release: 2022.10.4

web: backport API update
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-23 14:19:17 +01:00 · 2022-12-23 14:19:10 +01:00 · 2022-12-23 14:18:13 +01:00 · 2022-12-23 14:18:09 +01:00 · 2022-12-02 23:01:17 +02:00 · 2022-12-02 22:51:09 +02:00
416 changed files with 8872 additions and 17541 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2022.12.2
+current_version = 2022.10.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.dockerignore
+++ b/.dockerignore
@ -1,8 +1,8 @@
 env
+static
 htmlcov
 *.env.yml
 **/node_modules
 dist/**
 build/**
 build_docs/**
-Dockerfile
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -13,7 +13,7 @@ runs:
    - name: Setup python and restore poetry
      uses: actions/setup-python@v3
      with:
-        python-version: '3.11'
+        python-version: '3.10'
        cache: 'poetry'
    - name: Setup node
      uses: actions/setup-node@v3.1.0
@ -25,7 +25,7 @@ runs:
      shell: bash
      run: |
        docker-compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry env use python3.11
+        poetry env use python3.10
        poetry install
        cd web && npm ci
    - name: Generate config
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -46,7 +46,6 @@ jobs:
        run: poetry run python -m lifecycle.migrate
  test-migrations-from-stable:
    runs-on: ubuntu-latest
-    continue-on-error: true
    steps:
      - uses: actions/checkout@v3
        with:
@ -84,10 +83,17 @@ jobs:
      - uses: actions/checkout@v3
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
      - name: run unittest
        run: |
          poetry run make test
          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [unittest]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v3
        with:
@ -98,12 +104,19 @@ jobs:
      - uses: actions/checkout@v3
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.5.0
+        uses: helm/kind-action@v1.4.0
      - name: run integration
        run: |
          poetry run make test-integration
          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [integration]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v3
        with:
@ -114,6 +127,9 @@ jobs:
      - uses: actions/checkout@v3
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
      - name: Setup e2e env (chrome, etc)
        run: |
          docker-compose -f tests/e2e/docker-compose.yml up -d
@ -133,6 +149,10 @@ jobs:
        run: |
          poetry run make test-e2e-provider
          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [e2e-provider]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v3
        with:
@ -143,6 +163,9 @@ jobs:
      - uses: actions/checkout@v3
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
      - name: Setup e2e env (chrome, etc)
        run: |
          docker-compose -f tests/e2e/docker-compose.yml up -d
@ -162,6 +185,10 @@ jobs:
        run: |
          poetry run make test-e2e-rest
          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [e2e-rest]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v3
        with:
@ -208,9 +235,6 @@ jobs:
      - name: Building Docker Image
        uses: docker/build-push-action@v3
        with:
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -27,22 +27,6 @@ jobs:
      - name: Eslint
        working-directory: web/
        run: npm run lint
-  lint-build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.5.1
-        with:
-          node-version: '16'
-          cache: 'npm'
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: TSC
-        working-directory: web/
-        run: npm run tsc
  lint-prettier:
    runs-on: ubuntu-latest
    steps:
@ -85,7 +69,6 @@ jobs:
      - lint-eslint
      - lint-prettier
      - lint-lit-analyse
-      - lint-build
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -31,9 +31,6 @@ jobs:
        uses: docker/build-push-action@v3
        with:
          push: ${{ github.event_name == 'release' }}
-          secrets:
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          tags: |
            beryju/authentik:${{ steps.ev.outputs.version }},
            beryju/authentik:${{ steps.ev.outputs.versionFamily }},
@ -42,8 +39,7 @@ jobs:
            ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
            ghcr.io/goauthentik/server:latest
          platforms: linux/amd64,linux/arm64
-          build-args: |
-            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
+          context: .
  build-outpost:
    runs-on: ubuntu-latest
    strategy:
@ -88,11 +84,6 @@ jobs:
            ghcr.io/goauthentik/${{ matrix.type }}:latest
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
@ -170,9 +161,11 @@ jobs:
        if: ${{ github.event_name == 'release' }}
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_ORG: authentik-security-inc
+          SENTRY_ORG: beryjuorg
          SENTRY_PROJECT: authentik
+          SENTRY_URL: https://sentry.beryju.org
        with:
          version: authentik@${{ steps.ev.outputs.version }}
+          environment: beryjuorg-prod
          sourcemaps: './web/dist'
          url_prefix: '~/static/dist'
--- a/.gitignore
+++ b/.gitignore
@ -194,9 +194,11 @@ pip-selfcheck.json
 /static/
 local.env.yml

+# Selenium Screenshots
+selenium_screenshots/
+backups/
 media/
 *mmdb

 .idea/
 /gen-*/
-data/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -22,13 +22,7 @@
    "python.formatting.provider": "black",
    "yaml.customTags": [
        "!Find sequence",
-        "!KeyOf scalar",
-        "!Context scalar",
-        "!Context sequence",
-        "!Format sequence",
-        "!Condition sequence",
-        "!Env sequence",
-        "!Env scalar"
+        "!KeyOf scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
@ -36,13 +30,5 @@
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
-    },
-    "gitlens.autolinks": [
-        {
-            "alphanumeric": true,
-            "prefix": "#<num>",
-            "url": "https://github.com/goauthentik/authentik/issues/<num>",
-            "ignoreCase": false
-        }
-    ]
+    }
 }
--- a/26
+++ b/26
@ -20,7 +20,7 @@ WORKDIR /work/web
 RUN npm ci && npm run build

 # Stage 3: Poetry to requirements.txt export
-FROM docker.io/python:3.11.1-slim-bullseye AS poetry-locker
+FROM docker.io/python:3.10.7-slim-bullseye AS poetry-locker

 WORKDIR /work
 COPY ./pyproject.toml /work
@ -31,7 +31,7 @@ RUN pip install --no-cache-dir poetry && \
    poetry export -f requirements.txt --dev --output requirements-dev.txt

 # Stage 4: Build go proxy
-FROM docker.io/golang:1.19.4-bullseye AS go-builder
+FROM docker.io/golang:1.19.2-bullseye AS go-builder

 WORKDIR /work

@ -46,22 +46,8 @@ COPY ./go.sum /work/go.sum

 RUN go build -o /work/authentik ./cmd/server/

-# Stage 5: MaxMind GeoIP
-FROM docker.io/maxmindinc/geoipupdate:v4.10 as geoip
-
-ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
-
-RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
-    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
-    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "\
-        export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \
-        export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \
-        /usr/bin/entry.sh || exit 0 \
-    "
-
-# Stage 6: Run
-FROM docker.io/python:3.11.1-slim-bullseye AS final-image
+# Stage 5: Run
+FROM docker.io/python:3.10.7-slim-bullseye AS final-image

 LABEL org.opencontainers.image.url https://goauthentik.io
 LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
@ -74,11 +60,10 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

 COPY --from=poetry-locker /work/requirements.txt /
 COPY --from=poetry-locker /work/requirements-dev.txt /
-COPY --from=geoip /usr/share/GeoIP /geoip

 RUN apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev && \
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev && \
    # Required for runtime
    apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \
    # Required for bootstrap & healtcheck
@ -96,7 +81,6 @@ RUN apt-get update && \
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
 COPY ./xml /xml
-COPY ./locale /locale
 COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
--- a/687
+++ b/687
@ -1,21 +1,674 @@
-MIT License
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007

-Copyright (c) 2022 Jens Langhammer
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.

-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+                            Preamble

-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.

-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
--- a/10
+++ b/10
@ -69,7 +69,7 @@ gen-build:
 	AUTHENTIK_DEBUG=true ak spectacular --file schema.yml

 gen-diff:
-	git show $(shell git describe --abbrev=0):schema.yml > old_schema.yml
+	git show $(shell git tag -l | tail -n 1):schema.yml > old_schema.yml
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
@ -126,7 +126,7 @@ gen: gen-build gen-clean gen-client-ts
 web-build: web-install
 	cd web && npm run build

-web: web-lint-fix web-lint web-check-compile
+web: web-lint-fix web-lint

 web-install:
 	cd web && npm ci
@ -144,9 +144,6 @@ web-lint:
 	cd web && npm run lint
 	cd web && npm run lit-analyse

-web-check-compile:
-	cd web && npm run tsc
-
 web-extract:
 	cd web && npm run extract

@ -200,4 +197,7 @@ dev-reset:
 	dropdb -U postgres -h localhost authentik
 	createdb -U postgres -h localhost authentik
 	redis-cli -n 0 flushall
+	redis-cli -n 1 flushall
+	redis-cli -n 2 flushall
+	redis-cli -n 3 flushall
 	make migrate
--- a/README.md
+++ b/README.md
@ -5,13 +5,14 @@
 ---

 [![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
-[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-main.yml?branch=main&label=core%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-main.yml)
-[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-outpost.yml?branch=main&label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
-[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-main?label=core%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-main.yml)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-outpost?label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-web?label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
+[![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/main?style=for-the-badge)](https://goauthentik.testspace.com/)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
-[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/beryjuorg/authentik/)

 ## What is authentik?

--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,8 +6,8 @@ Authentik takes security very seriously. We follow the rules of [responsible dis

 | Version   | Supported          |
 | --------- | ------------------ |
+| 2022.10.x | :white_check_mark: |
 | 2022.11.x | :white_check_mark: |
-| 2022.12.x | :white_check_mark: |

 ## Reporting a Vulnerability

@ -41,4 +41,4 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:sec

 ## Getting security notifications

-To get security notifications, subscribe to the mailing list [here](https://groups.google.com/g/authentik-security-announcements) or join the [discord](https://goauthentik.io/discord) server.
+To get security notifications, join the [discord](https://goauthentik.io/discord) server. In the future there will be a mailing list too.
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,14 +2,16 @@
 from os import environ
 from typing import Optional

-__version__ = "2022.12.2"
+__version__ = "2022.10.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


 def get_build_hash(fallback: Optional[str] = None) -> str:
    """Get build hash"""
    build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
-    return fallback if build_hash == "" and fallback else build_hash
+    if build_hash == "" and fallback:
+        return fallback
+    return build_hash


 def get_full_version() -> str:
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -8,6 +8,7 @@ from typing import TypedDict
 from django.utils.timezone import now
 from drf_spectacular.utils import extend_schema
 from gunicorn import version_info as gunicorn_version
+from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from rest_framework.fields import SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@ -15,7 +16,6 @@ from rest_framework.response import Response
 from rest_framework.views import APIView

 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost

@ -69,7 +69,7 @@ class SystemSerializer(PassiveSerializer):
        return {
            "python_version": python_version,
            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
-            "environment": get_env(),
+            "environment": "kubernetes" if SERVICE_HOST_ENV_NAME in os.environ else "compose",
            "architecture": platform.machine(),
            "platform": platform.platform(),
            "uname": " ".join(platform.uname()),
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@ -31,5 +31,4 @@ class AuthentikAPIConfig(AppConfig):
                    "type": "apiKey",
                    "in": "header",
                    "name": "Authorization",
-                    "scheme": "bearer",
                }
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -11,6 +11,7 @@ from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
+from authentik.providers.oauth2.models import RefreshToken

 LOGGER = get_logger()

@ -32,8 +33,6 @@ def validate_auth(header: bytes) -> Optional[str]:

 def bearer_auth(raw_header: bytes) -> Optional[User]:
    """raw_header in the Format of `Bearer ....`"""
-    from authentik.providers.oauth2.models import RefreshToken
-
    auth_credentials = validate_auth(raw_header)
    if not auth_credentials:
        return None
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@ -1,15 +1,9 @@
 """API Authorization"""
-from django.conf import settings
 from django.db.models import Model
 from django.db.models.query import QuerySet
-from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.authentication import get_authorization_header
 from rest_framework.filters import BaseFilterBackend
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
-from rest_framework_guardian.filters import ObjectPermissionsFilter
-
-from authentik.api.authentication import validate_auth


 class OwnerFilter(BaseFilterBackend):
@ -23,20 +17,6 @@ class OwnerFilter(BaseFilterBackend):
        return queryset.filter(**{self.owner_key: request.user})


-class SecretKeyFilter(DjangoFilterBackend):
-    """Allow access to all objects when authenticated with secret key as token.
-
-    Replaces both DjangoFilterBackend and ObjectPermissionsFilter"""
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
-        auth_header = get_authorization_header(request)
-        token = validate_auth(auth_header)
-        if token and token == settings.SECRET_KEY:
-            return queryset
-        queryset = ObjectPermissionsFilter().filter_queryset(request, queryset, view)
-        return super().filter_queryset(request, queryset, view)
-
-
 class OwnerPermissions(BasePermission):
    """Authorize requests by an object's owner matching the requesting user"""

--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -35,7 +35,6 @@ class ErrorReportingConfigSerializer(PassiveSerializer):
    """Config for error reporting"""

    enabled = BooleanField(read_only=True)
-    sentry_dsn = CharField(read_only=True)
    environment = CharField(read_only=True)
    send_pii = BooleanField(read_only=True)
    traces_sample_rate = FloatField(read_only=True)
@ -68,7 +67,7 @@ class ConfigView(APIView):
            caps.append(Capabilities.CAN_GEO_IP)
        if CONFIG.y_bool("impersonation"):
            caps.append(Capabilities.CAN_IMPERSONATE)
-        if settings.DEBUG:  # pragma: no cover
+        if settings.DEBUG:
            caps.append(Capabilities.CAN_DEBUG)
        return caps

@ -78,7 +77,6 @@ class ConfigView(APIView):
            {
                "error_reporting": {
                    "enabled": CONFIG.y("error_reporting.enabled"),
-                    "sentry_dsn": CONFIG.y("error_reporting.sentry_dsn"),
                    "environment": CONFIG.y("error_reporting.environment"),
                    "send_pii": CONFIG.y("error_reporting.send_pii"),
                    "traces_sample_rate": float(CONFIG.y("error_reporting.sample_rate", 0.4)),
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -49,12 +49,11 @@ from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
 from authentik.policies.password.api import PasswordPolicyViewSet
 from authentik.policies.reputation.api import ReputationPolicyViewSet, ReputationViewSet
 from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet
-from authentik.providers.oauth2.api.providers import OAuth2ProviderViewSet
-from authentik.providers.oauth2.api.scopes import ScopeMappingViewSet
+from authentik.providers.oauth2.api.provider import OAuth2ProviderViewSet
+from authentik.providers.oauth2.api.scope import ScopeMappingViewSet
 from authentik.providers.oauth2.api.tokens import AuthorizationCodeViewSet, RefreshTokenViewSet
 from authentik.providers.proxy.api import ProxyOutpostConfigViewSet, ProxyProviderViewSet
-from authentik.providers.saml.api.property_mapping import SAMLPropertyMappingViewSet
-from authentik.providers.saml.api.providers import SAMLProviderViewSet
+from authentik.providers.saml.api import SAMLPropertyMappingViewSet, SAMLProviderViewSet
 from authentik.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
 from authentik.sources.oauth.api.source import OAuthSourceViewSet
 from authentik.sources.oauth.api.source_connection import UserOAuthSourceConnectionViewSet
--- a/authentik/blueprints/management/commands/schema_template.json
+++ b/authentik/blueprints/management/commands/schema_template.json
@ -53,21 +53,6 @@
                    "id": {
                        "type": "string"
                    },
-                    "state": {
-                        "type": "string",
-                        "enum": [
-                            "absent",
-                            "present",
-                            "created"
-                        ],
-                        "default": "present"
-                    },
-                    "conditions": {
-                        "type": "array",
-                        "items": {
-                            "type": "boolean"
-                        }
-                    },
                    "attrs": {
                        "type": "object",
                        "properties": {
--- a/authentik/blueprints/models.py
+++ b/authentik/blueprints/models.py
@ -92,7 +92,7 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
        if ":" in url.path:
            path, _, ref = path.partition(":")
        client = NewClient(
-            f"https://{url.hostname}",
+            f"{url.scheme}://{url.hostname}",
            WithUserAgent(authentik_user_agent()),
            WithUsernamePassword(url.username, url.password),
            WithDefaultName(path),
@ -135,11 +135,12 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):

    def retrieve(self) -> str:
        """Retrieve blueprint contents"""
-        if self.path.startswith("oci://"):
-            return self.retrieve_oci()
        full_path = Path(CONFIG.y("blueprints_dir")).joinpath(Path(self.path))
-        with full_path.open("r", encoding="utf-8") as _file:
-            return _file.read()
+        if full_path.exists():
+            LOGGER.debug("Blueprint path exists locally", instance=self)
+            with full_path.open("r", encoding="utf-8") as _file:
+                return _file.read()
+        return self.retrieve_oci()

    @property
    def serializer(self) -> Serializer:
--- a/authentik/blueprints/tests/init.py
+++ b/authentik/blueprints/tests/init.py
@ -7,6 +7,7 @@ from django.apps import apps

 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.blueprints.models import BlueprintInstance
+from authentik.lib.config import CONFIG


 def apply_blueprint(*files: str):
@ -45,13 +46,3 @@ def reconcile_app(app_name: str):
        return wrapper

    return wrapper_outer
-
-
-def load_yaml_fixture(path: str, **kwargs) -> str:
-    """Load yaml fixture, optionally formatting it with kwargs"""
-    with open(Path(__file__).resolve().parent / Path(path), "r", encoding="utf-8") as _fixture:
-        fixture = _fixture.read()
-        try:
-            return fixture % kwargs
-        except TypeError:
-            return fixture
--- a/authentik/blueprints/tests/fixtures/conditions_fulfilled.yaml
+++ b/authentik/blueprints/tests/fixtures/conditions_fulfilled.yaml
@ -1,21 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id1)s"
-          slug: "%(id1)s"
-      model: authentik_flows.flow
-      conditions:
-          - true
-      attrs:
-          designation: stage_configuration
-          title: foo
-    - identifiers:
-          name: "%(id2)s"
-          slug: "%(id2)s"
-      model: authentik_flows.flow
-      conditions:
-          - true
-          - true
-      attrs:
-          designation: stage_configuration
-          title: foo
--- a/authentik/blueprints/tests/fixtures/conditions_not_fulfilled.yaml
+++ b/authentik/blueprints/tests/fixtures/conditions_not_fulfilled.yaml
@ -1,21 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id1)s"
-          slug: "%(id1)s"
-      model: authentik_flows.flow
-      conditions:
-          - false
-      attrs:
-          designation: stage_configuration
-          title: foo
-    - identifiers:
-          name: "%(id2)s"
-          slug: "%(id2)s"
-      model: authentik_flows.flow
-      conditions:
-          - true
-          - false
-      attrs:
-          designation: stage_configuration
-          title: foo
--- a/authentik/blueprints/tests/fixtures/state_absent.yaml
+++ b/authentik/blueprints/tests/fixtures/state_absent.yaml
@ -1,13 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id)s"
-          slug: "%(id)s"
-      model: authentik_flows.flow
-      state: absent
-    - identifiers:
-          name: "%(id)s"
-          expression: |
-            return True
-      model: authentik_policies_expression.expressionpolicy
-      state: absent
--- a/authentik/blueprints/tests/fixtures/state_created.yaml
+++ b/authentik/blueprints/tests/fixtures/state_created.yaml
@ -1,10 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id)s"
-          slug: "%(id)s"
-      model: authentik_flows.flow
-      state: created
-      attrs:
-          designation: stage_configuration
-          title: foo
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@ -1,10 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id)s"
-          slug: "%(id)s"
-      model: authentik_flows.flow
-      state: present
-      attrs:
-          designation: stage_configuration
-          title: foo
--- a/authentik/blueprints/tests/fixtures/static_prompt_export.yaml
+++ b/authentik/blueprints/tests/fixtures/static_prompt_export.yaml
@ -1,12 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          pk: cb954fd4-65a5-4ad9-b1ee-180ee9559cf4
-      model: authentik_stages_prompt.prompt
-      attrs:
-          field_key: username
-          label: Username
-          type: username
-          required: true
-          placeholder: Username
-          order: 0
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -1,101 +0,0 @@
-version: 1
-context:
-    foo: bar
-    policy_property: name
-    policy_property_value: foo-bar-baz-qux
-entries:
-    - model: !Format ["%s", authentik_sources_oauth.oauthsource]
-      state: !Format ["%s", present]
-      identifiers:
-          slug: test
-      attrs:
-          name: test
-          provider_type: github
-          consumer_key: !Env foo
-          consumer_secret: !Env [bar, baz]
-          authentication_flow:
-              !Find [
-                  authentik_flows.Flow,
-                  [slug, default-source-authentication],
-              ]
-          enrollment_flow:
-              !Find [authentik_flows.Flow, [slug, default-source-enrollment]]
-    - attrs:
-          expression: return True
-      identifiers:
-          name: !Format [foo-%s-%s-%s, !Context foo, !Context bar, qux]
-      id: policy
-      model: authentik_policies_expression.expressionpolicy
-    - attrs:
-          attributes:
-              policy_pk1:
-                  !Format [
-                      "%s-%s",
-                      !Find [
-                          authentik_policies_expression.expressionpolicy,
-                          [
-                              !Context policy_property,
-                              !Context policy_property_value,
-                          ],
-                          [expression, return True],
-                      ],
-                      suffix,
-                  ]
-              policy_pk2: !Format ["%s-%s", !KeyOf policy, suffix]
-              boolAnd:
-                  !Condition [AND, !Context foo, !Format ["%s", "a_string"], 1]
-              boolNand:
-                  !Condition [NAND, !Context foo, !Format ["%s", "a_string"], 1]
-              boolOr:
-                  !Condition [
-                      OR,
-                      !Context foo,
-                      !Format ["%s", "a_string"],
-                      null,
-                  ]
-              boolNor:
-                  !Condition [
-                      NOR,
-                      !Context foo,
-                      !Format ["%s", "a_string"],
-                      null,
-                  ]
-              boolXor:
-                  !Condition [XOR, !Context foo, !Format ["%s", "a_string"], 1]
-              boolXnor:
-                  !Condition [XNOR, !Context foo, !Format ["%s", "a_string"], 1]
-              boolComplex:
-                  !Condition [
-                      XNOR,
-                      !Condition [AND, !Context non_existing],
-                      !Condition [NOR, a string],
-                      !Condition [XOR, null],
-                  ]
-              if_true_complex:
-                  !If [
-                      true,
-                      {
-                          dictionary:
-                              {
-                                  with: { keys: "and_values" },
-                                  and_nested_custom_tags:
-                                      !Format ["foo-%s", !Context foo],
-                              },
-                      },
-                      null,
-                  ]
-              if_false_complex:
-                  !If [
-                      !Condition [AND, false],
-                      null,
-                      [list, with, items, !Format ["foo-%s", !Context foo]],
-                  ]
-              if_true_simple: !If [!Context foo, true, text]
-              if_false_simple: !If [null, false, 2]
-      identifiers:
-          name: test
-      conditions:
-          - !Condition [AND, true, true, text]
-          - true
-          - text
-      model: authentik_core.group
--- a/authentik/blueprints/tests/test_models.py
+++ b/authentik/blueprints/tests/test_models.py
@ -16,7 +16,7 @@ def serializer_tester_factory(test_model: Type[SerializerModel]) -> Callable:
    """Test serializer"""

    def tester(self: TestModels):
-        if test_model._meta.abstract:  # pragma: no cover
+        if test_model._meta.abstract:
            return
        model_class = test_model()
        self.assertTrue(isinstance(model_class, SerializerModel))
--- a/authentik/blueprints/tests/test_oci.py
+++ b/authentik/blueprints/tests/test_oci.py
@ -26,8 +26,8 @@ class TestBlueprintOCI(TransactionTestCase):

            self.assertEqual(
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
-                ).retrieve(),
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
+                ).retrieve_oci(),
                "foo",
            )

@ -40,7 +40,7 @@ class TestBlueprintOCI(TransactionTestCase):

            with self.assertRaises(BlueprintRetrievalFailed):
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
                ).retrieve_oci()

    def test_manifests_error_response(self):
@ -53,7 +53,7 @@ class TestBlueprintOCI(TransactionTestCase):

            with self.assertRaises(BlueprintRetrievalFailed):
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
                ).retrieve_oci()

    def test_no_matching_blob(self):
@ -72,7 +72,7 @@ class TestBlueprintOCI(TransactionTestCase):
            )
            with self.assertRaises(BlueprintRetrievalFailed):
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
                ).retrieve_oci()

    def test_blob_error(self):
@ -93,5 +93,5 @@ class TestBlueprintOCI(TransactionTestCase):

            with self.assertRaises(BlueprintRetrievalFailed):
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
                ).retrieve_oci()
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -1,20 +1,41 @@
 """Test blueprints v1"""
-from os import environ
-
 from django.test import TransactionTestCase

-from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
-from authentik.core.models import Group
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.lib.generators import generate_id
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.user_login.models import UserLoginStage

+STATIC_PROMPT_EXPORT = """version: 1
+entries:
+- identifiers:
+    pk: cb954fd4-65a5-4ad9-b1ee-180ee9559cf4
+  model: authentik_stages_prompt.prompt
+  attrs:
+    field_key: username
+    label: Username
+    type: username
+    required: true
+    placeholder: Username
+    order: 0
+"""
+
+YAML_TAG_TESTS = """version: 1
+context:
+    foo: bar
+entries:
+- attrs:
+    expression: return True
+  identifiers:
+    name: !Format [foo-%s-%s, !Context foo, !Context bar]
+  id: default-source-enrollment-if-username
+  model: authentik_policies_expression.expressionpolicy
+"""
+

 class TestBlueprintsV1(TransactionTestCase):
    """Test Blueprints"""
@ -30,61 +51,6 @@ class TestBlueprintsV1(TransactionTestCase):
            )
        )
        self.assertFalse(importer.validate()[0])
-        importer = Importer(
-            (
-                '{"version": 1, "entries": [{"attrs": {"name": "test"}, '
-                '"identifiers": {}, '
-                '"model": "authentik_core.Group"}]}'
-            )
-        )
-        self.assertFalse(importer.validate()[0])
-
-    def test_validated_import_dict_identifiers(self):
-        """Test importing blueprints with dict identifiers."""
-        Group.objects.filter(name__istartswith="test").delete()
-
-        Group.objects.create(
-            name="test1",
-            attributes={
-                "key": ["value"],
-                "other_key": ["a_value", "other_value"],
-            },
-        )
-        Group.objects.create(
-            name="test2",
-            attributes={
-                "key": ["value"],
-                "other_key": ["diff_value", "other_diff_value"],
-            },
-        )
-
-        importer = Importer(
-            (
-                '{"version": 1, "entries": [{"attrs": {"name": "test999", "attributes": '
-                '{"key": ["updated_value"]}}, "identifiers": {"attributes": {"other_key": '
-                '["other_value"]}}, "model": "authentik_core.Group"}]}'
-            )
-        )
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        self.assertTrue(
-            Group.objects.filter(
-                name="test2",
-                attributes={
-                    "key": ["value"],
-                    "other_key": ["diff_value", "other_diff_value"],
-                },
-            )
-        )
-        self.assertTrue(
-            Group.objects.filter(
-                name="test999",
-                # All attributes used as identifiers are kept and merged with the
-                # new attributes declared in the blueprint
-                attributes={"key": ["updated_value"], "other_key": ["other_value"]},
-            )
-        )
-        self.assertFalse(Group.objects.filter(name="test1"))

    def test_export_validate_import(self):
        """Test export and validate it"""
@ -119,58 +85,25 @@ class TestBlueprintsV1(TransactionTestCase):
        """Test export and import it twice"""
        count_initial = Prompt.objects.filter(field_key="username").count()

-        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer(STATIC_PROMPT_EXPORT)
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())

        count_before = Prompt.objects.filter(field_key="username").count()
        self.assertEqual(count_initial + 1, count_before)

-        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer(STATIC_PROMPT_EXPORT)
        self.assertTrue(importer.apply())

        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)

    def test_import_yaml_tags(self):
        """Test some yaml tags"""
-        ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
-        Group.objects.filter(name="test").delete()
-        environ["foo"] = generate_id()
-        importer = Importer(load_yaml_fixture("fixtures/tags.yaml"), {"bar": "baz"})
+        ExpressionPolicy.objects.filter(name="foo-foo-bar").delete()
+        importer = Importer(YAML_TAG_TESTS, {"bar": "baz"})
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
-        policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
-        self.assertTrue(policy)
-        self.assertTrue(
-            Group.objects.filter(
-                attributes={
-                    "policy_pk1": str(policy.pk) + "-suffix",
-                    "policy_pk2": str(policy.pk) + "-suffix",
-                    "boolAnd": True,
-                    "boolNand": False,
-                    "boolOr": True,
-                    "boolNor": False,
-                    "boolXor": True,
-                    "boolXnor": False,
-                    "boolComplex": True,
-                    "if_true_complex": {
-                        "dictionary": {
-                            "with": {"keys": "and_values"},
-                            "and_nested_custom_tags": "foo-bar",
-                        }
-                    },
-                    "if_false_complex": ["list", "with", "items", "foo-bar"],
-                    "if_true_simple": True,
-                    "if_false_simple": 2,
-                }
-            )
-        )
-        self.assertTrue(
-            OAuthSource.objects.filter(
-                slug="test",
-                consumer_key=environ["foo"],
-            )
-        )
+        self.assertTrue(ExpressionPolicy.objects.filter(name="foo-foo-bar"))

    def test_export_validate_import_policies(self):
        """Test export and validate it"""
--- a/authentik/blueprints/tests/test_v1_conditions.py
+++ b/authentik/blueprints/tests/test_v1_conditions.py
@ -1,43 +0,0 @@
-"""Test blueprints v1"""
-from django.test import TransactionTestCase
-
-from authentik.blueprints.tests import load_yaml_fixture
-from authentik.blueprints.v1.importer import Importer
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-
-
-class TestBlueprintsV1Conditions(TransactionTestCase):
-    """Test Blueprints conditions attribute"""
-
-    def test_conditions_fulfilled(self):
-        """Test conditions fulfilled"""
-        flow_slug1 = generate_id()
-        flow_slug2 = generate_id()
-        import_yaml = load_yaml_fixture(
-            "fixtures/conditions_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
-        )
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure objects exist
-        flow: Flow = Flow.objects.filter(slug=flow_slug1).first()
-        self.assertEqual(flow.slug, flow_slug1)
-        flow: Flow = Flow.objects.filter(slug=flow_slug2).first()
-        self.assertEqual(flow.slug, flow_slug2)
-
-    def test_conditions_not_fulfilled(self):
-        """Test conditions not fulfilled"""
-        flow_slug1 = generate_id()
-        flow_slug2 = generate_id()
-        import_yaml = load_yaml_fixture(
-            "fixtures/conditions_not_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
-        )
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure objects do not exist
-        self.assertFalse(Flow.objects.filter(slug=flow_slug1))
-        self.assertFalse(Flow.objects.filter(slug=flow_slug2))
--- a/authentik/blueprints/tests/test_v1_state.py
+++ b/authentik/blueprints/tests/test_v1_state.py
@ -1,82 +0,0 @@
-"""Test blueprints v1"""
-from django.test import TransactionTestCase
-
-from authentik.blueprints.tests import load_yaml_fixture
-from authentik.blueprints.v1.importer import Importer
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-
-
-class TestBlueprintsV1State(TransactionTestCase):
-    """Test Blueprints state attribute"""
-
-    def test_state_present(self):
-        """Test state present"""
-        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_present.yaml", id=flow_slug)
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure object exists
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.slug, flow_slug)
-
-        # Update object
-        flow.title = "bar"
-        flow.save()
-
-        flow.refresh_from_db()
-        self.assertEqual(flow.title, "bar")
-
-        # Ensure importer updates it
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.title, "foo")
-
-    def test_state_created(self):
-        """Test state created"""
-        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure object exists
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.slug, flow_slug)
-
-        # Update object
-        flow.title = "bar"
-        flow.save()
-
-        flow.refresh_from_db()
-        self.assertEqual(flow.title, "bar")
-
-        # Ensure importer doesn't update it
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.title, "bar")
-
-    def test_state_absent(self):
-        """Test state absent"""
-        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure object exists
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.slug, flow_slug)
-
-        import_yaml = load_yaml_fixture("fixtures/state_absent.yaml", id=flow_slug)
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertIsNone(flow)
--- a/authentik/blueprints/tests/test_v1_tasks.py
+++ b/authentik/blueprints/tests/test_v1_tasks.py
@ -67,30 +67,25 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
    @CONFIG.patch("blueprints_dir", TMP)
    def test_valid_updated(self):
        """Test valid file"""
-        BlueprintInstance.objects.filter(name="foo").delete()
        with NamedTemporaryFile(mode="w+", suffix=".yaml", dir=TMP) as file:
            file.write(
                dump(
                    {
                        "version": 1,
                        "entries": [],
-                        "metadata": {
-                            "name": "foo",
-                        },
                    }
                )
            )
            file.flush()
            blueprints_discover()  # pylint: disable=no-value-for-parameter
-            blueprint = BlueprintInstance.objects.filter(name="foo").first()
            self.assertEqual(
-                blueprint.last_applied_hash,
+                BlueprintInstance.objects.first().last_applied_hash,
                (
-                    "b86ec439b3857350714f070d2833490e736d9155d3d97b2cac13f3b352223e5a"
-                    "1adbf8ec56fa616d46090cc4773ff9e46c4e509fde96b97de87dd21fa329ca1a"
+                    "e52bb445b03cd36057258dc9f0ce0fbed8278498ee1470e45315293e5f026d1b"
+                    "d1f9b3526871c0003f5c07be5c3316d9d4a08444bd8fed1b3f03294e51e44522"
                ),
            )
-            self.assertEqual(blueprint.metadata, {"labels": {}, "name": "foo"})
+            self.assertEqual(BlueprintInstance.objects.first().metadata, {})
            file.write(
                dump(
                    {
@ -98,28 +93,24 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                        "entries": [],
                        "metadata": {
                            "name": "foo",
-                            "labels": {
-                                "foo": "bar",
-                            },
                        },
                    }
                )
            )
            file.flush()
            blueprints_discover()  # pylint: disable=no-value-for-parameter
-            blueprint.refresh_from_db()
            self.assertEqual(
-                blueprint.last_applied_hash,
+                BlueprintInstance.objects.first().last_applied_hash,
                (
-                    "87b68b10131d2c9751ed308bba38f04734b9e2cdf8532ed617bc52979b063c49"
-                    "2564f33f3d20ab9d5f0fd9e6eb77a13942e060199f147789cb7afab9690e72b5"
+                    "fc62fea96067da8592bdf90927246d0ca150b045447df93b0652a0e20a8bc327"
+                    "681510b5db37ea98759c61f9a98dd2381f46a3b5a2da69dfb45158897f14e824"
                ),
            )
            self.assertEqual(
-                blueprint.metadata,
+                BlueprintInstance.objects.first().metadata,
                {
                    "name": "foo",
-                    "labels": {"foo": "bar"},
+                    "labels": {},
                },
            )

--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -2,10 +2,7 @@
 from collections import OrderedDict
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
-from functools import reduce
-from operator import ixor
-from os import getenv
-from typing import Any, Literal, Optional, Union
+from typing import Any, Optional
 from uuid import UUID

 from django.apps import apps
@ -44,23 +41,11 @@ class BlueprintEntryState:
    instance: Optional[Model] = None


-class BlueprintEntryDesiredState(Enum):
-    """State an entry should be reconciled to"""
-
-    ABSENT = "absent"
-    PRESENT = "present"
-    CREATED = "created"
-
-
@dataclass
 class BlueprintEntry:
    """Single entry of a blueprint"""

-    model: Union[str, "YAMLTag"]
-    state: Union[BlueprintEntryDesiredState, "YAMLTag"] = field(
-        default=BlueprintEntryDesiredState.PRESENT
-    )
-    conditions: list[Any] = field(default_factory=list)
+    model: str
    identifiers: dict[str, Any] = field(default_factory=dict)
    attrs: Optional[dict[str, Any]] = field(default_factory=dict)

@ -105,18 +90,6 @@ class BlueprintEntry:
        """Get attributes of this entry, with all yaml tags resolved"""
        return self.tag_resolver(self.identifiers, blueprint)

-    def get_state(self, blueprint: "Blueprint") -> BlueprintEntryDesiredState:
-        """Get the blueprint state, with yaml tags resolved if present"""
-        return BlueprintEntryDesiredState(self.tag_resolver(self.state, blueprint))
-
-    def get_model(self, blueprint: "Blueprint") -> str:
-        """Get the blueprint model, with yaml tags resolved if present"""
-        return str(self.tag_resolver(self.model, blueprint))
-
-    def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
-        """Check all conditions of this entry match (evaluate to True)"""
-        return all(self.tag_resolver(self.conditions, blueprint))
-

@dataclass
 class BlueprintMetadata:
@ -171,26 +144,6 @@ class KeyOf(YAMLTag):
        )


-class Env(YAMLTag):
-    """Lookup environment variable with optional default"""
-
-    key: str
-    default: Optional[Any]
-
-    # pylint: disable=unused-argument
-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
-        super().__init__()
-        self.default = None
-        if isinstance(node, ScalarNode):
-            self.key = node.value
-        if isinstance(node, SequenceNode):
-            self.key = node.value[0].value
-            self.default = node.value[1].value
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        return getenv(self.key, self.default)
-
-
 class Context(YAMLTag):
    """Lookup key from instance context"""

@ -226,18 +179,11 @@ class Format(YAMLTag):
        self.format_string = node.value[0].value
        self.args = []
        for raw_node in node.value[1:]:
-            self.args.append(loader.construct_object(raw_node))
+            self.args.append(raw_node.value)

    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        args = []
-        for arg in self.args:
-            if isinstance(arg, YAMLTag):
-                args.append(arg.resolve(entry, blueprint))
-            else:
-                args.append(arg)
-
        try:
-            return self.format_string % tuple(args)
+            return self.format_string % tuple(self.args)
        except TypeError as exc:
            raise EntryInvalidError(exc)

@ -264,93 +210,13 @@ class Find(YAMLTag):
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        query = Q()
        for cond in self.conditions:
-            if isinstance(cond[0], YAMLTag):
-                query_key = cond[0].resolve(entry, blueprint)
-            else:
-                query_key = cond[0]
-            if isinstance(cond[1], YAMLTag):
-                query_value = cond[1].resolve(entry, blueprint)
-            else:
-                query_value = cond[1]
-            query &= Q(**{query_key: query_value})
+            query &= Q(**{cond[0]: cond[1]})
        instance = self.model_class.objects.filter(query).first()
        if instance:
            return instance.pk
        return None


-class Condition(YAMLTag):
-    """Convert all values to a single boolean"""
-
-    mode: Literal["AND", "NAND", "OR", "NOR", "XOR", "XNOR"]
-    args: list[Any]
-
-    _COMPARATORS = {
-        # Using all and any here instead of from operator import iand, ior
-        # to improve performance
-        "AND": all,
-        "NAND": lambda args: not all(args),
-        "OR": any,
-        "NOR": lambda args: not any(args),
-        "XOR": lambda args: reduce(ixor, args) if len(args) > 1 else args[0],
-        "XNOR": lambda args: not (reduce(ixor, args) if len(args) > 1 else args[0]),
-    }
-
-    # pylint: disable=unused-argument
-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
-        super().__init__()
-        self.mode = node.value[0].value
-        self.args = []
-        for raw_node in node.value[1:]:
-            self.args.append(loader.construct_object(raw_node))
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        args = []
-        for arg in self.args:
-            if isinstance(arg, YAMLTag):
-                args.append(arg.resolve(entry, blueprint))
-            else:
-                args.append(arg)
-
-        if not args:
-            raise EntryInvalidError("At least one value is required after mode selection.")
-
-        try:
-            comparator = self._COMPARATORS[self.mode.upper()]
-            return comparator(tuple(bool(x) for x in args))
-        except (TypeError, KeyError) as exc:
-            raise EntryInvalidError(exc)
-
-
-class If(YAMLTag):
-    """Select YAML to use based on condition"""
-
-    condition: Any
-    when_true: Any
-    when_false: Any
-
-    # pylint: disable=unused-argument
-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
-        super().__init__()
-        self.condition = loader.construct_object(node.value[0])
-        self.when_true = loader.construct_object(node.value[1])
-        self.when_false = loader.construct_object(node.value[2])
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        if isinstance(self.condition, YAMLTag):
-            condition = self.condition.resolve(entry, blueprint)
-        else:
-            condition = self.condition
-
-        try:
-            return entry.tag_resolver(
-                self.when_true if condition else self.when_false,
-                blueprint,
-            )
-        except TypeError as exc:
-            raise EntryInvalidError(exc)
-
-
 class BlueprintDumper(SafeDumper):
    """Dump dataclasses to yaml"""

@ -361,15 +227,8 @@ class BlueprintDumper(SafeDumper):
        self.add_representer(UUID, lambda self, data: self.represent_str(str(data)))
        self.add_representer(OrderedDict, lambda self, data: self.represent_dict(dict(data)))
        self.add_representer(Enum, lambda self, data: self.represent_str(data.value))
-        self.add_representer(
-            BlueprintEntryDesiredState, lambda self, data: self.represent_str(data.value)
-        )
        self.add_representer(None, lambda self, data: self.represent_str(str(data)))

-    def ignore_aliases(self, data):
-        """Don't use any YAML anchors"""
-        return True
-
    def represent(self, data) -> None:
        if is_dataclass(data):

@ -391,9 +250,6 @@ class BlueprintLoader(SafeLoader):
        self.add_constructor("!Find", Find)
        self.add_constructor("!Context", Context)
        self.add_constructor("!Format", Format)
-        self.add_constructor("!Condition", Condition)
-        self.add_constructor("!If", If)
-        self.add_constructor("!Env", Env)


 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -3,7 +3,6 @@ from contextlib import contextmanager
 from copy import deepcopy
 from typing import Any, Optional

-from dacite.config import Config
 from dacite.core import from_dict
 from dacite.exceptions import DaciteError
 from deepmerge import always_merger
@ -21,7 +20,6 @@ from yaml import load
 from authentik.blueprints.v1.common import (
    Blueprint,
    BlueprintEntry,
-    BlueprintEntryDesiredState,
    BlueprintEntryState,
    BlueprintLoader,
    EntryInvalidError,
@ -34,7 +32,7 @@ from authentik.core.models import (
    Source,
    UserSourceConnection,
 )
-from authentik.flows.models import FlowToken, Stage
+from authentik.flows.models import Stage
 from authentik.lib.models import SerializerModel
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
@ -60,8 +58,6 @@ def is_model_allowed(model: type[Model]) -> bool:
        PolicyBindingModel,
        # Classes that have other dependencies
        AuthenticatedSession,
-        # Classes which are only internally managed
-        FlowToken,
    )
    return model not in excluded_models and issubclass(model, (SerializerModel, BaseMetaModel))

@ -86,16 +82,14 @@ class Importer:
        self.logger = get_logger()
        import_dict = load(yaml_input, BlueprintLoader)
        try:
-            self.__import = from_dict(
-                Blueprint, import_dict, config=Config(cast=[BlueprintEntryDesiredState])
-            )
+            self.__import = from_dict(Blueprint, import_dict)
        except DaciteError as exc:
            raise EntryInvalidError from exc
-        ctx = {}
-        always_merger.merge(ctx, self.__import.context)
+        context = {}
+        always_merger.merge(context, self.__import.context)
        if context:
-            always_merger.merge(ctx, context)
-        self.__import.context = ctx
+            always_merger.merge(context, context)
+        self.__import.context = context

    @property
    def blueprint(self) -> Blueprint:
@ -134,23 +128,16 @@ class Importer:
            main_query = Q(pk=attrs["pk"])
        sub_query = Q()
        for identifier, value in attrs.items():
+            if isinstance(value, dict):
+                continue
            if identifier == "pk":
                continue
-            if isinstance(value, dict):
-                sub_query &= Q(**{f"{identifier}__contains": value})
-            else:
-                sub_query &= Q(**{identifier: value})
-
+            sub_query &= Q(**{identifier: value})
        return main_query | sub_query

-    # pylint: disable-msg=too-many-locals
-    def _validate_single(self, entry: BlueprintEntry) -> Optional[BaseSerializer]:
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer:
        """Validate a single entry"""
-        if not entry.check_all_conditions_match(self.__import):
-            self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
-            return None
-
-        model_app_label, model_name = entry.get_model(self.__import).split(".")
+        model_app_label, model_name = entry.model.split(".")
        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
        # Don't use isinstance since we don't want to check for inheritance
        if not is_model_allowed(model):
@ -165,6 +152,8 @@ class Importer:
                    f"Serializer errors {serializer.errors}", serializer_errors=serializer.errors
                ) from exc
            return serializer
+        if entry.identifiers == {}:
+            raise EntryInvalidError("No identifiers")

        # If we try to validate without referencing a possible instance
        # we'll get a duplicate error, hence we load the model here and return
@ -176,19 +165,11 @@ class Importer:
            if isinstance(value, dict) and "pk" in value:
                del updated_identifiers[key]
                updated_identifiers[f"{key}"] = value["pk"]
-
-        query = self.__query_from_identifier(updated_identifiers)
-        if not query:
-            raise EntryInvalidError("No or invalid identifiers")
-
-        existing_models = model.objects.filter(query)
+        existing_models = model.objects.filter(self.__query_from_identifier(updated_identifiers))

        serializer_kwargs = {}
-        model_instance = existing_models.first()
-        if not isinstance(model(), BaseMetaModel) and model_instance:
-            if entry.get_state(self.__import) == BlueprintEntryDesiredState.CREATED:
-                self.logger.debug("instance exists, skipping")
-                return None
+        if not isinstance(model(), BaseMetaModel) and existing_models.exists():
+            model_instance = existing_models.first()
            self.logger.debug(
                "initialise serializer with instance",
                model=model,
@ -210,7 +191,7 @@ class Importer:
            full_data = self.__update_pks_for_attrs(entry.get_attrs(self.__import))
        except ValueError as exc:
            raise EntryInvalidError(exc) from exc
-        always_merger.merge(full_data, updated_identifiers)
+        full_data.update(updated_identifiers)
        serializer_kwargs["data"] = full_data

        serializer: Serializer = model().serializer(**serializer_kwargs)
@ -239,7 +220,7 @@ class Importer:
        """Apply (create/update) models yaml"""
        self.__pk_map = {}
        for entry in self.__import.entries:
-            model_app_label, model_name = entry.get_model(self.__import).split(".")
+            model_app_label, model_name = entry.model.split(".")
            try:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
            except LookupError:
@ -253,26 +234,12 @@ class Importer:
            except EntryInvalidError as exc:
                self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
                return False
-            if not serializer:
-                continue

-            state = entry.get_state(self.__import)
-            if state in [
-                BlueprintEntryDesiredState.PRESENT,
-                BlueprintEntryDesiredState.CREATED,
-            ]:
-                model = serializer.save()
-                if "pk" in entry.identifiers:
-                    self.__pk_map[entry.identifiers["pk"]] = model.pk
-                entry._state = BlueprintEntryState(model)
-                self.logger.debug("updated model", model=model)
-            elif state == BlueprintEntryDesiredState.ABSENT:
-                instance: Optional[Model] = serializer.instance
-                if instance.pk:
-                    instance.delete()
-                    self.logger.debug("deleted model", mode=instance)
-                    continue
-                self.logger.debug("entry to delete with no instance, skipping")
+            model = serializer.save()
+            if "pk" in entry.identifiers:
+                self.__pk_map[entry.identifiers["pk"]] = model.pk
+            entry._state = BlueprintEntryState(model)
+            self.logger.debug("updated model", model=model)
        return True

    def validate(self) -> tuple[bool, list[EventDict]]:
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -10,13 +10,6 @@ from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from structlog.stdlib import get_logger
-from watchdog.events import (
-    FileCreatedEvent,
-    FileModifiedEvent,
-    FileSystemEvent,
-    FileSystemEventHandler,
-)
-from watchdog.observers import Observer
 from yaml import load
 from yaml.error import YAMLError

@ -39,7 +32,6 @@ from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
-_file_watcher_started = False


@dataclass
@ -53,39 +45,6 @@ class BlueprintFile:
    meta: Optional[BlueprintMetadata] = field(default=None)


-def start_blueprint_watcher():
-    """Start blueprint watcher, if it's not running already."""
-    # This function might be called twice since it's called on celery startup
-    # pylint: disable=global-statement
-    global _file_watcher_started
-    if _file_watcher_started:
-        return
-    observer = Observer()
-    observer.schedule(BlueprintEventHandler(), CONFIG.y("blueprints_dir"), recursive=True)
-    observer.start()
-    _file_watcher_started = True
-
-
-class BlueprintEventHandler(FileSystemEventHandler):
-    """Event handler for blueprint events"""
-
-    def on_any_event(self, event: FileSystemEvent):
-        if not isinstance(event, (FileCreatedEvent, FileModifiedEvent)):
-            return
-        if event.is_directory:
-            return
-        if isinstance(event, FileCreatedEvent):
-            LOGGER.debug("new blueprint file created, starting discovery")
-            blueprints_discover.delay()
-        if isinstance(event, FileModifiedEvent):
-            path = Path(event.src_path)
-            root = Path(CONFIG.y("blueprints_dir")).absolute()
-            rel_path = str(path.relative_to(root))
-            for instance in BlueprintInstance.objects.filter(path=rel_path):
-                LOGGER.debug("modified blueprint file, starting apply", instance=instance)
-                apply_blueprint.delay(instance.pk.hex)
-
-
@CELERY_APP.task(
    throws=(DatabaseError, ProgrammingError, InternalError),
 )
@ -101,7 +60,8 @@ def blueprints_find():
    """Find blueprints and return valid ones"""
    blueprints = []
    root = Path(CONFIG.y("blueprints_dir"))
-    for path in root.glob("**/*.yaml"):
+    for file in root.glob("**/*.yaml"):
+        path = Path(file)
        LOGGER.debug("found blueprint", path=str(path))
        with open(path, "r", encoding="utf-8") as blueprint_file:
            try:
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -23,15 +23,10 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import FilePathSerializer, FileUploadSerializer
 from authentik.core.models import Application, User
 from authentik.events.models import EventAction
 from authentik.events.utils import sanitize_dict
-from authentik.lib.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
@ -42,7 +37,7 @@ LOGGER = get_logger()

 def user_app_cache_key(user_pk: str) -> str:
    """Cache key where application list for user is saved"""
-    return f"goauthentik.io/core/app_access/{user_pk}"
+    return f"user_app_cache_{user_pk}"


 class ApplicationSerializer(ModelSerializer):
@ -196,9 +191,9 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        if not should_cache:
            allowed_applications = self._get_allowed_applications(queryset)
        if should_cache:
+            LOGGER.debug("Caching allowed application list")
            allowed_applications = cache.get(user_app_cache_key(self.request.user.pk))
            if not allowed_applications:
-                LOGGER.debug("Caching allowed application list")
                allowed_applications = self._get_allowed_applications(queryset)
                cache.set(
                    user_app_cache_key(self.request.user.pk),
@ -229,7 +224,21 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
    def set_icon(self, request: Request, slug: str):
        """Set application icon"""
        app: Application = self.get_object()
-        return set_file(request, app, "meta_icon")
+        icon = request.FILES.get("file", None)
+        clear = request.data.get("clear", "false").lower() == "true"
+        if clear:
+            # .delete() saves the model by default
+            app.meta_icon.delete()
+            return Response({})
+        if icon:
+            app.meta_icon = icon
+            try:
+                app.save()
+            except PermissionError as exc:
+                LOGGER.warning("Failed to save icon", exc=exc)
+                return HttpResponseBadRequest()
+            return Response({})
+        return HttpResponseBadRequest()

    @permission_required("authentik_core.change_application")
    @extend_schema(
@ -249,7 +258,12 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
    def set_icon_url(self, request: Request, slug: str):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
-        return set_file_url(request, app, "meta_icon")
+        url = request.data.get("url", None)
+        if url is None:
+            return HttpResponseBadRequest()
+        app.meta_icon.name = url
+        app.save()
+        return Response({})

    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
    @extend_schema(responses={200: CoordinateSerializer(many=True)})
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -2,22 +2,15 @@
 from json import loads

 from django.db.models.query import QuerySet
-from django.http import Http404
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from drf_spectacular.utils import OpenApiResponse, extend_schema
-from guardian.shortcuts import get_objects_for_user
-from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, JSONField
-from rest_framework.request import Request
-from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter

-from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer, is_dict
+from authentik.core.api.utils import is_dict
 from authentik.core.models import Group, User


@ -120,12 +113,6 @@ class GroupFilter(FilterSet):
        fields = ["name", "is_superuser", "members_by_pk", "attributes", "members_by_username"]


-class UserAccountSerializer(PassiveSerializer):
-    """Account adding/removing operations"""
-
-    pk = IntegerField(required=True)
-
-
 class GroupViewSet(UsedByMixin, ModelViewSet):
    """Group Viewset"""

@ -147,53 +134,3 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
        if self.request.user.has_perm("authentik_core.view_group"):
            return self._filter_queryset_for_list(queryset)
        return super().filter_queryset(queryset)
-
-    @permission_required(None, ["authentik_core.add_user"])
-    @extend_schema(
-        request=UserAccountSerializer,
-        responses={
-            204: OpenApiResponse(description="User added"),
-            404: OpenApiResponse(description="User not found"),
-        },
-    )
-    @action(detail=True, methods=["POST"], pagination_class=None, filter_backends=[])
-    # pylint: disable=unused-argument, invalid-name
-    def add_user(self, request: Request, pk: str) -> Response:
-        """Add user to group"""
-        group: Group = self.get_object()
-        user: User = (
-            get_objects_for_user(request.user, "authentik_core.view_user")
-            .filter(
-                pk=request.data.get("pk"),
-            )
-            .first()
-        )
-        if not user:
-            raise Http404
-        group.users.add(user)
-        return Response(status=204)
-
-    @permission_required(None, ["authentik_core.add_user"])
-    @extend_schema(
-        request=UserAccountSerializer,
-        responses={
-            204: OpenApiResponse(description="User added"),
-            404: OpenApiResponse(description="User not found"),
-        },
-    )
-    @action(detail=True, methods=["POST"], pagination_class=None, filter_backends=[])
-    # pylint: disable=unused-argument, invalid-name
-    def remove_user(self, request: Request, pk: str) -> Response:
-        """Add user to group"""
-        group: Group = self.get_object()
-        user: User = (
-            get_objects_for_user(request.user, "authentik_core.view_user")
-            .filter(
-                pk=request.data.get("pk"),
-            )
-            .first()
-        )
-        if not user:
-            raise Http404
-        group.users.remove(user)
-        return Response(status=204)
--- a/authentik/core/api/propertymappings.py
+++ b/authentik/core/api/propertymappings.py
@ -19,7 +19,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, PassiveSerializer, TypeCreateSerializer
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
 from authentik.core.models import PropertyMapping
-from authentik.events.utils import sanitize_item
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.exec import PolicyTestSerializer

@ -141,9 +140,7 @@ class PropertyMappingViewSet(
                self.request,
                **test_params.validated_data.get("context", {}),
            )
-            response_data["result"] = dumps(
-                sanitize_item(result), indent=(4 if format_result else None)
-            )
+            response_data["result"] = dumps(result, indent=(4 if format_result else None))
        except Exception as exc:  # pylint: disable=broad-except
            response_data["result"] = str(exc)
            response_data["successful"] = False
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -2,11 +2,10 @@
 from typing import Iterable

 from django_filters.rest_framework import DjangoFilterBackend
-from drf_spectacular.utils import OpenApiResponse, extend_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, ReadOnlyField, SerializerMethodField
@ -14,17 +13,10 @@ from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
-from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
-from authentik.lib.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.engine import PolicyEngine

@ -36,7 +28,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):

    managed = ReadOnlyField()
    component = SerializerMethodField()
-    icon = ReadOnlyField(source="get_icon")

    def get_component(self, obj: Source) -> str:
        """Get object component so that we know how to edit the object"""
@ -63,7 +54,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
            "user_matching_mode",
            "managed",
            "user_path_template",
-            "icon",
        ]


@ -85,49 +75,6 @@ class SourceViewSet(
    def get_queryset(self):  # pragma: no cover
        return Source.objects.select_subclasses()

-    @permission_required("authentik_core.change_source")
-    @extend_schema(
-        request={
-            "multipart/form-data": FileUploadSerializer,
-        },
-        responses={
-            200: OpenApiResponse(description="Success"),
-            400: OpenApiResponse(description="Bad request"),
-        },
-    )
-    @action(
-        detail=True,
-        pagination_class=None,
-        filter_backends=[],
-        methods=["POST"],
-        parser_classes=(MultiPartParser,),
-    )
-    # pylint: disable=unused-argument
-    def set_icon(self, request: Request, slug: str):
-        """Set source icon"""
-        source: Source = self.get_object()
-        return set_file(request, source, "icon")
-
-    @permission_required("authentik_core.change_source")
-    @extend_schema(
-        request=FilePathSerializer,
-        responses={
-            200: OpenApiResponse(description="Success"),
-            400: OpenApiResponse(description="Bad request"),
-        },
-    )
-    @action(
-        detail=True,
-        pagination_class=None,
-        filter_backends=[],
-        methods=["POST"],
-    )
-    # pylint: disable=unused-argument
-    def set_icon_url(self, request: Request, slug: str):
-        """Set source icon (as URL)"""
-        source: Source = self.get_object()
-        return set_file_url(request, source, "icon")
-
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -46,6 +46,7 @@ from structlog.stdlib import get_logger

 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
+from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import (
@ -73,26 +74,6 @@ from authentik.tenants.models import Tenant
 LOGGER = get_logger()


-class UserGroupSerializer(ModelSerializer):
-    """Simplified Group Serializer for user's groups"""
-
-    attributes = JSONField(required=False)
-    parent_name = CharField(source="parent.name", read_only=True)
-
-    class Meta:
-
-        model = Group
-        fields = [
-            "pk",
-            "num_pk",
-            "name",
-            "is_superuser",
-            "parent",
-            "parent_name",
-            "attributes",
-        ]
-
-
 class UserSerializer(ModelSerializer):
    """User Serializer"""

@ -102,7 +83,7 @@ class UserSerializer(ModelSerializer):
    groups = PrimaryKeyRelatedField(
        allow_empty=True, many=True, source="ak_groups", queryset=Group.objects.all()
    )
-    groups_obj = ListSerializer(child=UserGroupSerializer(), read_only=True, source="ak_groups")
+    groups_obj = ListSerializer(child=GroupSerializer(), read_only=True, source="ak_groups")
    uid = CharField(read_only=True)
    username = CharField(max_length=150)

--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -2,7 +2,7 @@
 from typing import Any

 from django.db.models import Model
-from rest_framework.fields import CharField, IntegerField, JSONField
+from rest_framework.fields import BooleanField, CharField, FileField, IntegerField
 from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError


@ -23,10 +23,17 @@ class PassiveSerializer(Serializer):
        return Model()


-class PropertyMappingPreviewSerializer(PassiveSerializer):
-    """Preview how the current user is mapped via the property mappings selected in a provider"""
+class FileUploadSerializer(PassiveSerializer):
+    """Serializer to upload file"""

-    preview = JSONField(read_only=True)
+    file = FileField(required=False)
+    clear = BooleanField(default=False)
+
+
+class FilePathSerializer(PassiveSerializer):
+    """Serializer to upload file"""
+
+    url = CharField()


 class MetaNameSerializer(PassiveSerializer):
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -1,4 +1,5 @@
 """Property Mapping Evaluator"""
+from traceback import format_tb
 from typing import Optional

 from django.db.models import Model
@ -7,7 +8,6 @@ from django.http import HttpRequest
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.evaluator import BaseEvaluator
-from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.types import PolicyRequest


@ -38,7 +38,7 @@ class PropertyMappingEvaluator(BaseEvaluator):

    def handle_error(self, exc: Exception, expression_source: str):
        """Exception Handler"""
-        error_string = exception_to_string(exc)
+        error_string = "\n".join(format_tb(exc.__traceback__) + [str(exc)])
        event = Event.new(
            EventAction.PROPERTY_MAPPING_EXCEPTION,
            expression=expression_source,
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -1,8 +1,6 @@
 """authentik shell command"""
 import code
 import platform
-import sys
-import traceback

 from django.apps import apps
 from django.core.management.base import BaseCommand
@ -91,21 +89,6 @@ class Command(BaseCommand):
            exec(options["command"], namespace)  # nosec # noqa
            return

-        try:
-            hook = sys.__interactivehook__
-        except AttributeError:
-            # Match the behavior of the cpython shell where a missing
-            # sys.__interactivehook__ is ignored.
-            pass
-        else:
-            try:
-                hook()
-            except Exception:  # pylint: disable=broad-except
-                # Match the behavior of the cpython shell where an error in
-                # sys.__interactivehook__ prints a warning and the exception
-                # and continues.
-                print("Failed calling sys.__interactivehook__")
-                traceback.print_exc()
        # Try to enable tab-complete
        try:
            import readline
--- a/authentik/core/migrations/0024_source_icon.py
+++ b/authentik/core/migrations/0024_source_icon.py
@ -1,20 +0,0 @@
-# Generated by Django 4.1.3 on 2022-11-15 20:33
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0023_source_authentik_c_slug_ccb2e5_idx_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="source",
-            name="icon",
-            field=models.FileField(
-                default=None, max_length=500, null=True, upload_to="source-icons/"
-            ),
-        ),
-    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -297,7 +297,7 @@ class Provider(SerializerModel):
        raise NotImplementedError

    def __str__(self):
-        return str(self.name)
+        return self.name


 class Application(SerializerModel, PolicyBindingModel):
@ -379,7 +379,7 @@ class Application(SerializerModel, PolicyBindingModel):
            return None

    def __str__(self):
-        return str(self.name)
+        return self.name

    class Meta:

@ -421,12 +421,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):

    enabled = models.BooleanField(default=True)
    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
-    icon = models.FileField(
-        upload_to="source-icons/",
-        default=None,
-        null=True,
-        max_length=500,
-    )

    authentication_flow = models.ForeignKey(
        "authentik_flows.Flow",
@ -460,16 +454,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):

    objects = InheritanceManager()

-    @property
-    def get_icon(self) -> Optional[str]:
-        """Get the URL to the Icon. If the name is /static or
-        starts with http it is returned as-is"""
-        if not self.icon:
-            return None
-        if "://" in self.icon.name or self.icon.name.startswith("/static"):
-            return self.icon.name
-        return self.icon.url
-
    def get_user_path(self) -> str:
        """Get user path, fallback to default for formatting errors"""
        try:
@ -497,7 +481,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        return None

    def __str__(self):
-        return str(self.name)
+        return self.name

    class Meta:

--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -2,14 +2,10 @@
 {% get_current_language as LANGUAGE_CODE %}

 <script>
-    window.authentik = {
-        locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}'),
-        tenant: JSON.parse('{{ tenant_json|escapejs }}'),
-        versionFamily: "{{ version_family }}",
-        versionSubdomain: "{{ version_subdomain }}",
-        build: "{{ build }}",
-    };
+    window.authentik = {};
+    window.authentik.locale = "{{ LANGUAGE_CODE }}";
+    window.authentik.config = JSON.parse('{{ config_json|escapejs }}');
+    window.authentik.tenant = JSON.parse('{{ tenant_json|escapejs }}');
    window.addEventListener("DOMContentLoaded", () => {
        {% for message in messages %}
        window.dispatchEvent(
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -13,7 +13,6 @@
        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/dropdown.css' %}">
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -1,8 +1,6 @@
 """Test Applications API"""
 from json import loads

-from django.core.files.base import ContentFile
-from django.test.client import BOUNDARY, MULTIPART_CONTENT, encode_multipart
 from django.urls import reverse
 from rest_framework.test import APITestCase

@ -23,7 +21,7 @@ class TestApplicationsAPI(APITestCase):
            redirect_uris="http://some-other-domain",
            authorization_flow=create_test_flow(),
        )
-        self.allowed: Application = Application.objects.create(
+        self.allowed = Application.objects.create(
            name="allowed",
            slug="allowed",
            meta_launch_url="https://goauthentik.io/%(username)s",
@ -37,31 +35,6 @@ class TestApplicationsAPI(APITestCase):
            order=0,
        )

-    def test_set_icon(self):
-        """Test set_icon"""
-        file = ContentFile(b"text", "name")
-        self.client.force_login(self.user)
-        response = self.client.post(
-            reverse(
-                "authentik_api:application-set-icon",
-                kwargs={"slug": self.allowed.slug},
-            ),
-            data=encode_multipart(data={"file": file}, boundary=BOUNDARY),
-            content_type=MULTIPART_CONTENT,
-        )
-        self.assertEqual(response.status_code, 200)
-
-        app_raw = self.client.get(
-            reverse(
-                "authentik_api:application-detail",
-                kwargs={"slug": self.allowed.slug},
-            ),
-        )
-        app = loads(app_raw.content)
-        self.allowed.refresh_from_db()
-        self.assertEqual(self.allowed.get_meta_icon, app["meta_icon"])
-        self.assertEqual(self.allowed.meta_icon.read(), b"text")
-
    def test_check_access(self):
        """Test check_access operation"""
        self.client.force_login(self.user)
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -1,69 +0,0 @@
-"""Test Groups API"""
-from django.urls.base import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Group, User
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id
-
-
-class TestGroupsAPI(APITestCase):
-    """Test Groups API"""
-
-    def setUp(self) -> None:
-        self.admin = create_test_admin_user()
-        self.user = User.objects.create(username="test-user")
-
-    def test_add_user(self):
-        """Test add_user"""
-        group = Group.objects.create(name=generate_id())
-        self.client.force_login(self.admin)
-        res = self.client.post(
-            reverse("authentik_api:group-add-user", kwargs={"pk": group.pk}),
-            data={
-                "pk": self.user.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 204)
-        group.refresh_from_db()
-        self.assertEqual(list(group.users.all()), [self.user])
-
-    def test_add_user_404(self):
-        """Test add_user"""
-        group = Group.objects.create(name=generate_id())
-        self.client.force_login(self.admin)
-        res = self.client.post(
-            reverse("authentik_api:group-add-user", kwargs={"pk": group.pk}),
-            data={
-                "pk": self.user.pk + 3,
-            },
-        )
-        self.assertEqual(res.status_code, 404)
-
-    def test_remove_user(self):
-        """Test remove_user"""
-        group = Group.objects.create(name=generate_id())
-        group.users.add(self.user)
-        self.client.force_login(self.admin)
-        res = self.client.post(
-            reverse("authentik_api:group-remove-user", kwargs={"pk": group.pk}),
-            data={
-                "pk": self.user.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 204)
-        group.refresh_from_db()
-        self.assertEqual(list(group.users.all()), [])
-
-    def test_remove_user_404(self):
-        """Test remove_user"""
-        group = Group.objects.create(name=generate_id())
-        group.users.add(self.user)
-        self.client.force_login(self.admin)
-        res = self.client.post(
-            reverse("authentik_api:group-remove-user", kwargs={"pk": group.pk}),
-            data={
-                "pk": self.user.pk + 3,
-            },
-        )
-        self.assertEqual(res.status_code, 404)
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@ -35,7 +35,7 @@ def source_tester_factory(test_model: type[Stage]) -> Callable:

    def tester(self: TestModels):
        model_class = None
-        if test_model._meta.abstract:  # pragma: no cover
+        if test_model._meta.abstract:
            model_class = test_model.__bases__[0]()
        else:
            model_class = test_model()
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -6,8 +6,6 @@ from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from rest_framework.request import Request

-from authentik import get_build_hash
-from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.flows.models import Flow
 from authentik.tenants.api import CurrentTenantSerializer
@ -19,9 +17,6 @@ class InterfaceView(TemplateView):
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        kwargs["config_json"] = dumps(ConfigView(request=Request(self.request)).get_config().data)
        kwargs["tenant_json"] = dumps(CurrentTenantSerializer(self.request.tenant).data)
-        kwargs["version_family"] = f"{LOCAL_VERSION.major}.{LOCAL_VERSION.minor}"
-        kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
-        kwargs["build"] = get_build_hash()
        return super().get_context_data(**kwargs)


--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -15,14 +15,12 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField, IntegerField, SerializerMethodField
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

-from authentik.api.authorization import SecretKeyFilter
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
@ -205,17 +203,9 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    filterset_class = CertificateKeyPairFilter
    ordering = ["name"]
    search_fields = ["name"]
-    filter_backends = [SecretKeyFilter, OrderingFilter, SearchFilter]

    @extend_schema(
        parameters=[
-            # Override the type for `has_key` above
-            OpenApiParameter(
-                "has_key",
-                bool,
-                required=False,
-                description="Only return certificate-key pairs with keys",
-            ),
            OpenApiParameter("include_details", bool, default=True),
        ]
    )
--- a/authentik/events/middleware.py
+++ b/authentik/events/middleware.py
@ -1,7 +1,6 @@
 """Events middleware"""
 from functools import partial
-from threading import Thread
-from typing import Any, Callable, Optional
+from typing import Callable

 from django.conf import settings
 from django.contrib.sessions.models import Session
@ -14,6 +13,7 @@ from guardian.models import UserObjectPermission

 from authentik.core.models import AuthenticatedSession, User
 from authentik.events.models import Event, EventAction, Notification
+from authentik.events.signals import EventNewThread
 from authentik.events.utils import model_to_dict
 from authentik.flows.models import FlowToken
 from authentik.lib.sentry import before_send
@ -37,25 +37,6 @@ def should_log_model(model: Model) -> bool:
    return not isinstance(model, IGNORED_MODELS)


-class EventNewThread(Thread):
-    """Create Event in background thread"""
-
-    action: str
-    request: HttpRequest
-    kwargs: dict[str, Any]
-    user: Optional[User] = None
-
-    def __init__(self, action: str, request: HttpRequest, user: Optional[User] = None, **kwargs):
-        super().__init__()
-        self.action = action
-        self.request = request
-        self.user = user
-        self.kwargs = kwargs
-
-    def run(self):
-        Event.new(self.action, **self.kwargs).from_http(self.request, user=self.user)
-
-
 class AuditMiddleware:
    """Register handlers for duration of request-response that log creation/update/deletion
    of models"""
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -45,7 +45,7 @@ from authentik.stages.email.utils import TemplateEmailMessage
 from authentik.tenants.models import Tenant
 from authentik.tenants.utils import DEFAULT_TENANT

-LOGGER = get_logger()
+LOGGER = get_logger("authentik.events")
 if TYPE_CHECKING:
    from rest_framework.serializers import Serializer

@ -293,7 +293,7 @@ class Event(SerializerModel, ExpiringModel):
        return f"{self.action}: {self.context}"

    def __str__(self) -> str:
-        return f"Event action={self.action} user={self.user} context={self.context}"
+        return f"<Event action={self.action} user={self.user} context={self.context}>"

    class Meta:

--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -15,7 +15,6 @@ from authentik.events.models import Event, EventAction
 from authentik.lib.utils.errors import exception_to_string

 LOGGER = get_logger()
-CACHE_KEY_PREFIX = "goauthentik.io/events/tasks/"


 class TaskResultStatus(Enum):
@ -71,16 +70,16 @@ class TaskInfo:
    @staticmethod
    def all() -> dict[str, "TaskInfo"]:
        """Get all TaskInfo objects"""
-        return cache.get_many(cache.keys(CACHE_KEY_PREFIX + "*"))
+        return cache.get_many(cache.keys("task_*"))

    @staticmethod
    def by_name(name: str) -> Optional["TaskInfo"]:
        """Get TaskInfo Object by name"""
-        return cache.get(CACHE_KEY_PREFIX + name, None)
+        return cache.get(f"task_{name}", None)

    def delete(self):
        """Delete task info from cache"""
-        return cache.delete(CACHE_KEY_PREFIX + self.task_name)
+        return cache.delete(f"task_{self.task_name}")

    def set_prom_metrics(self):
        """Update prometheus metrics"""
@ -99,9 +98,9 @@ class TaskInfo:

    def save(self, timeout_hours=6):
        """Save task into cache"""
-        key = CACHE_KEY_PREFIX + self.task_name
+        key = f"task_{self.task_name}"
        if self.result.uid:
-            key += f"/{self.result.uid}"
+            key += f"_{self.result.uid}"
            self.task_name += f"_{self.result.uid}"
        self.set_prom_metrics()
        cache.set(key, self, timeout=timeout_hours * 60 * 60)
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -1,4 +1,5 @@
 """authentik events signal listener"""
+from threading import Thread
 from typing import Any, Optional

 from django.contrib.auth.signals import user_logged_in, user_logged_out
@ -18,45 +19,63 @@ from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 from authentik.stages.user_write.signals import user_write

-SESSION_LOGIN_EVENT = "login_event"
+
+class EventNewThread(Thread):
+    """Create Event in background thread"""
+
+    action: str
+    request: HttpRequest
+    kwargs: dict[str, Any]
+    user: Optional[User] = None
+
+    def __init__(self, action: str, request: HttpRequest, user: Optional[User] = None, **kwargs):
+        super().__init__()
+        self.action = action
+        self.request = request
+        self.user = user
+        self.kwargs = kwargs
+
+    def run(self):
+        Event.new(self.action, **self.kwargs).from_http(self.request, user=self.user)


@receiver(user_logged_in)
 # pylint: disable=unused-argument
 def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
    """Log successful login"""
-    kwargs = {}
+    thread = EventNewThread(EventAction.LOGIN, request)
    if SESSION_KEY_PLAN in request.session:
        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
        if PLAN_CONTEXT_SOURCE in flow_plan.context:
            # Login request came from an external source, save it in the context
-            kwargs[PLAN_CONTEXT_SOURCE] = flow_plan.context[PLAN_CONTEXT_SOURCE]
+            thread.kwargs[PLAN_CONTEXT_SOURCE] = flow_plan.context[PLAN_CONTEXT_SOURCE]
        if PLAN_CONTEXT_METHOD in flow_plan.context:
+            thread.kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
            # Save the login method used
-            kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
-            kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
-    event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
-    request.session[SESSION_LOGIN_EVENT] = event
-
-
-def get_login_event(request: HttpRequest) -> Optional[Event]:
-    """Wrapper to get login event that can be mocked in tests"""
-    return request.session.get(SESSION_LOGIN_EVENT, None)
+            thread.kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(
+                PLAN_CONTEXT_METHOD_ARGS, {}
+            )
+    thread.user = user
+    thread.run()


@receiver(user_logged_out)
 # pylint: disable=unused-argument
 def on_user_logged_out(sender, request: HttpRequest, user: User, **_):
    """Log successfully logout"""
-    Event.new(EventAction.LOGOUT).from_http(request, user=user)
+    thread = EventNewThread(EventAction.LOGOUT, request)
+    thread.user = user
+    thread.run()


@receiver(user_write)
 # pylint: disable=unused-argument
 def on_user_write(sender, request: HttpRequest, user: User, data: dict[str, Any], **kwargs):
    """Log User write"""
-    data["created"] = kwargs.get("created", False)
-    Event.new(EventAction.USER_WRITE, **data).from_http(request, user=user)
+    thread = EventNewThread(EventAction.USER_WRITE, request, **data)
+    thread.kwargs["created"] = kwargs.get("created", False)
+    thread.user = user
+    thread.run()


@receiver(login_failed)
@ -70,23 +89,26 @@ def on_login_failed(
    **kwargs,
 ):
    """Failed Login, authentik custom event"""
-    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(request)
+    thread = EventNewThread(EventAction.LOGIN_FAILED, request, **credentials, stage=stage, **kwargs)
+    thread.run()


@receiver(invitation_used)
 # pylint: disable=unused-argument
 def on_invitation_used(sender, request: HttpRequest, invitation: Invitation, **_):
    """Log Invitation usage"""
-    Event.new(EventAction.INVITE_USED, invitation_uuid=invitation.invite_uuid.hex).from_http(
-        request
+    thread = EventNewThread(
+        EventAction.INVITE_USED, request, invitation_uuid=invitation.invite_uuid.hex
    )
+    thread.run()


@receiver(password_changed)
 # pylint: disable=unused-argument
 def on_password_changed(sender, user: User, password: str, **_):
    """Log password change"""
-    Event.new(EventAction.PASSWORD_SET).from_http(None, user=user)
+    thread = EventNewThread(EventAction.PASSWORD_SET, None, user=user)
+    thread.run()


@receiver(post_save, sender=Event)
--- a/authentik/events/utils.py
+++ b/authentik/events/utils.py
@ -1,9 +1,7 @@
 """event utilities"""
 import re
-from copy import copy
 from dataclasses import asdict, is_dataclass
 from pathlib import Path
-from types import GeneratorType
 from typing import Any, Optional
 from uuid import UUID

@ -88,21 +86,13 @@ def sanitize_item(value: Any) -> Any:
    """Sanitize a single item, ensure it is JSON parsable"""
    if is_dataclass(value):
        # Because asdict calls `copy.deepcopy(obj)` on everything that's not tuple/dict,
-        # and deepcopy doesn't work with HttpRequest (neither django nor rest_framework).
-        # (more specifically doesn't work with ResolverMatch)
-        # rest_framework's custom Request class makes this more complicated as it also holds a
-        # thread lock.
-        # Since this class is mainly used for Events which already hold the http request context
-        # we just remove the http_request from the shallow policy request
+        # and deepcopy doesn't work with HttpRequests (neither django nor rest_framework).
        # Currently, the only dataclass that actually holds an http request is a PolicyRequest
-        if isinstance(value, PolicyRequest) and value.http_request is not None:
-            value: PolicyRequest = copy(value)
+        if isinstance(value, PolicyRequest):
            value.http_request = None
        value = asdict(value)
    if isinstance(value, dict):
        return sanitize_dict(value)
-    if isinstance(value, GeneratorType):
-        return sanitize_item(list(value))
    if isinstance(value, list):
        new_values = []
        for item in value:
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -1,6 +1,7 @@
 """Flow API Views"""
 from django.core.cache import cache
 from django.http import HttpResponse
+from django.http.response import HttpResponseBadRequest
 from django.urls import reverse
 from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
@ -18,19 +19,19 @@ from authentik.api.decorators import permission_required
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import CacheSerializer, LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import (
+    CacheSerializer,
+    FilePathSerializer,
+    FileUploadSerializer,
+    LinkSerializer,
+    PassiveSerializer,
+)
 from authentik.events.utils import sanitize_dict
 from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
-from authentik.flows.planner import CACHE_PREFIX, PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
 from authentik.flows.views.executor import SESSION_KEY_HISTORY, SESSION_KEY_PLAN
-from authentik.lib.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.lib.views import bad_request_message

 LOGGER = get_logger()
@ -122,7 +123,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, pagination_class=None, filter_backends=[])
    def cache_info(self, request: Request) -> Response:
        """Info about cached flows"""
-        return Response(data={"count": len(cache.keys(f"{CACHE_PREFIX}*"))})
+        return Response(data={"count": len(cache.keys("flow_*"))})

    @permission_required(None, ["authentik_flows.clear_flow_cache"])
    @extend_schema(
@ -135,7 +136,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, methods=["POST"])
    def cache_clear(self, request: Request) -> Response:
        """Clear flow cache"""
-        keys = cache.keys(f"{CACHE_PREFIX}*")
+        keys = cache.keys("flow_*")
        cache.delete_many(keys)
        LOGGER.debug("Cleared flow cache", keys=len(keys))
        return Response(status=204)
@ -249,7 +250,25 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    def set_background(self, request: Request, slug: str):
        """Set Flow background"""
        flow: Flow = self.get_object()
-        return set_file(request, flow, "background")
+        background = request.FILES.get("file", None)
+        clear = request.data.get("clear", "false").lower() == "true"
+        if clear:
+            if flow.background_url.startswith("/media"):
+                # .delete() saves the model by default
+                flow.background.delete()
+            else:
+                flow.background = None
+                flow.save()
+            return Response({})
+        if background:
+            flow.background = background
+            try:
+                flow.save()
+            except PermissionError as exc:
+                LOGGER.warning("Failed to save icon", exc=exc)
+                return HttpResponseBadRequest()
+            return Response({})
+        return HttpResponseBadRequest()

    @permission_required("authentik_core.change_application")
    @extend_schema(
@ -269,7 +288,12 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    def set_background_url(self, request: Request, slug: str):
        """Set Flow background (as URL)"""
        flow: Flow = self.get_object()
-        return set_file_url(request, flow, "background")
+        url = request.data.get("url", None)
+        if not url:
+            return HttpResponseBadRequest()
+        flow.background.name = url
+        flow.save()
+        return Response({})

    @extend_schema(
        responses={
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -1,6 +1,7 @@
 """Challenge helpers"""
 from dataclasses import asdict, is_dataclass
 from enum import Enum
+from traceback import format_tb
 from typing import TYPE_CHECKING, Optional, TypedDict
 from uuid import UUID

@ -8,10 +9,8 @@ from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
 from rest_framework.fields import CharField, ChoiceField, DictField
-from rest_framework.request import Request

 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.utils.errors import exception_to_string

 if TYPE_CHECKING:
    from authentik.flows.stage import StageView
@ -91,31 +90,32 @@ class WithUserInfoChallenge(Challenge):
    pending_user_avatar = CharField()


-class FlowErrorChallenge(Challenge):
+class FlowErrorChallenge(WithUserInfoChallenge):
    """Challenge class when an unhandled error occurs during a stage. Normal users
    are shown an error message, superusers are shown a full stacktrace."""

-    type = CharField(default=ChallengeTypes.NATIVE.value)
-    component = CharField(default="ak-stage-flow-error")
+    component = CharField(default="xak-flow-error")

    request_id = CharField()

    error = CharField(required=False)
    traceback = CharField(required=False)

-    def __init__(self, request: Optional[Request] = None, error: Optional[Exception] = None):
-        super().__init__(data={})
+    def __init__(self, *args, **kwargs):
+        request = kwargs.pop("request", None)
+        error = kwargs.pop("error", None)
+        super().__init__(*args, **kwargs)
        if not request or not error:
            return
-        self.initial_data["request_id"] = request.request_id
+        self.request_id = request.request_id
        from authentik.core.models import USER_ATTRIBUTE_DEBUG

        if request.user and request.user.is_authenticated:
            if request.user.is_superuser or request.user.group_attributes(request).get(
                USER_ATTRIBUTE_DEBUG, False
            ):
-                self.initial_data["error"] = str(error)
-                self.initial_data["traceback"] = exception_to_string(error)
+                self.error = error
+                self.traceback = "".join(format_tb(self.error.__traceback__))


 class AccessDeniedChallenge(WithUserInfoChallenge):
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -14,7 +14,6 @@ from authentik.core.models import Token
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.challenge import FlowLayout
 from authentik.lib.models import InheritanceForeignKey, SerializerModel
-from authentik.lib.utils.reflection import class_to_path
 from authentik.policies.models import PolicyBindingModel

 if TYPE_CHECKING:
@ -111,8 +110,6 @@ def in_memory_stage(view: type["StageView"], **kwargs) -> Stage:
    # we set the view as a separate property and reference a generic function
    # that returns that member
    setattr(stage, "__in_memory_type", view)
-    setattr(stage, "name", _("Dynamic In-memory stage: %(doc)s" % {"doc": view.__doc__}))
-    setattr(stage._meta, "verbose_name", class_to_path(view))
    for key, value in kwargs.items():
        setattr(stage, key, value)
    return stage
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -34,12 +34,11 @@ PLAN_CONTEXT_SOURCE = "source"
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
 CACHE_TIMEOUT = int(CONFIG.y("redis.cache_timeout_flows"))
-CACHE_PREFIX = "goauthentik.io/flows/planner/"


 def cache_key(flow: Flow, user: Optional[User] = None) -> str:
    """Generate Cache key for flow"""
-    prefix = CACHE_PREFIX + str(flow.pk)
+    prefix = f"flow_{flow.pk}"
    if user:
        prefix += f"#{user.pk}"
    return prefix
@ -168,7 +167,6 @@ class FlowPlanner:
            # First off, check the flow's direct policy bindings
            # to make sure the user even has access to the flow
            engine = PolicyEngine(self.flow, user, request)
-            engine.use_cache = self.use_cache
            if default_context:
                span.set_data("default_context", cleanse_dict(default_context))
                engine.request.context.update(default_context)
@ -234,7 +232,6 @@ class FlowPlanner:
                        stage=stage,
                    )
                    engine = PolicyEngine(binding, user, request)
-                    engine.use_cache = self.use_cache
                    engine.request.context["flow_plan"] = plan
                    engine.request.context.update(plan.context)
                    engine.build()
--- a/authentik/flows/signals.py
+++ b/authentik/flows/signals.py
@ -5,7 +5,6 @@ from django.dispatch import receiver
 from structlog.stdlib import get_logger

 from authentik.flows.apps import GAUGE_FLOWS_CACHED
-from authentik.flows.planner import CACHE_PREFIX
 from authentik.root.monitoring import monitoring_set

 LOGGER = get_logger()
@ -22,7 +21,7 @@ def delete_cache_prefix(prefix: str) -> int:
 # pylint: disable=unused-argument
 def monitoring_set_flows(sender, **kwargs):
    """set flow gauges"""
-    GAUGE_FLOWS_CACHED.set(len(cache.keys(f"{CACHE_PREFIX}*") or []))
+    GAUGE_FLOWS_CACHED.set(len(cache.keys("flow_*") or []))


@receiver(post_save)
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -44,7 +44,6 @@ from authentik.flows.models import (
    Stage,
 )
 from authentik.flows.planner import (
-    CACHE_PREFIX,
    PLAN_CONTEXT_IS_RESTORED,
    PLAN_CONTEXT_PENDING_USER,
    PLAN_CONTEXT_REDIRECT,
@ -217,7 +216,7 @@ class FlowExecutorView(APIView):
                self._logger.warning(
                    "f(exec): found incompatible flow plan, invalidating run", exc=exc
                )
-                keys = cache.keys(f"{CACHE_PREFIX}*")
+                keys = cache.keys("flow_*")
                cache.delete_many(keys)
                return self.stage_invalid()
            if not next_binding:
@ -255,7 +254,7 @@ class FlowExecutorView(APIView):
            message=exception_to_string(exc),
        ).from_http(self.request)
        challenge = FlowErrorChallenge(self.request, exc)
-        challenge.is_valid(raise_exception=True)
+        challenge.is_valid()
        return to_stage_response(self.request, HttpChallengeResponse(challenge))

    @extend_schema(
@ -352,7 +351,7 @@ class FlowExecutorView(APIView):
            # from the cache. If there are errors, just delete all cached flows
            _ = plan.has_stages
        except Exception:  # pylint: disable=broad-except
-            keys = cache.keys(f"{CACHE_PREFIX}*")
+            keys = cache.keys("flow_*")
            cache.delete_many(keys)
            return self._initiate_plan()
        return plan
@ -378,9 +377,7 @@ class FlowExecutorView(APIView):
            # an expression policy or authentik itself, so we don't
            # check if its an absolute URL or a relative one
            self.cancel()
-            return to_stage_response(
-                self.request, redirect(self.plan.context.get(PLAN_CONTEXT_REDIRECT))
-            )
+            return redirect(self.plan.context.get(PLAN_CONTEXT_REDIRECT))
        next_param = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:root-redirect"
        )
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -19,7 +19,10 @@ redis:
  password: ''
  tls: false
  tls_reqs: "none"
-  db: 0
+  cache_db: 0
+  message_queue_db: 1
+  ws_db: 2
+  outpost_session_db: 3
  cache_timeout: 300
  cache_timeout_flows: 300
  cache_timeout_policies: 300
@ -29,9 +32,9 @@ debug: false

 log_level: info

+# Error reporting, sends stacktrace to sentry.beryju.org
 error_reporting:
  enabled: false
-  sentry_dsn: https://151ba72610234c4c97c5bcff4e1cffd8@o4504163616882688.ingest.sentry.io/4504163677503489
  environment: customer
  send_pii: false
  sample_rate: 0.1
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -42,7 +42,7 @@ class BaseEvaluator:
            "ak_user_by": BaseEvaluator.expr_user_by,
            "ak_user_has_authenticator": BaseEvaluator.expr_func_user_has_authenticator,
            "ak_create_event": self.expr_event_create,
-            "ak_logger": get_logger(self._filename).bind(),
+            "ak_logger": get_logger(self._filename),
            "requests": get_http_session(),
            "ip_address": ip_address,
            "ip_network": ip_network,
@ -99,16 +99,13 @@ class BaseEvaluator:
    def expr_event_create(self, action: str, **kwargs):
        """Create event with supplied data and try to extract as much relevant data
        from the context"""
-        # If the result was a complex variable, we don't want to re-use it
-        self._context.pop("result", None)
-        self._context.pop("handler", None)
        kwargs["context"] = self._context
        event = Event.new(
            action,
            app=self._filename,
            **kwargs,
        )
-        if "request" in self._context and isinstance(self._context["request"], PolicyRequest):
+        if "request" in self._context and isinstance(PolicyRequest, self._context["request"]):
            policy_request: PolicyRequest = self._context["request"]
            if policy_request.http_request:
                event.from_http(policy_request)
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -34,6 +34,7 @@ from authentik.lib.utils.http import authentik_user_agent
 from authentik.lib.utils.reflection import class_to_path, get_env

 LOGGER = get_logger()
+SENTRY_DSN = "https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8"


 class SentryWSMiddleware(BaseMiddleware):
@ -66,14 +67,11 @@ def sentry_init(**sentry_init_kwargs):
    kwargs = {
        "environment": sentry_env,
        "send_default_pii": CONFIG.y_bool("error_reporting.send_pii", False),
-        "_experiments": {
-            "profiles_sample_rate": float(CONFIG.y("error_reporting.sample_rate", 0.1)),
-        },
    }
    kwargs.update(**sentry_init_kwargs)
    # pylint: disable=abstract-class-instantiated
    sentry_sdk_init(
-        dsn=CONFIG.y("error_reporting.sentry_dsn"),
+        dsn=SENTRY_DSN,
        integrations=[
            DjangoIntegration(transaction_style="function_name"),
            CeleryIntegration(),
--- a/authentik/lib/tests/test_serializer_model.py
+++ b/authentik/lib/tests/test_serializer_model.py
@ -19,7 +19,7 @@ def model_tester_factory(test_model: type[Stage]) -> Callable:
    def tester(self: TestModels):
        try:
            model_class = None
-            if test_model._meta.abstract:  # pragma: no cover
+            if test_model._meta.abstract:
                return
            model_class = test_model()
            self.assertTrue(issubclass(model_class.serializer, BaseSerializer))
--- a/authentik/lib/utils/file.py
+++ b/authentik/lib/utils/file.py
@ -1,55 +0,0 @@
-"""file utils"""
-from django.db.models import Model
-from django.http import HttpResponseBadRequest
-from rest_framework.fields import BooleanField, CharField, FileField
-from rest_framework.request import Request
-from rest_framework.response import Response
-from structlog import get_logger
-
-from authentik.core.api.utils import PassiveSerializer
-
-LOGGER = get_logger()
-
-
-class FileUploadSerializer(PassiveSerializer):
-    """Serializer to upload file"""
-
-    file = FileField(required=False)
-    clear = BooleanField(default=False)
-
-
-class FilePathSerializer(PassiveSerializer):
-    """Serializer to upload file"""
-
-    url = CharField()
-
-
-def set_file(request: Request, obj: Model, field_name: str):
-    """Upload file"""
-    field = getattr(obj, field_name)
-    file = request.FILES.get("file", None)
-    clear = request.data.get("clear", "false").lower() == "true"
-    if clear:
-        # .delete() saves the model by default
-        field.delete()
-        return Response({})
-    if file:
-        setattr(obj, field_name, file)
-        try:
-            obj.save()
-        except PermissionError as exc:
-            LOGGER.warning("Failed to save file", exc=exc)
-            return HttpResponseBadRequest()
-        return Response({})
-    return HttpResponseBadRequest()
-
-
-def set_file_url(request: Request, obj: Model, field: str):
-    """Set file field to URL"""
-    field = getattr(obj, field)
-    url = request.data.get("url", None)
-    if url is None:
-        return HttpResponseBadRequest()
-    field.name = url
-    obj.save()
-    return Response({})
--- a/authentik/lib/utils/reflection.py
+++ b/authentik/lib/utils/reflection.py
@ -48,14 +48,14 @@ def get_apps():

 def get_env() -> str:
    """Get environment in which authentik is currently running"""
-    if "CI" in os.environ:
-        return "ci"
-    if CONFIG.y_bool("debug"):
-        return "dev"
    if SERVICE_HOST_ENV_NAME in os.environ:
        return "kubernetes"
+    if "CI" in os.environ:
+        return "ci"
    if Path("/tmp/authentik-mode").exists():  # nosec
        return "compose"
+    if CONFIG.y_bool("debug"):
+        return "dev"
    if "AK_APPLIANCE" in os.environ:
        return os.environ["AK_APPLIANCE"]
    return "custom"
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -19,13 +19,7 @@ from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import Provider
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
 from authentik.outposts.apps import MANAGED_OUTPOST
-from authentik.outposts.models import (
-    Outpost,
-    OutpostConfig,
-    OutpostState,
-    OutpostType,
-    default_outpost_config,
-)
+from authentik.outposts.models import Outpost, OutpostConfig, OutpostType, default_outpost_config
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider

@ -102,7 +96,6 @@ class OutpostDefaultConfigSerializer(PassiveSerializer):
 class OutpostHealthSerializer(PassiveSerializer):
    """Outpost health status"""

-    uid = CharField(read_only=True)
    last_seen = DateTimeField(read_only=True)
    version = CharField(read_only=True)
    version_should = CharField(read_only=True)
@ -112,8 +105,6 @@ class OutpostHealthSerializer(PassiveSerializer):
    build_hash = CharField(read_only=True, required=False)
    build_hash_should = CharField(read_only=True, required=False)

-    hostname = CharField(read_only=True, required=False)
-

 class OutpostFilter(FilterSet):
    """Filter for Outposts"""
@ -154,16 +145,13 @@ class OutpostViewSet(UsedByMixin, ModelViewSet):
        outpost: Outpost = self.get_object()
        states = []
        for state in outpost.state:
-            state: OutpostState
            states.append(
                {
-                    "uid": state.uid,
                    "last_seen": state.last_seen,
                    "version": state.version,
                    "version_should": state.version_should,
                    "version_outdated": state.version_outdated,
                    "build_hash": state.build_hash,
-                    "hostname": state.hostname,
                    "build_hash_should": get_build_hash(),
                }
            )
--- a/authentik/outposts/api/service_connections.py
+++ b/authentik/outposts/api/service_connections.py
@ -143,7 +143,7 @@ class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
    class Meta:

        model = KubernetesServiceConnection
-        fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig", "verify_ssl"]
+        fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig"]


 class KubernetesServiceConnectionViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
@ -98,7 +98,6 @@ class OutpostConsumer(AuthJsonConsumer):
        if self.channel_name not in state.channel_ids:
            state.channel_ids.append(self.channel_name)
        state.last_seen = datetime.now()
-        state.hostname = msg.args.get("hostname", "")

        if not self.first_msg:
            GAUGE_OUTPOSTS_CONNECTED.labels(
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -36,7 +36,6 @@ class KubernetesClient(ApiClient, BaseClient):
                load_incluster_config(client_configuration=config)
            else:
                load_kube_config_from_dict(connection.kubeconfig, client_configuration=config)
-            config.verify_ssl = connection.verify_ssl
            super().__init__(config)
        except ConfigException as exc:
            raise ServiceConnectionInvalid(exc) from exc
--- a/authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py
+++ b/authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py
@ -1,20 +0,0 @@
-# Generated by Django 4.1.3 on 2022-11-14 12:56
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_outposts", "0001_squashed_0017_outpost_managed"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="kubernetesserviceconnection",
-            name="verify_ssl",
-            field=models.BooleanField(
-                default=True, help_text="Verify SSL Certificates of the Kubernetes API endpoint"
-            ),
-        ),
-    ]
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -13,7 +13,7 @@ from django.utils.translation import gettext_lazy as _
 from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from model_utils.managers import InheritanceManager
-from packaging.version import Version, parse
+from packaging.version import LegacyVersion, Version, parse
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 class OutpostConfig:
    """Configuration an outpost uses to configure it self"""

-    # update website/docs/outposts/_config.md
+    # update website/docs/outposts/outposts.md

    authentik_host: str = ""
    authentik_host_insecure: bool = False
@ -62,17 +62,16 @@ class OutpostConfig:
    log_level: str = CONFIG.y("log_level")
    object_naming_template: str = field(default="ak-outpost-%(name)s")

-    container_image: Optional[str] = field(default=None)
-
    docker_network: Optional[str] = field(default=None)
    docker_map_ports: bool = field(default=True)
    docker_labels: Optional[dict[str, str]] = field(default=None)

+    container_image: Optional[str] = field(default=None)
+
    kubernetes_replicas: int = field(default=1)
    kubernetes_namespace: str = field(default_factory=get_namespace)
    kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
    kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
-    kubernetes_ingress_class_name: Optional[str] = field(default=None)
    kubernetes_service_type: str = field(default="ClusterIP")
    kubernetes_disabled_components: list[str] = field(default_factory=list)
    kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
@ -225,9 +224,6 @@ class KubernetesServiceConnection(SerializerModel, OutpostServiceConnection):
        ),
        blank=True,
    )
-    verify_ssl = models.BooleanField(
-        default=True, help_text=_("Verify SSL Certificates of the Kubernetes API endpoint")
-    )

    @property
    def serializer(self) -> Serializer:
@ -292,7 +288,7 @@ class Outpost(SerializerModel, ManagedModel):
    @property
    def state_cache_prefix(self) -> str:
        """Key by which the outposts status is saved"""
-        return f"goauthentik.io/outposts/{self.uuid.hex}_state"
+        return f"outpost_{self.uuid.hex}_state"

    @property
    def state(self) -> list["OutpostState"]:
@ -429,9 +425,8 @@ class OutpostState:
    channel_ids: list[str] = field(default_factory=list)
    last_seen: Optional[datetime] = field(default=None)
    version: Optional[str] = field(default=None)
-    version_should: Version = field(default=OUR_VERSION)
+    version_should: Version | LegacyVersion = field(default=OUR_VERSION)
    build_hash: str = field(default="")
-    hostname: str = field(default="")

    _outpost: Optional[Outpost] = field(default=None)

--- a/authentik/policies/api/policies.py
+++ b/authentik/policies/api/policies.py
@ -21,7 +21,7 @@ from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.exec import PolicyTestResultSerializer, PolicyTestSerializer
 from authentik.policies.models import Policy, PolicyBinding
 from authentik.policies.process import PolicyProcess
-from authentik.policies.types import CACHE_PREFIX, PolicyRequest
+from authentik.policies.types import PolicyRequest

 LOGGER = get_logger()

@ -114,7 +114,7 @@ class PolicyViewSet(
    @action(detail=False, pagination_class=None, filter_backends=[])
    def cache_info(self, request: Request) -> Response:
        """Info about cached policies"""
-        return Response(data={"count": len(cache.keys(f"{CACHE_PREFIX}*"))})
+        return Response(data={"count": len(cache.keys("policy_*"))})

    @permission_required(None, ["authentik_policies.clear_policy_cache"])
    @extend_schema(
@ -127,7 +127,7 @@ class PolicyViewSet(
    @action(detail=False, methods=["POST"])
    def cache_clear(self, request: Request) -> Response:
        """Clear policy cache"""
-        keys = cache.keys(f"{CACHE_PREFIX}*")
+        keys = cache.keys("policy_*")
        cache.delete_many(keys)
        LOGGER.debug("Cleared Policy cache", keys=len(keys))
        # Also delete user application cache
--- a/authentik/policies/expression/evaluator.py
+++ b/authentik/policies/expression/evaluator.py
@ -87,7 +87,7 @@ class PolicyEvaluator(BaseEvaluator):
                LOGGER.warning(
                    "Expression policy returned None",
                    src=expression_source,
-                    policy=self._filename,
+                    req=self._context,
                )
                policy_result.passing = False
            if result:
--- a/authentik/policies/expression/tests.py
+++ b/authentik/policies/expression/tests.py
@ -1,17 +1,13 @@
 """evaluator tests"""
-from django.test import RequestFactory, TestCase
+from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import ValidationError
 from rest_framework.test import APITestCase

-from authentik.core.models import Application
-from authentik.lib.generators import generate_id
 from authentik.policies.exceptions import PolicyException
 from authentik.policies.expression.api import ExpressionPolicySerializer
 from authentik.policies.expression.evaluator import PolicyEvaluator
 from authentik.policies.expression.models import ExpressionPolicy
-from authentik.policies.models import PolicyBinding
-from authentik.policies.process import PolicyProcess
 from authentik.policies.types import PolicyRequest


@ -19,15 +15,7 @@ class TestEvaluator(TestCase):
    """Evaluator tests"""

    def setUp(self):
-        factory = RequestFactory()
-        self.http_request = factory.get("/")
-        self.obj = Application.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-        )
        self.request = PolicyRequest(user=get_anonymous_user())
-        self.request.obj = self.obj
-        self.request.http_request = self.http_request

    def test_full(self):
        """Test full with Policy instance"""
@ -75,41 +63,6 @@ class TestEvaluator(TestCase):
        with self.assertRaises(ValidationError):
            evaluator.validate(template)

-    def test_execution_logging(self):
-        """test execution_logging"""
-        expr = ExpressionPolicy.objects.create(
-            name=generate_id(),
-            execution_logging=True,
-            expression="ak_message(request.http_request.path)\nreturn True",
-        )
-        evaluator = PolicyEvaluator("test")
-        evaluator.set_policy_request(self.request)
-        proc = PolicyProcess(PolicyBinding(policy=expr), request=self.request, connection=None)
-        res = proc.profiling_wrapper()
-        self.assertEqual(res.messages, ("/",))
-
-    def test_call_policy(self):
-        """test ak_call_policy"""
-        expr = ExpressionPolicy.objects.create(
-            name=generate_id(),
-            execution_logging=True,
-            expression="ak_message(request.http_request.path)\nreturn True",
-        )
-        tmpl = (
-            """
-        ak_message(request.http_request.path)
-        res = ak_call_policy('%s')
-        ak_message(request.http_request.path)
-        for msg in res.messages:
-            ak_message(msg)
-        """
-            % expr.name
-        )
-        evaluator = PolicyEvaluator("test")
-        evaluator.set_policy_request(self.request)
-        res = evaluator.evaluate(tmpl)
-        self.assertEqual(res.messages, ("/", "/", "/"))
-

 class TestExpressionPolicyAPI(APITestCase):
    """Test expression policy's API"""
--- a/authentik/policies/hibp/models.py
+++ b/authentik/policies/hibp/models.py
@ -15,7 +15,7 @@ LOGGER = get_logger()


 class HaveIBeenPwendPolicy(Policy):
-    """DEPRECATED. Check if password is on HaveIBeenPwned's list by uploading the first
+    """Check if password is on HaveIBeenPwned's list by uploading the first
    5 characters of the SHA1 Hash."""

    password_field = models.TextField(
--- a/authentik/policies/migrations/0009_alter_policy_name.py
+++ b/authentik/policies/migrations/0009_alter_policy_name.py
@ -1,19 +0,0 @@
-# Generated by Django 4.1.4 on 2022-12-25 13:46
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_policies", "0008_policybinding_authentik_p_policy__534e15_idx_and_more"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="policy",
-            name="name",
-            field=models.TextField(default="unnamed-policy"),
-            preserve_default=False,
-        ),
-    ]
--- a/authentik/policies/models.py
+++ b/authentik/policies/models.py
@ -41,9 +41,6 @@ class PolicyBindingModel(models.Model):

    objects = InheritanceManager()

-    def __str__(self) -> str:
-        return f"PolicyBindingModel {self.pbm_uuid}"
-
    class Meta:
        verbose_name = _("Policy Binding Model")
        verbose_name_plural = _("Policy Binding Models")
@ -138,7 +135,6 @@ class PolicyBinding(SerializerModel):
            return f"Binding from {self.target} #{self.order} to {suffix}"
        except PolicyBinding.target.RelatedObjectDoesNotExist:  # pylint: disable=no-member
            return f"Binding - #{self.order} to {suffix}"
-        return ""

    class Meta:

@ -159,7 +155,7 @@ class Policy(SerializerModel, CreatedUpdatedModel):

    policy_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

-    name = models.TextField()
+    name = models.TextField(blank=True, null=True)

    execution_logging = models.BooleanField(
        default=False,
@ -179,7 +175,7 @@ class Policy(SerializerModel, CreatedUpdatedModel):
        raise NotImplementedError

    def __str__(self):
-        return str(self.name)
+        return self.name

    def passes(self, request: PolicyRequest) -> PolicyResult:  # pragma: no cover
        """Check if request passes this policy"""
--- a/authentik/policies/password/api.py
+++ b/authentik/policies/password/api.py
@ -20,11 +20,6 @@ class PasswordPolicySerializer(PolicySerializer):
            "length_min",
            "symbol_charset",
            "error_message",
-            "check_static_rules",
-            "check_have_i_been_pwned",
-            "check_zxcvbn",
-            "hibp_allowed_count",
-            "zxcvbn_score_threshold",
        ]


--- a/authentik/policies/password/migrations/0005_passwordpolicy_check_have_i_been_pwned_and_more.py
+++ b/authentik/policies/password/migrations/0005_passwordpolicy_check_have_i_been_pwned_and_more.py
@ -1,73 +0,0 @@
-# Generated by Django 4.1.3 on 2022-11-14 09:23
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_hibp_policy(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
-
-    HaveIBeenPwendPolicy = apps.get_model("authentik_policies_hibp", "HaveIBeenPwendPolicy")
-    PasswordPolicy = apps.get_model("authentik_policies_password", "PasswordPolicy")
-
-    PolicyBinding = apps.get_model("authentik_policies", "PolicyBinding")
-
-    for old_policy in HaveIBeenPwendPolicy.objects.using(db_alias).all():
-        new_policy = PasswordPolicy.objects.using(db_alias).create(
-            name=old_policy.name,
-            hibp_allowed_count=old_policy.allowed_count,
-            password_field=old_policy.password_field,
-            execution_logging=old_policy.execution_logging,
-            check_static_rules=False,
-            check_have_i_been_pwned=True,
-        )
-        PolicyBinding.objects.using(db_alias).filter(policy=old_policy).update(policy=new_policy)
-        old_policy.delete()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_policies_hibp", "0003_haveibeenpwendpolicy_authentik_p_policy__6957d7_idx"),
-        ("authentik_policies_password", "0004_passwordpolicy_authentik_p_policy__855e80_idx"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="passwordpolicy",
-            name="check_have_i_been_pwned",
-            field=models.BooleanField(default=False),
-        ),
-        migrations.AddField(
-            model_name="passwordpolicy",
-            name="check_static_rules",
-            field=models.BooleanField(default=True),
-        ),
-        migrations.AddField(
-            model_name="passwordpolicy",
-            name="check_zxcvbn",
-            field=models.BooleanField(default=False),
-        ),
-        migrations.AddField(
-            model_name="passwordpolicy",
-            name="hibp_allowed_count",
-            field=models.PositiveIntegerField(
-                default=0,
-                help_text="How many times the password hash is allowed to be on haveibeenpwned",
-            ),
-        ),
-        migrations.AddField(
-            model_name="passwordpolicy",
-            name="zxcvbn_score_threshold",
-            field=models.PositiveIntegerField(
-                default=2,
-                help_text="If the zxcvbn score is equal or less than this value, the policy will fail.",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="passwordpolicy",
-            name="error_message",
-            field=models.TextField(blank=True),
-        ),
-        migrations.RunPython(migrate_hibp_policy),
-    ]
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -1,14 +1,11 @@
-"""password policy"""
+"""user field matcher models"""
 import re
-from hashlib import sha1

 from django.db import models
 from django.utils.translation import gettext as _
 from rest_framework.serializers import BaseSerializer
 from structlog.stdlib import get_logger
-from zxcvbn import zxcvbn

-from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
@ -27,27 +24,13 @@ class PasswordPolicy(Policy):
        help_text=_("Field key to check, field keys defined in Prompt stages are available."),
    )

-    check_static_rules = models.BooleanField(default=True)
-    check_have_i_been_pwned = models.BooleanField(default=False)
-    check_zxcvbn = models.BooleanField(default=False)
-
    amount_digits = models.PositiveIntegerField(default=0)
    amount_uppercase = models.PositiveIntegerField(default=0)
    amount_lowercase = models.PositiveIntegerField(default=0)
    amount_symbols = models.PositiveIntegerField(default=0)
    length_min = models.PositiveIntegerField(default=0)
    symbol_charset = models.TextField(default=r"!\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ")
-    error_message = models.TextField(blank=True)
-
-    hibp_allowed_count = models.PositiveIntegerField(
-        default=0,
-        help_text=_("How many times the password hash is allowed to be on haveibeenpwned"),
-    )
-
-    zxcvbn_score_threshold = models.PositiveIntegerField(
-        default=2,
-        help_text=_("If the zxcvbn score is equal or less than this value, the policy will fail."),
-    )
+    error_message = models.TextField()

    @property
    def serializer(self) -> type[BaseSerializer]:
@ -59,105 +42,48 @@ class PasswordPolicy(Policy):
    def component(self) -> str:
        return "ak-policy-password-form"

+    # pylint: disable=too-many-return-statements
    def passes(self, request: PolicyRequest) -> PolicyResult:
-        password = request.context.get(PLAN_CONTEXT_PROMPT, {}).get(
-            self.password_field, request.context.get(self.password_field)
-        )
-        if not password:
+        if (
+            self.password_field not in request.context
+            and self.password_field not in request.context.get(PLAN_CONTEXT_PROMPT, {})
+        ):
            LOGGER.warning(
                "Password field not set in Policy Request",
                field=self.password_field,
                fields=request.context.keys(),
+                prompt_fields=request.context.get(PLAN_CONTEXT_PROMPT, {}).keys(),
            )
            return PolicyResult(False, _("Password not set in context"))
-        password = str(password)

-        if self.check_static_rules:
-            static_result = self.passes_static(password, request)
-            if not static_result.passing:
-                return static_result
-        if self.check_have_i_been_pwned:
-            hibp_result = self.passes_hibp(password, request)
-            if not hibp_result.passing:
-                return hibp_result
-        if self.check_zxcvbn:
-            zxcvbn_result = self.passes_zxcvbn(password, request)
-            if not zxcvbn_result.passing:
-                return zxcvbn_result
-        return PolicyResult(True)
+        if self.password_field in request.context:
+            password = request.context[self.password_field]
+        else:
+            password = request.context[PLAN_CONTEXT_PROMPT][self.password_field]

-    # pylint: disable=too-many-return-statements
-    def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
-        """Check static rules"""
        if len(password) < self.length_min:
-            LOGGER.debug("password failed", check="static", reason="length")
+            LOGGER.debug("password failed", reason="length")
            return PolicyResult(False, self.error_message)

        if self.amount_digits > 0 and len(RE_DIGITS.findall(password)) < self.amount_digits:
-            LOGGER.debug("password failed", check="static", reason="amount_digits")
+            LOGGER.debug("password failed", reason="amount_digits")
            return PolicyResult(False, self.error_message)
        if self.amount_lowercase > 0 and len(RE_LOWER.findall(password)) < self.amount_lowercase:
-            LOGGER.debug("password failed", check="static", reason="amount_lowercase")
+            LOGGER.debug("password failed", reason="amount_lowercase")
            return PolicyResult(False, self.error_message)
        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_lowercase:
-            LOGGER.debug("password failed", check="static", reason="amount_uppercase")
+            LOGGER.debug("password failed", reason="amount_uppercase")
            return PolicyResult(False, self.error_message)
        if self.amount_symbols > 0:
            count = 0
            for symbol in self.symbol_charset:
                count += password.count(symbol)
            if count < self.amount_symbols:
-                LOGGER.debug("password failed", check="static", reason="amount_symbols")
+                LOGGER.debug("password failed", reason="amount_symbols")
                return PolicyResult(False, self.error_message)

        return PolicyResult(True)

-    def check_hibp(self, short_hash: str) -> str:
-        """Check the haveibeenpwned API"""
-        url = f"https://api.pwnedpasswords.com/range/{short_hash}"
-        return get_http_session().get(url).text
-
-    def passes_hibp(self, password: str, request: PolicyRequest) -> PolicyResult:
-        """Check if password is in HIBP DB. Hashes given Password with SHA1, uses the first 5
-        characters of Password in request and checks if full hash is in response. Returns 0
-        if Password is not in result otherwise the count of how many times it was used."""
-        pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
-        result = self.check_hibp(pw_hash[:5])
-        final_count = 0
-        for line in result.split("\r\n"):
-            full_hash, count = line.split(":")
-            if pw_hash[5:] == full_hash.lower():
-                final_count = int(count)
-        LOGGER.debug("got hibp result", count=final_count, hash=pw_hash[:5])
-        if final_count > self.hibp_allowed_count:
-            LOGGER.debug("password failed", check="hibp", count=final_count)
-            message = _("Password exists on %(count)d online lists." % {"count": final_count})
-            return PolicyResult(False, message)
-        return PolicyResult(True)
-
-    def passes_zxcvbn(self, password: str, request: PolicyRequest) -> PolicyResult:
-        """Check Dropbox's zxcvbn password estimator"""
-        user_inputs = []
-        if request.user.is_authenticated:
-            user_inputs.append(request.user.username)
-            user_inputs.append(request.user.name)
-            user_inputs.append(request.user.email)
-        if request.http_request:
-            user_inputs.append(request.http_request.tenant.branding_title)
-        # Only calculate result for the first 100 characters, as with over 100 char
-        # long passwords we can be reasonably sure that they'll surpass the score anyways
-        # See https://github.com/dropbox/zxcvbn#runtime-latency
-        results = zxcvbn(password[:100], user_inputs)
-        LOGGER.debug("password failed", check="zxcvbn", score=results["score"])
-        result = PolicyResult(results["score"] > self.zxcvbn_score_threshold)
-        if not result.passing:
-            result.messages += tuple((_("Password is too weak."),))
-        if isinstance(results["feedback"]["warning"], list):
-            result.messages += tuple(results["feedback"]["warning"])
-        if isinstance(results["feedback"]["suggestions"], list):
-            result.messages += tuple(results["feedback"]["suggestions"])
-        return result
-
    class Meta(Policy.PolicyMeta):

        verbose_name = _("Password Policy")
--- a/authentik/policies/password/tests/test_hibp.py
+++ b/authentik/policies/password/tests/test_hibp.py
@ -1,50 +0,0 @@
-"""Password Policy HIBP tests"""
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-
-from authentik.lib.generators import generate_key
-from authentik.policies.password.models import PasswordPolicy
-from authentik.policies.types import PolicyRequest, PolicyResult
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-
-class TestPasswordPolicyHIBP(TestCase):
-    """Test Password Policy (haveibeenpwned)"""
-
-    def test_invalid(self):
-        """Test without password"""
-        policy = PasswordPolicy.objects.create(
-            check_have_i_been_pwned=True,
-            check_static_rules=False,
-            name="test_invalid",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing)
-        self.assertEqual(result.messages[0], "Password not set in context")
-
-    def test_false(self):
-        """Failing password case"""
-        policy = PasswordPolicy.objects.create(
-            check_have_i_been_pwned=True,
-            check_static_rules=False,
-            name="test_false",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        request.context[PLAN_CONTEXT_PROMPT] = {"password": "password"}  # nosec
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing)
-        self.assertTrue(result.messages[0].startswith("Password exists on "))
-
-    def test_true(self):
-        """Positive password case"""
-        policy = PasswordPolicy.objects.create(
-            check_have_i_been_pwned=True,
-            check_static_rules=False,
-            name="test_true",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        request.context[PLAN_CONTEXT_PROMPT] = {"password": generate_key()}
-        result: PolicyResult = policy.passes(request)
-        self.assertTrue(result.passing)
-        self.assertEqual(result.messages, tuple())
--- a/authentik/policies/password/tests/test_zxcvbn.py
+++ b/authentik/policies/password/tests/test_zxcvbn.py
@ -1,58 +0,0 @@
-"""Password Policy zxcvbn tests"""
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-
-from authentik.lib.generators import generate_key
-from authentik.policies.password.models import PasswordPolicy
-from authentik.policies.types import PolicyRequest, PolicyResult
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-
-class TestPasswordPolicyZxcvbn(TestCase):
-    """Test Password Policy (zxcvbn)"""
-
-    def test_invalid(self):
-        """Test without password"""
-        policy = PasswordPolicy.objects.create(
-            check_zxcvbn=True,
-            check_static_rules=False,
-            name="test_invalid",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing)
-        self.assertEqual(result.messages[0], "Password not set in context")
-
-    def test_false(self):
-        """Failing password case"""
-        policy = PasswordPolicy.objects.create(
-            check_zxcvbn=True,
-            check_static_rules=False,
-            zxcvbn_score_threshold=3,
-            name="test_false",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        request.context[PLAN_CONTEXT_PROMPT] = {"password": "password"}  # nosec
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing, result.messages)
-        self.assertEqual(result.messages[0], "Password is too weak.")
-        self.assertEqual(result.messages[1], "Add another word or two. Uncommon words are better.")
-
-        request.context[PLAN_CONTEXT_PROMPT] = {"password": "Awdccdw1234"}  # nosec
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing, result.messages)
-        self.assertEqual(result.messages[0], "Password is too weak.")
-        self.assertEqual(len(result.messages), 1)
-
-    def test_true(self):
-        """Positive password case"""
-        policy = PasswordPolicy.objects.create(
-            check_zxcvbn=True,
-            check_static_rules=False,
-            name="test_true",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        request.context[PLAN_CONTEXT_PROMPT] = {"password": generate_key()}
-        result: PolicyResult = policy.passes(request)
-        self.assertTrue(result.passing)
-        self.assertEqual(result.messages, tuple())
--- a/authentik/policies/process.py
+++ b/authentik/policies/process.py
@ -14,7 +14,7 @@ from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.apps import HIST_POLICIES_EXECUTION_TIME
 from authentik.policies.exceptions import PolicyException
 from authentik.policies.models import PolicyBinding
-from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
+from authentik.policies.types import PolicyRequest, PolicyResult

 LOGGER = get_logger()

@ -25,7 +25,7 @@ PROCESS_CLASS = FORK_CTX.Process

 def cache_key(binding: PolicyBinding, request: PolicyRequest) -> str:
    """Generate Cache key for policy"""
-    prefix = f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}_"
+    prefix = f"policy_{binding.policy_binding_uuid.hex}_"
    if request.http_request and hasattr(request.http_request, "session"):
        prefix += f"_{request.http_request.session.session_key}"
    if request.user:
@ -56,6 +56,8 @@ class PolicyProcess(PROCESS_CLASS):

    def create_event(self, action: str, message: str, **kwargs):
        """Create event with common values from `self.request` and `self.binding`."""
+        # Keep a reference to http_request even if its None, because cleanse_dict will remove it
+        http_request = self.request.http_request
        event = Event.new(
            action=action,
            message=message,
@ -65,8 +67,8 @@ class PolicyProcess(PROCESS_CLASS):
            **kwargs,
        )
        event.set_user(self.request.user)
-        if self.request.http_request:
-            event.from_http(self.request.http_request)
+        if http_request:
+            event.from_http(http_request)
        else:
            event.save()

@ -101,14 +103,12 @@ class PolicyProcess(PROCESS_CLASS):
            LOGGER.debug("P_ENG(proc): error", exc=src_exc)
            policy_result = PolicyResult(False, str(src_exc))
        policy_result.source_binding = self.binding
-        should_cache = self.request.should_cache
-        if should_cache:
+        if not self.request.debug:
            key = cache_key(self.binding, self.request)
            cache.set(key, policy_result, CACHE_TIMEOUT)
        LOGGER.debug(
-            "P_ENG(proc): finished",
+            "P_ENG(proc): finished and cached ",
            policy=self.binding.policy,
-            cached=should_cache,
            result=policy_result,
            # this is used for filtering in access checking where logs are sent to the admin
            process="PolicyProcess",
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -23,12 +23,12 @@ def update_score(request: HttpRequest, identifier: str, amount: int):
    try:
        # We only update the cache here, as its faster than writing to the DB
        score = cache.get_or_set(
-            CACHE_KEY_PREFIX + remote_ip + "/" + identifier,
+            CACHE_KEY_PREFIX + remote_ip + identifier,
            {"ip": remote_ip, "identifier": identifier, "score": 0},
            CACHE_TIMEOUT,
        )
        score["score"] += amount
-        cache.set(CACHE_KEY_PREFIX + remote_ip + "/" + identifier, score)
+        cache.set(CACHE_KEY_PREFIX + remote_ip + identifier, score)
    except ValueError as exc:
        LOGGER.warning("failed to set reputation", exc=exc)

--- a/authentik/policies/reputation/tests.py
+++ b/authentik/policies/reputation/tests.py
@ -32,7 +32,7 @@ class TestReputationPolicy(TestCase):
        )
        # Test value in cache
        self.assertEqual(
-            cache.get(CACHE_KEY_PREFIX + self.test_ip + "/" + self.test_username),
+            cache.get(CACHE_KEY_PREFIX + self.test_ip + self.test_username),
            {"ip": "127.0.0.1", "identifier": "test", "score": -1},
        )
        # Save cache and check db values
@ -47,7 +47,7 @@ class TestReputationPolicy(TestCase):
        )
        # Test value in cache
        self.assertEqual(
-            cache.get(CACHE_KEY_PREFIX + self.test_ip + "/" + self.test_username),
+            cache.get(CACHE_KEY_PREFIX + self.test_ip + self.test_username),
            {"ip": "127.0.0.1", "identifier": "test", "score": -1},
        )
        # Save cache and check db values
--- a/authentik/policies/signals.py
+++ b/authentik/policies/signals.py
@ -6,7 +6,6 @@ from structlog.stdlib import get_logger

 from authentik.core.api.applications import user_app_cache_key
 from authentik.policies.apps import GAUGE_POLICIES_CACHED
-from authentik.policies.types import CACHE_PREFIX
 from authentik.root.monitoring import monitoring_set

 LOGGER = get_logger()
@ -16,7 +15,7 @@ LOGGER = get_logger()
 # pylint: disable=unused-argument
 def monitoring_set_policies(sender, **kwargs):
    """set policy gauges"""
-    GAUGE_POLICIES_CACHED.set(len(cache.keys(f"{CACHE_PREFIX}_*") or []))
+    GAUGE_POLICIES_CACHED.set(len(cache.keys("policy_*") or []))


@receiver(post_save)
@ -28,7 +27,7 @@ def invalidate_policy_cache(sender, instance, **_):
    if isinstance(instance, Policy):
        total = 0
        for binding in PolicyBinding.objects.filter(policy=instance):
-            prefix = f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}_{binding.policy.pk.hex}*"
+            prefix = f"policy_{binding.policy_binding_uuid.hex}_{binding.policy.pk.hex}*"
            keys = cache.keys(prefix)
            total += len(keys)
            cache.delete_many(keys)
--- a/authentik/policies/tests/test_engine.py
+++ b/authentik/policies/tests/test_engine.py
@ -8,7 +8,6 @@ from authentik.policies.engine import PolicyEngine
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import Policy, PolicyBinding, PolicyBindingModel, PolicyEngineMode
 from authentik.policies.tests.test_process import clear_policy_cache
-from authentik.policies.types import CACHE_PREFIX


 class TestPolicyEngine(TestCase):
@ -102,8 +101,8 @@ class TestPolicyEngine(TestCase):
        pbm = PolicyBindingModel.objects.create()
        binding = PolicyBinding.objects.create(target=pbm, policy=self.policy_false, order=0)
        engine = PolicyEngine(pbm, self.user)
-        self.assertEqual(len(cache.keys(f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}*")), 0)
+        self.assertEqual(len(cache.keys(f"policy_{binding.policy_binding_uuid.hex}*")), 0)
        self.assertEqual(engine.build().passing, False)
-        self.assertEqual(len(cache.keys(f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}*")), 1)
+        self.assertEqual(len(cache.keys(f"policy_{binding.policy_binding_uuid.hex}*")), 1)
        self.assertEqual(engine.build().passing, False)
-        self.assertEqual(len(cache.keys(f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}*")), 1)
+        self.assertEqual(len(cache.keys(f"policy_{binding.policy_binding_uuid.hex}*")), 1)
--- a/authentik/policies/tests/test_process.py
+++ b/authentik/policies/tests/test_process.py
@ -2,7 +2,6 @@
 from django.contrib.auth.models import AnonymousUser
 from django.core.cache import cache
 from django.test import RequestFactory, TestCase
-from django.urls import resolve, reverse
 from guardian.shortcuts import get_anonymous_user

 from authentik.core.models import Application, Group, User
@ -11,12 +10,12 @@ from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import Policy, PolicyBinding
 from authentik.policies.process import PolicyProcess
-from authentik.policies.types import CACHE_PREFIX, PolicyRequest
+from authentik.policies.types import PolicyRequest


 def clear_policy_cache():
    """Ensure no policy-related keys are still cached"""
-    keys = cache.keys(f"{CACHE_PREFIX}*")
+    keys = cache.keys("policy_*")
    cache.delete(keys)


@ -130,9 +129,8 @@ class TestPolicyProcess(TestCase):
        )
        binding = PolicyBinding(policy=policy, target=Application.objects.create(name="test"))

-        http_request = self.factory.get(reverse("authentik_core:impersonate-end"))
+        http_request = self.factory.get("/")
        http_request.user = self.user
-        http_request.resolver_match = resolve(reverse("authentik_core:impersonate-end"))

        request = PolicyRequest(self.user)
        request.set_http_request(http_request)
--- a/authentik/policies/types.py
+++ b/authentik/policies/types.py
@ -16,7 +16,6 @@ if TYPE_CHECKING:
    from authentik.policies.models import PolicyBinding

 LOGGER = get_logger()
-CACHE_PREFIX = "goauthentik.io/policies/"


@dataclass
@ -46,15 +45,6 @@ class PolicyRequest:
            return
        self.context["geoip"] = GEOIP_READER.city(client_ip)

-    @property
-    def should_cache(self) -> bool:
-        """Check if this request's result should be cached"""
-        if not self.user.is_authenticated:
-            return False
-        if self.debug:
-            return False
-        return True
-
    def __repr__(self) -> str:
        return self.__str__()

--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -8,12 +8,11 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

-from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
-from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken, ScopeMapping
+from authentik.providers.oauth2.models import OAuth2Provider


 class OAuth2ProviderSerializer(ProviderSerializer):
@ -116,7 +115,7 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
            )
            data["logout"] = request.build_absolute_uri(
                reverse(
-                    "authentik_providers_oauth2:end-session",
+                    "authentik_core:if-session-end",
                    kwargs={"application_slug": provider.application.slug},
                )
            )
@ -129,28 +128,3 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
        except Provider.application.RelatedObjectDoesNotExist:  # pylint: disable=no-member
            pass
        return Response(data)
-
-    @permission_required(
-        "authentik_providers_oauth2.view_oauth2provider",
-    )
-    @extend_schema(
-        responses={
-            200: PropertyMappingPreviewSerializer(),
-            400: OpenApiResponse(description="Bad request"),
-        },
-    )
-    @action(detail=True, methods=["GET"])
-    # pylint: disable=invalid-name, unused-argument
-    def preview_user(self, request: Request, pk: int) -> Response:
-        """Preview user data for provider"""
-        provider: OAuth2Provider = self.get_object()
-        temp_token = RefreshToken()
-        temp_token.scope = ScopeMapping.objects.filter(provider=provider).values_list(
-            "scope_name", flat=True
-        )
-        temp_token.provider = provider
-        temp_token.user = request.user
-        serializer = PropertyMappingPreviewSerializer(
-            instance={"preview": temp_token.create_id_token(request.user, request).to_dict()}
-        )
-        return Response(serializer.data)
--- a/authentik/providers/oauth2/api/scopes.py
+++ b/authentik/providers/oauth2/api/scopes.py
--- a/authentik/providers/oauth2/api/tokens.py
+++ b/authentik/providers/oauth2/api/tokens.py
@ -12,7 +12,7 @@ from rest_framework.viewsets import GenericViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import MetaNameSerializer
-from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
+from authentik.providers.oauth2.api.provider import OAuth2ProviderSerializer
 from authentik.providers.oauth2.models import AuthorizationCode, RefreshToken


--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	def0a42bf1	release: 2022.10.4	2022-12-23 14:19:17 +01:00
Jens Langhammer	727e55e44b	web: backport API update Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:19:10 +01:00
Jens L	cd88b91686	security: fix CVE 2022 23555 (#4274 ) * add flow to invitation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * show warning on invitation page Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add security advisory Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:18:13 +01:00
Jens L	8eb73d3a16	security: fix CVE 2022 46172 (#4275 ) * fallback to current user in user_write, add flag to disable user creation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update api and web ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update default flows Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add cve post to website Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:18:09 +01:00
Jens Langhammer	83f46f6ff1	release: 2022.10.3	2022-12-02 23:01:17 +02:00
Jens Langhammer	0e7cc6da4c	web: bump API version Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-02 22:51:09 +02:00
Jens Langhammer	a262171671	release: 2022.10.2	2022-12-01 10:40:58 +02:00
Jens Langhammer	87b8ca7be4	*: backport CVE-2022-46145 fix Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-01 10:40:51 +02:00
Jens Langhammer	cc8dc1403f	root: include security policy in website container Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-30 13:05:02 +02:00
Jens Langhammer	f21a196a3b	root: rework and expand security policy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> # Conflicts: # SECURITY.md	2022-11-30 13:04:50 +02:00