initial steps for concurrent execution

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
website/integrations: jellyfin: update OIDC plugin installation (#13544 )
2025-03-19 23:03:59 +00:00 · 2025-03-19 20:49:26 +01:00 · 2025-03-19 20:38:27 +01:00 · 2025-03-19 19:23:42 +00:00 · 2025-03-19 19:23:19 +00:00 · 2025-03-19 16:46:35 +00:00
517 changed files with 22448 additions and 9316 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.12.3
+current_version = 2025.2.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
+serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}

 [bumpversion:part:rc_t]
-values =
+values = 
 	rc
 	final
 optional_value = final
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -28,7 +28,11 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-   authentik version: [e.g. 2021.8.5]
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+-   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -20,7 +20,12 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-   authentik version: [e.g. 2021.8.5]
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+
+-   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -9,17 +9,22 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install poetry & deps
+    - name: Install apt deps
      shell: bash
      run: |
-        pipx install poetry || true
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Setup python and restore poetry
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        enable-cache: true
+    - name: Setup python
      uses: actions/setup-python@v5
      with:
        python-version-file: "pyproject.toml"
-        cache: "poetry"
+    - name: Install Python deps
+      shell: bash
+      run: uv sync --all-extras --dev --frozen
    - name: Setup node
      uses: actions/setup-node@v4
      with:
@ -30,15 +35,18 @@ runs:
      uses: actions/setup-go@v5
      with:
        go-version-file: "go.mod"
+    - name: Setup docker cache
+      uses: ScribeMD/docker-cache@0.5.0
+      with:
+        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
        cd web && npm ci
    - name: Generate config
-      shell: poetry run python {0}
+      shell: uv run python {0}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@ -11,7 +11,7 @@ services:
      - 5432:5432
    restart: always
  redis:
-    image: docker.io/library/redis
+    image: docker.io/library/redis:7
    ports:
      - 6379:6379
    restart: always
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@ -1,7 +1,32 @@
+akadmin
+asgi
+assertIn
+authentik
+authn
+crate
+docstrings
+entra
+goauthentik
+gunicorn
+hass
+jwe
+jwks
 keypair
 keypairs
-hass
-warmup
+kubernetes
+oidc
 ontext
+openid
+passwordless
+plex
+saml
+scim
 singed
-assertIn
+slo
+sso
+totp
+traefik
+# https://github.com/codespell-project/codespell/issues/1224
+upToDate
+warmup
+webauthn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -82,6 +82,12 @@ updates:
      docusaurus:
        patterns:
          - "@docusaurus/*"
+      build:
+        patterns:
+          - "@swc/*"
+          - "swc-*"
+          - "lightningcss*"
+          - "@rspack/binding*"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
@ -92,7 +98,7 @@ updates:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
-  - package-ecosystem: pip
+  - package-ecosystem: uv
    directory: "/"
    schedule:
      interval: daily
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -40,7 +40,7 @@ jobs:
      attestations: write
    steps:
      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.4.0
+      - uses: docker/setup-qemu-action@v3.6.0
      - uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -33,7 +33,7 @@ jobs:
          npm ci
      - name: Check changes have been applied
        run: |
-          poetry run make aws-cfn
+          uv run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
    if: always()
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@ -15,8 +15,8 @@ jobs:
      matrix:
        version:
          - docs
+          - version-2025-2
          - version-2024-12
-          - version-2024-10
    steps:
      - uses: actions/checkout@v4
      - run: |
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -34,7 +34,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
-        run: poetry run make ci-${{ matrix.job }}
+        run: uv run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
@ -42,7 +42,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
-        run: poetry run python -m lifecycle.migrate
+        run: uv run python -m lifecycle.migrate
  test-make-seed:
    runs-on: ubuntu-latest
    steps:
@ -69,19 +69,21 @@ jobs:
          fetch-depth: 0
      - name: checkout stable
        run: |
-          # Delete all poetry envs
-          rm -rf /home/runner/.cache/pypoetry
          # Copy current, latest config to local
+          # Temporarly comment the .github backup while migrating to uv
          cp authentik/lib/default.yml local.env.yml
-          cp -R .github ..
+          # cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          rm -rf .github/ scripts/
-          mv ../.github ../scripts .
+          # rm -rf .github/ scripts/
+          # mv ../.github ../scripts .
+          rm -rf scripts/
+          mv ../scripts .
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
+        continue-on-error: true
      - name: run migrations to stable
        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
@ -91,15 +93,13 @@ jobs:
          git reset --hard HEAD
          git clean -d -fx .
          git checkout $GITHUB_SHA
-          # Delete previous poetry env
-          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
      - name: Setup authentik env (ensure latest deps are installed)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: migrate to latest
        run: |
-          poetry run python -m lifecycle.migrate
+          uv run python -m lifecycle.migrate
      - name: run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
@ -108,7 +108,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          poetry run make ci-test
+          uv run make ci-test
  test-unittest:
    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
@ -133,7 +133,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          poetry run make ci-test
+          uv run make ci-test
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -156,8 +156,8 @@ jobs:
        uses: helm/kind-action@v1.12.0
      - name: run integration
        run: |
-          poetry run coverage run manage.py test tests/integration
-          poetry run coverage xml
+          uv run coverage run manage.py test tests/integration
+          uv run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -214,8 +214,8 @@ jobs:
          npm run build
      - name: run e2e
        run: |
-          poetry run coverage run manage.py test ${{ matrix.job.glob }}
-          poetry run coverage xml
+          uv run coverage run manage.py test ${{ matrix.job.glob }}
+          uv run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -82,7 +82,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -2,7 +2,7 @@ name: authentik-gen-update-webauthn-mds
 on:
  workflow_dispatch:
  schedule:
-    - cron: '30 1 1,15 * *'
+    - cron: "30 1 1,15 * *"

 env:
  POSTGRES_DB: authentik
@ -24,7 +24,7 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - run: poetry run ak update_webauthn_mds
+      - run: uv run ak update_webauthn_mds
      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -21,8 +21,8 @@ jobs:
        uses: ./.github/actions/setup
      - name: generate docs
        run: |
-          poetry run make migrate
-          poetry run ak build_source_docs
+          uv run make migrate
+          uv run ak build_source_docs
      - name: Publish
        uses: netlify/actions/cli@master
        with:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -42,7 +42,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -186,7 +186,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@v1
+        uses: getsentry/action-release@v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -1,9 +1,13 @@
 ---
-name: authentik-backend-translate-extract-compile
+name: authentik-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - version-*

 env:
  POSTGRES_DB: authentik
@ -15,23 +19,30 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
+        if: ${{ github.event_name != 'pull_request' }}
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
+        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
+      - uses: actions/checkout@v4
+        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - name: Generate API
+        run: make gen-client-ts
      - name: run extract
        run: |
-          poetry run make i18n-extract
+          uv run make i18n-extract
      - name: run compile
        run: |
-          poetry run ak compilemessages
+          uv run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
+        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,26 +1,4 @@
 {
-    "cSpell.words": [
-        "akadmin",
-        "asgi",
-        "authentik",
-        "authn",
-        "entra",
-        "goauthentik",
-        "jwe",
-        "jwks",
-        "kubernetes",
-        "oidc",
-        "openid",
-        "passwordless",
-        "plex",
-        "saml",
-        "scim",
-        "slo",
-        "sso",
-        "totp",
-        "traefik",
-        "webauthn"
-    ],
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "yaml.customTags": [
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -3,8 +3,13 @@
    "tasks": [
        {
            "label": "authentik/core: make",
-            "command": "poetry",
-            "args": ["run", "make", "lint-fix", "lint"],
+            "command": "uv",
+            "args": [
+                "run",
+                "make",
+                "lint-fix",
+                "lint"
+            ],
            "presentation": {
                "panel": "new"
            },
@ -12,8 +17,12 @@
        },
        {
            "label": "authentik/core: run",
-            "command": "poetry",
-            "args": ["run", "ak", "server"],
+            "command": "uv",
+            "args": [
+                "run",
+                "ak",
+                "server"
+            ],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -23,13 +32,17 @@
        {
            "label": "authentik/web: make",
            "command": "make",
-            "args": ["web"],
+            "args": [
+                "web"
+            ],
            "group": "build"
        },
        {
            "label": "authentik/web: watch",
            "command": "make",
-            "args": ["web-watch"],
+            "args": [
+                "web-watch"
+            ],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -39,19 +52,26 @@
        {
            "label": "authentik: install",
            "command": "make",
-            "args": ["install", "-j4"],
+            "args": [
+                "install",
+                "-j4"
+            ],
            "group": "build"
        },
        {
            "label": "authentik/website: make",
            "command": "make",
-            "args": ["website"],
+            "args": [
+                "website"
+            ],
            "group": "build"
        },
        {
            "label": "authentik/website: watch",
            "command": "make",
-            "args": ["website-watch"],
+            "args": [
+                "website-watch"
+            ],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -60,8 +80,12 @@
        },
        {
            "label": "authentik/api: generate",
-            "command": "poetry",
-            "args": ["run", "make", "gen"],
+            "command": "uv",
+            "args": [
+                "run",
+                "make",
+                "gen"
+            ],
            "group": "build"
        }
    ]
--- a/2
+++ b/2
@ -10,7 +10,7 @@ schemas/                        @goauthentik/backend
 scripts/                        @goauthentik/backend
 tests/                          @goauthentik/backend
 pyproject.toml                  @goauthentik/backend
-poetry.lock                     @goauthentik/backend
+uv.lock                         @goauthentik/backend
 go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
+identity and expression, level of experience, education, socioeconomic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.

--- a/85
+++ b/85
@ -93,53 +93,59 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    mkdir -p /usr/share/GeoIP && \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

-# Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps
+# Stage 5: Download uv
+FROM ghcr.io/astral-sh/uv:0.6.8 AS uv
+# Stage 6: Base python image
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-base
+
+ENV VENV_PATH="/ak-root/.venv" \
+    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
+    UV_COMPILE_BYTECODE=1 \
+    UV_LINK_MODE=copy \
+    UV_NATIVE_TLS=1 \
+    UV_PYTHON_DOWNLOADS=0
+
+WORKDIR /ak-root/
+
+COPY --from=uv /uv /uvx /bin/
+
+# Stage 7: Python dependencies
+FROM python-base AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT

-WORKDIR /ak-root/poetry
-
-ENV VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false \
-    PATH="/ak-root/venv/bin:$PATH"
-
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

+ENV PATH="/root/.cargo/bin:$PATH"
+
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
-
-RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
-    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
-    --mount=type=cache,target=/root/.cache/pip \
-    --mount=type=cache,target=/root/.cache/pypoetry \
-    pip install --no-cache cffi && \
-    apt-get update && \
    apt-get install -y --no-install-recommends \
-        build-essential libffi-dev \
-        # Required for cryptography
-        curl pkg-config \
-        # Required for lxml
-        libxslt-dev zlib1g-dev \
-        # Required for xmlsec
-        libltdl-dev \
-        # Required for kadmin
-        sccache clang && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
-    . "$HOME/.cargo/env" && \
-    python -m venv /ak-root/venv/ && \
-    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip poetry && \
-    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
-    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip uninstall cryptography -y && \
-    poetry install --only=main --no-ansi --no-interaction --no-root"
+    # Build essentials
+    build-essential pkg-config libffi-dev git \
+    # cryptography
+    curl \
+    # libxml
+    libxslt-dev zlib1g-dev \
+    # postgresql
+    libpq-dev \
+    # python-kadmin-rs
+    clang libkrb5-dev sccache \
+    # xmlsec
+    libltdl-dev && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y

-# Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image
+ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+
+RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
+    --mount=type=bind,target=uv.lock,src=uv.lock \
+    --mount=type=cache,target=/root/.cache/uv \
+    uv sync --frozen --no-install-project --no-dev
+
+# Stage 8: Run
+FROM python-base AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@ -171,7 +177,7 @@ RUN apt-get update && \

 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./poetry.lock /
+COPY ./uv.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
@ -180,7 +186,7 @@ COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY --from=python-deps /ak-root/venv /ak-root/venv
+COPY --from=python-deps /ak-root/.venv /ak-root/.venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/build/ /website/help/
@ -191,9 +197,6 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
-    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
-    VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false \
    GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
--- a/72
+++ b/72
@ -4,34 +4,17 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.npm_version)
+NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
-GO_SOURCES = cmd internal
-WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"

 GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"

-pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
-
-CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
-		-I .github/codespell-words.txt \
-		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
-		-S '**/node_modules/**' \
-		-S '**/dist/**' \
-		$(PY_SOURCES) \
-		$(GO_SOURCES) \
-		$(WEB_SOURCES) \
-		website/src \
-		website/blog \
-		website/docs \
-		website/integrations \
-		website/src
+pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)

 all: lint-fix lint test gen web  ## Lint, build, and test everything

@ -49,34 +32,37 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
-	coverage run manage.py test --keepdb authentik
-	coverage html
-	coverage report
+	uv run coverage run manage.py test --keepdb authentik
+	uv run coverage html
+	uv run coverage report

 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	black $(PY_SOURCES)
-	ruff check --fix $(PY_SOURCES)
+	uv run black $(PY_SOURCES)
+	uv run ruff check --fix $(PY_SOURCES)

 lint-codespell:  ## Reports spelling errors.
-	codespell -w $(CODESPELL_ARGS)
+	uv run codespell -w

 lint: ## Lint the python and golang sources
-	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
+	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
 	golangci-lint run -v

 core-install:
-	poetry install
+	uv sync --frozen

 migrate: ## Run the Authentik Django server's migrations
-	python -m lifecycle.migrate
+	uv run python -m lifecycle.migrate

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

 aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn

+run:  ## Run the main authentik server process
+	uv run ak server
+
 core-i18n-extract:
-	ak makemessages \
+	uv run ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@ -107,11 +93,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		ak make_blueprint_schema > blueprints/schema.json
+		uv run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		ak spectacular --file schema.yml
+		uv run ak spectacular --file schema.yml

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@ -162,7 +148,7 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@ -190,7 +176,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/

 gen-dev-config:  ## Generate a local development config file
-	python -m scripts.generate_config
+	uv run scripts/generate_config.py

 gen: gen-build gen-client-ts

@ -271,21 +257,21 @@ ci--meta-debug:
 	node --version

 ci-black: ci--meta-debug
-	black --check $(PY_SOURCES)
+	uv run black --check $(PY_SOURCES)

 ci-ruff: ci--meta-debug
-	ruff check $(PY_SOURCES)
+	uv run ruff check $(PY_SOURCES)

 ci-codespell: ci--meta-debug
-	codespell $(CODESPELL_ARGS) -s
+	uv run codespell -s

 ci-bandit: ci--meta-debug
-	bandit -r $(PY_SOURCES)
+	uv run bandit -r $(PY_SOURCES)

 ci-pending-migrations: ci--meta-debug
-	ak makemigrations --check
+	uv run ak makemigrations --check

 ci-test: ci--meta-debug
-	coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	coverage report
-	coverage xml
+	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	uv run coverage report
+	uv run coverage xml
--- a/SECURITY.md
+++ b/SECURITY.md
@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di

 ## Independent audits and pentests

-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).

 ## What authentik classifies as a CVE

@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
-| 2024.10.x | ✅        |
 | 2024.12.x | ✅        |
+| 2025.2.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.12.3"
+__version__ = "2025.2.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -50,7 +50,6 @@ from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProviderGroup,
    MicrosoftEntraProviderUser,
 )
-from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.enterprise.providers.ssf.models import StreamEvent
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    EndpointDevice,
@ -72,6 +71,7 @@ from authentik.providers.oauth2.models import (
    DeviceToken,
    RefreshToken,
 )
+from authentik.providers.rac.models import ConnectionToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -5,6 +5,7 @@ from collections.abc import Iterable
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
@ -154,6 +155,17 @@ class SourceViewSet(
            matching_sources.append(source_settings.validated_data)
        return Response(matching_sources)

+    def destroy(self, request: Request, *args, **kwargs):
+        """Prevent deletion of built-in sources"""
+        instance: Source = self.get_object()
+
+        if instance.managed == Source.MANAGED_INBUILT:
+            raise ValidationError(
+                {"detail": "Built-in sources cannot be deleted"}, code="protected"
+            )
+
+        return super().destroy(request, *args, **kwargs)
+

 class UserSourceConnectionSerializer(SourceSerializer):
    """User source connection"""
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -32,5 +32,5 @@ class AuthentikCoreConfig(ManagedAppConfig):
                "name": "authentik Built-in",
                "slug": "authentik-built-in",
            },
-            managed="goauthentik.io/sources/inbuilt",
+            managed=Source.MANAGED_INBUILT,
        )
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -678,6 +678,8 @@ class SourceGroupMatchingModes(models.TextChoices):
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""

+    MANAGED_INBUILT = "goauthentik.io/sources/inbuilt"
+
    name = models.TextField(help_text=_("Source's display Name."))
    slug = models.SlugField(help_text=_("Internal source name, used in URLs."), unique=True)

--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -35,8 +35,7 @@ from authentik.flows.planner import (
    FlowPlanner,
 )
 from authentik.flows.stage import StageView
-from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
-from authentik.lib.utils.urls import redirect_with_qs
+from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@ -47,8 +46,9 @@ from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH

 LOGGER = get_logger()

-SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
+SESSION_KEY_SOURCE_FLOW_STAGES = "authentik/flows/source_flow_stages"
+SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec


 class MessageStage(StageView):
@ -219,28 +219,28 @@ class SourceFlowManager:
            }
        )
        flow_context.update(self.policy_context)
-        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
-            token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
-            self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
-            plan = token.plan
-            plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(flow_context)
-            for stage in self.get_stages_to_append(flow):
-                plan.append_stage(stage)
-            if stages:
-                for stage in stages:
-                    plan.append_stage(stage)
-            self.request.session[SESSION_KEY_PLAN] = plan
-            flow_slug = token.flow.slug
-            token.delete()
-            return redirect_with_qs(
-                "authentik_core:if-flow",
-                self.request.GET,
-                flow_slug=flow_slug,
-            )
        flow_context.setdefault(PLAN_CONTEXT_REDIRECT, final_redirect)

        if not flow:
+            # We only check for the flow token here if we don't have a flow, otherwise we rely on
+            # SESSION_KEY_SOURCE_FLOW_STAGES to delegate the usage of this token and dynamically add
+            # stages that deal with this token to return to another flow
+            if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+                token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
+                self._logger.info(
+                    "Replacing source flow with overridden flow", flow=token.flow.slug
+                )
+                plan = token.plan
+                plan.context[PLAN_CONTEXT_IS_RESTORED] = token
+                plan.context.update(flow_context)
+                for stage in self.get_stages_to_append(flow):
+                    plan.append_stage(stage)
+                if stages:
+                    for stage in stages:
+                        plan.append_stage(stage)
+                redirect = plan.to_redirect(self.request, token.flow)
+                token.delete()
+                return redirect
            return bad_request_message(
                self.request,
                _("Configured flow does not exist."),
@ -259,6 +259,8 @@ class SourceFlowManager:
        if stages:
            for stage in stages:
                plan.append_stage(stage)
+        for stage in self.request.session.get(SESSION_KEY_SOURCE_FLOW_STAGES, []):
+            plan.append_stage(stage)
        return plan.to_redirect(self.request, flow)

    def handle_auth(
@ -295,6 +297,8 @@ class SourceFlowManager:
        # When request isn't authenticated we jump straight to auth
        if not self.request.user.is_authenticated:
            return self.handle_auth(connection)
+        # When an override flow token exists we actually still use a flow for link
+        # to continue the existing flow we came from
        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
            return self._prepare_flow(None, connection)
        connection.save()
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -67,6 +67,8 @@ def clean_expired_models(self: SystemTask):
                raise ImproperlyConfigured(
                    "Invalid session_storage setting, allowed values are db and cache"
                )
+    if CONFIG.get("session_storage", "cache") == "db":
+        DBSessionStore.clear_expired()
    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)

    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -11,6 +11,7 @@
        build: "{{ build }}",
        api: {
            base: "{{ base_url }}",
+            relBase: "{{ base_url_rel }}",
        },
    };
    window.addEventListener("DOMContentLoaded", function () {
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -8,6 +8,8 @@
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
+        <meta name="darkreader-lock">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
        <link rel="icon" href="{{ brand.branding_favicon_url }}">
        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -55,7 +55,7 @@ class RedirectToAppLaunch(View):
            )
        except FlowNonApplicableException:
            raise Http404 from None
-        plan.insert_stage(in_memory_stage(RedirectToAppStage))
+        plan.append_stage(in_memory_stage(RedirectToAppStage))
        return plan.to_redirect(request, flow)


--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -53,6 +53,7 @@ class InterfaceView(TemplateView):
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
+        kwargs["base_url_rel"] = CONFIG.get("web.path", "/")
        return super().get_context_data(**kwargs)


--- a/authentik/enterprise/providers/google_workspace/api/providers.py
+++ b/authentik/enterprise/providers/google_workspace/api/providers.py
@ -37,6 +37,7 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
            "user_delete_action",
            "group_delete_action",
            "default_group_email_domain",
+            "dry_run",
        ]
        extra_kwargs = {}

--- a/authentik/enterprise/providers/google_workspace/clients/base.py
+++ b/authentik/enterprise/providers/google_workspace/clients/base.py
@ -8,9 +8,10 @@ from httplib2 import HttpLib2Error, HttpLib2ErrorWithResponse

 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
    BadRequestSyncException,
+    DryRunRejected,
    NotFoundSyncException,
    ObjectExistsSyncException,
    StopSync,
@ -43,6 +44,8 @@ class GoogleWorkspaceSyncClient[TModel: Model, TConnection: Model, TSchema: dict
            self.domains.append(domain_name)

    def _request(self, request: HttpRequest):
+        if self.provider.dry_run and request.method.upper() not in SAFE_METHODS:
+            raise DryRunRejected(request.uri, request.method, request.body)
        try:
            response = request.execute()
        except GoogleAuthError as exc:
--- a/authentik/enterprise/providers/google_workspace/migrations/0004_googleworkspaceprovider_dry_run.py
+++ b/authentik/enterprise/providers/google_workspace/migrations/0004_googleworkspaceprovider_dry_run.py
@ -0,0 +1,24 @@
+# Generated by Django 5.0.12 on 2025-02-24 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_providers_google_workspace",
+            "0003_googleworkspaceprovidergroup_attributes_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="googleworkspaceprovider",
+            name="dry_run",
+            field=models.BooleanField(
+                default=False,
+                help_text="When enabled, provider will not modify or create objects in the remote system.",
+            ),
+        ),
+    ]
--- a/authentik/enterprise/providers/microsoft_entra/api/providers.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/providers.py
@ -36,6 +36,7 @@ class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializ
            "filter_group",
            "user_delete_action",
            "group_delete_action",
+            "dry_run",
        ]
        extra_kwargs = {}

--- a/authentik/enterprise/providers/microsoft_entra/clients/base.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/base.py
@ -3,6 +3,7 @@ from collections.abc import Coroutine
 from dataclasses import asdict
 from typing import Any

+import httpx
 from azure.core.exceptions import (
    ClientAuthenticationError,
    ServiceRequestError,
@ -12,6 +13,7 @@ from azure.identity.aio import ClientSecretCredential
 from django.db.models import Model
 from django.http import HttpResponseBadRequest, HttpResponseNotFound
 from kiota_abstractions.api_error import APIError
+from kiota_abstractions.request_information import RequestInformation
 from kiota_authentication_azure.azure_identity_authentication_provider import (
    AzureIdentityAuthenticationProvider,
 )
@ -21,13 +23,15 @@ from msgraph.generated.models.o_data_errors.o_data_error import ODataError
 from msgraph.graph_request_adapter import GraphRequestAdapter, options
 from msgraph.graph_service_client import GraphServiceClient
 from msgraph_core import GraphClientFactory
+from opentelemetry import trace

 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
 from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
    BadRequestSyncException,
+    DryRunRejected,
    NotFoundSyncException,
    ObjectExistsSyncException,
    StopSync,
@ -35,20 +39,24 @@ from authentik.lib.sync.outgoing.exceptions import (
 )


-def get_request_adapter(
-    credentials: ClientSecretCredential, scopes: list[str] | None = None
-) -> GraphRequestAdapter:
-    if scopes:
-        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials, scopes=scopes)
-    else:
-        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
+class AuthentikRequestAdapter(GraphRequestAdapter):
+    def __init__(self, auth_provider, provider: MicrosoftEntraProvider, client=None):
+        super().__init__(auth_provider, client)
+        self._provider = provider

-    return GraphRequestAdapter(
-        auth_provider=auth_provider,
-        client=GraphClientFactory.create_with_default_middleware(
-            options=options, client=KiotaClientFactory.get_default_client()
-        ),
-    )
+    async def get_http_response_message(
+        self,
+        request_info: RequestInformation,
+        parent_span: trace.Span,
+        claims: str = "",
+    ) -> httpx.Response:
+        if self._provider.dry_run and request_info.http_method.value.upper() not in SAFE_METHODS:
+            raise DryRunRejected(
+                url=request_info.url,
+                method=request_info.http_method.value,
+                body=request_info.content.decode("utf-8"),
+            )
+        return await super().get_http_response_message(request_info, parent_span, claims=claims)


 class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict](
@ -63,9 +71,27 @@ class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict]
        self.credentials = provider.microsoft_credentials()
        self.__prefetch_domains()

+    def get_request_adapter(
+        self, credentials: ClientSecretCredential, scopes: list[str] | None = None
+    ) -> AuthentikRequestAdapter:
+        if scopes:
+            auth_provider = AzureIdentityAuthenticationProvider(
+                credentials=credentials, scopes=scopes
+            )
+        else:
+            auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
+
+        return AuthentikRequestAdapter(
+            auth_provider=auth_provider,
+            provider=self.provider,
+            client=GraphClientFactory.create_with_default_middleware(
+                options=options, client=KiotaClientFactory.get_default_client()
+            ),
+        )
+
    @property
    def client(self):
-        return GraphServiceClient(request_adapter=get_request_adapter(**self.credentials))
+        return GraphServiceClient(request_adapter=self.get_request_adapter(**self.credentials))

    def _request[T](self, request: Coroutine[Any, Any, T]) -> T:
        try:
--- a/authentik/enterprise/providers/microsoft_entra/migrations/0003_microsoftentraprovider_dry_run.py
+++ b/authentik/enterprise/providers/microsoft_entra/migrations/0003_microsoftentraprovider_dry_run.py
@ -0,0 +1,24 @@
+# Generated by Django 5.0.12 on 2025-02-24 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_providers_microsoft_entra",
+            "0002_microsoftentraprovidergroup_attributes_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="microsoftentraprovider",
+            name="dry_run",
+            field=models.BooleanField(
+                default=False,
+                help_text="When enabled, provider will not modify or create objects in the remote system.",
+            ),
+        ),
+    ]
--- a/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
+++ b/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
@ -32,7 +32,6 @@ class MicrosoftEntraUserTests(APITestCase):

    @apply_blueprint("system/providers-microsoft-entra.yaml")
    def setUp(self) -> None:
-
        # Delete all users and groups as the mocked HTTP responses only return one ID
        # which will cause errors with multiple users
        Tenant.objects.update(avatars="none")
@ -97,6 +96,38 @@ class MicrosoftEntraUserTests(APITestCase):
            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
            user_create.assert_called_once()

+    def test_user_create_dry_run(self):
+        """Test user creation (dry run)"""
+        self.provider.dry_run = True
+        self.provider.save()
+        uid = generate_id()
+        with (
+            patch(
+                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
+                MagicMock(return_value={"credentials": self.creds}),
+            ),
+            patch(
+                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
+                AsyncMock(
+                    return_value=OrganizationCollectionResponse(
+                        value=[
+                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
+                        ]
+                    )
+                ),
+            ),
+        ):
+            user = User.objects.create(
+                username=uid,
+                name=f"{uid} {uid}",
+                email=f"{uid}@goauthentik.io",
+            )
+            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
+                provider=self.provider, user=user
+            ).first()
+            self.assertIsNone(microsoft_user)
+            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
+
    def test_user_not_created(self):
        """Test without property mappings, no group is created"""
        self.provider.property_mappings.clear()
--- a/authentik/enterprise/providers/rac/apps.py
+++ b/authentik/enterprise/providers/rac/apps.py
@ -1,14 +0,0 @@
-"""RAC app config"""
-
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikEnterpriseProviderRAC(EnterpriseConfig):
-    """authentik enterprise rac app config"""
-
-    name = "authentik.enterprise.providers.rac"
-    label = "authentik_providers_rac"
-    verbose_name = "authentik Enterprise.Providers.RAC"
-    default = True
-    mountpoint = ""
-    ws_mountpoint = "authentik.enterprise.providers.rac.urls"
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -16,7 +16,6 @@ TENANT_APPS = [
    "authentik.enterprise.audit",
    "authentik.enterprise.providers.google_workspace",
    "authentik.enterprise.providers.microsoft_entra",
-    "authentik.enterprise.providers.rac",
    "authentik.enterprise.providers.ssf",
    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.source",
--- a/authentik/enterprise/stages/source/stage.py
+++ b/authentik/enterprise/stages/source/stage.py
@ -9,13 +9,16 @@ from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user

 from authentik.core.models import Source, User
-from authentik.core.sources.flow_manager import SESSION_KEY_OVERRIDE_FLOW_TOKEN
+from authentik.core.sources.flow_manager import (
+    SESSION_KEY_OVERRIDE_FLOW_TOKEN,
+    SESSION_KEY_SOURCE_FLOW_STAGES,
+)
 from authentik.core.types import UILoginButton
 from authentik.enterprise.stages.source.models import SourceStage
 from authentik.flows.challenge import Challenge, ChallengeResponse
-from authentik.flows.models import FlowToken
+from authentik.flows.models import FlowToken, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED
-from authentik.flows.stage import ChallengeStageView
+from authentik.flows.stage import ChallengeStageView, StageView
 from authentik.lib.utils.time import timedelta_from_string

 PLAN_CONTEXT_RESUME_TOKEN = "resume_token"  # nosec
@ -49,6 +52,7 @@ class SourceStageView(ChallengeStageView):
    def get_challenge(self, *args, **kwargs) -> Challenge:
        resume_token = self.create_flow_token()
        self.request.session[SESSION_KEY_OVERRIDE_FLOW_TOKEN] = resume_token
+        self.request.session[SESSION_KEY_SOURCE_FLOW_STAGES] = [in_memory_stage(SourceStageFinal)]
        return self.login_button.challenge

    def create_flow_token(self) -> FlowToken:
@ -77,3 +81,19 @@ class SourceStageView(ChallengeStageView):

    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        return self.executor.stage_ok()
+
+
+class SourceStageFinal(StageView):
+    """Dynamic stage injected in the source flow manager. This is injected in the
+    flow the source flow manager picks (authentication or enrollment), and will run at the end.
+    This stage uses the override flow token to resume execution of the initial flow the
+    source stage is bound to."""
+
+    def dispatch(self, *args, **kwargs):
+        token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
+        self.logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
+        plan = token.plan
+        plan.context[PLAN_CONTEXT_IS_RESTORED] = token
+        response = plan.to_redirect(self.request, token.flow)
+        token.delete()
+        return response
--- a/authentik/enterprise/stages/source/tests.py
+++ b/authentik/enterprise/stages/source/tests.py
@ -4,7 +4,8 @@ from django.urls import reverse

 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.enterprise.stages.source.models import SourceStage
-from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken
+from authentik.enterprise.stages.source.stage import SourceStageFinal
+from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
@ -87,6 +88,7 @@ class TestSourceStage(FlowTestCase):
        self.assertIsNotNone(flow_token)
        session = self.client.session
        plan: FlowPlan = session[SESSION_KEY_PLAN]
+        plan.insert_stage(in_memory_stage(SourceStageFinal), index=0)
        plan.context[PLAN_CONTEXT_IS_RESTORED] = flow_token
        session[SESSION_KEY_PLAN] = plan
        session.save()
@ -96,4 +98,6 @@ class TestSourceStage(FlowTestCase):
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}), follow=True
        )
        self.assertEqual(response.status_code, 200)
-        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
+        self.assertStageRedirects(
+            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
+        )
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -54,6 +54,7 @@ class Challenge(PassiveSerializer):

    flow_info = ContextualFlowInfo(required=False)
    component = CharField(default="")
+    xid = CharField(required=False)

    response_errors = DictField(
        child=ErrorDetailSerializer(many=True), allow_empty=True, required=False
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -76,10 +76,10 @@ class FlowPlan:
        self.bindings.append(binding)
        self.markers.append(marker or StageMarker())

-    def insert_stage(self, stage: Stage, marker: StageMarker | None = None):
+    def insert_stage(self, stage: Stage, marker: StageMarker | None = None, index=1):
        """Insert stage into plan, as immediate next stage"""
-        self.bindings.insert(1, FlowStageBinding(stage=stage, order=0))
-        self.markers.insert(1, marker or StageMarker())
+        self.bindings.insert(index, FlowStageBinding(stage=stage, order=0))
+        self.markers.insert(index, marker or StageMarker())

    def redirect(self, destination: str):
        """Insert a redirect stage as next stage"""
@ -143,10 +143,12 @@ class FlowPlan:
        request: HttpRequest,
        flow: Flow,
        allowed_silent_types: list["StageView"] | None = None,
+        **get_params,
    ) -> HttpResponse:
        """Redirect to the flow executor for this flow plan"""
        from authentik.flows.views.executor import (
            SESSION_KEY_PLAN,
+            FlowContainer,
            FlowExecutorView,
        )

@ -157,6 +159,7 @@ class FlowPlan:
            # No unskippable stages found, so we can directly return the response of the last stage
            final_stage: type[StageView] = self.bindings[-1].stage.view
            temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
+            temp_exec.container = FlowContainer(request)
            temp_exec.current_stage = self.bindings[-1].stage
            temp_exec.current_stage_view = final_stage
            temp_exec.setup(request, flow.slug)
@ -174,6 +177,9 @@ class FlowPlan:
        ):
            get_qs["inspector"] = "available"

+        for key, value in get_params:
+            get_qs[key] = value
+
        return redirect_with_qs(
            "authentik_core:if-flow",
            get_qs,
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -191,6 +191,7 @@ class ChallengeStageView(StageView):
                )
                flow_info.is_valid()
                challenge.initial_data["flow_info"] = flow_info.data
+            challenge.initial_data["xid"] = self.executor.container.exec_id
            if isinstance(challenge, WithUserInfoChallenge):
                # If there's a pending user, update the `username` field
                # this field is only used by password managers.
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -28,7 +28,7 @@ window.authentik.flow = {

 {% block body %}
 <ak-message-container></ak-message-container>
-<ak-flow-executor flowSlug="{{ flow.slug }}">
+<ak-flow-executor flowSlug="{{ flow.slug }}" xid="{{ xid }}">
    <ak-loading></ak-loading>
 </ak-flow-executor>
 {% endblock %}
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -1,6 +1,7 @@
 """authentik multi-stage authentication engine"""

 from copy import deepcopy
+from uuid import uuid4

 from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
@ -64,6 +65,7 @@ from authentik.policies.engine import PolicyEngine
 LOGGER = get_logger()
 # Argument used to redirect user after login
 NEXT_ARG_NAME = "next"
+SESSION_KEY_PLAN_CONTAINER = "authentik/flows/plan_container/%s"
 SESSION_KEY_PLAN = "authentik/flows/plan"
 SESSION_KEY_APPLICATION_PRE = "authentik/flows/application_pre"
 SESSION_KEY_GET = "authentik/flows/get"
@ -71,6 +73,7 @@ SESSION_KEY_POST = "authentik/flows/post"
 SESSION_KEY_HISTORY = "authentik/flows/history"
 QS_KEY_TOKEN = "flow_token"  # nosec
 QS_QUERY = "query"
+QS_EXEC_ID = "xid"


 def challenge_types():
@ -97,6 +100,88 @@ class InvalidStageError(SentryIgnoredException):
    """Error raised when a challenge from a stage is not valid"""


+class FlowContainer:
+    """Allow for multiple concurrent flow executions in the same session"""
+
+    def __init__(self, request: HttpRequest, exec_id: str | None = None) -> None:
+        self.request = request
+        self.exec_id = exec_id
+
+    @staticmethod
+    def new(request: HttpRequest):
+        exec_id = str(uuid4())
+        request.session[SESSION_KEY_PLAN_CONTAINER % exec_id] = {}
+        return FlowContainer(request, exec_id)
+
+    def exists(self) -> bool:
+        """Check if flow exists in container/session"""
+        return SESSION_KEY_PLAN in self.session
+
+    def save(self):
+        self.request.session.modified = True
+
+    @property
+    def session(self):
+        # Backwards compatibility: store session plan/etc directly in session
+        if not self.exec_id:
+            return self.request.session
+        self.request.session.setdefault(SESSION_KEY_PLAN_CONTAINER % self.exec_id, {})
+        return self.request.session.get(SESSION_KEY_PLAN_CONTAINER % self.exec_id, {})
+
+    @property
+    def plan(self) -> FlowPlan:
+        return self.session.get(SESSION_KEY_PLAN)
+
+    def to_redirect(
+        self,
+        request: HttpRequest,
+        flow: Flow,
+        allowed_silent_types: list[StageView] | None = None,
+        **get_params,
+    ) -> HttpResponse:
+        get_params[QS_EXEC_ID] = self.exec_id
+        return self.plan.to_redirect(
+            request, flow, allowed_silent_types=allowed_silent_types, **get_params
+        )
+
+    @plan.setter
+    def plan(self, value: FlowPlan):
+        self.session[SESSION_KEY_PLAN] = value
+        self.request.session.modified = True
+        self.save()
+
+    @property
+    def application_pre(self):
+        return self.session.get(SESSION_KEY_APPLICATION_PRE)
+
+    @property
+    def get(self) -> QueryDict:
+        return self.session.get(SESSION_KEY_GET)
+
+    @get.setter
+    def get(self, value: QueryDict):
+        self.session[SESSION_KEY_GET] = value
+        self.save()
+
+    @property
+    def post(self) -> QueryDict:
+        return self.session.get(SESSION_KEY_POST)
+
+    @post.setter
+    def post(self, value: QueryDict):
+        self.session[SESSION_KEY_POST] = value
+        self.save()
+
+    @property
+    def history(self) -> list[FlowPlan]:
+        return self.session.get(SESSION_KEY_HISTORY)
+
+    @history.setter
+    def history(self, value: list[FlowPlan]):
+        self.session[SESSION_KEY_HISTORY] = value
+        self.save()
+
+
@method_decorator(xframe_options_sameorigin, name="dispatch")
 class FlowExecutorView(APIView):
    """Flow executor, passing requests to Stage Views"""
@ -104,8 +189,9 @@ class FlowExecutorView(APIView):
    permission_classes = [AllowAny]

    flow: Flow = None
-
    plan: FlowPlan | None = None
+    container: FlowContainer
+
    current_binding: FlowStageBinding | None = None
    current_stage: Stage
    current_stage_view: View
@ -160,10 +246,12 @@ class FlowExecutorView(APIView):
            if QS_KEY_TOKEN in get_params:
                plan = self._check_flow_token(get_params[QS_KEY_TOKEN])
                if plan:
-                    self.request.session[SESSION_KEY_PLAN] = plan
+                    container = FlowContainer.new(request)
+                    container.plan = plan
            # Early check if there's an active Plan for the current session
-            if SESSION_KEY_PLAN in self.request.session:
-                self.plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
+            self.container = FlowContainer(request, request.GET.get(QS_EXEC_ID))
+            if self.container.exists():
+                self.plan: FlowPlan = self.container.plan
                if self.plan.flow_pk != self.flow.pk.hex:
                    self._logger.warning(
                        "f(exec): Found existing plan for other flow, deleting plan",
@ -176,13 +264,14 @@ class FlowExecutorView(APIView):
                    self._logger.debug("f(exec): Continuing existing plan")

            # Initial flow request, check if we have an upstream query string passed in
-            request.session[SESSION_KEY_GET] = get_params
+            self.container.get = get_params
            # Don't check session again as we've either already loaded the plan or we need to plan
            if not self.plan:
-                request.session[SESSION_KEY_HISTORY] = []
+                self.container.history = []
                self._logger.debug("f(exec): No active Plan found, initiating planner")
                try:
                    self.plan = self._initiate_plan()
+                    self.container.plan = self.plan
                except FlowNonApplicableException as exc:
                    self._logger.warning("f(exec): Flow not applicable to current user", exc=exc)
                    return self.handle_invalid_flow(exc)
@ -254,12 +343,19 @@ class FlowExecutorView(APIView):
        request=OpenApiTypes.NONE,
        parameters=[
            OpenApiParameter(
-                name="query",
+                name=QS_QUERY,
                location=OpenApiParameter.QUERY,
                required=True,
                description="Querystring as received",
                type=OpenApiTypes.STR,
-            )
+            ),
+            OpenApiParameter(
+                name=QS_EXEC_ID,
+                location=OpenApiParameter.QUERY,
+                required=False,
+                description="Flow execution ID",
+                type=OpenApiTypes.STR,
+            ),
        ],
        operation_id="flows_executor_get",
    )
@ -286,7 +382,7 @@ class FlowExecutorView(APIView):
                span.set_data("authentik Stage", self.current_stage_view)
                span.set_data("authentik Flow", self.flow.slug)
                stage_response = self.current_stage_view.dispatch(request)
-                return to_stage_response(request, stage_response)
+                return to_stage_response(request, stage_response, self.container.exec_id)
        except Exception as exc:
            return self.handle_exception(exc)

@ -305,12 +401,19 @@ class FlowExecutorView(APIView):
        ),
        parameters=[
            OpenApiParameter(
-                name="query",
+                name=QS_QUERY,
                location=OpenApiParameter.QUERY,
                required=True,
                description="Querystring as received",
                type=OpenApiTypes.STR,
-            )
+            ),
+            OpenApiParameter(
+                name=QS_EXEC_ID,
+                location=OpenApiParameter.QUERY,
+                required=True,
+                description="Flow execution ID",
+                type=OpenApiTypes.STR,
+            ),
        ],
        operation_id="flows_executor_solve",
    )
@ -337,14 +440,15 @@ class FlowExecutorView(APIView):
                span.set_data("authentik Stage", self.current_stage_view)
                span.set_data("authentik Flow", self.flow.slug)
                stage_response = self.current_stage_view.dispatch(request)
-                return to_stage_response(request, stage_response)
+                return to_stage_response(request, stage_response, self.container.exec_id)
        except Exception as exc:
            return self.handle_exception(exc)

    def _initiate_plan(self) -> FlowPlan:
        planner = FlowPlanner(self.flow)
        plan = planner.plan(self.request)
-        self.request.session[SESSION_KEY_PLAN] = plan
+        container = FlowContainer.new(self.request)
+        container.plan = plan
        try:
            # Call the has_stages getter to check that
            # there are no issues with the class we might've gotten
@ -368,7 +472,7 @@ class FlowExecutorView(APIView):
        except FlowNonApplicableException as exc:
            self._logger.warning("f(exec): Flow restart not applicable to current user", exc=exc)
            return self.handle_invalid_flow(exc)
-        self.request.session[SESSION_KEY_PLAN] = plan
+        self.container.plan = plan
        kwargs = self.kwargs
        kwargs.update({"flow_slug": self.flow.slug})
        return redirect_with_qs("authentik_api:flow-executor", self.request.GET, **kwargs)
@ -390,9 +494,13 @@ class FlowExecutorView(APIView):
        )
        self.cancel()
        if next_param and not is_url_absolute(next_param):
-            return to_stage_response(self.request, redirect_with_qs(next_param))
+            return to_stage_response(
+                self.request, redirect_with_qs(next_param), self.container.exec_id
+            )
        return to_stage_response(
-            self.request, self.stage_invalid(error_message=_("Invalid next URL"))
+            self.request,
+            self.stage_invalid(error_message=_("Invalid next URL")),
+            self.container.exec_id,
        )

    def stage_ok(self) -> HttpResponse:
@ -406,7 +514,7 @@ class FlowExecutorView(APIView):
            self.current_stage_view.cleanup()
        self.request.session.get(SESSION_KEY_HISTORY, []).append(deepcopy(self.plan))
        self.plan.pop()
-        self.request.session[SESSION_KEY_PLAN] = self.plan
+        self.container.plan = self.plan
        if self.plan.bindings:
            self._logger.debug(
                "f(exec): Continuing with next stage",
@ -449,6 +557,7 @@ class FlowExecutorView(APIView):

    def cancel(self):
        """Cancel current flow execution"""
+        # TODO: Clean up container
        keys_to_delete = [
            SESSION_KEY_APPLICATION_PRE,
            SESSION_KEY_PLAN,
@ -471,8 +580,8 @@ class CancelView(View):

    def get(self, request: HttpRequest) -> HttpResponse:
        """View which canels the currently active plan"""
-        if SESSION_KEY_PLAN in request.session:
-            del request.session[SESSION_KEY_PLAN]
+        if FlowContainer(request, request.GET.get(QS_EXEC_ID)).exists():
+            del request.session[SESSION_KEY_PLAN_CONTAINER % request.GET.get(QS_EXEC_ID)]
            LOGGER.debug("Canceled current plan")
        return redirect("authentik_flows:default-invalidation")

@ -520,19 +629,12 @@ class ToDefaultFlow(View):

    def dispatch(self, request: HttpRequest) -> HttpResponse:
        flow = self.get_flow()
-        # If user already has a pending plan, clear it so we don't have to later.
-        if SESSION_KEY_PLAN in self.request.session:
-            plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
-            if plan.flow_pk != flow.pk.hex:
-                LOGGER.warning(
-                    "f(def): Found existing plan for other flow, deleting plan",
-                    flow_slug=flow.slug,
-                )
-                del self.request.session[SESSION_KEY_PLAN]
-        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
+        get_qs = request.GET.copy()
+        get_qs[QS_EXEC_ID] = str(uuid4())
+        return redirect_with_qs("authentik_core:if-flow", get_qs, flow_slug=flow.slug)


-def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpResponse:
+def to_stage_response(request: HttpRequest, source: HttpResponse, xid: str) -> HttpResponse:
    """Convert normal HttpResponse into JSON Response"""
    if (
        isinstance(source, HttpResponseRedirect)
@ -551,6 +653,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
            RedirectChallenge(
                {
                    "to": str(redirect_url),
+                    "xid": xid,
                }
            )
        )
@ -559,6 +662,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
            ShellChallenge(
                {
                    "body": source.render().content.decode("utf-8"),
+                    "xid": xid,
                }
            )
        )
@ -568,6 +672,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
            ShellChallenge(
                {
                    "body": source.content.decode("utf-8"),
+                    "xid": xid,
                }
            )
        )
@ -599,4 +704,6 @@ class ConfigureFlowInitView(LoginRequiredMixin, View):
        except FlowNonApplicableException:
            LOGGER.warning("Flow not applicable to user")
            raise Http404 from None
-        return plan.to_redirect(request, stage.configure_flow)
+        container = FlowContainer.new(request)
+        container.plan = plan
+        return container.to_redirect(request, stage.configure_flow)
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -7,6 +7,7 @@ from ua_parser.user_agent_parser import Parse

 from authentik.core.views.interface import InterfaceView
 from authentik.flows.models import Flow
+from authentik.flows.views.executor import QS_EXEC_ID


 class FlowInterfaceView(InterfaceView):
@ -15,6 +16,7 @@ class FlowInterfaceView(InterfaceView):
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        kwargs["inspector"] = "inspector" in self.request.GET
+        kwargs["xid"] = self.request.GET.get(QS_EXEC_ID)
        return super().get_context_data(**kwargs)

    def compat_needs_sfe(self) -> bool:
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -282,16 +282,14 @@ class ConfigLoader:

    def get_optional_int(self, path: str, default=None) -> int | None:
        """Wrapper for get that converts value into int or None if set"""
-        value = self.get(path, default)
+        value = self.get(path, UNSET)
        if value is UNSET:
            return default
        try:
            return int(value)
        except (ValueError, TypeError) as exc:
            if value is None or (isinstance(value, str) and value.lower() == "null"):
-                return default
-            if value is UNSET:
-                return default
+                return None
            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
            return default

@ -372,9 +370,9 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
            },
-            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
-            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
-            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
+            "CONN_MAX_AGE": config.get_optional_int("postgresql.conn_max_age", 0),
+            "CONN_HEALTH_CHECKS": config.get_bool("postgresql.conn_health_checks", False),
+            "DISABLE_SERVER_SIDE_CURSORS": config.get_bool(
                "postgresql.disable_server_side_cursors", False
            ),
            "TEST": {
@ -383,8 +381,8 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        }
    }

-    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
-    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
+    conn_max_age = config.get_optional_int("postgresql.conn_max_age", UNSET)
+    disable_server_side_cursors = config.get_bool("postgresql.disable_server_side_cursors", UNSET)
    if config.get_bool("postgresql.use_pgpool", False):
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        if disable_server_side_cursors is not UNSET:
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -64,6 +64,8 @@ debugger: false
 log_level: info

 session_storage: cache
+sessions:
+  unauthenticated_age: days=1

 error_reporting:
  enabled: false
--- a/authentik/lib/sync/outgoing/api.py
+++ b/authentik/lib/sync/outgoing/api.py
@ -33,6 +33,7 @@ class SyncObjectSerializer(PassiveSerializer):
        )
    )
    sync_object_id = CharField()
+    override_dry_run = BooleanField(default=False)


 class SyncObjectResultSerializer(PassiveSerializer):
@ -98,6 +99,7 @@ class OutgoingSyncProviderStatusMixin:
            page=1,
            provider_pk=provider.pk,
            pk=params.validated_data["sync_object_id"],
+            override_dry_run=params.validated_data["override_dry_run"],
        ).get()
        return Response(SyncObjectResultSerializer(instance={"messages": res}).data)

--- a/authentik/lib/sync/outgoing/base.py
+++ b/authentik/lib/sync/outgoing/base.py
@ -28,6 +28,14 @@ class Direction(StrEnum):
    remove = "remove"


+SAFE_METHODS = [
+    "GET",
+    "HEAD",
+    "OPTIONS",
+    "TRACE",
+]
+
+
 class BaseOutgoingSyncClient[
    TModel: "Model", TConnection: "Model", TSchema: dict, TProvider: "OutgoingSyncProvider"
 ]:
--- a/authentik/lib/sync/outgoing/exceptions.py
+++ b/authentik/lib/sync/outgoing/exceptions.py
@ -21,6 +21,22 @@ class BadRequestSyncException(BaseSyncException):
    """Exception when invalid data was sent to the remote system"""


+class DryRunRejected(BaseSyncException):
+    """When dry_run is enabled and a provider dropped a mutating request"""
+
+    def __init__(self, url: str, method: str, body: dict):
+        super().__init__()
+        self.url = url
+        self.method = method
+        self.body = body
+
+    def __repr__(self):
+        return self.__str__()
+
+    def __str__(self):
+        return f"Dry-run rejected request: {self.method} {self.url}"
+
+
 class StopSync(BaseSyncException):
    """Exception raised when a configuration error should stop the sync process"""

--- a/authentik/lib/sync/outgoing/models.py
+++ b/authentik/lib/sync/outgoing/models.py
@ -1,8 +1,9 @@
 from typing import Any, Self

 import pglock
-from django.db import connection
+from django.db import connection, models
 from django.db.models import Model, QuerySet, TextChoices
+from django.utils.translation import gettext_lazy as _

 from authentik.core.models import Group, User
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
@ -18,6 +19,14 @@ class OutgoingSyncDeleteAction(TextChoices):


 class OutgoingSyncProvider(Model):
+    """Base abstract models for providers implementing outgoing sync"""
+
+    dry_run = models.BooleanField(
+        default=False,
+        help_text=_(
+            "When enabled, provider will not modify or create objects in the remote system."
+        ),
+    )

    class Meta:
        abstract = True
@ -32,7 +41,7 @@ class OutgoingSyncProvider(Model):

    @property
    def sync_lock(self) -> pglock.advisory:
-        """Postgres lock for syncing SCIM to prevent multiple parallel syncs happening"""
+        """Postgres lock for syncing to prevent multiple parallel syncs happening"""
        return pglock.advisory(
            lock_id=f"goauthentik.io/{connection.schema_name}/providers/outgoing-sync/{str(self.pk)}",
            timeout=0,
--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@ -20,6 +20,7 @@ from authentik.lib.sync.outgoing import PAGE_SIZE, PAGE_TIMEOUT
 from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.exceptions import (
    BadRequestSyncException,
+    DryRunRejected,
    StopSync,
    TransientSyncException,
 )
@ -105,7 +106,9 @@ class SyncTasks:
                return
        task.set_status(TaskStatus.SUCCESSFUL, *messages)

-    def sync_objects(self, object_type: str, page: int, provider_pk: int, **filter):
+    def sync_objects(
+        self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
+    ):
        _object_type = path_to_class(object_type)
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
@ -116,6 +119,10 @@ class SyncTasks:
        provider = self._provider_model.objects.filter(pk=provider_pk).first()
        if not provider:
            return messages
+        # Override dry run mode if requested, however don't save the provider
+        # so that scheduled sync tasks still run in dry_run mode
+        if override_dry_run:
+            provider.dry_run = False
        try:
            client = provider.client_for_model(_object_type)
        except TransientSyncException:
@ -132,6 +139,22 @@ class SyncTasks:
            except SkipObjectException:
                self.logger.debug("skipping object due to SkipObject", obj=obj)
                continue
+            except DryRunRejected as exc:
+                messages.append(
+                    asdict(
+                        LogEvent(
+                            _("Dropping mutating request due to dry run"),
+                            log_level="info",
+                            logger=f"{provider._meta.verbose_name}@{object_type}",
+                            attributes={
+                                "obj": sanitize_item(obj),
+                                "method": exc.method,
+                                "url": exc.url,
+                                "body": exc.body,
+                            },
+                        )
+                    )
+                )
            except BadRequestSyncException as exc:
                self.logger.warning("failed to sync object", exc=exc, obj=obj)
                messages.append(
@ -231,8 +254,10 @@ class SyncTasks:
                raise Retry() from exc
            except SkipObjectException:
                continue
+            except DryRunRejected as exc:
+                self.logger.info("Rejected dry-run event", exc=exc)
            except StopSync as exc:
-                self.logger.warning(exc, provider_pk=provider.pk)
+                self.logger.warning("Stopping sync", exc=exc, provider_pk=provider.pk)

    def sync_signal_m2m(self, group_pk: str, action: str, pk_set: list[int]):
        self.logger = get_logger().bind(
@ -263,5 +288,7 @@ class SyncTasks:
                raise Retry() from exc
            except SkipObjectException:
                continue
+            except DryRunRejected as exc:
+                self.logger.info("Rejected dry-run event", exc=exc)
            except StopSync as exc:
-                self.logger.warning(exc, provider_pk=provider.pk)
+                self.logger.warning("Stopping sync", exc=exc, provider_pk=provider.pk)
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -158,6 +158,18 @@ class TestConfig(TestCase):
            test_obj = Test()
            dumps(test_obj, indent=4, cls=AttrEncoder)

+    def test_get_optional_int(self):
+        config = ConfigLoader()
+        self.assertEqual(config.get_optional_int("foo", 21), 21)
+        self.assertEqual(config.get_optional_int("foo"), None)
+        config.set("foo", "21")
+        self.assertEqual(config.get_optional_int("foo"), 21)
+        self.assertEqual(config.get_optional_int("foo", 0), 21)
+        self.assertEqual(config.get_optional_int("foo", "null"), 21)
+        config.set("foo", "null")
+        self.assertEqual(config.get_optional_int("foo"), None)
+        self.assertEqual(config.get_optional_int("foo", 21), None)
+
    @mock.patch.dict(environ, check_deprecations_env_vars)
    def test_check_deprecations(self):
        """Test config key re-write for deprecated env vars"""
@ -221,6 +233,16 @@ class TestConfig(TestCase):
            },
        )

+    def test_db_conn_max_age(self):
+        """Test DB conn_max_age Config"""
+        config = ConfigLoader()
+        config.set("postgresql.conn_max_age", "null")
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf["default"]["CONN_MAX_AGE"],
+            None,
+        )
+
    def test_db_read_replicas(self):
        """Test read replicas"""
        config = ConfigLoader()
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -19,7 +19,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.core.models import Provider
 from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.providers.rac.models import RACProvider
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
 from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
@ -31,6 +30,7 @@ from authentik.outposts.models import (
 )
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
+from authentik.providers.rac.models import RACProvider
 from authentik.providers.radius.models import RadiusProvider


--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -1,5 +1,6 @@
 """Base Kubernetes Reconciler"""

+import re
 from dataclasses import asdict
 from json import dumps
 from typing import TYPE_CHECKING, Generic, TypeVar
@ -67,7 +68,8 @@ class KubernetesObjectReconciler(Generic[T]):
    @property
    def name(self) -> str:
        """Get the name of the object this reconciler manages"""
-        return (
+
+        base_name = (
            self.controller.outpost.config.object_naming_template
            % {
                "name": slugify(self.controller.outpost.name),
@ -75,6 +77,16 @@ class KubernetesObjectReconciler(Generic[T]):
            }
        ).lower()

+        formatted = slugify(base_name)
+        formatted = re.sub(r"[^a-z0-9-]", "-", formatted)
+        formatted = re.sub(r"-+", "-", formatted)
+        formatted = formatted[:63]
+
+        if not formatted:
+            formatted = f"outpost-{self.controller.outpost.uuid.hex}"[:63]
+
+        return formatted
+
    def get_patched_reference_object(self) -> T:
        """Get patched reference object"""
        reference = self.get_reference_object()
@ -112,7 +124,6 @@ class KubernetesObjectReconciler(Generic[T]):
            try:
                current = self.retrieve()
            except (OpenApiException, HTTPError) as exc:
-
                if isinstance(exc, ApiException) and exc.status == HttpResponseNotFound.status_code:
                    self.logger.debug("Failed to get current, triggering recreate")
                    raise NeedsRecreate from exc
@ -156,7 +167,6 @@ class KubernetesObjectReconciler(Generic[T]):
            self.delete(current)
            self.logger.debug("Removing")
        except (OpenApiException, HTTPError) as exc:
-
            if isinstance(exc, ApiException) and exc.status == HttpResponseNotFound.status_code:
                self.logger.debug("Failed to get current, assuming non-existent")
                return
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -61,9 +61,14 @@ class KubernetesController(BaseController):
    client: KubernetesClient
    connection: KubernetesServiceConnection

-    def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection) -> None:
+    def __init__(
+        self,
+        outpost: Outpost,
+        connection: KubernetesServiceConnection,
+        client: KubernetesClient | None = None,
+    ) -> None:
        super().__init__(outpost, connection)
-        self.client = KubernetesClient(connection)
+        self.client = client if client else KubernetesClient(connection)
        self.reconcilers = {
            SecretReconciler.reconciler_name(): SecretReconciler,
            DeploymentReconciler.reconciler_name(): DeploymentReconciler,
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -18,8 +18,6 @@ from kubernetes.config.kube_config import KUBE_CONFIG_DEFAULT_LOCATION
 from structlog.stdlib import get_logger
 from yaml import safe_load

-from authentik.enterprise.providers.rac.controllers.docker import RACDockerController
-from authentik.enterprise.providers.rac.controllers.kubernetes import RACKubernetesController
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.lib.config import CONFIG
@ -41,6 +39,8 @@ from authentik.providers.ldap.controllers.docker import LDAPDockerController
 from authentik.providers.ldap.controllers.kubernetes import LDAPKubernetesController
 from authentik.providers.proxy.controllers.docker import ProxyDockerController
 from authentik.providers.proxy.controllers.kubernetes import ProxyKubernetesController
+from authentik.providers.rac.controllers.docker import RACDockerController
+from authentik.providers.rac.controllers.kubernetes import RACKubernetesController
 from authentik.providers.radius.controllers.docker import RadiusDockerController
 from authentik.providers.radius.controllers.kubernetes import RadiusKubernetesController
 from authentik.root.celery import CELERY_APP
--- a/authentik/outposts/tests/test_controller_k8s.py
+++ b/authentik/outposts/tests/test_controller_k8s.py
@ -0,0 +1,44 @@
+"""Kubernetes controller tests"""
+
+from django.test import TestCase
+
+from authentik.blueprints.tests import reconcile_app
+from authentik.lib.generators import generate_id
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
+from authentik.outposts.controllers.kubernetes import KubernetesController
+from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
+
+
+class KubernetesControllerTests(TestCase):
+    """Kubernetes controller tests"""
+
+    @reconcile_app("authentik_outposts")
+    def setUp(self) -> None:
+        self.outpost = Outpost.objects.create(
+            name="test",
+            type=OutpostType.PROXY,
+        )
+        self.integration = KubernetesServiceConnection(name="test")
+
+    def test_gen_name(self):
+        """Ensure the generated name is valid"""
+        controller = KubernetesController(
+            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(),
+            self.integration,
+            # Pass something not-none as client so we don't
+            # attempt to connect to K8s as that's not needed
+            client=self,
+        )
+        rec = DeploymentReconciler(controller)
+        self.assertEqual(rec.name, "ak-outpost-authentik-embedded-outpost")
+
+        controller.outpost.name = generate_id()
+        self.assertLess(len(rec.name), 64)
+
+        # Test custom naming template
+        _cfg = controller.outpost.config
+        _cfg.object_naming_template = ""
+        controller.outpost.config = _cfg
+        self.assertEqual(rec.name, f"outpost-{controller.outpost.uuid.hex}")
+        self.assertLess(len(rec.name), 64)
--- a/authentik/policies/geoip/models.py
+++ b/authentik/policies/geoip/models.py
@ -128,7 +128,7 @@ class GeoIPPolicy(Policy):
                (geoip_data["lat"], geoip_data["long"]),
            )
            if self.check_history_distance and dist.km >= (
-                self.history_max_distance_km - self.distance_tolerance_km
+                self.history_max_distance_km + self.distance_tolerance_km
            ):
                return PolicyResult(
                    False, _("Distance from previous authentication is larger than threshold.")
@ -139,7 +139,7 @@ class GeoIPPolicy(Policy):
            # clamped to be at least 1 hour
            rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 3600), 1)
            if self.check_impossible_travel and dist.km >= (
-                (MAX_DISTANCE_HOUR_KM * rel_time_hours) - self.distance_tolerance_km
+                (MAX_DISTANCE_HOUR_KM * rel_time_hours) + self.distance_tolerance_km
            ):
                return PolicyResult(False, _("Distance is further than possible."))
        return PolicyResult(True)
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -148,10 +148,10 @@ class PasswordPolicy(Policy):
            user_inputs.append(request.user.email)
        if request.http_request:
            user_inputs.append(request.http_request.brand.branding_title)
-        # Only calculate result for the first 100 characters, as with over 100 char
+        # Only calculate result for the first 72 characters, as with over 100 char
        # long passwords we can be reasonably sure that they'll surpass the score anyways
        # See https://github.com/dropbox/zxcvbn#runtime-latency
-        results = zxcvbn(password[:100], user_inputs)
+        results = zxcvbn(password[:72], user_inputs)
        LOGGER.debug("password failed", check="zxcvbn", score=results["score"])
        result = PolicyResult(results["score"] > self.zxcvbn_score_threshold)
        if not result.passing:
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -9,7 +9,12 @@ from hashlib import sha256
 from typing import Any
 from urllib.parse import urlparse, urlunparse

-from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
+from cryptography.hazmat.primitives.asymmetric.ec import (
+    SECP256R1,
+    SECP384R1,
+    SECP521R1,
+    EllipticCurvePrivateKey,
+)
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from dacite import Config
@ -114,6 +119,22 @@ class JWTAlgorithms(models.TextChoices):
    HS256 = "HS256", _("HS256 (Symmetric Encryption)")
    RS256 = "RS256", _("RS256 (Asymmetric Encryption)")
    ES256 = "ES256", _("ES256 (Asymmetric Encryption)")
+    ES384 = "ES384", _("ES384 (Asymmetric Encryption)")
+    ES512 = "ES512", _("ES512 (Asymmetric Encryption)")
+
+    @classmethod
+    def from_private_key(cls, private_key: PrivateKeyTypes | None) -> str:
+        if isinstance(private_key, RSAPrivateKey):
+            return cls.RS256
+        if isinstance(private_key, EllipticCurvePrivateKey):
+            curve = private_key.curve
+            if isinstance(curve, SECP256R1):
+                return cls.ES256
+            if isinstance(curve, SECP384R1):
+                return cls.ES384
+            if isinstance(curve, SECP521R1):
+                return cls.ES512
+        raise ValueError(f"Invalid private key type: {type(private_key)}")


 class ScopeMapping(PropertyMapping):
@ -263,11 +284,7 @@ class OAuth2Provider(WebfingerProvider, Provider):
            return self.client_secret, JWTAlgorithms.HS256
        key: CertificateKeyPair = self.signing_key
        private_key = key.private_key
-        if isinstance(private_key, RSAPrivateKey):
-            return private_key, JWTAlgorithms.RS256
-        if isinstance(private_key, EllipticCurvePrivateKey):
-            return private_key, JWTAlgorithms.ES256
-        raise ValueError(f"Invalid private key type: {type(private_key)}")
+        return private_key, JWTAlgorithms.from_private_key(private_key)

    def get_issuer(self, request: HttpRequest) -> str | None:
        """Get issuer, based on request"""
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -254,10 +254,10 @@ class OAuthAuthorizationParams:
            raise AuthorizeError(self.redirect_uri, "invalid_scope", self.grant_type, self.state)
        if SCOPE_OFFLINE_ACCESS in self.scope:
            # https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
-            if PROMPT_CONSENT not in self.prompt:
-                # Instead of ignoring the `offline_access` scope when `prompt`
-                # isn't set to `consent`, we set override it ourselves
-                self.prompt.add(PROMPT_CONSENT)
+            # Don't explicitly request consent with offline_access, as the spec allows for
+            # "other conditions for processing the request permitting offline access to the
+            # requested resources are in place"
+            # which we interpret as "the admin picks an authorization flow with or without consent"
            if self.response_type not in [
                ResponseTypes.CODE,
                ResponseTypes.CODE_TOKEN,
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -71,7 +71,7 @@ class CodeValidatorView(PolicyAccessView):
        except FlowNonApplicableException:
            LOGGER.warning("Flow not applicable to user")
            return None
-        plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
+        plan.append_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
        return plan.to_redirect(self.request, self.token.provider.authorization_flow)


--- a/authentik/providers/oauth2/views/end_session.py
+++ b/authentik/providers/oauth2/views/end_session.py
@ -34,5 +34,5 @@ class EndSessionView(PolicyAccessView):
                PLAN_CONTEXT_APPLICATION: self.application,
            },
        )
-        plan.insert_stage(in_memory_stage(SessionEndStage))
+        plan.append_stage(in_memory_stage(SessionEndStage))
        return plan.to_redirect(self.request, self.flow)
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@ -75,10 +75,7 @@ class JWKSView(View):
        key_data = {}

        if use == "sig":
-            if isinstance(private_key, RSAPrivateKey):
-                key_data["alg"] = JWTAlgorithms.RS256
-            elif isinstance(private_key, EllipticCurvePrivateKey):
-                key_data["alg"] = JWTAlgorithms.ES256
+            key_data["alg"] = JWTAlgorithms.from_private_key(private_key)
        elif use == "enc":
            key_data["alg"] = "RSA-OAEP-256"
            key_data["enc"] = "A256CBC-HS512"
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@ -36,17 +36,17 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
    def reconciler_name() -> str:
        return "ingress"

-    def _check_annotations(self, reference: V1Ingress):
+    def _check_annotations(self, current: V1Ingress, reference: V1Ingress):
        """Check that all annotations *we* set are correct"""
-        for key, value in self.get_ingress_annotations().items():
-            if key not in reference.metadata.annotations:
+        for key, value in reference.metadata.annotations.items():
+            if key not in current.metadata.annotations:
                raise NeedsUpdate()
-            if reference.metadata.annotations[key] != value:
+            if current.metadata.annotations[key] != value:
                raise NeedsUpdate()

    def reconcile(self, current: V1Ingress, reference: V1Ingress):
        super().reconcile(current, reference)
-        self._check_annotations(reference)
+        self._check_annotations(current, reference)
        # Create a list of all expected host and tls hosts
        expected_hosts = []
        expected_hosts_tls = []
--- a/authentik/enterprise/providers/rac/init.py
+++ b/authentik/enterprise/providers/rac/init.py
--- a/authentik/enterprise/providers/rac/api/init.py
+++ b/authentik/enterprise/providers/rac/api/init.py
--- a/authentik/enterprise/providers/rac/api/connection_tokens.py
+++ b/authentik/enterprise/providers/rac/api/connection_tokens.py
@ -6,13 +6,12 @@ from rest_framework.viewsets import GenericViewSet
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
-from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
-from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.providers.rac.api.endpoints import EndpointSerializer
+from authentik.providers.rac.api.providers import RACProviderSerializer
+from authentik.providers.rac.models import ConnectionToken


-class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
+class ConnectionTokenSerializer(ModelSerializer):
    """ConnectionToken Serializer"""

    provider_obj = RACProviderSerializer(source="provider", read_only=True)
--- a/authentik/enterprise/providers/rac/api/endpoints.py
+++ b/authentik/enterprise/providers/rac/api/endpoints.py
@ -14,10 +14,9 @@ from structlog.stdlib import get_logger
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Provider
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
-from authentik.enterprise.providers.rac.models import Endpoint
 from authentik.policies.engine import PolicyEngine
+from authentik.providers.rac.api.providers import RACProviderSerializer
+from authentik.providers.rac.models import Endpoint
 from authentik.rbac.filters import ObjectFilter

 LOGGER = get_logger()
@ -28,7 +27,7 @@ def user_endpoint_cache_key(user_pk: str) -> str:
    return f"goauthentik.io/providers/rac/endpoint_access/{user_pk}"


-class EndpointSerializer(EnterpriseRequiredMixin, ModelSerializer):
+class EndpointSerializer(ModelSerializer):
    """Endpoint Serializer"""

    provider_obj = RACProviderSerializer(source="provider", read_only=True)
--- a/authentik/enterprise/providers/rac/api/property_mappings.py
+++ b/authentik/enterprise/providers/rac/api/property_mappings.py
@ -10,7 +10,7 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.property_mappings import PropertyMappingSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField
-from authentik.enterprise.providers.rac.models import RACPropertyMapping
+from authentik.providers.rac.models import RACPropertyMapping


 class RACPropertyMappingSerializer(PropertyMappingSerializer):
--- a/authentik/enterprise/providers/rac/api/providers.py
+++ b/authentik/enterprise/providers/rac/api/providers.py
@ -5,11 +5,10 @@ from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.providers.rac.models import RACProvider
+from authentik.providers.rac.models import RACProvider


-class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+class RACProviderSerializer(ProviderSerializer):
    """RACProvider Serializer"""

    outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
--- a/authentik/providers/rac/apps.py
+++ b/authentik/providers/rac/apps.py
@ -0,0 +1,14 @@
+"""RAC app config"""
+
+from authentik.blueprints.apps import ManagedAppConfig
+
+
+class AuthentikProviderRAC(ManagedAppConfig):
+    """authentik rac app config"""
+
+    name = "authentik.providers.rac"
+    label = "authentik_providers_rac"
+    verbose_name = "authentik Providers.RAC"
+    default = True
+    mountpoint = ""
+    ws_mountpoint = "authentik.providers.rac.urls"
--- a/authentik/enterprise/providers/rac/consumer_client.py
+++ b/authentik/enterprise/providers/rac/consumer_client.py
@ -7,22 +7,22 @@ from channels.generic.websocket import AsyncWebsocketConsumer
 from django.http.request import QueryDict
 from structlog.stdlib import BoundLogger, get_logger

-from authentik.enterprise.providers.rac.models import ConnectionToken, RACProvider
 from authentik.outposts.consumer import OUTPOST_GROUP_INSTANCE
 from authentik.outposts.models import Outpost, OutpostState, OutpostType
+from authentik.providers.rac.models import ConnectionToken, RACProvider

 # Global broadcast group, which messages are sent to when the outpost connects back
 # to authentik for a specific connection
 # The `RACClientConsumer` consumer adds itself to this group on connection,
 # and removes itself once it has been assigned a specific outpost channel
-RAC_CLIENT_GROUP = "group_enterprise_rac_client"
+RAC_CLIENT_GROUP = "group_rac_client"
 # A group for all connections in a given authentik session ID
 # A disconnect message is sent to this group when the session expires/is deleted
-RAC_CLIENT_GROUP_SESSION = "group_enterprise_rac_client_%(session)s"
+RAC_CLIENT_GROUP_SESSION = "group_rac_client_%(session)s"
 # A group for all connections with a specific token, which in almost all cases
 # is just one connection, however this is used to disconnect the connection
 # when the token is deleted
-RAC_CLIENT_GROUP_TOKEN = "group_enterprise_rac_token_%(token)s"  # nosec
+RAC_CLIENT_GROUP_TOKEN = "group_rac_token_%(token)s"  # nosec

 # Step 1: Client connects to this websocket endpoint
 # Step 2: We prepare all the connection args for Guac
--- a/authentik/enterprise/providers/rac/consumer_outpost.py
+++ b/authentik/enterprise/providers/rac/consumer_outpost.py
@ -3,7 +3,7 @@
 from channels.exceptions import ChannelFull
 from channels.generic.websocket import AsyncWebsocketConsumer

-from authentik.enterprise.providers.rac.consumer_client import RAC_CLIENT_GROUP
+from authentik.providers.rac.consumer_client import RAC_CLIENT_GROUP


 class RACOutpostConsumer(AsyncWebsocketConsumer):
--- a/authentik/enterprise/providers/rac/controllers/init.py
+++ b/authentik/enterprise/providers/rac/controllers/init.py
--- a/authentik/enterprise/providers/rac/controllers/docker.py
+++ b/authentik/enterprise/providers/rac/controllers/docker.py
--- a/authentik/enterprise/providers/rac/controllers/kubernetes.py
+++ b/authentik/enterprise/providers/rac/controllers/kubernetes.py
--- a/authentik/enterprise/providers/rac/migrations/0001_initial.py
+++ b/authentik/enterprise/providers/rac/migrations/0001_initial.py
--- a/authentik/enterprise/providers/rac/migrations/0001_squashed_0003_alter_connectiontoken_options_and_more.py
+++ b/authentik/enterprise/providers/rac/migrations/0001_squashed_0003_alter_connectiontoken_options_and_more.py
--- a/authentik/enterprise/providers/rac/migrations/0002_endpoint_maximum_connections.py
+++ b/authentik/enterprise/providers/rac/migrations/0002_endpoint_maximum_connections.py
--- a/authentik/enterprise/providers/rac/migrations/0003_alter_connectiontoken_options_and_more.py
+++ b/authentik/enterprise/providers/rac/migrations/0003_alter_connectiontoken_options_and_more.py
--- a/authentik/enterprise/providers/rac/migrations/0004_alter_connectiontoken_expires.py
+++ b/authentik/enterprise/providers/rac/migrations/0004_alter_connectiontoken_expires.py
--- a/authentik/enterprise/providers/rac/migrations/0005_alter_racpropertymapping_options.py
+++ b/authentik/enterprise/providers/rac/migrations/0005_alter_racpropertymapping_options.py
--- a/authentik/enterprise/providers/rac/migrations/0006_connectiontoken_authentik_p_expires_91f148_idx_and_more.py
+++ b/authentik/enterprise/providers/rac/migrations/0006_connectiontoken_authentik_p_expires_91f148_idx_and_more.py
--- a/authentik/enterprise/providers/rac/migrations/init.py
+++ b/authentik/enterprise/providers/rac/migrations/init.py
--- a/authentik/enterprise/providers/rac/models.py
+++ b/authentik/enterprise/providers/rac/models.py
@ -74,7 +74,7 @@ class RACProvider(Provider):

    @property
    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
+        from authentik.providers.rac.api.providers import RACProviderSerializer

        return RACProviderSerializer

@ -100,7 +100,7 @@ class Endpoint(SerializerModel, PolicyBindingModel):

    @property
    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
+        from authentik.providers.rac.api.endpoints import EndpointSerializer

        return EndpointSerializer

@ -129,7 +129,7 @@ class RACPropertyMapping(PropertyMapping):

    @property
    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.rac.api.property_mappings import (
+        from authentik.providers.rac.api.property_mappings import (
            RACPropertyMappingSerializer,
        )

--- a/authentik/enterprise/providers/rac/signals.py
+++ b/authentik/enterprise/providers/rac/signals.py
@ -4,18 +4,17 @@ from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
-from django.db.models import Model
-from django.db.models.signals import post_save, pre_delete
+from django.db.models.signals import post_delete, post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest

 from authentik.core.models import User
-from authentik.enterprise.providers.rac.api.endpoints import user_endpoint_cache_key
-from authentik.enterprise.providers.rac.consumer_client import (
+from authentik.providers.rac.api.endpoints import user_endpoint_cache_key
+from authentik.providers.rac.consumer_client import (
    RAC_CLIENT_GROUP_SESSION,
    RAC_CLIENT_GROUP_TOKEN,
 )
-from authentik.enterprise.providers.rac.models import ConnectionToken, Endpoint
+from authentik.providers.rac.models import ConnectionToken, Endpoint


@receiver(user_logged_out)
@ -46,12 +45,8 @@ def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **
    )


-@receiver(post_save, sender=Endpoint)
-def post_save_endpoint(sender: type[Model], instance, created: bool, **_):
-    """Clear user's endpoint cache upon endpoint creation"""
-    if not created:  # pragma: no cover
-        return
-
-    # Delete user endpoint cache
+@receiver([post_save, post_delete], sender=Endpoint)
+def post_save_post_delete_endpoint(**_):
+    """Clear user's endpoint cache upon endpoint creation or deletion"""
    keys = cache.keys(user_endpoint_cache_key("*"))
    cache.delete_many(keys)
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -3,7 +3,7 @@
 {% load authentik_core %}

 {% block head %}
-<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
+<script src="{% versioned_script 'dist/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon_url }}">
--- a/authentik/enterprise/providers/rac/tests/init.py
+++ b/authentik/enterprise/providers/rac/tests/init.py
--- a/authentik/enterprise/providers/rac/tests/test_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_api.py
@ -1,16 +1,9 @@
 """Test RAC Provider"""

-from datetime import timedelta
-from time import mktime
-from unittest.mock import MagicMock, patch
-
 from django.urls import reverse
-from django.utils.timezone import now
 from rest_framework.test import APITestCase

 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import License
 from authentik.lib.generators import generate_id


@ -20,21 +13,8 @@ class TestAPI(APITestCase):
    def setUp(self) -> None:
        self.user = create_test_admin_user()

-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
    def test_create(self):
        """Test creation of RAC Provider"""
-        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:racprovider-list"),
--- a/authentik/enterprise/providers/rac/tests/test_endpoints_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_endpoints_api.py
@ -5,10 +5,10 @@ from rest_framework.test import APITestCase

 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.enterprise.providers.rac.models import Endpoint, Protocols, RACProvider
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
+from authentik.providers.rac.models import Endpoint, Protocols, RACProvider


 class TestEndpointsAPI(APITestCase):
--- a/authentik/enterprise/providers/rac/tests/test_models.py
+++ b/authentik/enterprise/providers/rac/tests/test_models.py
@ -4,14 +4,14 @@ from django.test import TransactionTestCase

 from authentik.core.models import Application, AuthenticatedSession
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.enterprise.providers.rac.models import (
+from authentik.lib.generators import generate_id
+from authentik.providers.rac.models import (
    ConnectionToken,
    Endpoint,
    Protocols,
    RACPropertyMapping,
    RACProvider,
 )
-from authentik.lib.generators import generate_id


 class TestModels(TransactionTestCase):
--- a/authentik/enterprise/providers/rac/tests/test_views.py
+++ b/authentik/enterprise/providers/rac/tests/test_views.py
@ -1,23 +1,17 @@
 """RAC Views tests"""

-from datetime import timedelta
 from json import loads
-from time import mktime
-from unittest.mock import MagicMock, patch

 from django.urls import reverse
-from django.utils.timezone import now
 from rest_framework.test import APITestCase

 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import License
-from authentik.enterprise.providers.rac.models import Endpoint, Protocols, RACProvider
 from authentik.lib.generators import generate_id
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
+from authentik.providers.rac.models import Endpoint, Protocols, RACProvider


 class TestRACViews(APITestCase):
@ -39,21 +33,8 @@ class TestRACViews(APITestCase):
            provider=self.provider,
        )

-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
    def test_no_policy(self):
        """Test request"""
-        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.get(
            reverse(
@ -70,18 +51,6 @@ class TestRACViews(APITestCase):
        final_response = self.client.get(next_url)
        self.assertEqual(final_response.status_code, 200)

-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
    def test_app_deny(self):
        """Test request (deny on app level)"""
        PolicyBinding.objects.create(
@ -89,7 +58,6 @@ class TestRACViews(APITestCase):
            policy=DummyPolicy.objects.create(name="deny", result=False, wait_min=1, wait_max=2),
            order=0,
        )
-        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.get(
            reverse(
@ -99,18 +67,6 @@ class TestRACViews(APITestCase):
        )
        self.assertIsInstance(response, AccessDeniedResponse)

-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
    def test_endpoint_deny(self):
        """Test request (deny on endpoint level)"""
        PolicyBinding.objects.create(
@ -118,7 +74,6 @@ class TestRACViews(APITestCase):
            policy=DummyPolicy.objects.create(name="deny", result=False, wait_min=1, wait_max=2),
            order=0,
        )
-        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.get(
            reverse(
--- a/Show More
+++ b/Show More