect_uri configured",
                    provider=self.provider,
                ).from_http(request)
                raise TokenError("invalid_client") from None
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise TokenError("invalid_request")
        self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
        if not self.authorization_code:
@ -236,48 +254,6 @@ class TokenParams:
        if not self.authorization_code.code_challenge and self.code_verifier:
            raise TokenError("invalid_grant")
    def __check_redirect_uri(self, request: HttpRequest):
        allowed_redirect_urls = self.provider.redirect_uris
        # At this point, no provider should have a blank redirect_uri, in case they do
        # this will check an empty array and raise an error
        match_found = False
        for allowed in allowed_redirect_urls:
            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
                if self.redirect_uri == allowed.url:
                    match_found = True
                    break
            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
                try:
                    if fullmatch(allowed.url, self.redirect_uri):
                        match_found = True
                        break
                except RegexError as exc:
                    LOGGER.warning(
                        "Failed to parse regular expression",
                        exc=exc,
                        url=allowed.url,
                        provider=self.provider,
                    )
                    Event.new(
                        EventAction.CONFIGURATION_ERROR,
                        message="Invalid redirect_uri configured",
                        provider=self.provider,
                    ).from_http(request)
        if not match_found:
            Event.new(
                EventAction.CONFIGURATION_ERROR,
                message="Invalid redirect URI used by provider",
                provider=self.provider,
                redirect_uri=self.redirect_uri,
                expected=allowed_redirect_urls,
            ).from_http(request)
            raise TokenError("invalid_client")
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise TokenError("invalid_request")
    def __post_init_refresh(self, raw_token: str, request: HttpRequest):
        if not raw_token:
            LOGGER.warning("Missing refresh token")
@ -521,7 +497,7 @@ class TokenView(View):
        response = super().dispatch(request, *args, **kwargs)
        allowed_origins = []
        if self.provider:
-            allowed_origins = [x.url for x in self.provider.redirect_uris]
+            allowed_origins = self.provider.redirect_uris.split("\n")
        cors_allow(self.request, response, *allowed_origins)
        return response
@ -734,7 +710,7 @@ class TokenView(View):
            "id_token": access_token.id_token.to_jwt(self.provider),
        }
-        if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
+        if SCOPE_OFFLINE_ACCESS in self.params.scope:
            refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
            refresh_token = RefreshToken(
                user=self.params.device_code.user,
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@ -108,7 +108,7 @@ class UserInfoView(View):
        response = super().dispatch(request, *args, **kwargs)
        allowed_origins = []
        if self.token:
-            allowed_origins = [x.url for x in self.token.provider.redirect_uris]
+            allowed_origins = self.token.provider.redirect_uris.split("\n")
        cors_allow(self.request, response, *allowed_origins)
        return response
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -13,7 +13,6 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.api.providers import RedirectURISerializer
 from authentik.providers.oauth2.models import ScopeMapping
 from authentik.providers.oauth2.views.provider import ProviderInfoView
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
@ -40,7 +39,7 @@ class ProxyProviderSerializer(ProviderSerializer):
    """ProxyProvider Serializer"""
    client_id = CharField(read_only=True)
-    redirect_uris = RedirectURISerializer(many=True, read_only=True, source="_redirect_uris")
+    redirect_uris = CharField(read_only=True)
    outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
    def validate_basic_auth_enabled(self, value: bool) -> bool:
@ -122,6 +121,7 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
        "basic_auth_password_attribute": ["iexact"],
        "basic_auth_user_attribute": ["iexact"],
        "mode": ["iexact"],
        "redirect_uris": ["iexact"],
        "cookie_domain": ["iexact"],
    }
    search_fields = ["name"]
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -13,13 +13,7 @@ from rest_framework.serializers import Serializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.outposts.models import OutpostModel
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
    ClientTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 SCOPE_AK_PROXY = "ak_proxy"
 OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
@ -30,14 +24,14 @@ def get_cookie_secret():
    return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
-def _get_callback_url(uri: str) -> list[RedirectURI]:
+def _get_callback_url(uri: str) -> str:
-    return [
+    return "\n".join(
-        RedirectURI(
+        [
-            RedirectURIMatchingMode.STRICT,
+            urljoin(uri, "outpost.goauthentik.io/callback")
-            urljoin(uri, "outpost.goauthentik.io/callback") + f"?{OUTPOST_CALLBACK_SIGNATURE}=true",
+            + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
-        ),
+            uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
-        RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"?{OUTPOST_CALLBACK_SIGNATURE}=true"),
+        ]
-    ]
+    )
 class ProxyMode(models.TextChoices):
--- a/authentik/providers/scim/clients/schema.py
+++ b/authentik/providers/scim/clients/schema.py
@ -19,7 +19,6 @@ SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
 class User(BaseUser):
    """Modified User schema with added externalId field"""
    id: str | int | None = None
    schemas: list[str] = [SCIM_USER_SCHEMA]
    externalId: str | None = None
    meta: dict | None = None
@ -28,7 +27,6 @@ class User(BaseUser):
 class Group(BaseGroup):
    """Modified Group schema with added externalId field"""
    id: str | int | None = None
    schemas: list[str] = [SCIM_GROUP_SCHEMA]
    externalId: str | None = None
    meta: dict | None = None
--- a/authentik/rbac/api/rbac_roles.py
+++ b/authentik/rbac/api/rbac_roles.py
@ -53,7 +53,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
        except LookupError:
            return None
        objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class)
-        obj = objects.filter(pk=instance.object_pk).first()
+        obj = objects.first()
        if not obj:
            return None
        return str(obj)
--- a/authentik/rbac/api/rbac_users.py
+++ b/authentik/rbac/api/rbac_users.py
@ -53,7 +53,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
        except LookupError:
            return None
        objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class)
-        obj = objects.filter(pk=instance.object_pk).first()
+        obj = objects.first()
        if not obj:
            return None
        return str(obj)
--- a/authentik/root/monitoring.py
+++ b/authentik/root/monitoring.py
@ -1,8 +1,6 @@
 """Metrics view"""
-from hmac import compare_digest
+from base64 import b64encode
 from pathlib import Path
 from tempfile import gettempdir
 from django.conf import settings
 from django.db import connections
@ -18,21 +16,22 @@ monitoring_set = Signal()
 class MetricsView(View):
-    """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""
+    """Wrapper around ExportToDjangoView, using http-basic auth"""
    def __init__(self, **kwargs):
        _tmp = Path(gettempdir())
        with open(_tmp / "authentik-core-metrics.key") as _f:
            self.monitoring_key = _f.read()
    def get(self, request: HttpRequest) -> HttpResponse:
        """Check for HTTP-Basic auth"""
        auth_header = request.META.get("HTTP_AUTHORIZATION", "")
        auth_type, _, given_credentials = auth_header.partition(" ")
-        authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
+        credentials = f"monitor:{settings.SECRET_KEY}"
        expected = b64encode(str.encode(credentials)).decode()
        authed = auth_type == "Basic" and given_credentials == expected
        if not authed and not settings.DEBUG:
-            return HttpResponse(status=401)
+            response = HttpResponse(status=401)
            response["WWW-Authenticate"] = 'Basic realm="authentik-monitoring"'
            return response
        monitoring_set.send_robust(self)
        return ExportToDjangoView(request)
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -12,7 +12,7 @@ from sentry_sdk import set_tag
 from xmlsec import enable_debug_trace
 from authentik import __version__
-from authentik.lib.config import CONFIG, django_db_config, redis_url
+from authentik.lib.config import CONFIG, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
@ -38,6 +38,7 @@ LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False
 X_FRAME_OPTIONS = "SAMEORIGIN"
 AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
@ -295,7 +296,45 @@ CHANNEL_LAYERS = {
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
 ORIGINAL_BACKEND = "django_prometheus.db.backends.postgresql"
-DATABASES = django_db_config()
+DATABASES = {
    "default": {
        "ENGINE": "authentik.root.db",
        "HOST": CONFIG.get("postgresql.host"),
        "NAME": CONFIG.get("postgresql.name"),
        "USER": CONFIG.get("postgresql.user"),
        "PASSWORD": CONFIG.get("postgresql.password"),
        "PORT": CONFIG.get("postgresql.port"),
        "SSLMODE": CONFIG.get("postgresql.sslmode"),
        "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
        "SSLCERT": CONFIG.get("postgresql.sslcert"),
        "SSLKEY": CONFIG.get("postgresql.sslkey"),
        "TEST": {
            "NAME": CONFIG.get("postgresql.test.name"),
        },
    }
 }
 if CONFIG.get_bool("postgresql.use_pgpool", False):
    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
 if CONFIG.get_bool("postgresql.use_pgbouncer", False):
    # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
    # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
    DATABASES["default"]["CONN_MAX_AGE"] = None  # persistent
 for replica in CONFIG.get_keys("postgresql.read_replicas"):
    _database = DATABASES["default"].copy()
    for setting in DATABASES["default"].keys():
        default = object()
        if setting in ("TEST",):
            continue
        override = CONFIG.get(
            f"postgresql.read_replicas.{replica}.{setting.lower()}", default=default
        )
        if override is not default:
            _database[setting] = override
    DATABASES[f"replica_{replica}"] = _database
 DATABASE_ROUTERS = (
    "authentik.tenants.db.FailoverRouter",
--- a/authentik/root/tests.py
+++ b/authentik/root/tests.py
@ -1,9 +1,8 @@
 """root tests"""
-from pathlib import Path
+from base64 import b64encode
 from secrets import token_urlsafe
 from tempfile import gettempdir
 from django.conf import settings
 from django.test import TestCase
 from django.urls import reverse
@ -11,16 +10,6 @@ from django.urls import reverse
 class TestRoot(TestCase):
    """Test root application"""
    def setUp(self):
        _tmp = Path(gettempdir())
        self.token = token_urlsafe(32)
        with open(_tmp / "authentik-core-metrics.key", "w") as _f:
            _f.write(self.token)
    def tearDown(self):
        _tmp = Path(gettempdir())
        (_tmp / "authentik-core-metrics.key").unlink()
    def test_monitoring_error(self):
        """Test monitoring without any credentials"""
        response = self.client.get(reverse("metrics"))
@ -28,7 +17,8 @@ class TestRoot(TestCase):
    def test_monitoring_ok(self):
        """Test monitoring with credentials"""
-        auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
+        creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode("utf-8")
        auth_headers = {"HTTP_AUTHORIZATION": creds}
        response = self.client.get(reverse("metrics"), **auth_headers)
        self.assertEqual(response.status_code, 200)
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -332,7 +332,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
            serializer = SelectableStageSerializer(
                data={
                    "pk": stage.pk,
-                    "name": getattr(stage, "friendly_name", stage.name) or stage.name,
+                    "name": getattr(stage, "friendly_name", stage.name),
                    "verbose_name": str(stage._meta.verbose_name)
                    .replace("Setup Stage", "")
                    .strip(),
--- a/authentik/stages/authenticator_validate/tests/test_stage.py
+++ b/authentik/stages/authenticator_validate/tests/test_stage.py
@ -4,7 +4,6 @@ from unittest.mock import MagicMock, patch
 from django.test.client import RequestFactory
 from django.urls.base import reverse
 from django.utils.timezone import now
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, NotConfiguredAction
@ -14,7 +13,6 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDigits
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_validate.stage import PLAN_CONTEXT_DEVICE_CHALLENGES
@ -78,8 +76,8 @@ class AuthenticatorValidateStageTests(FlowTestCase):
        conf_stage = AuthenticatorStaticStage.objects.create(
            name=generate_id(),
        )
-        conf_stage2 = AuthenticatorTOTPStage.objects.create(
+        conf_stage2 = AuthenticatorStaticStage.objects.create(
-            name=generate_id(), digits=TOTPDigits.SIX
+            name=generate_id(),
        )
        stage = AuthenticatorValidateStage.objects.create(
            name=generate_id(),
@ -155,14 +153,10 @@ class AuthenticatorValidateStageTests(FlowTestCase):
            {
                "device_class": "static",
                "device_uid": "1",
                "challenge": {},
                "last_used": now(),
            },
            {
                "device_class": "totp",
                "device_uid": "2",
                "challenge": {},
                "last_used": now(),
            },
        ]
        session[SESSION_KEY_PLAN] = plan
--- a/authentik/stages/captcha/api.py
+++ b/authentik/stages/captcha/api.py
@ -17,7 +17,6 @@ class CaptchaStageSerializer(StageSerializer):
            "private_key",
            "js_url",
            "api_url",
            "interactive",
            "score_min_threshold",
            "score_max_threshold",
            "error_on_invalid_score",
--- a/authentik/stages/captcha/migrations/0004_captchastage_interactive.py
+++ b/authentik/stages/captcha/migrations/0004_captchastage_interactive.py
@ -1,18 +0,0 @@
 # Generated by Django 5.0.9 on 2024-10-30 14:28
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_stages_captcha", "0003_captchastage_error_on_invalid_score_and_more"),
    ]
    operations = [
        migrations.AddField(
            model_name="captchastage",
            name="interactive",
            field=models.BooleanField(default=False),
        ),
    ]
--- a/authentik/stages/captcha/models.py
+++ b/authentik/stages/captcha/models.py
@ -9,13 +9,11 @@ from authentik.flows.models import Stage
 class CaptchaStage(Stage):
-    """Verify the user is human using Google's reCaptcha/other compatible CAPTCHA solutions."""
+    """Verify the user is human using Google's reCaptcha."""
    public_key = models.TextField(help_text=_("Public key, acquired your captcha Provider."))
    private_key = models.TextField(help_text=_("Private key, acquired your captcha Provider."))
    interactive = models.BooleanField(default=False)
    score_min_threshold = models.FloatField(default=0.5)  # Default values for reCaptcha
    score_max_threshold = models.FloatField(default=1.0)  # Default values for reCaptcha
--- a/authentik/stages/captcha/stage.py
+++ b/authentik/stages/captcha/stage.py
@ -3,7 +3,7 @@
 from django.http.response import HttpResponse
 from django.utils.translation import gettext as _
 from requests import RequestException
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import CharField
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
@ -24,12 +24,10 @@ PLAN_CONTEXT_CAPTCHA = "captcha"
 class CaptchaChallenge(WithUserInfoChallenge):
    """Site public key"""
    site_key = CharField()
    js_url = CharField()
    component = CharField(default="ak-stage-captcha")
    site_key = CharField(required=True)
    js_url = CharField(required=True)
    interactive = BooleanField(required=True)
 def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
    """Validate captcha token"""
@ -105,7 +103,6 @@ class CaptchaStageView(ChallengeStageView):
            data={
                "js_url": self.executor.current_stage.js_url,
                "site_key": self.executor.current_stage.public_key,
                "interactive": self.executor.current_stage.interactive,
            }
        )
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -26,7 +26,6 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
 from authentik.lib.avatars import DEFAULT_AVATAR
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
@ -77,7 +76,7 @@ class IdentificationChallenge(Challenge):
    allow_show_password = BooleanField(default=False)
    application_pre = CharField(required=False)
    flow_designation = ChoiceField(FlowDesignation.choices)
-    captcha_stage = CaptchaChallenge(required=False, allow_null=True)
+    captcha_stage = CaptchaChallenge(required=False)
    enroll_url = CharField(required=False)
    recovery_url = CharField(required=False)
@ -224,9 +223,6 @@ class IdentificationStageView(ChallengeStageView):
                    {
                        "js_url": current_stage.captcha_stage.js_url,
                        "site_key": current_stage.captcha_stage.public_key,
                        "interactive": current_stage.captcha_stage.interactive,
                        "pending_user": "",
                        "pending_user_avatar": DEFAULT_AVATAR,
                    }
                    if current_stage.captcha_stage
                    else None
--- a/authentik/stages/password/stage.py
+++ b/authentik/stages/password/stage.py
@ -21,7 +21,7 @@ from authentik.flows.challenge import (
    WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import StageInvalidException
-from authentik.flows.models import Flow, Stage
+from authentik.flows.models import Flow, FlowDesignation, Stage
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.reflection import path_to_class
@ -141,11 +141,11 @@ class PasswordStageView(ChallengeStageView):
                "allow_show_password": self.executor.current_stage.allow_show_password,
            }
        )
-        recovery_flow: Flow | None = self.request.brand.flow_recovery
+        recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY)
-        if recovery_flow:
+        if recovery_flow.exists():
            recover_url = reverse(
                "authentik_core:if-flow",
-                kwargs={"flow_slug": recovery_flow.slug},
+                kwargs={"flow_slug": recovery_flow.first().slug},
            )
            challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url)
        return challenge
--- a/authentik/stages/password/tests.py
+++ b/authentik/stages/password/tests.py
@ -5,7 +5,7 @@ from unittest.mock import MagicMock, patch
 from django.core.exceptions import PermissionDenied
 from django.urls import reverse
-from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
@ -57,9 +57,6 @@ class TestPasswordStage(FlowTestCase):
    def test_recovery_flow_link(self):
        """Test link to the default recovery flow"""
        flow = create_test_flow(designation=FlowDesignation.RECOVERY)
        brand = create_test_brand()
        brand.flow_recovery = flow
        brand.save()
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
        session = self.client.session
--- a/blueprints/default/flow-oobe.yaml
+++ b/blueprints/default/flow-oobe.yaml
@ -101,6 +101,7 @@ entries:
    - !KeyOf prompt-field-email
    - !KeyOf prompt-field-password
    - !KeyOf prompt-field-password-repeat
    validation_policies: []
  id: stage-default-oobe-password
  identifiers:
    name: stage-default-oobe-password
--- a/blueprints/default/flow-password-change.yaml
+++ b/blueprints/default/flow-password-change.yaml
@ -2,17 +2,6 @@ version: 1
 metadata:
  name: Default - Password change flow
 entries:
 - attrs:
    check_static_rules: true
    check_zxcvbn: true
    length_min: 8
    password_field: password
    zxcvbn_score_threshold: 2
    error_message: Password needs to be 8 characters or longer.
  identifiers:
    name: default-password-change-password-policy
  model: authentik_policies_password.passwordpolicy
  id: default-password-change-password-policy
 - attrs:
    designation: stage_configuration
    name: Change Password
@ -50,8 +39,6 @@ entries:
    fields:
    - !KeyOf prompt-field-password
    - !KeyOf prompt-field-password-repeat
    validation_policies:
    - !KeyOf default-password-change-password-policy
  identifiers:
    name: default-password-change-prompt
  id: default-password-change-prompt
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.10.5 Blueprint schema",
+    "title": "authentik 2024.10.0 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -5570,30 +5570,9 @@
                    "description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
                },
                "redirect_uris": {
-                    "type": "array",
+                    "type": "string",
-                    "items": {
+                    "title": "Redirect URIs",
-                        "type": "object",
+                    "description": "Enter each URI on a new line."
                        "properties": {
                            "matching_mode": {
                                "type": "string",
                                "enum": [
                                    "strict",
                                    "regex"
                                ],
                                "title": "Matching mode"
                            },
                            "url": {
                                "type": "string",
                                "minLength": 1,
                                "title": "Url"
                            }
                        },
                        "required": [
                            "matching_mode",
                            "url"
                        ]
                    },
                    "title": "Redirect uris"
                },
                "sub_mode": {
                    "type": "string",
@ -6995,7 +6974,7 @@
                "spnego_server_name": {
                    "type": "string",
                    "title": "Spnego server name",
-                    "description": "Force the use of a specific server name for SPNEGO. Must be in the form HTTP@hostname"
+                    "description": "Force the use of a specific server name for SPNEGO"
                },
                "spnego_keytab": {
                    "type": "string",
@ -9802,10 +9781,6 @@
                    "minLength": 1,
                    "title": "Api url"
                },
                "interactive": {
                    "type": "boolean",
                    "title": "Interactive"
                },
                "score_min_threshold": {
                    "type": "number",
                    "title": "Score min threshold"
@ -13408,6 +13383,12 @@
                    "title": "Authorization flow",
                    "description": "Flow used when authorizing this provider."
                },
                "invalidation_flow": {
                    "type": "string",
                    "format": "uuid",
                    "title": "Invalidation flow",
                    "description": "Flow used ending the session from a provider."
                },
                "property_mappings": {
                    "type": "array",
                    "items": {
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -29,7 +29,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024083.13
+	goauthentik.io/api/v3 v3.2024100.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.23.0
 	golang.org/x/sync v0.8.0
--- a/go.sum
+++ b/go.sum
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024083.13 h1:xKh3feJYUeLw583zZ5ifgV0qjD37ZCOzgXPfbHQSbHM=
+goauthentik.io/api/v3 v3.2024100.1 h1:ve8xiaKOyUD5oCkNAsu1o3nc7aolt9bKTTR2qMI1iU4=
-goauthentik.io/api/v3 v3.2024083.13/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024100.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2024.10.5"
+const VERSION = "2024.10.0"
--- a/internal/outpost/ldap/ldap.go
+++ b/internal/outpost/ldap/ldap.go
@ -65,7 +65,7 @@ func (ls *LDAPServer) StartLDAPServer() error {
 		ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)")
 		return err
 	}
-	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
+	proxyListener := &proxyproto.Listener{Listener: ln}
 	defer proxyListener.Close()
 	ls.log.WithField("listen", listen).Info("Starting LDAP server")
--- a/internal/outpost/ldap/ldap_tls.go
+++ b/internal/outpost/ldap/ldap_tls.go
@ -48,7 +48,7 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
 		return err
 	}
-	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
+	proxyListener := &proxyproto.Listener{Listener: ln}
 	defer proxyListener.Close()
 	tln := tls.NewListener(proxyListener, tlsConfig)
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -23,7 +23,6 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api/v3"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 	"goauthentik.io/internal/outpost/proxyv2/hs256"
@ -122,14 +121,6 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 	bs := string(h.Sum([]byte(*p.ClientId)))
 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])
 	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
 	// otherwise we use the internally configured authentik_host
 	tokenEndpointHost := server.API().Outpost.Config["authentik_host"].(string)
 	if config.Get().AuthentikHostBrowser != "" {
 		tokenEndpointHost = config.Get().AuthentikHostBrowser
 	}
 	publicHTTPClient := web.NewHostInterceptor(c, tokenEndpointHost)
 	a := &Application{
 		Host:                 externalHost.Host,
 		log:                  muxLogger,
@ -140,7 +131,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 		tokenVerifier:        verifier,
 		proxyConfig:          p,
 		httpClient:           c,
-		publicHostHTTPClient: publicHTTPClient,
+		publicHostHTTPClient: web.NewHostInterceptor(c, server.API().Outpost.Config["authentik_host"].(string)),
 		mux:                  mux,
 		errorTemplates:       templates.GetTemplates(),
 		ak:                   server.API(),
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@ -129,7 +129,7 @@ func (ps *ProxyServer) ServeHTTP() {
 		ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()}
+	proxyListener := &proxyproto.Listener{Listener: listener}
 	defer proxyListener.Close()
 	ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
@ -148,7 +148,7 @@ func (ps *ProxyServer) ServeHTTPS() {
 		ps.log.WithError(err).Warning("Failed to listen (TLS)")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
+	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
 	defer proxyListener.Close()
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)
--- a/internal/utils/proxy.go
+++ b/internal/utils/proxy.go
@ -1,34 +0,0 @@
 package utils
 import (
 	"net"
 	"github.com/pires/go-proxyproto"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/config"
 )
 func GetProxyConnectionPolicy() proxyproto.ConnPolicyFunc {
 	nets := []*net.IPNet{}
 	for _, rn := range config.Get().Listen.TrustedProxyCIDRs {
 		_, cidr, err := net.ParseCIDR(rn)
 		if err != nil {
 			continue
 		}
 		nets = append(nets, cidr)
 	}
 	return func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
 		host, _, err := net.SplitHostPort(connPolicyOptions.Upstream.String())
 		if err == nil {
 			// remoteAddr will be nil if the IP cannot be parsed
 			remoteAddr := net.ParseIP(host)
 			for _, allowedCidr := range nets {
 				if remoteAddr != nil && allowedCidr.Contains(remoteAddr) {
 					log.WithField("remoteAddr", remoteAddr).WithField("cidr", allowedCidr.String()).Trace("Using remote IP from proxy protocol")
 					return proxyproto.USE, nil
 				}
 			}
 		}
 		return proxyproto.SKIP, nil
 	}
 }
--- a/internal/utils/web/http_host_interceptor.go
+++ b/internal/utils/web/http_host_interceptor.go
@ -14,10 +14,8 @@ type hostInterceptor struct {
 }
 func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) {
-	if r.Host != t.host {
+	r.Host = t.host
-		r.Host = t.host
+	r.Header.Set("X-Forwarded-Proto", t.scheme)
 		r.Header.Set("X-Forwarded-Proto", t.scheme)
 	}
 	return t.inner.RoundTrip(r)
 }
--- a/internal/web/metrics.go
+++ b/internal/web/metrics.go
@ -1,15 +1,11 @@
 package web
 import (
 	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/securecookie"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@ -18,25 +14,14 @@ import (
 	"goauthentik.io/internal/utils/sentry"
 )
 const MetricsKeyFile = "authentik-core-metrics.key"
 var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
 	Name: "authentik_main_request_duration_seconds",
 	Help: "API request latencies in seconds",
 }, []string{"dest"})
 func (ws *WebServer) runMetricsServer() {
 	l := log.WithField("logger", "authentik.router.metrics")
 	tmp := os.TempDir()
 	key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
 	keyPath := path.Join(tmp, MetricsKeyFile)
 	err := os.WriteFile(keyPath, []byte(key), 0o600)
 	if err != nil {
 		l.WithError(err).Warning("failed to save metrics key")
 		return
 	}
 	m := mux.NewRouter()
 	l := log.WithField("logger", "authentik.router.metrics")
 	m.Use(sentry.SentryNoSampleMiddleware)
 	m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		promhttp.InstrumentMetricHandler(
@ -51,7 +36,7 @@ func (ws *WebServer) runMetricsServer() {
 			l.WithError(err).Warning("failed to get upstream metrics")
 			return
 		}
-		re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", key))
+		re.SetBasicAuth("monitor", config.Get().SecretKey)
 		res, err := ws.upstreamHttpClient().Do(re)
 		if err != nil {
 			l.WithError(err).Warning("failed to get upstream metrics")
@ -64,13 +49,9 @@ func (ws *WebServer) runMetricsServer() {
 		}
 	})
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
-	err = http.ListenAndServe(config.Get().Listen.Metrics, m)
+	err := http.ListenAndServe(config.Get().Listen.Metrics, m)
 	if err != nil {
 		l.WithError(err).Warning("Failed to start metrics server")
 	}
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
 	err = os.Remove(keyPath)
 	if err != nil {
 		l.WithError(err).Warning("failed to remove metrics key file")
 	}
 }
--- a/internal/web/static.go
+++ b/internal/web/static.go
@ -42,11 +42,8 @@ func (ws *WebServer) configureStatic() {
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
-		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
+		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
-		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia))
 		    w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 		    fsMedia.ServeHTTP(w, r)
 		})
 	}
 	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))
--- a/internal/web/web_tls.go
+++ b/internal/web/web_tls.go
@ -45,7 +45,7 @@ func (ws *WebServer) listenTLS() {
 		ws.log.WithError(err).Warning("failed to listen (TLS)")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
+	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
 	defer proxyListener.Close()
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)
--- a/internal/web/web.go
+++ b/internal/web/web.go
@ -19,7 +19,6 @@ import (
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/gounicorn"
 	"goauthentik.io/internal/outpost/proxyv2"
 	"goauthentik.io/internal/utils"
 	"goauthentik.io/internal/utils/web"
 	"goauthentik.io/internal/web/brand_tls"
 )
@ -53,7 +52,7 @@ func NewWebServer() *WebServer {
 	loggingHandler.Use(web.NewLoggingHandler(l, nil))
 	tmp := os.TempDir()
-	socketPath := path.Join(tmp, UnixSocketName)
+	socketPath := path.Join(tmp, "authentik-core.sock")
 	// create http client to talk to backend, normal client if we're in debug more
 	// and a client that connects to our socket when in non debug mode
@ -150,7 +149,7 @@ func (ws *WebServer) listenPlain() {
 		ws.log.WithError(err).Warning("failed to listen")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
+	proxyListener := &proxyproto.Listener{Listener: ln}
 	defer proxyListener.Close()
 	ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-23 16:39+0000\n"
+"POT-Creation-Date: 2024-10-28 00:09+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -2614,12 +2614,7 @@ msgid "Captcha Stages"
 msgstr ""
 #: authentik/stages/captcha/stage.py
-msgid "Unknown error"
+msgid "Invalid captcha response. Retrying may solve this issue."
 msgstr ""
 #: authentik/stages/captcha/stage.py
 #, python-brace-format
 msgid "Failed to validate token: {error}"
 msgstr ""
 #: authentik/stages/captcha/stage.py
--- a/locale/it/LC_MESSAGES/django.po
+++ b/locale/it/LC_MESSAGES/django.po
@ -11,15 +11,17 @@
 # Marco Vitale, 2024
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
 # Nicola Mersi, 2024
 # tom max, 2024
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-28 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: albanobattistella <albanobattistella@gmail.com>, 2024\n"
+"Last-Translator: tom max, 2024\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -583,6 +585,28 @@ msgstr "Limite massimo di connessioni raggiunto."
 msgid "(You are already connected in another tab/window)"
 msgstr "(Sei già connesso in un'altra scheda/finestra)"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
 "Fase di autenticazione per la verifica dispositivo Google tramite endpoint"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stages"
 msgstr ""
 "Fasi di autenticazione per la verifica dispositivo Google tramite endpoint"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Device"
 msgstr "Dispositivo di Accesso"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Devices"
 msgstr "Dispositivi di Accesso"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
 msgid "Verifying your browser..."
 msgstr "Verifica del tuo browser..."
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -2017,6 +2041,124 @@ msgstr ""
 msgid "Used recovery-link to authenticate."
 msgstr "Utilizzato il link di recupero per autenticarsi."
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos realm"
 msgstr "Dominio Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Custom krb5.conf to use. Uses the system one by default"
 msgstr ""
 "krb5.conf personalizzato da usare. Usa la configurazione di sistema per "
 "default"
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
 msgstr "Sincronizza utenti da Kerberos a authentik"
 #: authentik/sources/kerberos/models.py
 msgid "When a user changes their password, sync it back to Kerberos"
 msgstr "Quando un utente cambia la sua password, sincronizzala in Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Principal to authenticate to kadmin for sync."
 msgstr "Entità da autenticare su kadmin per la sincronizzazione."
 #: authentik/sources/kerberos/models.py
 msgid "Password to authenticate to kadmin for sync"
 msgstr "Password per autenticarsi in kadmin per sincronizzare"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
 "form TYPE:residual"
 msgstr ""
 "Keytab per autenticarsi su kadmin per la sincronizzazione. Deve essere con "
 "codifica base64 o nel formato TYPE:residual"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Credentials cache to authenticate to kadmin for sync. Must be in the form "
 "TYPE:residual"
 msgstr ""
 "Credenziali memorizzate nella cache per autenticarsi su kadmin per la "
 "sincronizzazione. Devono essere nel formato TYPE:residual"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Force the use of a specific server name for SPNEGO. Must be in the form "
 "HTTP@hostname"
 msgstr ""
 "Forza l'uso di un nome server specifico per SPNEGO. Deve essere nel formato "
 "HTTP@nomehost"
 #: authentik/sources/kerberos/models.py
 msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
 msgstr ""
 "keytab SPNEGO con codifica base64 o percorso del keytab nel formato "
 "FILE:percorso"
 #: authentik/sources/kerberos/models.py
 msgid "Credential cache to use for SPNEGO in form type:residual"
 msgstr ""
 "Cache delle credenziali da utilizzare per SPNEGO nella forma  type:residual"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "If enabled, the authentik-stored password will be updated upon login with "
 "the Kerberos password backend"
 msgstr ""
 "Se abilitato, la password memorizzata in authentik verrà aggiornata al login"
 " nel backend Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source"
 msgstr "Sorgente Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Sources"
 msgstr "Sorgenti Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source Property Mapping"
 msgstr "Mappa delle proprietà della sorgente kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source Property Mappings"
 msgstr "Mappe delle proprietà della sorgente kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "User Kerberos Source Connection"
 msgstr "Connessione sorgente dell'utente kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "User Kerberos Source Connections"
 msgstr " Connessioni alle sorgente dell'utente kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Group Kerberos Source Connection"
 msgstr " Connessione sorgente del gruppo kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Group Kerberos Source Connections"
 msgstr "Connessioni alle sorgenti del gruppo kerberos"
 #: authentik/sources/kerberos/views.py
 msgid "SPNEGO authentication required"
 msgstr "autenticazione  SPNEGO necessaria"
 #: authentik/sources/kerberos/views.py
 msgid ""
 "\n"
 "                    Make sure you have valid tickets (obtainable via kinit)\n"
 "                    and configured the browser correctly.\n"
 "                    Please contact your administrator.\n"
 "                "
 msgstr ""
 "\n"
 "Assicurati di avere un ticket valido (ottenibile tramite kinit)\n"
 " e di aver configurato correttamente il browser. \n"
 "Contatta il tuo amministratore."
 #: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
@ -2735,13 +2877,10 @@ msgid "Captcha Stages"
 msgstr "Fasi Captcha"
 #: authentik/stages/captcha/stage.py
-msgid "Unknown error"
+msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "Errore sconosciuto"
+msgstr ""
-
+"Risposta captcha non valida. Un nuovo tentativo potrebbe risolvere il "
-#: authentik/stages/captcha/stage.py
+"problema."
 #, python-brace-format
 msgid "Failed to validate token: {error}"
 msgstr "Impossibile convalidare il token: {error}"
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@ -3114,6 +3253,10 @@ msgstr "Database utente + password app"
 msgid "User database + LDAP password"
 msgstr "Database utenti + password LDAP"
 #: authentik/stages/password/models.py
 msgid "User database + Kerberos password"
 msgstr "Database utenti + password Kerberos"
 #: authentik/stages/password/models.py
 msgid "Selection of backends to test the password against."
 msgstr "Selezione di backend su cui testare la password."
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-23 16:39+0000\n"
+"POT-Creation-Date: 2024-10-28 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -2649,13 +2649,8 @@ msgid "Captcha Stages"
 msgstr "验证码阶段"
 #: authentik/stages/captcha/stage.py
-msgid "Unknown error"
+msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "未知错误"
+msgstr "无效的验证码响应。重试可能会解决此问题。"
 #: authentik/stages/captcha/stage.py
 #, python-brace-format
 msgid "Failed to validate token: {error}"
 msgstr "验证令牌失败：{error}"
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-23 16:39+0000\n"
+"POT-Creation-Date: 2024-10-28 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -2648,13 +2648,8 @@ msgid "Captcha Stages"
 msgstr "验证码阶段"
 #: authentik/stages/captcha/stage.py
-msgid "Unknown error"
+msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "未知错误"
+msgstr "无效的验证码响应。重试可能会解决此问题。"
 #: authentik/stages/captcha/stage.py
 #, python-brace-format
 msgid "Failed to validate token: {error}"
 msgstr "验证令牌失败：{error}"
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.10.5",
+    "version": "2024.10.0",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.5 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
 [[package]]
 name = "aiohappyeyeballs"
@ -3896,13 +3896,13 @@ pytest = ">=4.0.0"
 [[package]]
 name = "pytest-randomly"
-version = "3.15.0"
+version = "3.16.0"
 description = "Pytest plugin to randomly order tests and control random.seed."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 files = [
-    {file = "pytest_randomly-3.15.0-py3-none-any.whl", hash = "sha256:0516f4344b29f4e9cdae8bce31c4aeebf59d0b9ef05927c33354ff3859eeeca6"},
+    {file = "pytest_randomly-3.16.0-py3-none-any.whl", hash = "sha256:8633d332635a1a0983d3bba19342196807f6afb17c3eef78e02c2f85dade45d6"},
-    {file = "pytest_randomly-3.15.0.tar.gz", hash = "sha256:b908529648667ba5e54723088edd6f82252f540cc340d748d1fa985539687047"},
+    {file = "pytest_randomly-3.16.0.tar.gz", hash = "sha256:11bf4d23a26484de7860d82f726c0629837cf4064b79157bd18ec9d41d7feb26"},
 ]
 [package.dependencies]
@ -4354,13 +4354,13 @@ django-query = ["django (>=3.2)"]
 [[package]]
 name = "selenium"
-version = "4.25.0"
+version = "4.26.0"
 description = "Official Python bindings for Selenium WebDriver"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "selenium-4.25.0-py3-none-any.whl", hash = "sha256:3798d2d12b4a570bc5790163ba57fef10b2afee958bf1d80f2a3cf07c4141f33"},
+    {file = "selenium-4.26.0-py3-none-any.whl", hash = "sha256:48013f36e812de5b3948ef53d04e73f77bc923ee3e1d7d99eaf0618179081b99"},
-    {file = "selenium-4.25.0.tar.gz", hash = "sha256:95d08d3b82fb353f3c474895154516604c7f0e6a9a565ae6498ef36c9bac6921"},
+    {file = "selenium-4.26.0.tar.gz", hash = "sha256:f0780f85f10310aa5d085b81e79d73d3c93b83d8de121d0400d543a50ee963e8"},
 ]
 [package.dependencies]
@ -4425,13 +4425,13 @@ tornado = ["tornado (>=6)"]
 [[package]]
 name = "service-identity"
-version = "24.1.0"
+version = "24.2.0"
 description = "Service identity verification for pyOpenSSL & cryptography."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "service_identity-24.1.0-py3-none-any.whl", hash = "sha256:a28caf8130c8a5c1c7a6f5293faaf239bbfb7751e4862436920ee6f2616f568a"},
+    {file = "service_identity-24.2.0-py3-none-any.whl", hash = "sha256:6b047fbd8a84fd0bb0d55ebce4031e400562b9196e1e0d3e0fe2b8a59f6d4a85"},
-    {file = "service_identity-24.1.0.tar.gz", hash = "sha256:6829c9d62fb832c2e1c435629b0a8c476e1929881f28bee4d20bc24161009221"},
+    {file = "service_identity-24.2.0.tar.gz", hash = "sha256:b8683ba13f0d39c6cd5d625d2c5f65421d6d707b013b375c355751557cbe8e09"},
 ]
 [package.dependencies]
@ -4441,7 +4441,7 @@ pyasn1 = "*"
 pyasn1-modules = "*"
 [package.extras]
-dev = ["pyopenssl", "service-identity[idna,mypy,tests]"]
+dev = ["coverage[toml] (>=5.0.2)", "idna", "mypy", "pyopenssl", "pytest", "types-pyopenssl"]
 docs = ["furo", "myst-parser", "pyopenssl", "sphinx", "sphinx-notfound-page"]
 idna = ["idna"]
 mypy = ["idna", "mypy", "types-pyopenssl"]
@ -4549,19 +4549,19 @@ test = ["pytest"]
 [[package]]
 name = "setuptools"
-version = "69.1.1"
+version = "72.1.0"
 description = "Easily download, build, install, upgrade, and uninstall Python packages"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "setuptools-69.1.1-py3-none-any.whl", hash = "sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56"},
+    {file = "setuptools-72.1.0-py3-none-any.whl", hash = "sha256:5a03e1860cf56bb6ef48ce186b0e557fdba433237481a9a625176c2831be15d1"},
-    {file = "setuptools-69.1.1.tar.gz", hash = "sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"},
+    {file = "setuptools-72.1.0.tar.gz", hash = "sha256:8d243eff56d095e5817f796ede6ae32941278f542e0f941867cc05ae52b162ec"},
 ]
 [package.extras]
-docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
+core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.text (>=3.7)", "more-itertools (>=8.8)", "ordered-set (>=3.1.1)", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"]
-testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
+doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
-testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"]
+test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "mypy (==1.11.*)", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy", "pytest-perf", "pytest-ruff (<0.4)", "pytest-ruff (>=0.2.1)", "pytest-ruff (>=0.3.2)", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
 [[package]]
 name = "six"
@ -4751,13 +4751,13 @@ wsproto = ">=0.14"
 [[package]]
 name = "twilio"
-version = "9.3.5"
+version = "9.3.6"
 description = "Twilio API client and TwiML generator"
 optional = false
 python-versions = ">=3.7.0"
 files = [
-    {file = "twilio-9.3.5-py2.py3-none-any.whl", hash = "sha256:d6a97a77b98cc176a61c960f11894af385bc1c11b93e2e8b79fdfb9601788fb0"},
+    {file = "twilio-9.3.6-py2.py3-none-any.whl", hash = "sha256:c5d7f4cfeb50a7928397b8f819c8f7fb2bb956a1a2cabbda1df1d7a40f9ce1d7"},
-    {file = "twilio-9.3.5.tar.gz", hash = "sha256:608d78a903d403465aac1840c58a6546a090b7e222d2bf539a93c3831072880c"},
+    {file = "twilio-9.3.6.tar.gz", hash = "sha256:d42691f7fe1faaa5ba82942f169bfea4d7f01a0a542a456d82018fb49bd1f5b2"},
 ]
 [package.dependencies]
@ -5565,4 +5565,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "~3.12"
-content-hash = "32f3901cb944de57ed5cb11dde3a2010de845b04adf557b7e3a701581e260613"
+content-hash = "10aa88f2f0e56cddd91adba8c39c52de92763429fb615a27c3dc218952cff808"
--- a/Show More
+++ b/Show More