api: fix schema not referencing errors correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2022.8.1
+current_version = 2022.8.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/workflows/ci-main.yml

@@ -139,7 +139,7 @@ jobs:
         working-directory: web
         run: |
           npm ci
-          make -C .. gen-client-web
+          make -C .. gen-client-ts
           npm run build
       - name: run e2e
         run: |
@@ -173,7 +173,7 @@ jobs:
         working-directory: web/
         run: |
           npm ci
-          make -C .. gen-client-web
+          make -C .. gen-client-ts
           npm run build
       - name: run e2e
         run: |

.github/workflows/ci-web.yml

@@ -23,7 +23,7 @@ jobs:
       - working-directory: web/
         run: npm ci
       - name: Generate API
-        run: make gen-client-web
+        run: make gen-client-ts
       - name: Eslint
         working-directory: web/
         run: npm run lint
@@ -39,7 +39,7 @@ jobs:
       - working-directory: web/
         run: npm ci
       - name: Generate API
-        run: make gen-client-web
+        run: make gen-client-ts
       - name: prettier
         working-directory: web/
         run: npm run prettier-check
@@ -60,7 +60,7 @@ jobs:
           cd node_modules/@goauthentik
           ln -s ../../src/ web
       - name: Generate API
-        run: make gen-client-web
+        run: make gen-client-ts
       - name: lit-analyse
         working-directory: web/
         run: npm run lit-analyse
@@ -86,7 +86,7 @@ jobs:
       - working-directory: web/
         run: npm ci
       - name: Generate API
-        run: make gen-client-web
+        run: make gen-client-ts
       - name: build
         working-directory: web/
         run: npm run build

.github/workflows/release-publish.yml

@@ -138,7 +138,7 @@ jobs:
           docker-compose pull -q
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root server test
+          docker-compose run -u root server test-all
   sentry-release:
     needs:
       - build-server
@@ -157,6 +157,7 @@ jobs:
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1
+        continue-on-error: true
         if: ${{ github.event_name == 'release' }}
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/web-api-publish.yml

@@ -16,7 +16,7 @@ jobs:
           node-version: '16'
           registry-url: 'https://registry.npmjs.org'
       - name: Generate API Client
-        run: make gen-client-web
+        run: make gen-client-ts
       - name: Publish package
         working-directory: gen-ts-api/
         run: |

Makefile

@@ -49,24 +49,44 @@ lint:
 	bandit -r authentik tests lifecycle -x node_modules
 	golangci-lint run -v
 
+migrate:
+	python -m lifecycle.migrate
+
+run:
+	go run -v cmd/server/main.go
+
 i18n-extract: i18n-extract-core web-extract
 
 i18n-extract-core:
 	ak makemessages --ignore web --ignore internal --ignore web --ignore web-api --ignore website -l en
 
+#########################
+## API Schema
+#########################
+
 gen-build:
 	AUTHENTIK_DEBUG=true ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true ak spectacular --file schema.yml
 
+gen-diff:
+	git show $(shell git tag -l | tail -n 1):schema.yml > old_schema.yml
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-diff:2.0.1 \
+		--markdown /local/diff.md \
+		/local/old_schema.yml /local/schema.yml
+	rm old_schema.yml
+
 gen-clean:
 	rm -rf web/api/src/
 	rm -rf api/
 
-gen-client-web:
+gen-client-ts:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli:v6.0.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v6.0.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/gen-ts-api \
@@ -84,7 +104,7 @@ gen-client-go:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli:v6.0.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v6.0.0 generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/gen-go-api \
@@ -95,13 +115,7 @@ gen-client-go:
 gen-dev-config:
 	python -m scripts.generate_config
 
-gen: gen-build gen-clean gen-client-web
-
-migrate:
-	python -m lifecycle.migrate
-
-run:
-	go run -v cmd/server/main.go
+gen: gen-build gen-clean gen-client-ts
 
 #########################
 ## Web

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2022.8.1"
+__version__ = "2022.8.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/meta.py

@@ -18,13 +18,13 @@ class AppSerializer(PassiveSerializer):
 
 
 class AppsViewSet(ViewSet):
-    """Read-only view set list all installed apps"""
+    """Read-only view list all installed apps"""
 
     permission_classes = [IsAdminUser]
 
     @extend_schema(responses={200: AppSerializer(many=True)})
     def list(self, request: Request) -> Response:
-        """List current messages and pass into Serializer"""
+        """Read-only view list all installed apps"""
         data = []
         for app in sorted(get_apps(), key=lambda app: app.name):
             data.append({"name": app.name, "label": app.verbose_name})

authentik/api/schema.py

@@ -60,8 +60,28 @@ def postprocess_schema_responses(result, generator, **kwargs):  # noqa: W0613
 
     for path in result["paths"].values():
         for method in path.values():
-            method["responses"].setdefault("400", validation_error.ref)
-            method["responses"].setdefault("403", generic_error.ref)
+            method["responses"].setdefault(
+                "400",
+                {
+                    "content": {
+                        "application/json": {
+                            "schema": validation_error.ref,
+                        }
+                    },
+                    "description": "",
+                },
+            )
+            method["responses"].setdefault(
+                "403",
+                {
+                    "content": {
+                        "application/json": {
+                            "schema": generic_error.ref,
+                        }
+                    },
+                    "description": "",
+                },
+            )
 
     result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
 

authentik/blueprints/api.py

@@ -1,8 +1,7 @@
 """Serializer mixin for managed models"""
-from dataclasses import asdict
-
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField, JSONField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@@ -11,11 +10,10 @@ from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.decorators import permission_required
-from authentik.blueprints.models import BlueprintInstance
-from authentik.blueprints.v1.tasks import BlueprintFile, apply_blueprint, blueprints_find
+from authentik.blueprints.models import BlueprintInstance, BlueprintRetrievalFailed
+from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
-from authentik.events.utils import sanitize_dict
 
 
 class ManagedSerializer:
@@ -34,6 +32,14 @@ class MetadataSerializer(PassiveSerializer):
 class BlueprintInstanceSerializer(ModelSerializer):
     """Info about a single blueprint instance file"""
 
+    def validate_path(self, path: str) -> str:
+        """Ensure the path specified is retrievable"""
+        try:
+            BlueprintInstance(path=path).retrieve()
+        except BlueprintRetrievalFailed as exc:
+            raise ValidationError(exc) from exc
+        return path
+
     class Meta:
 
         model = BlueprintInstance
@@ -85,8 +91,8 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     @action(detail=False, pagination_class=None, filter_backends=[])
     def available(self, request: Request) -> Response:
         """Get blueprints"""
-        files: list[BlueprintFile] = blueprints_find.delay().get()
-        return Response([sanitize_dict(asdict(file)) for file in files])
+        files: list[dict] = blueprints_find_dict.delay().get()
+        return Response(files)
 
     @permission_required("authentik_blueprints.view_blueprintinstance")
     @extend_schema(

authentik/blueprints/management/commands/apply_blueprint.py

@@ -2,6 +2,7 @@
 from django.core.management.base import BaseCommand, no_translations
 from structlog.stdlib import get_logger
 
+from authentik.blueprints.models import BlueprintInstance
 from authentik.blueprints.v1.importer import Importer
 
 LOGGER = get_logger()
@@ -14,14 +15,14 @@ class Command(BaseCommand):
     def handle(self, *args, **options):
         """Apply all blueprints in order, abort when one fails to import"""
         for blueprint_path in options.get("blueprints", []):
-            with open(blueprint_path, "r", encoding="utf8") as blueprint_file:
-                importer = Importer(blueprint_file.read())
-                valid, logs = importer.validate()
-                if not valid:
-                    for log in logs:
-                        LOGGER.debug(**log)
-                    raise ValueError("blueprint invalid")
-                importer.apply()
+            content = BlueprintInstance(path=blueprint_path).retrieve()
+            importer = Importer(content)
+            valid, logs = importer.validate()
+            if not valid:
+                for log in logs:
+                    LOGGER.debug(**log)
+                raise ValueError("blueprint invalid")
+            importer.apply()
 
     def add_arguments(self, parser):
         parser.add_argument("blueprints", nargs="+", type=str)

authentik/blueprints/management/commands/export_blueprint.py

@@ -0,0 +1,17 @@
+"""Export blueprint of current authentik install"""
+from django.core.management.base import BaseCommand, no_translations
+from structlog.stdlib import get_logger
+
+from authentik.blueprints.v1.exporter import Exporter
+
+LOGGER = get_logger()
+
+
+class Command(BaseCommand):
+    """Export blueprint of current authentik install"""
+
+    @no_translations
+    def handle(self, *args, **options):
+        """Export blueprint of current authentik install"""
+        exporter = Exporter()
+        self.stdout.write(exporter.export_to_string())

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -7,6 +7,7 @@ from django.core.management.base import BaseCommand, no_translations
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.v1.importer import is_model_allowed
+from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
 
@@ -31,5 +32,7 @@ class Command(BaseCommand):
         for model in apps.get_models():
             if not is_model_allowed(model):
                 continue
+            if SerializerModel not in model.__mro__:
+                continue
             model_names.append(f"{model._meta.app_label}.{model._meta.model_name}")
         self.schema["properties"]["entries"]["items"]["properties"]["model"]["enum"] = model_names

authentik/blueprints/migrations/0001_initial.py

@@ -113,7 +113,8 @@ class Migration(migrations.Migration):
                             ("error", "Error"),
                             ("orphaned", "Orphaned"),
                             ("unknown", "Unknown"),
-                        ]
+                        ],
+                        default="unknown",
                     ),
                 ),
                 ("enabled", models.BooleanField(default=True)),

authentik/blueprints/models.py

@@ -1,12 +1,23 @@
 """Managed Object models"""
+from pathlib import Path
+from urllib.parse import urlparse
 from uuid import uuid4
 
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
+from requests import RequestException
 from rest_framework.serializers import Serializer
 
+from authentik.lib.config import CONFIG
 from authentik.lib.models import CreatedUpdatedModel, SerializerModel
+from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.http import get_http_session
+
+
+class BlueprintRetrievalFailed(SentryIgnoredException):
+    """Error raised when we're unable to fetch the blueprint contents, whether it be HTTP files
+    not being accessible or local files not being readable"""
 
 
 class ManagedModel(models.Model):
@@ -54,10 +65,25 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
     context = models.JSONField(default=dict)
     last_applied = models.DateTimeField(auto_now=True)
     last_applied_hash = models.TextField()
-    status = models.TextField(choices=BlueprintInstanceStatus.choices)
+    status = models.TextField(
+        choices=BlueprintInstanceStatus.choices, default=BlueprintInstanceStatus.UNKNOWN
+    )
     enabled = models.BooleanField(default=True)
     managed_models = ArrayField(models.TextField(), default=list)
 
+    def retrieve(self) -> str:
+        """Retrieve blueprint contents"""
+        if urlparse(self.path).scheme != "":
+            try:
+                res = get_http_session().get(self.path, timeout=3, allow_redirects=True)
+                res.raise_for_status()
+                return res.text
+            except RequestException as exc:
+                raise BlueprintRetrievalFailed(exc) from exc
+        path = Path(CONFIG.y("blueprints_dir")).joinpath(Path(self.path))
+        with path.open("r", encoding="utf-8") as _file:
+            return _file.read()
+
     @property
     def serializer(self) -> Serializer:
         from authentik.blueprints.api import BlueprintInstanceSerializer

authentik/blueprints/tests/__init__.py

@@ -6,6 +6,7 @@ from typing import Callable
 from django.apps import apps
 
 from authentik.blueprints.manager import ManagedAppConfig
+from authentik.blueprints.models import BlueprintInstance
 from authentik.lib.config import CONFIG
 
 
@@ -19,11 +20,9 @@ def apply_blueprint(*files: str):
 
         @wraps(func)
         def wrapper(*args, **kwargs):
-            base_path = Path(CONFIG.y("blueprints_dir"))
             for file in files:
-                full_path = Path(base_path, file)
-                with full_path.open("r", encoding="utf-8") as _file:
-                    Importer(_file.read()).apply()
+                content = BlueprintInstance(path=file).retrieve()
+                Importer(content).apply()
             return func(*args, **kwargs)
 
         return wrapper

authentik/blueprints/tests/test_packaged.py

@@ -1,17 +1,16 @@
 """test packaged blueprints"""
-from glob import glob
 from pathlib import Path
 from typing import Callable
 
 from django.test import TransactionTestCase
-from django.utils.text import slugify
 
+from authentik.blueprints.models import BlueprintInstance
 from authentik.blueprints.tests import apply_blueprint
 from authentik.blueprints.v1.importer import Importer
 from authentik.tenants.models import Tenant
 
 
-class TestBundled(TransactionTestCase):
+class TestPackaged(TransactionTestCase):
     """Empty class, test methods are added dynamically"""
 
     @apply_blueprint("default/90-default-tenant.yaml")
@@ -20,18 +19,18 @@ class TestBundled(TransactionTestCase):
         self.assertTrue(Tenant.objects.filter(domain="authentik-default").exists())
 
 
-def blueprint_tester(file_name: str) -> Callable:
+def blueprint_tester(file_name: Path) -> Callable:
     """This is used instead of subTest for better visibility"""
 
-    def tester(self: TestBundled):
-        with open(file_name, "r", encoding="utf8") as flow_yaml:
-            importer = Importer(flow_yaml.read())
+    def tester(self: TestPackaged):
+        base = Path("blueprints/")
+        rel_path = Path(file_name).relative_to(base)
+        importer = Importer(BlueprintInstance(path=str(rel_path)).retrieve())
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
 
     return tester
 
 
-for flow_file in glob("blueprints/**/*.yaml", recursive=True):
-    method_name = slugify(Path(flow_file).stem).replace("-", "_").replace(".", "_")
-    setattr(TestBundled, f"test_flow_{method_name}", blueprint_tester(flow_file))
+for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
+    setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))

authentik/blueprints/tests/test_v1.py

@@ -1,7 +1,7 @@
 """Test blueprints v1"""
 from django.test import TransactionTestCase
 
-from authentik.blueprints.v1.exporter import Exporter
+from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.lib.generators import generate_id
@@ -70,7 +70,7 @@ class TestBlueprintsV1(TransactionTestCase):
                 order=0,
             )
 
-            exporter = Exporter(flow)
+            exporter = FlowExporter(flow)
             export = exporter.export()
             self.assertEqual(len(export.entries), 3)
             export_yaml = exporter.export_to_string()
@@ -126,7 +126,7 @@ class TestBlueprintsV1(TransactionTestCase):
             fsb = FlowStageBinding.objects.create(target=flow, stage=user_login, order=0)
             PolicyBinding.objects.create(policy=flow_policy, target=fsb, order=0)
 
-            exporter = Exporter(flow)
+            exporter = FlowExporter(flow)
             export_yaml = exporter.export_to_string()
 
         importer = Importer(export_yaml)
@@ -169,7 +169,7 @@ class TestBlueprintsV1(TransactionTestCase):
 
             FlowStageBinding.objects.create(target=flow, stage=first_stage, order=0)
 
-            exporter = Exporter(flow)
+            exporter = FlowExporter(flow)
             export_yaml = exporter.export_to_string()
 
         importer = Importer(export_yaml)

authentik/blueprints/tests/test_v1_tasks.py

@@ -1,4 +1,5 @@
 """Test blueprints v1 tasks"""
+from hashlib import sha512
 from tempfile import NamedTemporaryFile, mkdtemp
 
 from django.test import TransactionTestCase
@@ -36,25 +37,32 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
     @CONFIG.patch("blueprints_dir", TMP)
     def test_valid(self):
         """Test valid file"""
+        blueprint_id = generate_id()
         with NamedTemporaryFile(mode="w+", suffix=".yaml", dir=TMP) as file:
             file.write(
                 dump(
                     {
                         "version": 1,
                         "entries": [],
+                        "metadata": {
+                            "name": blueprint_id,
+                        },
                     }
                 )
             )
+            file.seek(0)
+            file_hash = sha512(file.read().encode()).hexdigest()
             file.flush()
             blueprints_discover()  # pylint: disable=no-value-for-parameter
+            instance = BlueprintInstance.objects.filter(name=blueprint_id).first()
+            self.assertEqual(instance.last_applied_hash, file_hash)
             self.assertEqual(
-                BlueprintInstance.objects.first().last_applied_hash,
-                (
-                    "e52bb445b03cd36057258dc9f0ce0fbed8278498ee1470e45315293e5f026d1b"
-                    "d1f9b3526871c0003f5c07be5c3316d9d4a08444bd8fed1b3f03294e51e44522"
-                ),
+                instance.metadata,
+                {
+                    "name": blueprint_id,
+                    "labels": {},
+                },
             )
-            self.assertEqual(BlueprintInstance.objects.first().metadata, {})
 
     @CONFIG.patch("blueprints_dir", TMP)
     def test_valid_updated(self):

authentik/blueprints/v1/common.py

@@ -27,16 +27,23 @@ def get_attrs(obj: SerializerModel) -> dict[str, Any]:
             continue
         if _field.read_only:
             data.pop(field_name, None)
-        if _field.default == data.get(field_name, None):
+        if _field.get_initial() == data.get(field_name, None):
             data.pop(field_name, None)
         if field_name.endswith("_set"):
             data.pop(field_name, None)
     return data
 
 
+@dataclass
+class BlueprintEntryState:
+    """State of a single instance"""
+
+    instance: Optional[Model] = None
+
+
 @dataclass
 class BlueprintEntry:
-    """Single entry of a bundle"""
+    """Single entry of a blueprint"""
 
     identifiers: dict[str, Any]
     model: str
@@ -45,11 +52,11 @@ class BlueprintEntry:
     # pylint: disable=invalid-name
     id: Optional[str] = None
 
-    _instance: Optional[Model] = None
+    _state: BlueprintEntryState = field(default_factory=BlueprintEntryState)
 
     @staticmethod
     def from_model(model: SerializerModel, *extra_identifier_names: str) -> "BlueprintEntry":
-        """Convert a SerializerModel instance to a Bundle Entry"""
+        """Convert a SerializerModel instance to a blueprint Entry"""
         identifiers = {
             "pk": model.pk,
         }
@@ -123,15 +130,15 @@ class KeyOf(YAMLTag):
 
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
         for _entry in blueprint.entries:
-            if _entry.id == self.id_from and _entry._instance:
+            if _entry.id == self.id_from and _entry._state.instance:
                 # Special handling for PolicyBindingModels, as they'll have a different PK
                 # which is used when creating policy bindings
                 if (
-                    isinstance(_entry._instance, PolicyBindingModel)
+                    isinstance(_entry._state.instance, PolicyBindingModel)
                     and entry.model.lower() == "authentik_policies.policybinding"
                 ):
-                    return _entry._instance.pbm_uuid
-                return _entry._instance.pk
+                    return _entry._state.instance.pbm_uuid
+                return _entry._state.instance.pk
         raise ValueError(
             f"KeyOf: failed to find entry with `id` of `{self.id_from}` and a model instance"
         )
@@ -176,8 +183,6 @@ class Format(YAMLTag):
 
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
         try:
-            print(self.format_string)
-            print(self.args)
             return self.format_string % tuple(self.args)
         except TypeError as exc:
             raise EntryInvalidError(exc)
@@ -225,7 +230,13 @@ class BlueprintDumper(SafeDumper):
 
     def represent(self, data) -> None:
         if is_dataclass(data):
-            data = asdict(data)
+
+            def factory(items):
+                final_dict = dict(items)
+                final_dict.pop("_state", None)
+                return final_dict
+
+            data = asdict(data, dict_factory=factory)
         return super().represent(data)
 
 

authentik/blueprints/v1/exporter.py

@@ -1,12 +1,23 @@
-"""Flow exporter"""
+"""Blueprint exporter"""
 from typing import Iterator
 from uuid import UUID
 
+from django.apps import apps
 from django.db.models import Q
+from django.utils.timezone import now
+from django.utils.translation import gettext as _
 from yaml import dump
 
-from authentik.blueprints.v1.common import Blueprint, BlueprintDumper, BlueprintEntry
+from authentik.blueprints.v1.common import (
+    Blueprint,
+    BlueprintDumper,
+    BlueprintEntry,
+    BlueprintMetadata,
+)
+from authentik.blueprints.v1.importer import is_model_allowed
+from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_GENERATED
 from authentik.flows.models import Flow, FlowStageBinding, Stage
+from authentik.lib.models import SerializerModel
 from authentik.policies.models import Policy, PolicyBinding
 from authentik.stages.prompt.models import PromptStage
 
@@ -14,6 +25,48 @@ from authentik.stages.prompt.models import PromptStage
 class Exporter:
     """Export flow with attached stages into yaml"""
 
+    excluded_models = []
+
+    def __init__(self):
+        self.excluded_models = []
+
+    def get_entries(self) -> Iterator[BlueprintEntry]:
+        """Get blueprint entries"""
+        for model in apps.get_models():
+            if not is_model_allowed(model):
+                continue
+            if model in self.excluded_models:
+                continue
+            if SerializerModel not in model.__mro__:
+                continue
+            for obj in model.objects.all():
+                yield BlueprintEntry.from_model(obj)
+
+    def _pre_export(self, blueprint: Blueprint):
+        """Hook to run anything pre-export"""
+
+    def export(self) -> Blueprint:
+        """Create a list of all objects and create a blueprint"""
+        blueprint = Blueprint()
+        self._pre_export(blueprint)
+        blueprint.metadata = BlueprintMetadata(
+            name=_("authentik Export - %(date)s" % {"date": str(now())}),
+            labels={
+                LABEL_AUTHENTIK_GENERATED: "true",
+            },
+        )
+        blueprint.entries = list(self.get_entries())
+        return blueprint
+
+    def export_to_string(self) -> str:
+        """Call export and convert it to yaml"""
+        blueprint = self.export()
+        return dump(blueprint, Dumper=BlueprintDumper)
+
+
+class FlowExporter(Exporter):
+    """Exporter customised to only return objects related to `flow`"""
+
     flow: Flow
     with_policies: bool
     with_stage_prompts: bool
@@ -21,11 +74,14 @@ class Exporter:
     pbm_uuids: list[UUID]
 
     def __init__(self, flow: Flow):
+        super().__init__()
         self.flow = flow
         self.with_policies = True
         self.with_stage_prompts = True
 
-    def _prepare_pbm(self):
+    def _pre_export(self, blueprint: Blueprint):
+        if not self.with_policies:
+            return
         self.pbm_uuids = [self.flow.pbm_uuid]
         self.pbm_uuids += FlowStageBinding.objects.filter(target=self.flow).values_list(
             "pbm_uuid", flat=True
@@ -70,23 +126,15 @@ class Exporter:
             for prompt in stage.fields.all():
                 yield BlueprintEntry.from_model(prompt)
 
-    def export(self) -> Blueprint:
-        """Create a list of all objects including the flow"""
-        if self.with_policies:
-            self._prepare_pbm()
-        bundle = Blueprint()
-        bundle.entries.append(BlueprintEntry.from_model(self.flow, "slug"))
+    def get_entries(self) -> Iterator[BlueprintEntry]:
+        entries = []
+        entries.append(BlueprintEntry.from_model(self.flow, "slug"))
         if self.with_stage_prompts:
-            bundle.entries.extend(self.walk_stage_prompts())
+            entries.extend(self.walk_stage_prompts())
         if self.with_policies:
-            bundle.entries.extend(self.walk_policies())
-        bundle.entries.extend(self.walk_stages())
-        bundle.entries.extend(self.walk_stage_bindings())
+            entries.extend(self.walk_policies())
+        entries.extend(self.walk_stages())
+        entries.extend(self.walk_stage_bindings())
         if self.with_policies:
-            bundle.entries.extend(self.walk_policy_bindings())
-        return bundle
-
-    def export_to_string(self) -> str:
-        """Call export and convert it to yaml"""
-        bundle = self.export()
-        return dump(bundle, Dumper=BlueprintDumper)
+            entries.extend(self.walk_policy_bindings())
+        return entries

authentik/blueprints/v1/importer.py

@@ -21,6 +21,7 @@ from yaml import load
 from authentik.blueprints.v1.common import (
     Blueprint,
     BlueprintEntry,
+    BlueprintEntryState,
     BlueprintLoader,
     EntryInvalidError,
 )
@@ -220,7 +221,7 @@ class Importer:
             model = serializer.save()
             if "pk" in entry.identifiers:
                 self.__pk_map[entry.identifiers["pk"]] = model.pk
-            entry._instance = model
+            entry._state = BlueprintEntryState(model)
             self.logger.debug("updated model", model=model, pk=model.pk)
         return True
 
@@ -230,7 +231,7 @@ class Importer:
         self.logger.debug("Starting blueprint import validation")
         orig_import = deepcopy(self.__import)
         if self.__import.version != 1:
-            self.logger.warning("Invalid bundle version")
+            self.logger.warning("Invalid blueprint version")
             return False, []
         with (
             transaction_rollback(),

authentik/blueprints/v1/labels.py

@@ -2,3 +2,4 @@
 
 LABEL_AUTHENTIK_SYSTEM = "blueprints.goauthentik.io/system"
 LABEL_AUTHENTIK_INSTANTIATE = "blueprints.goauthentik.io/instantiate"
+LABEL_AUTHENTIK_GENERATED = "blueprints.goauthentik.io/generated"

authentik/blueprints/v1/tasks.py

@@ -8,10 +8,15 @@ from dacite import from_dict
 from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
+from structlog.stdlib import get_logger
 from yaml import load
 from yaml.error import YAMLError
 
-from authentik.blueprints.models import BlueprintInstance, BlueprintInstanceStatus
+from authentik.blueprints.models import (
+    BlueprintInstance,
+    BlueprintInstanceStatus,
+    BlueprintRetrievalFailed,
+)
 from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
@@ -21,9 +26,12 @@ from authentik.events.monitored_tasks import (
     TaskResultStatus,
     prefill_task,
 )
+from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 
+LOGGER = get_logger()
+
 
 @dataclass
 class BlueprintFile:
@@ -39,27 +47,43 @@ class BlueprintFile:
 @CELERY_APP.task(
     throws=(DatabaseError, ProgrammingError, InternalError),
 )
+def blueprints_find_dict():
+    """Find blueprints as `blueprints_find` does, but return a safe dict"""
+    blueprints = []
+    for blueprint in blueprints_find():
+        blueprints.append(sanitize_dict(asdict(blueprint)))
+    return blueprints
+
+
 def blueprints_find():
     """Find blueprints and return valid ones"""
     blueprints = []
     root = Path(CONFIG.y("blueprints_dir"))
     for file in root.glob("**/*.yaml"):
         path = Path(file)
+        LOGGER.debug("found blueprint", path=str(path))
         with open(path, "r", encoding="utf-8") as blueprint_file:
             try:
                 raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
-            except YAMLError:
+            except YAMLError as exc:
                 raw_blueprint = None
+                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(path))
             if not raw_blueprint:
                 continue
             metadata = raw_blueprint.get("metadata", None)
             version = raw_blueprint.get("version", 1)
             if version != 1:
+                LOGGER.warning("invalid blueprint version", version=version, path=str(path))
                 continue
         file_hash = sha512(path.read_bytes()).hexdigest()
         blueprint = BlueprintFile(path.relative_to(root), version, file_hash, path.stat().st_mtime)
         blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
         blueprints.append(blueprint)
+        LOGGER.info(
+            "parsed & loaded blueprint",
+            hash=file_hash,
+            path=str(path),
+        )
     return blueprints
 
 
@@ -118,10 +142,9 @@ def apply_blueprint(self: MonitoredTask, instance_pk: str):
         instance: BlueprintInstance = BlueprintInstance.objects.filter(pk=instance_pk).first()
         if not instance or not instance.enabled:
             return
-        full_path = Path(CONFIG.y("blueprints_dir")).joinpath(Path(instance.path))
-        file_hash = sha512(full_path.read_bytes()).hexdigest()
-        with open(full_path, "r", encoding="utf-8") as blueprint_file:
-            importer = Importer(blueprint_file.read(), instance.context)
+        blueprint_content = instance.retrieve()
+        file_hash = sha512(blueprint_content.encode()).hexdigest()
+        importer = Importer(blueprint_content, instance.context)
         valid, logs = importer.validate()
         if not valid:
             instance.status = BlueprintInstanceStatus.ERROR
@@ -139,7 +162,13 @@ def apply_blueprint(self: MonitoredTask, instance_pk: str):
         instance.last_applied = now()
         instance.save()
         self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL))
-    except (DatabaseError, ProgrammingError, InternalError, IOError) as exc:
+    except (
+        DatabaseError,
+        ProgrammingError,
+        InternalError,
+        IOError,
+        BlueprintRetrievalFailed,
+    ) as exc:
         instance.status = BlueprintInstanceStatus.ERROR
         instance.save()
         self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))

authentik/core/templates/if/admin.html

@@ -10,8 +10,8 @@
 <script>
 window.authentik = {};
 window.authentik.locale = "{{ tenant.default_locale }}";
-window.authentik.config = JSON.parse('{{ config_json|safe }}');
-window.authentik.tenant = JSON.parse('{{ tenant_json|safe }}');
+window.authentik.config = JSON.parse('{{ config_json|escapejs }}');
+window.authentik.tenant = JSON.parse('{{ tenant_json|escapejs }}');
 </script>
 {% endblock %}
 

authentik/core/templates/if/flow.html

@@ -12,8 +12,8 @@
 <script>
 window.authentik = {};
 window.authentik.locale = "{{ tenant.default_locale }}";
-window.authentik.config = JSON.parse( '{{ config_json|safe }}');
-window.authentik.tenant = JSON.parse('{{ tenant_json|safe }}');
+window.authentik.config = JSON.parse('{{ config_json|escapejs }}');
+window.authentik.tenant = JSON.parse('{{ tenant_json|escapejs }}');
 window.authentik.flow = {
     "layout": "{{ flow.layout }}",
 };

authentik/core/templates/if/user.html

@@ -10,8 +10,8 @@
 <script>
 window.authentik = {};
 window.authentik.locale = "{{ tenant.default_locale }}";
-window.authentik.config = JSON.parse('{{ config_json|safe }}');
-window.authentik.tenant = JSON.parse('{{ tenant_json|safe }}');
+window.authentik.config = JSON.parse('{{ config_json|escapejs }}');
+window.authentik.tenant = JSON.parse('{{ tenant_json|escapejs }}');
 </script>
 {% endblock %}
 

authentik/events/utils.py

@@ -23,21 +23,31 @@ from authentik.policies.types import PolicyRequest
 ALLOWED_SPECIAL_KEYS = re.compile("passing", flags=re.I)
 
 
+def cleanse_item(key: str, value: Any) -> Any:
+    """Cleanse a single item"""
+    if isinstance(value, dict):
+        return cleanse_dict(value)
+    if isinstance(value, list):
+        for idx, item in enumerate(value):
+            value[idx] = cleanse_item(key, item)
+        return value
+    try:
+        if SafeExceptionReporterFilter.hidden_settings.search(
+            key
+        ) and not ALLOWED_SPECIAL_KEYS.search(key):
+            return SafeExceptionReporterFilter.cleansed_substitute
+    except TypeError:  # pragma: no cover
+        return value
+    return value
+
+
 def cleanse_dict(source: dict[Any, Any]) -> dict[Any, Any]:
     """Cleanse a dictionary, recursively"""
     final_dict = {}
     for key, value in source.items():
-        try:
-            if SafeExceptionReporterFilter.hidden_settings.search(
-                key
-            ) and not ALLOWED_SPECIAL_KEYS.search(key):
-                final_dict[key] = SafeExceptionReporterFilter.cleansed_substitute
-            else:
-                final_dict[key] = value
-        except TypeError:  # pragma: no cover
-            final_dict[key] = value
-        if isinstance(value, dict):
-            final_dict[key] = cleanse_dict(value)
+        new_value = cleanse_item(key, value)
+        if new_value is not ...:
+            final_dict[key] = new_value
     return final_dict
 
 
@@ -70,6 +80,45 @@ def get_user(user: User, original_user: Optional[User] = None) -> dict[str, Any]
     return user_data
 
 
+# pylint: disable=too-many-return-statements
+def sanitize_item(value: Any) -> Any:
+    """Sanitize a single item, ensure it is JSON parsable"""
+    if is_dataclass(value):
+        # Because asdict calls `copy.deepcopy(obj)` on everything that's not tuple/dict,
+        # and deepcopy doesn't work with HttpRequests (neither django nor rest_framework).
+        # Currently, the only dataclass that actually holds an http request is a PolicyRequest
+        if isinstance(value, PolicyRequest):
+            value.http_request = None
+        value = asdict(value)
+    if isinstance(value, dict):
+        return sanitize_dict(value)
+    if isinstance(value, list):
+        new_values = []
+        for item in value:
+            new_value = sanitize_item(item)
+            if new_value:
+                new_values.append(new_value)
+        return new_values
+    if isinstance(value, (User, AnonymousUser)):
+        return sanitize_dict(get_user(value))
+    if isinstance(value, models.Model):
+        return sanitize_dict(model_to_dict(value))
+    if isinstance(value, UUID):
+        return value.hex
+    if isinstance(value, (HttpRequest, WSGIRequest)):
+        return ...
+    if isinstance(value, City):
+        return GEOIP_READER.city_to_dict(value)
+    if isinstance(value, Path):
+        return str(value)
+    if isinstance(value, type):
+        return {
+            "type": value.__name__,
+            "module": value.__module__,
+        }
+    return value
+
+
 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:
     """clean source of all Models that would interfere with the JSONField.
     Models are replaced with a dictionary of {
@@ -79,32 +128,7 @@ def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:
     }"""
     final_dict = {}
     for key, value in source.items():
-        if is_dataclass(value):
-            # Because asdict calls `copy.deepcopy(obj)` on everything that's not tuple/dict,
-            # and deepcopy doesn't work with HttpRequests (neither django nor rest_framework).
-            # Currently, the only dataclass that actually holds an http request is a PolicyRequest
-            if isinstance(value, PolicyRequest):
-                value.http_request = None
-            value = asdict(value)
-        if isinstance(value, dict):
-            final_dict[key] = sanitize_dict(value)
-        elif isinstance(value, (User, AnonymousUser)):
-            final_dict[key] = sanitize_dict(get_user(value))
-        elif isinstance(value, models.Model):
-            final_dict[key] = sanitize_dict(model_to_dict(value))
-        elif isinstance(value, UUID):
-            final_dict[key] = value.hex
-        elif isinstance(value, (HttpRequest, WSGIRequest)):
-            continue
-        elif isinstance(value, City):
-            final_dict[key] = GEOIP_READER.city_to_dict(value)
-        elif isinstance(value, Path):
-            final_dict[key] = str(value)
-        elif isinstance(value, type):
-            final_dict[key] = {
-                "type": value.__name__,
-                "module": value.__module__,
-            }
-        else:
-            final_dict[key] = value
+        new_value = sanitize_item(value)
+        if new_value is not ...:
+            final_dict[key] = new_value
     return final_dict

authentik/flows/api/flows.py

@@ -20,7 +20,7 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.decorators import permission_required
-from authentik.blueprints.v1.exporter import Exporter
+from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
@@ -198,7 +198,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
     def export(self, request: Request, slug: str) -> Response:
         """Export flow to .yaml file"""
         flow = self.get_object()
-        exporter = Exporter(flow)
+        exporter = FlowExporter(flow)
         response = HttpResponse(content=exporter.export_to_string())
         response["Content-Disposition"] = f'attachment; filename="{flow.slug}.yaml"'
         return response

authentik/flows/apps.py

@@ -28,7 +28,7 @@ class AuthentikFlowsConfig(ManagedAppConfig):
         """Load flows signals"""
         self.import_module("authentik.flows.signals")
 
-    def reconcile_stages_loaded(self):
+    def reconcile_load_stages(self):
         """Ensure all stages are loaded"""
         from authentik.flows.models import Stage
 

authentik/outposts/tasks.py

@@ -1,6 +1,5 @@
 """outpost tasks"""
 from os import R_OK, access
-from os.path import expanduser
 from pathlib import Path
 from socket import gethostname
 from typing import Any, Optional
@@ -240,25 +239,25 @@ def _outpost_single_update(outpost: Outpost, layer=None):
 def outpost_local_connection():
     """Checks the local environment and create Service connections."""
     if not CONFIG.y_bool("outposts.discover"):
-        LOGGER.debug("Outpost integration discovery is disabled")
+        LOGGER.info("Outpost integration discovery is disabled")
         return
     # Explicitly check against token filename, as that's
     # only present when the integration is enabled
     if Path(SERVICE_TOKEN_FILENAME).exists():
-        LOGGER.debug("Detected in-cluster Kubernetes Config")
+        LOGGER.info("Detected in-cluster Kubernetes Config")
         if not KubernetesServiceConnection.objects.filter(local=True).exists():
             LOGGER.debug("Created Service Connection for in-cluster")
             KubernetesServiceConnection.objects.create(
                 name="Local Kubernetes Cluster", local=True, kubeconfig={}
             )
     # For development, check for the existence of a kubeconfig file
-    kubeconfig_path = expanduser(KUBE_CONFIG_DEFAULT_LOCATION)
-    if Path(kubeconfig_path).exists():
-        LOGGER.debug("Detected kubeconfig")
+    kubeconfig_path = Path(KUBE_CONFIG_DEFAULT_LOCATION).expanduser()
+    if kubeconfig_path.exists():
+        LOGGER.info("Detected kubeconfig")
         kubeconfig_local_name = f"k8s-{gethostname()}"
         if not KubernetesServiceConnection.objects.filter(name=kubeconfig_local_name).exists():
             LOGGER.debug("Creating kubeconfig Service Connection")
-            with open(kubeconfig_path, "r", encoding="utf8") as _kubeconfig:
+            with kubeconfig_path.open("r", encoding="utf8") as _kubeconfig:
                 KubernetesServiceConnection.objects.create(
                     name=kubeconfig_local_name,
                     kubeconfig=yaml.safe_load(_kubeconfig),
@@ -266,7 +265,7 @@ def outpost_local_connection():
     unix_socket_path = urlparse(DEFAULT_UNIX_SOCKET).path
     socket = Path(unix_socket_path)
     if socket.exists() and access(socket, R_OK):
-        LOGGER.debug("Detected local docker socket")
+        LOGGER.info("Detected local docker socket")
         if len(DockerServiceConnection.objects.filter(local=True)) == 0:
             LOGGER.debug("Created Service Connection for docker")
             DockerServiceConnection.objects.create(

authentik/policies/views.py

@@ -70,7 +70,6 @@ class PolicyAccessView(AccessMixin, View):
         # Check if user is unauthenticated, so we pass the application
         # for the identification stage
         if not request.user.is_authenticated:
-            LOGGER.warning("user not authenticated")
             return self.handle_no_permission()
         # Check permissions
         result = self.user_has_access()

authentik/providers/oauth2/utils.py

@@ -10,7 +10,7 @@ from django.http.response import HttpResponseRedirect
 from django.utils.cache import patch_vary_headers
 from structlog.stdlib import get_logger
 
-from authentik.core.middleware import KEY_USER
+from authentik.core.middleware import CTX_AUTH_VIA, KEY_USER
 from authentik.events.models import Event, EventAction
 from authentik.providers.oauth2.errors import BearerTokenError
 from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
@@ -166,6 +166,7 @@ def protected_resource_view(scopes: list[str]):
                 ] = f'error="{error.code}", error_description="{error.description}"'
                 return response
             kwargs["token"] = token
+            CTX_AUTH_VIA.set("oauth_token")
             response = view(request, *args, **kwargs)
             setattr(response, "ak_context", {})
             response.ak_context[KEY_USER] = token.user.username

authentik/providers/oauth2/views/authorize.py

@@ -24,12 +24,7 @@ from authentik.flows.challenge import (
     HttpChallengeResponse,
 )
 from authentik.flows.models import in_memory_stage
-from authentik.flows.planner import (
-    PLAN_CONTEXT_APPLICATION,
-    PLAN_CONTEXT_SSO,
-    FlowPlan,
-    FlowPlanner,
-)
+from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.time import timedelta_from_string
@@ -353,7 +348,7 @@ class AuthorizationFlowInitView(PolicyAccessView):
         # planner.use_cache = False
         planner.allow_empty_flows = True
         scope_descriptions = UserInfoView().get_scope_descriptions(self.params.scope)
-        plan: FlowPlan = planner.plan(
+        plan = planner.plan(
             self.request,
             {
                 PLAN_CONTEXT_SSO: True,
@@ -482,7 +477,7 @@ class OAuthFulfillmentStage(StageView):
                 GrantTypes.HYBRID,
             ]:
                 code = self.params.create_code(self.request)
-                code.save(force_insert=True)
+                code.save()
 
             if self.params.response_mode == ResponseMode.QUERY:
                 query_params = parse_qs(uri.query)

authentik/providers/proxy/apps.py

@@ -1,10 +1,11 @@
 """authentik Proxy app"""
-from django.apps import AppConfig
+from authentik.blueprints.manager import ManagedAppConfig
 
 
-class AuthentikProviderProxyConfig(AppConfig):
+class AuthentikProviderProxyConfig(ManagedAppConfig):
     """authentik proxy app"""
 
     name = "authentik.providers.proxy"
     label = "authentik_providers_proxy"
     verbose_name = "authentik Providers.Proxy"
+    default = True

authentik/sources/oauth/clients/base.py

@@ -72,7 +72,7 @@ class BaseOAuthClient:
         # Special handling for scope, since it's set as array
         # to make additional scopes easier
         args["scope"] = " ".join(sorted(set(args["scope"])))
-        params = urlencode(args, quote_via=quote)
+        params = urlencode(args, quote_via=quote, doseq=True)
         LOGGER.info("redirect args", **args)
         return urlunparse(parsed_url._replace(query=params))
 

authentik/stages/password/migrations/0007_app_password.py

@@ -15,7 +15,8 @@ def update_default_backends(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
     if not stages.exists():
         return
     stage = stages.first()
-    stage.backends.append(BACKEND_APP_PASSWORD)
+    if BACKEND_APP_PASSWORD not in stage.backends:
+        stage.backends.append(BACKEND_APP_PASSWORD)
     stage.save()
 
 

blueprints/default/10-flow-default-authentication-flow.yaml

@@ -4,7 +4,6 @@ metadata:
 entries:
 - attrs:
     designation: authentication
-    layout: stacked
     name: Welcome to authentik!
     title: Welcome to authentik!
   identifiers:
@@ -16,22 +15,12 @@ entries:
     - authentik.core.auth.InbuiltBackend
     - authentik.sources.ldap.auth.LDAPBackend
     - authentik.core.auth.TokenBackend
-    - authentik.core.auth.TokenBackend
     configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
-    failed_attempts_before_cancel: 5
   identifiers:
     name: default-authentication-password
   id: default-authentication-password
   model: authentik_stages_password.passwordstage
-- attrs:
-    device_classes:
-    - static
-    - totp
-    - webauthn
-    - duo
-    - sms
-    not_configured_action: skip
-  identifiers:
+- identifiers:
     name: default-authentication-mfa-validation
   id: default-authentication-mfa-validation
   model: authentik_stages_authenticator_validate.authenticatorvalidatestage

blueprints/default/20-flow-default-authenticator-static-setup.yaml

@@ -5,7 +5,6 @@ entries:
 - attrs:
     designation: stage_configuration
     name: default-authenticator-static-setup
-    policy_engine_mode: any
     title: Setup Static OTP Tokens
   identifiers:
     slug: default-authenticator-static-setup

blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml

@@ -5,7 +5,6 @@ entries:
 - attrs:
     designation: stage_configuration
     name: default-authenticator-webauthn-setup
-    policy_engine_mode: any
     title: Setup WebAuthn
   identifiers:
     slug: default-authenticator-webauthn-setup

blueprints/schema.json

@@ -48,9 +48,6 @@
                     "model": {
                         "type": "string",
                         "enum": [
-                            "auth.permission",
-                            "contenttypes.contenttype",
-                            "sessions.session",
                             "authentik_crypto.certificatekeypair",
                             "authentik_events.event",
                             "authentik_events.notificationtransport",
@@ -114,15 +111,6 @@
                             "authentik_stages_user_write.userwritestage",
                             "authentik_tenants.tenant",
                             "authentik_blueprints.blueprintinstance",
-                            "guardian.userobjectpermission",
-                            "guardian.groupobjectpermission",
-                            "otp_static.staticdevice",
-                            "otp_static.statictoken",
-                            "otp_totp.totpdevice",
-                            "silk.request",
-                            "silk.response",
-                            "silk.sqlquery",
-                            "silk.profile",
                             "authentik_core.group",
                             "authentik_core.user",
                             "authentik_core.application",

docker-compose.yml

@@ -29,7 +29,7 @@ services:
       retries: 5
       timeout: 3s
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}
     restart: unless-stopped
     command: server
     environment:
@@ -50,7 +50,7 @@ services:
       - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
       - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/quasoft/memstore v0.0.0-20191010062613-2bce066d2b0b
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.0
-	goauthentik.io/api/v3 v3.2022073.8
+	goauthentik.io/api/v3 v3.2022081.1
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
 	gopkg.in/boj/redistore.v1 v1.0.0-20160128113310-fc113767cd6b

go.sum

@@ -367,8 +367,8 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
-goauthentik.io/api/v3 v3.2022073.8 h1:BwTDSNcbsfN0PUfJ0qnwUGJdp2gTMXryYMvUQfXxrZg=
-goauthentik.io/api/v3 v3.2022073.8/go.mod h1:QM9J32HgYE4gL71lWAfAoXSPdSmLVLW08itfLI3Mo10=
+goauthentik.io/api/v3 v3.2022081.1 h1:/V6ktaQ9O8zhRHTkiswxgqg16fe3FL++9UoT9+S97NA=
+goauthentik.io/api/v3 v3.2022081.1/go.mod h1:QM9J32HgYE4gL71lWAfAoXSPdSmLVLW08itfLI3Mo10=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2022.8.1"
+const VERSION = "2022.8.2"

internal/outpost/proxyv2/application/application.go

@@ -148,9 +148,11 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 	mux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
 	mux.Use(func(inner http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if _, set := r.URL.Query()[CallbackSignature]; set {
+			if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
+				a.log.Debug("handling OAuth Callback from querystring signature")
 				a.handleAuthCallback(w, r)
-			} else if _, set := r.URL.Query()[LogoutSignature]; set {
+			} else if strings.EqualFold(r.URL.Query().Get(LogoutSignature), "true") {
+				a.log.Debug("handling OAuth Logout from querystring signature")
 				a.handleSignOut(w, r)
 			} else {
 				inner.ServeHTTP(w, r)
@@ -201,6 +203,16 @@ func (a *Application) Mode() api.ProxyMode {
 	return *a.proxyConfig.Mode.Get()
 }
 
+func (a *Application) HasQuerySignature(r *http.Request) bool {
+	if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
+		return true
+	}
+	if strings.EqualFold(r.URL.Query().Get(LogoutSignature), "true") {
+		return true
+	}
+	return false
+}
+
 func (a *Application) ProxyConfig() api.ProxyOutpostConfig {
 	return a.proxyConfig
 }

internal/outpost/proxyv2/application/mode_forward.go

@@ -154,6 +154,7 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
 func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request) {
 	a.log.WithField("header", r.Header).Trace("tracing headers for debug")
 	r.URL.Path = strings.TrimPrefix(r.URL.Path, envoyPrefix)
+	r.URL.Host = r.Host
 	fwd := r.URL
 	// Check if we're authenticated, or the request path is on the allowlist
 	claims, err := a.getClaims(r)

internal/outpost/proxyv2/application/mode_forward_envoy_test.go

@@ -24,7 +24,8 @@ func TestForwardHandleEnvoy_Single_Skip(t *testing.T) {
 
 func TestForwardHandleEnvoy_Single_Headers(t *testing.T) {
 	a := newTestApplication()
-	req, _ := http.NewRequest("GET", "http://test.goauthentik.io/app", nil)
+	req, _ := http.NewRequest("GET", "http:///app", nil)
+	req.Host = "ext.t.goauthentik.io"
 
 	rr := httptest.NewRecorder()
 	a.forwardHandleEnvoy(rr, req)
@@ -39,7 +40,7 @@ func TestForwardHandleEnvoy_Single_Headers(t *testing.T) {
 		"state":         []string{s.Values[constants.SessionOAuthState].([]string)[0]},
 	}
 	assert.Equal(t, fmt.Sprintf("http://fake-auth.t.goauthentik.io/auth?%s", shouldUrl.Encode()), loc.String())
-	assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
+	assert.Equal(t, "http://ext.t.goauthentik.io/app", s.Values[constants.SessionRedirect])
 }
 
 func TestForwardHandleEnvoy_Single_Claims(t *testing.T) {
@@ -91,7 +92,8 @@ func TestForwardHandleEnvoy_Domain_Header(t *testing.T) {
 	a.proxyConfig.Mode = *api.NewNullableProxyMode(api.PROXYMODE_FORWARD_DOMAIN.Ptr())
 	a.proxyConfig.CookieDomain = api.PtrString("foo")
 	a.proxyConfig.ExternalHost = "http://auth.test.goauthentik.io"
-	req, _ := http.NewRequest("GET", "http://test.goauthentik.io/app", nil)
+	req, _ := http.NewRequest("GET", "http:///app", nil)
+	req.Host = "test.goauthentik.io"
 
 	rr := httptest.NewRecorder()
 	a.forwardHandleEnvoy(rr, req)

internal/outpost/proxyv2/proxyv2.go

@@ -66,13 +66,13 @@ func NewProxyServer(ac *ak.APIController) *ProxyServer {
 }
 
 func (ps *ProxyServer) HandleHost(rw http.ResponseWriter, r *http.Request) bool {
-	a, host := ps.lookupApp(r)
-	if a != nil {
-		if a.Mode() == api.PROXYMODE_PROXY {
-			ps.log.WithField("host", host).Trace("routing to proxy outpost")
-			a.ServeHTTP(rw, r)
-			return true
-		}
+	a, _ := ps.lookupApp(r)
+	if a == nil {
+		return false
+	}
+	if a.HasQuerySignature(r) || a.Mode() == api.PROXYMODE_PROXY {
+		a.ServeHTTP(rw, r)
+		return true
 	}
 	return false
 }

internal/web/proxy.go

@@ -9,9 +9,7 @@ import (
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
-	"goauthentik.io/internal/outpost/proxyv2/application"
 	"goauthentik.io/internal/utils/sentry"
-	"goauthentik.io/internal/utils/web"
 )
 
 func (ws *WebServer) configureProxy() {
@@ -53,9 +51,7 @@ func (ws *WebServer) configureProxy() {
 		}
 		before := time.Now()
 		if ws.ProxyServer != nil {
-			_, oauthCallbackSet := r.URL.Query()[application.CallbackSignature]
-			_, logoutSet := r.URL.Query()[application.LogoutSignature]
-			if ws.ProxyServer.HandleHost(rw, r) || oauthCallbackSet || logoutSet {
+			if ws.ProxyServer.HandleHost(rw, r) {
 				Requests.With(prometheus.Labels{
 					"dest": "embedded_outpost",
 				}).Observe(float64(time.Since(before)))
@@ -65,7 +61,6 @@ func (ws *WebServer) configureProxy() {
 		Requests.With(prometheus.Labels{
 			"dest": "py",
 		}).Observe(float64(time.Since(before)))
-		ws.log.WithField("host", web.GetHost(r)).Trace("routing to application server")
 		rp.ServeHTTP(rw, r)
 	}))
 }

lifecycle/ak

@@ -46,6 +46,10 @@ elif [[ "$1" == "worker" ]]; then
     wait_for_db
     echo "worker" > $MODE_FILE
     check_if_root "celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"
+elif [[ "$1" == "worker-status" ]]; then
+    wait_for_db
+    celery -A authentik.root.celery flower \
+        --port=9000
 elif [[ "$1" == "bash" ]]; then
     /bin/bash
 elif [[ "$1" == "test-all" ]]; then

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-31 14:22+0000\n"
+"POT-Creation-Date: 2022-08-18 14:31+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -31,18 +31,28 @@ msgstr ""
 msgid "Validation Error"
 msgstr ""
 
-#: authentik/blueprints/models.py:18
+#: authentik/blueprints/models.py:29
 msgid "Managed by authentik"
 msgstr ""
 
-#: authentik/blueprints/models.py:69
+#: authentik/blueprints/models.py:98
 msgid "Blueprint Instance"
 msgstr ""
 
-#: authentik/blueprints/models.py:70
+#: authentik/blueprints/models.py:99
 msgid "Blueprint Instances"
 msgstr ""
 
+#: authentik/blueprints/v1/exporter.py:50
+#, python-format
+msgid "authentik Export - %(date)s"
+msgstr ""
+
+#: authentik/blueprints/v1/tasks.py:103 authentik/crypto/tasks.py:93
+#, python-format
+msgid "Successfully imported %(count)d files."
+msgstr ""
+
 #: authentik/core/api/providers.py:89
 msgid "SAML Provider from Metadata"
 msgstr ""
@@ -67,95 +77,95 @@ msgstr ""
 msgid "Users added to this group will be superusers."
 msgstr ""
 
-#: authentik/core/models.py:152
+#: authentik/core/models.py:153
 msgid "User's display name."
 msgstr ""
 
-#: authentik/core/models.py:251 authentik/providers/oauth2/models.py:322
+#: authentik/core/models.py:252 authentik/providers/oauth2/models.py:322
 msgid "User"
 msgstr ""
 
-#: authentik/core/models.py:252
+#: authentik/core/models.py:253
 msgid "Users"
 msgstr ""
 
-#: authentik/core/models.py:263
+#: authentik/core/models.py:264
 msgid "Flow used when authorizing this provider."
 msgstr ""
 
-#: authentik/core/models.py:296
+#: authentik/core/models.py:297
 msgid "Application's display Name."
 msgstr ""
 
-#: authentik/core/models.py:297
+#: authentik/core/models.py:298
 msgid "Internal application name, used in URLs."
 msgstr ""
 
-#: authentik/core/models.py:309
+#: authentik/core/models.py:310
 msgid "Open launch URL in a new browser tab or window."
 msgstr ""
 
-#: authentik/core/models.py:374
+#: authentik/core/models.py:375
 msgid "Application"
 msgstr ""
 
-#: authentik/core/models.py:375
+#: authentik/core/models.py:376
 msgid "Applications"
 msgstr ""
 
-#: authentik/core/models.py:381
+#: authentik/core/models.py:382
 msgid "Use the source-specific identifier"
 msgstr ""
 
-#: authentik/core/models.py:389
+#: authentik/core/models.py:390
 msgid ""
 "Use the user's email address, but deny enrollment when the email address "
 "already exists."
 msgstr ""
 
-#: authentik/core/models.py:398
+#: authentik/core/models.py:399
 msgid ""
 "Use the user's username, but deny enrollment when the username already "
 "exists."
 msgstr ""
 
-#: authentik/core/models.py:405
+#: authentik/core/models.py:406
 msgid "Source's display Name."
 msgstr ""
 
-#: authentik/core/models.py:406
+#: authentik/core/models.py:407
 msgid "Internal source name, used in URLs."
 msgstr ""
 
-#: authentik/core/models.py:419
+#: authentik/core/models.py:420
 msgid "Flow to use when authenticating existing users."
 msgstr ""
 
-#: authentik/core/models.py:428
+#: authentik/core/models.py:429
 msgid "Flow to use when enrolling new users."
 msgstr ""
 
-#: authentik/core/models.py:589
+#: authentik/core/models.py:590
 msgid "Token"
 msgstr ""
 
-#: authentik/core/models.py:590
+#: authentik/core/models.py:591
 msgid "Tokens"
 msgstr ""
 
-#: authentik/core/models.py:633
+#: authentik/core/models.py:634
 msgid "Property Mapping"
 msgstr ""
 
-#: authentik/core/models.py:634
+#: authentik/core/models.py:635
 msgid "Property Mappings"
 msgstr ""
 
-#: authentik/core/models.py:670
+#: authentik/core/models.py:671
 msgid "Authenticated Session"
 msgstr ""
 
-#: authentik/core/models.py:671
+#: authentik/core/models.py:672
 msgid "Authenticated Sessions"
 msgstr ""
 
@@ -229,7 +239,7 @@ msgid "Powered by authentik"
 msgstr ""
 
 #: authentik/core/views/apps.py:48
-#: authentik/providers/oauth2/views/authorize.py:364
+#: authentik/providers/oauth2/views/authorize.py:359
 #: authentik/providers/saml/views/sso.py:69
 #, python-format
 msgid "You're about to sign into %(application)s."
@@ -257,11 +267,6 @@ msgstr ""
 msgid "Certificate-Key Pairs"
 msgstr ""
 
-#: authentik/crypto/tasks.py:93
-#, python-format
-msgid "Successfully imported %(count)d files."
-msgstr ""
-
 #: authentik/events/models.py:294
 msgid "Event"
 msgstr ""
@@ -352,17 +357,17 @@ msgstr ""
 msgid "Task has not been run yet."
 msgstr ""
 
-#: authentik/flows/api/flows.py:228 authentik/flows/api/flows.py:250
+#: authentik/flows/api/flows.py:229 authentik/flows/api/flows.py:251
 #, python-format
 msgid "Policy (%(type)s)"
 msgstr ""
 
-#: authentik/flows/api/flows.py:259
+#: authentik/flows/api/flows.py:260
 #, python-format
 msgid "Stage (%(type)s)"
 msgstr ""
 
-#: authentik/flows/api/flows.py:374
+#: authentik/flows/api/flows.py:375
 #, python-format
 msgid "Flow not applicable to current user/request: %(messages)s"
 msgstr ""
@@ -855,26 +860,26 @@ msgstr ""
 msgid "OAuth2 Tokens"
 msgstr ""
 
-#: authentik/providers/oauth2/views/authorize.py:418
+#: authentik/providers/oauth2/views/authorize.py:413
 #: authentik/providers/saml/views/flows.py:86
 #, python-format
 msgid "Redirecting to %(app)s..."
 msgstr ""
 
-#: authentik/providers/oauth2/views/userinfo.py:43
-#: authentik/providers/oauth2/views/userinfo.py:44
+#: authentik/providers/oauth2/views/userinfo.py:41
+#: authentik/providers/oauth2/views/userinfo.py:42
 msgid "GitHub Compatibility: Access your User Information"
 msgstr ""
 
-#: authentik/providers/oauth2/views/userinfo.py:45
+#: authentik/providers/oauth2/views/userinfo.py:43
 msgid "GitHub Compatibility: Access you Email addresses"
 msgstr ""
 
-#: authentik/providers/oauth2/views/userinfo.py:46
+#: authentik/providers/oauth2/views/userinfo.py:44
 msgid "GitHub Compatibility: Access your Groups"
 msgstr ""
 
-#: authentik/providers/oauth2/views/userinfo.py:47
+#: authentik/providers/oauth2/views/userinfo.py:45
 msgid "authentik API Access on behalf of your user"
 msgstr ""
 
@@ -1649,7 +1654,7 @@ msgstr ""
 msgid "Identification Stages"
 msgstr ""
 
-#: authentik/stages/identification/stage.py:176
+#: authentik/stages/identification/stage.py:173
 msgid "Log in"
 msgstr ""
 

pyproject.toml

@@ -97,7 +97,7 @@ addopts = "-p no:celery --junitxml=unittest.xml"
 
 [tool.poetry]
 name = "authentik"
-version = "2022.8.1"
+version = "2022.8.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -149,6 +149,7 @@ wsproto = "*"
 xmlsec = "*"
 twilio = "*"
 dumb-init = "*"
+flower = "*"
 
 [tool.poetry.dev-dependencies]
 bandit = "*"

tests/e2e/test_source_oauth.py

@@ -1,5 +1,5 @@
 """test OAuth Source"""
-from os.path import abspath
+from pathlib import Path
 from sys import platform
 from time import sleep
 from typing import Any, Optional
@@ -116,7 +116,7 @@ class TestSourceOAuth2(SeleniumTestCase):
                 interval=5 * 100 * 1000000,
                 start_period=1 * 100 * 1000000,
             ),
-            "volumes": {abspath(CONFIG_PATH): {"bind": "/config.yml", "mode": "ro"}},
+            "volumes": {str(Path(CONFIG_PATH).absolute()): {"bind": "/config.yml", "mode": "ro"}},
         }
 
     def create_objects(self):

web/package-lock.json

@@ -21,13 +21,13 @@
                 "@codemirror/legacy-modes": "^6.1.0",
                 "@formatjs/intl-listformat": "^7.0.3",
                 "@fortawesome/fontawesome-free": "^6.1.2",
-                "@goauthentik/api": "^2022.7.3-1659983945",
+                "@goauthentik/api": "^2022.8.1-1660661985",
                 "@jackfranklin/rollup-plugin-markdown": "^0.4.0",
                 "@lingui/cli": "^3.14.0",
                 "@lingui/core": "^3.14.0",
                 "@lingui/detect-locale": "^3.14.0",
                 "@lingui/macro": "^3.14.0",
-                "@patternfly/patternfly": "^4.202.1",
+                "@patternfly/patternfly": "^4.206.3",
                 "@polymer/iron-form": "^3.0.1",
                 "@polymer/paper-input": "^3.2.1",
                 "@rollup/plugin-babel": "^5.3.1",
@@ -35,8 +35,8 @@
                 "@rollup/plugin-node-resolve": "^13.3.0",
                 "@rollup/plugin-replace": "^4.0.0",
                 "@rollup/plugin-typescript": "^8.3.4",
-                "@sentry/browser": "^7.10.0",
-                "@sentry/tracing": "^7.10.0",
+                "@sentry/browser": "^7.11.1",
+                "@sentry/tracing": "^7.11.1",
                 "@squoosh/cli": "^0.7.2",
                 "@trivago/prettier-plugin-sort-imports": "^3.3.0",
                 "@types/chart.js": "^2.9.37",
@@ -59,7 +59,7 @@
                 "eslint-plugin-lit": "^1.6.1",
                 "flowchart.js": "^1.17.1",
                 "fuse.js": "^6.6.2",
-                "lit": "^2.3.0",
+                "lit": "^2.3.1",
                 "moment": "^2.29.4",
                 "prettier": "^2.7.1",
                 "rapidoc": "^9.3.3",
@@ -1929,9 +1929,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2022.7.3-1659983945",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.7.3-1659983945.tgz",
-            "integrity": "sha512-y/BVhn3BDrI5G8iIsRytU6Mz9uS1iNIpcrm0N6MyJoakSzCd5wRJuUU6gQdG1zzk1B2Mh+9eHzOhdFtrMc9TeA=="
+            "version": "2022.8.1-1660661985",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.8.1-1660661985.tgz",
+            "integrity": "sha512-KJyaUNm2Car6YC1yb7GqETRn8Y3Xij6/a7+Bo+q2IgfkOXjZQKGGoCoJL0UIHec2pN7gXaY1qP2i0vdGvXD6mg=="
         },
         "node_modules/@humanwhocodes/config-array": {
             "version": "0.10.4",
@@ -2480,9 +2480,9 @@
             }
         },
         "node_modules/@patternfly/patternfly": {
-            "version": "4.202.1",
-            "resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-4.202.1.tgz",
-            "integrity": "sha512-cQiiPqmwJOm9onuTfLPQNRlpAZwDIJ/zVfDQeaFqMQyPJtxtKn3lkphz5xErY5dPs9rR4X94ytQ1I9pkVzaPJQ=="
+            "version": "4.206.3",
+            "resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-4.206.3.tgz",
+            "integrity": "sha512-2Ar6qaZAozyx/KBzlqqskoEf45HUZIbk668qFwYHWaTkuucYw/usoxw03OwnGCS4GgBlMf06X2uonHgQLhVT8A=="
         },
         "node_modules/@polymer/font-roboto": {
             "version": "3.0.2",
@@ -2742,13 +2742,13 @@
             }
         },
         "node_modules/@sentry/browser": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.10.0.tgz",
-            "integrity": "sha512-RNOKCRonqzUOqyM/JcjxjCOMosfS0MRmzkBKWewfyXse9AqfqC9+y8BI5J7wFmpYCypQP72JROKPBaxi7rvOFw==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.11.1.tgz",
+            "integrity": "sha512-k2XHuzPfnm8VJPK5eWd1+Y5VCgN42sLveb8Qxc3prb5PSL416NWMLZaoB7RMIhy430fKrSFiosnm6QDk2M6pbA==",
             "dependencies": {
-                "@sentry/core": "7.10.0",
-                "@sentry/types": "7.10.0",
-                "@sentry/utils": "7.10.0",
+                "@sentry/core": "7.11.1",
+                "@sentry/types": "7.11.1",
+                "@sentry/utils": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2761,13 +2761,13 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/core": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.10.0.tgz",
-            "integrity": "sha512-uq6oUXPH+6cjsEL5/j/xSW91mVrJo7knTqax7E5MDiA5j98BPK4budGiBiPO7GEB856QhA7N+pOO0lccii5QYQ==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.11.1.tgz",
+            "integrity": "sha512-kaDSZ6VNuO4ZZdqUOOX6XM6x+kjo2bMnDQ3IJG51FPvVjr8lXYhXj1Ccxcot3pBYAIWPPby2+vNDOXllmXqoBA==",
             "dependencies": {
-                "@sentry/hub": "7.10.0",
-                "@sentry/types": "7.10.0",
-                "@sentry/utils": "7.10.0",
+                "@sentry/hub": "7.11.1",
+                "@sentry/types": "7.11.1",
+                "@sentry/utils": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2780,12 +2780,12 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/hub": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-7.10.0.tgz",
-            "integrity": "sha512-9Appy7J87EU7Xu2BDY1cLK79nsuE72geeYmG71lgdttTD3XOMcQBOxET4/2sAI+d/ansurXnURx+DAQ9FOKT+w==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-7.11.1.tgz",
+            "integrity": "sha512-M6ClgdXdptS0lUBKB5KpXXe2qMQhsoiEN2pEGRI6+auqhfHCUQB1ZXsfjiOYexKC9fwx7TyFyZ9Jcaf2DTxEhw==",
             "dependencies": {
-                "@sentry/types": "7.10.0",
-                "@sentry/utils": "7.10.0",
+                "@sentry/types": "7.11.1",
+                "@sentry/utils": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2798,13 +2798,13 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/tracing": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.10.0.tgz",
-            "integrity": "sha512-ojuBYS1bL/IGWKt/ItY4HmC8NElJrYtTUvm73VbhylhIO4zcn5ICHmgMFj1lqL9gQ1nCnAlifKiWIjL9qUatTA==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.11.1.tgz",
+            "integrity": "sha512-ilgnHfpdYUWKG/5yAXIfIbPVsCfrC4ONFBR/wN25/hdAyVfXMa3AJx7NCCXxZBOPDWH3hMW8rl4La5yuDbXofg==",
             "dependencies": {
-                "@sentry/hub": "7.10.0",
-                "@sentry/types": "7.10.0",
-                "@sentry/utils": "7.10.0",
+                "@sentry/hub": "7.11.1",
+                "@sentry/types": "7.11.1",
+                "@sentry/utils": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2817,19 +2817,19 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/types": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.10.0.tgz",
-            "integrity": "sha512-1UBwdbS0xXzANzp63g4eNQly/qKIXp0swP5OTKWoADvKBtL4anroLUA/l8ADMtuwFZYtVANc8WRGxM2+YmaXtg==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.11.1.tgz",
+            "integrity": "sha512-gIEhOPxC2cjrxQ0+K2SFJ1P6e/an5osSxVc9OOtekN28eHtVsXFCLB8XVWeNQnS7N2VkrVrkqORMBz1kvIcvVQ==",
             "engines": {
                 "node": ">=8"
             }
         },
         "node_modules/@sentry/utils": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.10.0.tgz",
-            "integrity": "sha512-/aD2DnfyOhV0Wdbb6VF78vu4fQIZJyuReDpBI7MV/EqcEB6FxUKq2YjinfKZF/exHEPig6Ag/Yt+CRFgvtVFuw==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.11.1.tgz",
+            "integrity": "sha512-tRVXNT5O9ilkV31pyHeTqA1PcPQfMV/2OR6yUYM4ah+QVISovC0f0ybhByuH5nYg6x/Gsnx1o7pc8L1GE3+O7A==",
             "dependencies": {
-                "@sentry/types": "7.10.0",
+                "@sentry/types": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -6188,9 +6188,9 @@
             "integrity": "sha1-HADHQ7QzzQpOgHWPe2SldEDZ/wA="
         },
         "node_modules/lit": {
-            "version": "2.3.0",
-            "resolved": "https://registry.npmjs.org/lit/-/lit-2.3.0.tgz",
-            "integrity": "sha512-ynSGsUYKSGN2weFQ1F3SZq0Ihlj+vr/3KAET//Yf8Tz86L7lZizlw9Px+ab5iN8Si4RkVoLqd9YtKQmjdyKHNg==",
+            "version": "2.3.1",
+            "resolved": "https://registry.npmjs.org/lit/-/lit-2.3.1.tgz",
+            "integrity": "sha512-TejktDR4mqG3qB32Y8Lm5Lye3c8SUehqz7qRsxe1PqGYL6me2Ef+jeQAEqh20BnnGncv4Yxy2njEIT0kzK1WCw==",
             "dependencies": {
                 "@lit/reactive-element": "^1.4.0",
                 "lit-element": "^3.2.0",
@@ -10494,9 +10494,9 @@
             "integrity": "sha512-XwWADtfdSN73/udaFm+1mnGIj/ShDZNFMe/PRoqv3FhQ4GNI2PUN70yFTPsjq65Lw2C9i4TG5/hTbxXIXVCiqQ=="
         },
         "@goauthentik/api": {
-            "version": "2022.7.3-1659983945",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.7.3-1659983945.tgz",
-            "integrity": "sha512-y/BVhn3BDrI5G8iIsRytU6Mz9uS1iNIpcrm0N6MyJoakSzCd5wRJuUU6gQdG1zzk1B2Mh+9eHzOhdFtrMc9TeA=="
+            "version": "2022.8.1-1660661985",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.8.1-1660661985.tgz",
+            "integrity": "sha512-KJyaUNm2Car6YC1yb7GqETRn8Y3Xij6/a7+Bo+q2IgfkOXjZQKGGoCoJL0UIHec2pN7gXaY1qP2i0vdGvXD6mg=="
         },
         "@humanwhocodes/config-array": {
             "version": "0.10.4",
@@ -10920,9 +10920,9 @@
             }
         },
         "@patternfly/patternfly": {
-            "version": "4.202.1",
-            "resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-4.202.1.tgz",
-            "integrity": "sha512-cQiiPqmwJOm9onuTfLPQNRlpAZwDIJ/zVfDQeaFqMQyPJtxtKn3lkphz5xErY5dPs9rR4X94ytQ1I9pkVzaPJQ=="
+            "version": "4.206.3",
+            "resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-4.206.3.tgz",
+            "integrity": "sha512-2Ar6qaZAozyx/KBzlqqskoEf45HUZIbk668qFwYHWaTkuucYw/usoxw03OwnGCS4GgBlMf06X2uonHgQLhVT8A=="
         },
         "@polymer/font-roboto": {
             "version": "3.0.2",
@@ -11139,13 +11139,13 @@
             }
         },
         "@sentry/browser": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.10.0.tgz",
-            "integrity": "sha512-RNOKCRonqzUOqyM/JcjxjCOMosfS0MRmzkBKWewfyXse9AqfqC9+y8BI5J7wFmpYCypQP72JROKPBaxi7rvOFw==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.11.1.tgz",
+            "integrity": "sha512-k2XHuzPfnm8VJPK5eWd1+Y5VCgN42sLveb8Qxc3prb5PSL416NWMLZaoB7RMIhy430fKrSFiosnm6QDk2M6pbA==",
             "requires": {
-                "@sentry/core": "7.10.0",
-                "@sentry/types": "7.10.0",
-                "@sentry/utils": "7.10.0",
+                "@sentry/core": "7.11.1",
+                "@sentry/types": "7.11.1",
+                "@sentry/utils": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -11157,13 +11157,13 @@
             }
         },
         "@sentry/core": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.10.0.tgz",
-            "integrity": "sha512-uq6oUXPH+6cjsEL5/j/xSW91mVrJo7knTqax7E5MDiA5j98BPK4budGiBiPO7GEB856QhA7N+pOO0lccii5QYQ==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.11.1.tgz",
+            "integrity": "sha512-kaDSZ6VNuO4ZZdqUOOX6XM6x+kjo2bMnDQ3IJG51FPvVjr8lXYhXj1Ccxcot3pBYAIWPPby2+vNDOXllmXqoBA==",
             "requires": {
-                "@sentry/hub": "7.10.0",
-                "@sentry/types": "7.10.0",
-                "@sentry/utils": "7.10.0",
+                "@sentry/hub": "7.11.1",
+                "@sentry/types": "7.11.1",
+                "@sentry/utils": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -11175,12 +11175,12 @@
             }
         },
         "@sentry/hub": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-7.10.0.tgz",
-            "integrity": "sha512-9Appy7J87EU7Xu2BDY1cLK79nsuE72geeYmG71lgdttTD3XOMcQBOxET4/2sAI+d/ansurXnURx+DAQ9FOKT+w==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-7.11.1.tgz",
+            "integrity": "sha512-M6ClgdXdptS0lUBKB5KpXXe2qMQhsoiEN2pEGRI6+auqhfHCUQB1ZXsfjiOYexKC9fwx7TyFyZ9Jcaf2DTxEhw==",
             "requires": {
-                "@sentry/types": "7.10.0",
-                "@sentry/utils": "7.10.0",
+                "@sentry/types": "7.11.1",
+                "@sentry/utils": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -11192,13 +11192,13 @@
             }
         },
         "@sentry/tracing": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.10.0.tgz",
-            "integrity": "sha512-ojuBYS1bL/IGWKt/ItY4HmC8NElJrYtTUvm73VbhylhIO4zcn5ICHmgMFj1lqL9gQ1nCnAlifKiWIjL9qUatTA==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.11.1.tgz",
+            "integrity": "sha512-ilgnHfpdYUWKG/5yAXIfIbPVsCfrC4ONFBR/wN25/hdAyVfXMa3AJx7NCCXxZBOPDWH3hMW8rl4La5yuDbXofg==",
             "requires": {
-                "@sentry/hub": "7.10.0",
-                "@sentry/types": "7.10.0",
-                "@sentry/utils": "7.10.0",
+                "@sentry/hub": "7.11.1",
+                "@sentry/types": "7.11.1",
+                "@sentry/utils": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -11210,16 +11210,16 @@
             }
         },
         "@sentry/types": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.10.0.tgz",
-            "integrity": "sha512-1UBwdbS0xXzANzp63g4eNQly/qKIXp0swP5OTKWoADvKBtL4anroLUA/l8ADMtuwFZYtVANc8WRGxM2+YmaXtg=="
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.11.1.tgz",
+            "integrity": "sha512-gIEhOPxC2cjrxQ0+K2SFJ1P6e/an5osSxVc9OOtekN28eHtVsXFCLB8XVWeNQnS7N2VkrVrkqORMBz1kvIcvVQ=="
         },
         "@sentry/utils": {
-            "version": "7.10.0",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.10.0.tgz",
-            "integrity": "sha512-/aD2DnfyOhV0Wdbb6VF78vu4fQIZJyuReDpBI7MV/EqcEB6FxUKq2YjinfKZF/exHEPig6Ag/Yt+CRFgvtVFuw==",
+            "version": "7.11.1",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.11.1.tgz",
+            "integrity": "sha512-tRVXNT5O9ilkV31pyHeTqA1PcPQfMV/2OR6yUYM4ah+QVISovC0f0ybhByuH5nYg6x/Gsnx1o7pc8L1GE3+O7A==",
             "requires": {
-                "@sentry/types": "7.10.0",
+                "@sentry/types": "7.11.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -13676,9 +13676,9 @@
             "integrity": "sha1-HADHQ7QzzQpOgHWPe2SldEDZ/wA="
         },
         "lit": {
-            "version": "2.3.0",
-            "resolved": "https://registry.npmjs.org/lit/-/lit-2.3.0.tgz",
-            "integrity": "sha512-ynSGsUYKSGN2weFQ1F3SZq0Ihlj+vr/3KAET//Yf8Tz86L7lZizlw9Px+ab5iN8Si4RkVoLqd9YtKQmjdyKHNg==",
+            "version": "2.3.1",
+            "resolved": "https://registry.npmjs.org/lit/-/lit-2.3.1.tgz",
+            "integrity": "sha512-TejktDR4mqG3qB32Y8Lm5Lye3c8SUehqz7qRsxe1PqGYL6me2Ef+jeQAEqh20BnnGncv4Yxy2njEIT0kzK1WCw==",
             "requires": {
                 "@lit/reactive-element": "^1.4.0",
                 "lit-element": "^3.2.0",

web/package.json

@@ -64,13 +64,13 @@
         "@codemirror/legacy-modes": "^6.1.0",
         "@formatjs/intl-listformat": "^7.0.3",
         "@fortawesome/fontawesome-free": "^6.1.2",
-        "@goauthentik/api": "^2022.7.3-1659983945",
+        "@goauthentik/api": "^2022.8.1-1660661985",
         "@jackfranklin/rollup-plugin-markdown": "^0.4.0",
         "@lingui/cli": "^3.14.0",
         "@lingui/core": "^3.14.0",
         "@lingui/detect-locale": "^3.14.0",
         "@lingui/macro": "^3.14.0",
-        "@patternfly/patternfly": "^4.202.1",
+        "@patternfly/patternfly": "^4.206.3",
         "@polymer/iron-form": "^3.0.1",
         "@polymer/paper-input": "^3.2.1",
         "@rollup/plugin-babel": "^5.3.1",
@@ -78,8 +78,8 @@
         "@rollup/plugin-node-resolve": "^13.3.0",
         "@rollup/plugin-replace": "^4.0.0",
         "@rollup/plugin-typescript": "^8.3.4",
-        "@sentry/browser": "^7.10.0",
-        "@sentry/tracing": "^7.10.0",
+        "@sentry/browser": "^7.11.1",
+        "@sentry/tracing": "^7.11.1",
         "@squoosh/cli": "^0.7.2",
         "@trivago/prettier-plugin-sort-imports": "^3.3.0",
         "@types/chart.js": "^2.9.37",
@@ -102,7 +102,7 @@
         "eslint-plugin-lit": "^1.6.1",
         "flowchart.js": "^1.17.1",
         "fuse.js": "^6.6.2",
-        "lit": "^2.3.0",
+        "lit": "^2.3.1",
         "moment": "^2.29.4",
         "prettier": "^2.7.1",
         "rapidoc": "^9.3.3",

web/src/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2022.8.1";
+export const VERSION = "2022.8.2";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/elements/forms/Form.ts

@@ -75,24 +75,28 @@ export class Form<T> extends LitElement {
 
     updated(): void {
         this.shadowRoot
-            ?.querySelectorAll<HTMLInputElement>("input[name=name]")
+            ?.querySelectorAll("ak-form-element-horizontal[name=name]")
             .forEach((nameInput) => {
+                const input = nameInput.firstElementChild as HTMLInputElement;
                 const form = nameInput.closest("form");
                 if (form === null) {
                     return;
                 }
-                const slugField = form.querySelector<HTMLInputElement>("input[name=slug]");
-                if (!slugField) {
+                const slugFieldWrapper = form.querySelector(
+                    "ak-form-element-horizontal[name=slug]",
+                );
+                if (!slugFieldWrapper) {
                     return;
                 }
+                const slugField = slugFieldWrapper.firstElementChild as HTMLInputElement;
                 // Only attach handler if the slug is already equal to the name
                 // if not, they are probably completely different and shouldn't update
                 // each other
-                if (convertToSlug(nameInput.value) !== slugField.value) {
+                if (convertToSlug(input.value) !== slugField.value) {
                     return;
                 }
                 nameInput.addEventListener("input", () => {
-                    slugField.value = convertToSlug(nameInput.value);
+                    slugField.value = convertToSlug(input.value);
                 });
             });
     }

web/src/flows/stages/consent/ConsentStage.ts

@@ -37,13 +37,15 @@ export class ConsentStage extends BaseStage<ConsentChallenge, ConsentChallengeRe
     }
 
     renderPermissions(perms: Permission[]): TemplateResult {
-        const shouldShowId = perms.filter((perm) => perm.name === "").length === perms.length;
         return html`${perms.map((permission) => {
-            let name = permission.name;
-            if (permission.name === "" && shouldShowId) {
-                name = permission.id;
+            if (permission.name === "") {
+                return html``;
             }
-            return html`<li data-permission-code="${permission.id}">${name}</li>`;
+            // Special case for openid Scope
+            if (permission.id === "openid") {
+                return html``;
+            }
+            return html`<li data-permission-code="${permission.id}">${permission.name}</li>`;
         })}`;
     }
 

web/src/locales/de.po

@@ -186,6 +186,7 @@ msgid "Action"
 msgstr "Ereignis"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -291,6 +292,7 @@ msgstr "Zusätzliche Bereichszuordnungen, die an den Proxy übergeben werden."
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr "Zusätzliche Anwendungsbereiche (Scopes), die an den OAuth-Provider übergeben werden, getrennt durch ein Leerzeichen."
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "Weitere Einstellungen"
@@ -647,6 +649,10 @@ msgstr "Autorisierte Applikation:"
 msgid "Auto-detect (based on your browser)"
 msgstr "Automatische Erkennung (basierend auf Ihrem Browser)"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "Profilbild"
@@ -753,6 +759,15 @@ msgstr "Verknüpfung"
 msgid "Binding Type"
 msgstr "Verknüpfungstyp"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "Branding-Einstellungen"
@@ -1143,6 +1158,10 @@ msgstr "Konfigurieren Sie, wie der Outpost die Benutzer des Core-Authentik-Serve
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "Konfigurieren Sie die für Ihr Benutzerprofil relevanten Einstellungen."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "Konfigurieren Sie die maximal zulässige Zeitdrift für eine 'Assertion'"
@@ -1232,6 +1251,7 @@ msgstr ""
 msgid "Content right"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1286,6 +1306,8 @@ msgstr "Wiederherstellungslink kopieren"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1348,6 +1370,10 @@ msgstr "Anwendung erstellen"
 msgid "Create Binding"
 msgstr "Verknüpfung erstellen"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "Zertifikat-Schlüsselpaar generieren"
@@ -1572,6 +1598,7 @@ msgstr "Definieren Sie, wie Benachrichtigungen an Benutzer gesendet werden, z. B
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1755,6 +1782,10 @@ msgstr "Verzeichnis"
 msgid "Disabled"
 msgstr "Deaktiviert"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1936,6 +1967,8 @@ msgstr "Aktivieren Sie StartTLS"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "Aktivieren Sie den Kompatibilitätsmodus, um die Kompatibilität mit Passwortmanagern auf mobilen Geräten zu erhöhen."
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1972,6 +2005,7 @@ msgstr "Registrierungsablauf"
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "Fehler"
@@ -2943,6 +2977,10 @@ msgstr "Beschriftung neben/über der Eingabeaufforderung"
 msgid "Last IP"
 msgstr "Letzte IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3055,6 +3093,7 @@ msgstr "Wird geladen"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3358,6 +3397,9 @@ msgstr "Meine Anwendungen"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3530,6 +3572,7 @@ msgstr "Nginx (eigenständig)"
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3878,6 +3921,10 @@ msgstr ""
 msgid "Order"
 msgstr "Reihenfolge"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "Weitere globale Einstellungen"
@@ -4008,6 +4055,7 @@ msgstr "Passwort: Maskierte Eingabe, Passwort wird anhand von Quellen validiert.
 msgid "Passwordless flow"
 msgstr "Passwortloser Ablauf"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -4023,6 +4071,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "Persistent"
@@ -5189,6 +5241,7 @@ msgstr "Statisch: Statischer Wert, wird so angezeigt, wie er ist."
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "Den Fluss statisch verweigern. Um diese Phase effektiv zu nutzen, deaktivieren Sie *Evaluate on plan* für die entsprechende Bindung"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "Status"
@@ -5216,6 +5269,7 @@ msgstr "Betreffmodus"
 msgid "Subject-alt name"
 msgstr "Betreff alternativer Name"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "Erfolgreich"
@@ -5262,6 +5316,10 @@ msgstr "Ablauf erfolgreich erstellt."
 msgid "Successfully created group."
 msgstr "Gruppe erfolgreich erstellt."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5428,6 +5486,10 @@ msgstr "Ablauf erfolgreich aktualisiert."
 msgid "Successfully updated group."
 msgstr "Gruppe erfolgreich aktualisiert."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6101,6 +6163,7 @@ msgstr "Defekte Outposts"
 msgid "Unique identifier the token is referenced by."
 msgstr "Einzigartige Kennung zur Referenzierung des Token."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "Unbekannt"
@@ -6122,6 +6185,7 @@ msgstr "Aktuell!"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6173,6 +6237,10 @@ msgstr "Anwendung aktualisieren"
 msgid "Update Binding"
 msgstr "Bindung aktualisieren"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "Aktualisieren Sie das Zertifikatschlüsselpaar"
@@ -6636,6 +6704,7 @@ msgstr "Wartezeit (min.)"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6813,6 +6882,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/en.po

@@ -171,6 +171,7 @@ msgid "Action"
 msgstr "Action"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -280,6 +281,7 @@ msgstr "Additional scope mappings, which are passed to the proxy."
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr "Additional scopes to be passed to the OAuth Provider, separated by space."
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "Additional settings"
@@ -640,6 +642,10 @@ msgstr "Authorized application:"
 msgid "Auto-detect (based on your browser)"
 msgstr "Auto-detect (based on your browser)"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr "Automate and template configuration within authentik."
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "Avatar image"
@@ -749,6 +755,15 @@ msgstr "Binding"
 msgid "Binding Type"
 msgstr "Binding Type"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr "Blueprint(s)"
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr "Blueprints"
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "Branding settings"
@@ -1150,6 +1165,10 @@ msgstr "Configure how the outpost queries the core authentik server's users."
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "Configure settings relevant to your user profile."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr "Configure the blueprint context, used for templating."
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "Configure the maximum allowed time drift for an assertion."
@@ -1241,6 +1260,7 @@ msgstr "Content left"
 msgid "Content right"
 msgstr "Content right"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1296,6 +1316,8 @@ msgstr "Copy recovery link"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1358,6 +1380,10 @@ msgstr "Create Application"
 msgid "Create Binding"
 msgstr "Create Binding"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr "Create Blueprint Instance"
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "Create Certificate-Key Pair"
@@ -1584,6 +1610,7 @@ msgstr "Define how notifications are sent to users, like Email or Webhook."
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1780,6 +1807,10 @@ msgstr "Directory"
 msgid "Disabled"
 msgstr "Disabled"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr "Disabled blueprints are never applied."
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1968,6 +1999,8 @@ msgstr "Enable StartTLS"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -2004,6 +2037,7 @@ msgstr "Enrollment flow"
 msgid "EntityID/Issuer"
 msgstr "EntityID/Issuer"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "Error"
@@ -2994,6 +3028,10 @@ msgstr "Label shown next to/above the prompt."
 msgid "Last IP"
 msgstr "Last IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr "Last applied"
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3107,6 +3145,7 @@ msgstr "Loading"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3411,6 +3450,9 @@ msgstr "My applications"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3583,6 +3625,7 @@ msgstr "Nginx (standalone)"
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3938,6 +3981,10 @@ msgstr "Or"
 msgid "Order"
 msgstr "Order"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr "Orphaned"
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "Other global settings"
@@ -4072,6 +4119,7 @@ msgstr "Password: Masked input, password is validated against sources. Policies
 msgid "Passwordless flow"
 msgstr "Passwordless flow"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr "Path"
@@ -4087,6 +4135,10 @@ msgstr "Path new users will be created under. If left blank, the default path wi
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr "Permissions"
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "Persistent"
@@ -5285,6 +5337,7 @@ msgstr "Static: Static value, displayed as-is."
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "Status"
@@ -5320,6 +5373,7 @@ msgstr "Subject mode"
 msgid "Subject-alt name"
 msgstr "Subject-alt name"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "Successful"
@@ -5366,6 +5420,10 @@ msgstr "Successfully created flow."
 msgid "Successfully created group."
 msgstr "Successfully created group."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr "Successfully created instance."
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5534,6 +5592,10 @@ msgstr "Successfully updated flow."
 msgid "Successfully updated group."
 msgstr "Successfully updated group."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr "Successfully updated instance."
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6221,6 +6283,7 @@ msgstr "Unhealthy outposts"
 msgid "Unique identifier the token is referenced by."
 msgstr "Unique identifier the token is referenced by."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "Unknown"
@@ -6243,6 +6306,7 @@ msgstr "Up-to-date!"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6294,6 +6358,10 @@ msgstr "Update Application"
 msgid "Update Binding"
 msgstr "Update Binding"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr "Update Blueprint"
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "Update Certificate-Key Pair"
@@ -6763,6 +6831,7 @@ msgstr "Wait (min)"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6943,6 +7012,7 @@ msgstr "XML-based SSO standard. Use this if your application only supports SAML.
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/es.po

@@ -173,6 +173,7 @@ msgid "Action"
 msgstr "Acción"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -278,6 +279,7 @@ msgstr "Asignaciones de ámbitos adicionales, que se pasan al proxy."
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr "Ámbitos adicionales que se pasarán al proveedor de OAuth, separados por espacios."
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "Configuraciones adicionales"
@@ -634,6 +636,10 @@ msgstr "Solicitud autorizada:"
 msgid "Auto-detect (based on your browser)"
 msgstr "Detección automática (según su navegador)"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "Imagen de avatar"
@@ -743,6 +749,15 @@ msgstr "Vinculante"
 msgid "Binding Type"
 msgstr "Tipo de enlace"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "Configuración de marca"
@@ -1134,6 +1149,10 @@ msgstr "Configure la forma en que el puesto avanzado consulta a los usuarios del
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "Configure los ajustes relevantes para su perfil de usuario."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "Configure la desviación de tiempo máxima permitida para una afirmación."
@@ -1223,6 +1242,7 @@ msgstr ""
 msgid "Content right"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1277,6 +1297,8 @@ msgstr "Enlace de recuperación de copia"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1339,6 +1361,10 @@ msgstr "Crear aplicación"
 msgid "Create Binding"
 msgstr "Crear enlace"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "Crear par de claves de certificado"
@@ -1563,6 +1589,7 @@ msgstr "Defina cómo se envían las notificaciones a los usuarios, como el corre
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1746,6 +1773,10 @@ msgstr "Directorio"
 msgid "Disabled"
 msgstr "Discapacitado"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1927,6 +1958,8 @@ msgstr "Habilitar StartTLS"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "Habilite el modo de compatibilidad, aumenta la compatibilidad con los administradores de contraseñas en dispositivos móviles."
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1963,6 +1996,7 @@ msgstr "Flujo de inscripción"
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "Error"
@@ -2936,6 +2970,10 @@ msgstr "La etiqueta se muestra al lado o encima de la solicitud."
 msgid "Last IP"
 msgstr "Última IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3048,6 +3086,7 @@ msgstr "Cargando"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3351,6 +3390,9 @@ msgstr "Mis solicitudes"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3523,6 +3565,7 @@ msgstr "Nginx (independiente)"
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3871,6 +3914,10 @@ msgstr ""
 msgid "Order"
 msgstr "Orden"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "Otros ajustes globales"
@@ -4001,6 +4048,7 @@ msgstr "Contraseña: entrada enmascarada, la contraseña se valida contra las fu
 msgid "Passwordless flow"
 msgstr "Flujo sin contraseña"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -4016,6 +4064,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "persistente"
@@ -5183,6 +5235,7 @@ msgstr "Estático: valor estático, que se muestra tal cual."
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "Niega el flujo estáticamente. Para usar esta etapa de manera efectiva, desactive *Evaluar en plan* en el encuadernado respectivo."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "Estatus"
@@ -5210,6 +5263,7 @@ msgstr "Modo asignatura"
 msgid "Subject-alt name"
 msgstr "Nombre de asunto ALT"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "Éxito"
@@ -5256,6 +5310,10 @@ msgstr "El flujo se creó correctamente."
 msgid "Successfully created group."
 msgstr "Se ha creado el grupo correctamente."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5422,6 +5480,10 @@ msgstr "Se actualizó correctamente el flujo."
 msgid "Successfully updated group."
 msgstr "El grupo se actualizó correctamente."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6095,6 +6157,7 @@ msgstr "Puestos avanzados insalubres"
 msgid "Unique identifier the token is referenced by."
 msgstr "Identificador único por el que se hace referencia al token."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "Desconocido"
@@ -6116,6 +6179,7 @@ msgstr "¡Actuales!"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6167,6 +6231,10 @@ msgstr "Aplicación de actualización"
 msgid "Update Binding"
 msgstr "Enlace de actualización"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "Actualizar par de claves de certificado"
@@ -6630,6 +6698,7 @@ msgstr "Espera (min)"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6807,6 +6876,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/fr_FR.po

@@ -176,6 +176,7 @@ msgid "Action"
 msgstr "Action"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -281,6 +282,7 @@ msgstr ""
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "Paramètres supplémentaire"
@@ -640,6 +642,10 @@ msgstr "Application autorisée :"
 msgid "Auto-detect (based on your browser)"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "Image d'avatar"
@@ -749,6 +755,15 @@ msgstr "Liaison"
 msgid "Binding Type"
 msgstr "Type de binding"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "Paramètres de marque"
@@ -1143,6 +1158,10 @@ msgstr ""
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "Configure les paramètre applicable à votre profil."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "Configure la dérive temporelle maximale d'une assetion."
@@ -1234,6 +1253,7 @@ msgstr ""
 msgid "Content right"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1289,6 +1309,8 @@ msgstr "Copier le lien de récupération"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1351,6 +1373,10 @@ msgstr "Créer une application"
 msgid "Create Binding"
 msgstr "Créer une liaison"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "Créer une paire clé/certificat"
@@ -1577,6 +1603,7 @@ msgstr "Définit les méthodes d'envoi des notifications aux utilisateurs, telle
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1763,6 +1790,10 @@ msgstr ""
 msgid "Disabled"
 msgstr "Désactivé"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1949,6 +1980,8 @@ msgstr "Activer StartTLS"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "Activer le mode de compatibilité, améliore la compatibilité avec les gestionnaires de mot de passe sur les équipements mobiles."
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1985,6 +2018,7 @@ msgstr "Flux d'inscription"
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "Erreur"
@@ -2967,6 +3001,10 @@ msgstr "Libellé affiché à côté/au-dessus du champ."
 msgid "Last IP"
 msgstr "Dernière IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3079,6 +3117,7 @@ msgstr "Chargement en cours"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3382,6 +3421,9 @@ msgstr "Mes applications"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3554,6 +3596,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3906,6 +3949,10 @@ msgstr ""
 msgid "Order"
 msgstr "Tri"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "Autres paramètres globaux"
@@ -4037,6 +4084,7 @@ msgstr "Mot de passe : Entrée masquée, le mot de passe est vérifié par les s
 msgid "Passwordless flow"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -4052,6 +4100,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "Persistant"
@@ -5236,6 +5288,7 @@ msgstr "Statique : valeur statique, affichée comme telle."
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "Refuser statiquement le flux. Pour utiliser cette étape efficacement, désactivez *Évaluer en planification* dans la liaison applicable."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "Statut"
@@ -5271,6 +5324,7 @@ msgstr "Mode subject"
 msgid "Subject-alt name"
 msgstr "Nom alternatif subject"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "Réussite"
@@ -5317,6 +5371,10 @@ msgstr "Flux créé avec succès"
 msgid "Successfully created group."
 msgstr "Groupe créé avec succès"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5483,6 +5541,10 @@ msgstr "Flux mis à jour avec succès"
 msgid "Successfully updated group."
 msgstr "Groupe mis à jour avec succès"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6153,6 +6215,7 @@ msgstr "Avant-postes malades"
 msgid "Unique identifier the token is referenced by."
 msgstr "Identifiant unique par lequel le jeton est référencé."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "Inconnu"
@@ -6174,6 +6237,7 @@ msgstr "À jour !"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6225,6 +6289,10 @@ msgstr "Mettre à jour l'application"
 msgid "Update Binding"
 msgstr "Mettre à jour la liaison"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "Mettre à jour la paire clé/certificat"
@@ -6692,6 +6760,7 @@ msgstr "Attente (min)"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6868,6 +6937,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/pl.po

@@ -173,6 +173,7 @@ msgid "Action"
 msgstr "Akcja"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -278,6 +279,7 @@ msgstr "Dodatkowe mapowania zakresu, które są przekazywane do serwera proxy."
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr "Dodatkowe zakresy do przekazania do dostawcy OAuth, oddzielone spacją."
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "Dodatkowe ustawienia"
@@ -634,6 +636,10 @@ msgstr "Autoryzowana aplikacja:"
 msgid "Auto-detect (based on your browser)"
 msgstr "Automatycznie wykryj (na podstawie Twojej przeglądarki)"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "Obraz awatara"
@@ -740,6 +746,15 @@ msgstr "Wiązanie"
 msgid "Binding Type"
 msgstr "Typ wiązania"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "Ustawienia brandingowe"
@@ -1131,6 +1146,10 @@ msgstr "Skonfiguruj sposób, w jaki placówka wysyła zapytania do użytkownikó
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "Skonfiguruj ustawienia odpowiednie dla Twojego profilu użytkownika."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "Skonfiguruj maksymalny dozwolony dryft czasu dla asercji."
@@ -1220,6 +1239,7 @@ msgstr ""
 msgid "Content right"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1274,6 +1294,8 @@ msgstr "Skopiuj link odzyskiwania"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1336,6 +1358,10 @@ msgstr "Utwórz aplikację"
 msgid "Create Binding"
 msgstr "Utwórz powiązanie"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "Utwórz parę certyfikat-klucz"
@@ -1560,6 +1586,7 @@ msgstr "Określ sposób wysyłania powiadomień do użytkowników, takich jak e-
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1743,6 +1770,10 @@ msgstr "Katalog"
 msgid "Disabled"
 msgstr "Wyłączone"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1924,6 +1955,8 @@ msgstr "Włącz StartTLS"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "Włącz tryb zgodności, zwiększa zgodność z menedżerami haseł na urządzeniach mobilnych."
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1960,6 +1993,7 @@ msgstr "Przepływ rejestracji"
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "Błąd"
@@ -2933,6 +2967,10 @@ msgstr "Etykieta pokazana obok/nad monitem."
 msgid "Last IP"
 msgstr "Ostatni adres IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3045,6 +3083,7 @@ msgstr "Ładowanie"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3348,6 +3387,9 @@ msgstr "Moje aplikacje"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3520,6 +3562,7 @@ msgstr "Nginx (standalone)"
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3868,6 +3911,10 @@ msgstr ""
 msgid "Order"
 msgstr "Kolejność"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "Inne ustawienia globalne"
@@ -3998,6 +4045,7 @@ msgstr "Hasło: wejście zamaskowane, hasło jest sprawdzane w oparciu o źród
 msgid "Passwordless flow"
 msgstr "Przepływ bezhasłowy"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -4013,6 +4061,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "Trwały"
@@ -5180,6 +5232,7 @@ msgstr "Statyczny: wartość statyczna, wyświetlana w stanie, w jakim jest."
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "Statycznie zaprzeczaj przepływowi. Aby efektywnie korzystać z tego etapu, wyłącz opcję *Oceń zgodnie z planem* w odpowiednim powiązaniu."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "Status"
@@ -5207,6 +5260,7 @@ msgstr "Tryb przedmiotu"
 msgid "Subject-alt name"
 msgstr "Alternatywna nazwa tematu"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "Pomyślny"
@@ -5253,6 +5307,10 @@ msgstr "Pomyślnie utworzono przepływ."
 msgid "Successfully created group."
 msgstr "Pomyślnie utworzono grupę."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5419,6 +5477,10 @@ msgstr "Pomyślnie zaktualizowano przepływ."
 msgid "Successfully updated group."
 msgstr "Pomyślnie zaktualizowano grupę."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6092,6 +6154,7 @@ msgstr "Niezdrowe placówki"
 msgid "Unique identifier the token is referenced by."
 msgstr "Unikalny identyfikator, do którego odwołuje się token."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "Nieznany"
@@ -6113,6 +6176,7 @@ msgstr "Aktualny!"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6164,6 +6228,10 @@ msgstr "Aktualizuj aplikację"
 msgid "Update Binding"
 msgstr "Zaktualizuj wiązanie"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "Aktualizuj parę certyfikat-klucz"
@@ -6627,6 +6695,7 @@ msgstr "Czekaj (min)"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6804,6 +6873,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/pseudo-LOCALE.po

@@ -171,6 +171,7 @@ msgid "Action"
 msgstr ""
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -276,6 +277,7 @@ msgstr ""
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr ""
@@ -632,6 +634,10 @@ msgstr ""
 msgid "Auto-detect (based on your browser)"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr ""
@@ -741,6 +747,15 @@ msgstr ""
 msgid "Binding Type"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr ""
@@ -1138,6 +1153,10 @@ msgstr ""
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr ""
@@ -1229,6 +1248,7 @@ msgstr ""
 msgid "Content right"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1284,6 +1304,8 @@ msgstr ""
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1346,6 +1368,10 @@ msgstr ""
 msgid "Create Binding"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr ""
@@ -1572,6 +1598,7 @@ msgstr ""
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1766,6 +1793,10 @@ msgstr ""
 msgid "Disabled"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1954,6 +1985,8 @@ msgstr ""
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1990,6 +2023,7 @@ msgstr ""
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr ""
@@ -2976,6 +3010,10 @@ msgstr ""
 msgid "Last IP"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3089,6 +3127,7 @@ msgstr ""
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3393,6 +3432,9 @@ msgstr ""
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3565,6 +3607,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3920,6 +3963,10 @@ msgstr ""
 msgid "Order"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr ""
@@ -4054,6 +4101,7 @@ msgstr ""
 msgid "Passwordless flow"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -4069,6 +4117,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr ""
@@ -5265,6 +5317,7 @@ msgstr ""
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr ""
@@ -5300,6 +5353,7 @@ msgstr ""
 msgid "Subject-alt name"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr ""
@@ -5346,6 +5400,10 @@ msgstr ""
 msgid "Successfully created group."
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5514,6 +5572,10 @@ msgstr ""
 msgid "Successfully updated group."
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6191,6 +6253,7 @@ msgstr ""
 msgid "Unique identifier the token is referenced by."
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr ""
@@ -6213,6 +6276,7 @@ msgstr ""
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6264,6 +6328,10 @@ msgstr ""
 msgid "Update Binding"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr ""
@@ -6733,6 +6801,7 @@ msgstr ""
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6909,6 +6978,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/tr.po

@@ -173,6 +173,7 @@ msgid "Action"
 msgstr "Eylem"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -278,6 +279,7 @@ msgstr "Proxy'ye iletilen ek kapsam eşlemeleri."
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr "OAuth Sağlayıcıya iletilecek ek kapsamlar, boşlukla ayrılmış."
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "Ek ayarlar"
@@ -634,6 +636,10 @@ msgstr "Yetkili başvuru:"
 msgid "Auto-detect (based on your browser)"
 msgstr "Otomatik algıla (tarayıcınıza göre)"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "Avatar resmi"
@@ -743,6 +749,15 @@ msgstr "Ciltleme"
 msgid "Binding Type"
 msgstr "Bağlama Tipi"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "Markalama ayarları"
@@ -1134,6 +1149,10 @@ msgstr "Üssün çekirdek authentik sunucusunun kullanıcılarını nasıl sorgu
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "Kullanıcı profilinizle ilgili ayarları yapılandırın."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "Bir onaylama işlemi için izin verilen maksimum zaman kaymasını yapılandırın."
@@ -1223,6 +1242,7 @@ msgstr ""
 msgid "Content right"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1277,6 +1297,8 @@ msgstr "Kurtarma bağlantısı kopyalama"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1339,6 +1361,10 @@ msgstr "Uygulama Oluştur"
 msgid "Create Binding"
 msgstr "Bağlama Oluştur"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "Sertifika Anahtarı Çifti Oluştur"
@@ -1563,6 +1589,7 @@ msgstr "E-posta veya Webhook gibi kullanıcılara bildirimlerin nasıl gönderil
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1746,6 +1773,10 @@ msgstr "Rehber"
 msgid "Disabled"
 msgstr "Devre Dışı"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1927,6 +1958,8 @@ msgstr "StartTLS'yi Etkinleştir"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "Uyumluluk modunu etkinleştirin, mobil cihazlarda parola yöneticileri ile uyumluluğu artırır."
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1963,6 +1996,7 @@ msgstr "Kayıt akışı"
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "Hata"
@@ -2937,6 +2971,10 @@ msgstr "Etiket, istemin yanında veya üstünde gösterilir."
 msgid "Last IP"
 msgstr "Son IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3049,6 +3087,7 @@ msgstr "Yükleniyor"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3352,6 +3391,9 @@ msgstr "Uygulamalarım"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3524,6 +3566,7 @@ msgstr "Nginx (bağımsız)"
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3873,6 +3916,10 @@ msgstr ""
 msgid "Order"
 msgstr "Sıra"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "Diğer genel ayarlar"
@@ -4003,6 +4050,7 @@ msgstr "Parola: Maskeli giriş, parola kaynaklara karşı doğrulanır. İlkeler
 msgid "Passwordless flow"
 msgstr "Parolasız akış"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -4018,6 +4066,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "Kalıcı"
@@ -5185,6 +5237,7 @@ msgstr "Statik: Statik değer, olduğu gibi görüntülenir."
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "Akışı statik olarak reddet. Bu aşamayı etkili bir şekilde kullanmak için ilgili bağlama üzerinde *Planda değerlendirme* devre dışı bırakın."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "Durum"
@@ -5212,6 +5265,7 @@ msgstr "Konu modu"
 msgid "Subject-alt name"
 msgstr "Konu-alt adı"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "Başarılı"
@@ -5258,6 +5312,10 @@ msgstr "Akış başarıyla oluşturuldu."
 msgid "Successfully created group."
 msgstr "Grup başarıyla oluşturuldu."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5424,6 +5482,10 @@ msgstr "Akış başarıyla güncellendi."
 msgid "Successfully updated group."
 msgstr "Grup başarıyla güncellendi."
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6097,6 +6159,7 @@ msgstr "Sağlıksız üsler"
 msgid "Unique identifier the token is referenced by."
 msgstr "Belirteç tarafından başvurulan benzersiz tanımlayıcı."
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "bilinmeyen"
@@ -6118,6 +6181,7 @@ msgstr "Güncel!"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6169,6 +6233,10 @@ msgstr "Uygulamayı Güncelle"
 msgid "Update Binding"
 msgstr "Ciltlemeyi Güncelle"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "Sertifika Anahtarı Çiftini Güncelleştir"
@@ -6632,6 +6700,7 @@ msgstr "Bekle (dk)"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6809,6 +6878,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/zh-Hans.po

@@ -174,6 +174,7 @@ msgid "Action"
 msgstr "操作"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -278,6 +279,7 @@ msgstr "传递给代理的额外作用域映射。"
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr "要传递给 OAuth 提供商的额外作用域，用空格分隔。"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "其他设置"
@@ -632,6 +634,10 @@ msgstr "已授权应用程序："
 msgid "Auto-detect (based on your browser)"
 msgstr "自动检测（基于您的浏览器）"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "头像图片"
@@ -738,6 +744,15 @@ msgstr "绑定"
 msgid "Binding Type"
 msgstr "绑定类型"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "品牌设置"
@@ -1129,6 +1144,10 @@ msgstr "配置前哨如何查询核心 authentik 服务器的用户。"
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "配置与您的用户资料相关的设置。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "为断言配置允许的最大时间漂移。"
@@ -1218,6 +1237,7 @@ msgstr "内容左侧"
 msgid "Content right"
 msgstr "内容右侧"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1272,6 +1292,8 @@ msgstr "复制恢复链接"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1334,6 +1356,10 @@ msgstr "创建应用程序"
 msgid "Create Binding"
 msgstr "创建绑定"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "创建证书密钥对"
@@ -1558,6 +1584,7 @@ msgstr "定义如何向用户发送通知，例如电子邮件或 Webhook。"
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1740,6 +1767,10 @@ msgstr "目录"
 msgid "Disabled"
 msgstr "已禁用"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1920,6 +1951,8 @@ msgstr "启用 StartTLS"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "启用兼容模式，增强与移动设备上密码管理器的兼容性。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1956,6 +1989,7 @@ msgstr "注册流程"
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "错误"
@@ -2920,6 +2954,10 @@ msgstr "标签会显示在输入侧方/上方。"
 msgid "Last IP"
 msgstr "上次 IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3032,6 +3070,7 @@ msgstr "正在加载"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3334,6 +3373,9 @@ msgstr "我的应用"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3506,6 +3548,7 @@ msgstr "Nginx（独立）"
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3850,6 +3893,10 @@ msgstr ""
 msgid "Order"
 msgstr "顺序"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "其他全局设置"
@@ -3976,6 +4023,7 @@ msgstr "密码：屏蔽输入内容，密码根据来源进行验证。策略仍
 msgid "Passwordless flow"
 msgstr "无密码流程"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -3991,6 +4039,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "持久的"
@@ -5149,6 +5201,7 @@ msgstr "静态：静态值，按原样显示。"
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "静态拒绝流。要有效地使用此阶段，请在相应的绑定上禁用*规划时进行评估*。"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "状态"
@@ -5176,6 +5229,7 @@ msgstr "Subject 模式"
 msgid "Subject-alt name"
 msgstr "替代名称"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "成功"
@@ -5222,6 +5276,10 @@ msgstr "已成功创建流程。"
 msgid "Successfully created group."
 msgstr "已成功创建组。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5387,6 +5445,10 @@ msgstr "已成功更新流程。"
 msgid "Successfully updated group."
 msgstr "已成功更新组。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6058,6 +6120,7 @@ msgstr "不健康的前哨"
 msgid "Unique identifier the token is referenced by."
 msgstr "引用令牌的唯一标识符。"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "未知"
@@ -6079,6 +6142,7 @@ msgstr "最新！"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6130,6 +6194,10 @@ msgstr "更新应用程序"
 msgid "Update Binding"
 msgstr "更新绑定"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "更新证书密钥对"
@@ -6592,6 +6660,7 @@ msgstr "等待（最短）"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6771,6 +6840,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/zh-Hant.po

@@ -175,6 +175,7 @@ msgid "Action"
 msgstr "操作"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -279,6 +280,7 @@ msgstr "传递给代理的其他作用域映射。"
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr "要传递给 OAuth 提供程序的其他作用域，用空格分隔。"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "其他设置"
@@ -634,6 +636,10 @@ msgstr "授权应用程序："
 msgid "Auto-detect (based on your browser)"
 msgstr "自动检测（基于您的浏览器）"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "Avatar image"
@@ -740,6 +746,15 @@ msgstr "绑定"
 msgid "Binding Type"
 msgstr "绑定类型"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "品牌设置"
@@ -1131,6 +1146,10 @@ msgstr "配置前哨如何查询核心 authentik 服务器的用户。"
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "配置与您的用户配置文件相关的设置。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "为断言配置允许的最大时间漂移。"
@@ -1220,6 +1239,7 @@ msgstr ""
 msgid "Content right"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1274,6 +1294,8 @@ msgstr "复制恢复链接"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1336,6 +1358,10 @@ msgstr "创建应用程序"
 msgid "Create Binding"
 msgstr "创建绑定"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "创建证书密钥对"
@@ -1560,6 +1586,7 @@ msgstr "定义如何向用户发送通知，例如电子邮件或 Webhook。"
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1743,6 +1770,10 @@ msgstr "目录"
 msgid "Disabled"
 msgstr "已禁用"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1923,6 +1954,8 @@ msgstr "启用 StartTLS"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "启用兼容模式，增加与移动设备上密码管理器的兼容性。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1959,6 +1992,7 @@ msgstr "注册流程"
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "错误"
@@ -2924,6 +2958,10 @@ msgstr "标签显示在提示符旁边/上方。"
 msgid "Last IP"
 msgstr "最后的 IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3036,6 +3074,7 @@ msgstr "正在加载"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3338,6 +3377,9 @@ msgstr "我的应用"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3510,6 +3552,7 @@ msgstr "Nginx (standalone)"
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3855,6 +3898,10 @@ msgstr ""
 msgid "Order"
 msgstr "订购"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "其他全局设置"
@@ -3981,6 +4028,7 @@ msgstr "密码：屏蔽输入，密码根据来源进行验证。策略仍需应
 msgid "Passwordless flow"
 msgstr "无密码流"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -3996,6 +4044,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "持久"
@@ -5156,6 +5208,7 @@ msgstr "静态：静态值，按原样显示。"
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "静态拒绝流。要有效地使用此阶段，请在相应的绑定上禁用*按计划评估*。"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "状态"
@@ -5183,6 +5236,7 @@ msgstr "Subject 模式"
 msgid "Subject-alt name"
 msgstr "替代名称"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "成功"
@@ -5229,6 +5283,10 @@ msgstr "已成功创建流程。"
 msgid "Successfully created group."
 msgstr "已成功创建组。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5394,6 +5452,10 @@ msgstr "已成功更新流程。"
 msgid "Successfully updated group."
 msgstr "已成功更新组。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6067,6 +6129,7 @@ msgstr "不健康的 Outposts"
 msgid "Unique identifier the token is referenced by."
 msgstr "引用令牌的唯一标识符。"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "未知"
@@ -6088,6 +6151,7 @@ msgstr "最新！"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6139,6 +6203,10 @@ msgstr "更新应用程序"
 msgid "Update Binding"
 msgstr "更新绑定"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "更新证书密钥对"
@@ -6602,6 +6670,7 @@ msgstr "等待 (最短)"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6781,6 +6850,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

web/src/locales/zh_TW.po

@@ -175,6 +175,7 @@ msgid "Action"
 msgstr "操作"
 
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/EventListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -279,6 +280,7 @@ msgstr "传递给代理的其他作用域映射。"
 msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 msgstr "要传递给 OAuth 提供程序的其他作用域，用空格分隔。"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
 msgid "Additional settings"
 msgstr "其他设置"
@@ -634,6 +636,10 @@ msgstr "授权应用程序："
 msgid "Auto-detect (based on your browser)"
 msgstr "自动检测（基于您的浏览器）"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Automate and template configuration within authentik."
+msgstr ""
+
 #: src/interfaces/UserInterface.ts
 msgid "Avatar image"
 msgstr "Avatar image"
@@ -740,6 +746,15 @@ msgstr "绑定"
 msgid "Binding Type"
 msgstr "绑定类型"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprint(s)"
+msgstr ""
+
+#: src/interfaces/AdminInterface.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Blueprints"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Branding settings"
 msgstr "品牌设置"
@@ -1131,6 +1146,10 @@ msgstr "配置前哨如何查询核心 authentik 服务器的用户。"
 #~ msgid "Configure settings relevant to your user profile."
 #~ msgstr "配置与您的用户配置文件相关的设置。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Configure the blueprint context, used for templating."
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Configure the maximum allowed time drift for an assertion."
 msgstr "为断言配置允许的最大时间漂移。"
@@ -1220,6 +1239,7 @@ msgstr ""
 msgid "Content right"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
@@ -1274,6 +1294,8 @@ msgstr "复制恢复链接"
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/ApplicationWizard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
@@ -1336,6 +1358,10 @@ msgstr "创建应用程序"
 msgid "Create Binding"
 msgstr "创建绑定"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Create Blueprint Instance"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Create Certificate-Key Pair"
 msgstr "创建证书密钥对"
@@ -1560,6 +1586,7 @@ msgstr "定义如何向用户发送通知，例如电子邮件或 Webhook。"
 #: src/elements/user/SessionList.ts
 #: src/elements/user/UserConsentList.ts
 #: src/pages/applications/ApplicationListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -1743,6 +1770,10 @@ msgstr "目录"
 msgid "Disabled"
 msgstr "已禁用"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Disabled blueprints are never applied."
+msgstr ""
+
 #: src/user/user-settings/sources/SourceSettingsOAuth.ts
 #: src/user/user-settings/sources/SourceSettingsPlex.ts
 msgid "Disconnect"
@@ -1923,6 +1954,8 @@ msgstr "启用 StartTLS"
 msgid "Enable compatibility mode, increases compatibility with password managers on mobile devices."
 msgstr "启用兼容模式，增加与移动设备上密码管理器的兼容性。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -1959,6 +1992,7 @@ msgstr "注册流程"
 msgid "EntityID/Issuer"
 msgstr ""
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Error"
 msgstr "错误"
@@ -2924,6 +2958,10 @@ msgstr "标签显示在提示符旁边/上方。"
 msgid "Last IP"
 msgstr "最后的 IP"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Last applied"
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/users/RelatedUserList.ts
 #: src/pages/users/UserListPage.ts
@@ -3036,6 +3074,7 @@ msgstr "正在加载"
 #: src/pages/applications/ApplicationCheckAccessForm.ts
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/wizard/oauth/TypeOAuthCodeApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/events/TransportForm.ts
@@ -3338,6 +3377,9 @@ msgstr "我的应用"
 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/wizard/InitialApplicationWizardPage.ts
+#: src/pages/blueprints/BlueprintForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairForm.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
@@ -3510,6 +3552,7 @@ msgstr "Nginx (standalone)"
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
@@ -3855,6 +3898,10 @@ msgstr ""
 msgid "Order"
 msgstr "订购"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Orphaned"
+msgstr ""
+
 #: src/pages/tenants/TenantForm.ts
 msgid "Other global settings"
 msgstr "其他全局设置"
@@ -3981,6 +4028,7 @@ msgstr "密码：屏蔽输入，密码根据来源进行验证。策略仍需应
 msgid "Passwordless flow"
 msgstr "无密码流"
 
+#: src/pages/blueprints/BlueprintForm.ts
 #: src/pages/users/UserForm.ts
 msgid "Path"
 msgstr ""
@@ -3996,6 +4044,10 @@ msgstr ""
 msgid "Path template for users created. Use placeholders like `%(slug)s` to insert the source slug."
 msgstr ""
 
+#: src/elements/user/UserConsentList.ts
+msgid "Permissions"
+msgstr ""
+
 #: src/pages/sources/saml/SAMLSourceForm.ts
 msgid "Persistent"
 msgstr "持久"
@@ -5156,6 +5208,7 @@ msgstr "静态：静态值，按原样显示。"
 msgid "Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding."
 msgstr "静态拒绝流。要有效地使用此阶段，请在相应的绑定上禁用*按计划评估*。"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Status"
 msgstr "状态"
@@ -5183,6 +5236,7 @@ msgstr "Subject 模式"
 msgid "Subject-alt name"
 msgstr "替代名称"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Successful"
 msgstr "成功"
@@ -5229,6 +5283,10 @@ msgstr "已成功创建流程。"
 msgid "Successfully created group."
 msgstr "已成功创建组。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully created instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully created integration."
@@ -5394,6 +5452,10 @@ msgstr "已成功更新流程。"
 msgid "Successfully updated group."
 msgstr "已成功更新组。"
 
+#: src/pages/blueprints/BlueprintForm.ts
+msgid "Successfully updated instance."
+msgstr ""
+
 #: src/pages/outposts/ServiceConnectionDockerForm.ts
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts
 msgid "Successfully updated integration."
@@ -6067,6 +6129,7 @@ msgstr "不健康的 Outposts"
 msgid "Unique identifier the token is referenced by."
 msgstr "引用令牌的唯一标识符。"
 
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Unknown"
 msgstr "未知"
@@ -6088,6 +6151,7 @@ msgstr "最新！"
 
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/applications/ApplicationViewPage.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 #: src/pages/events/RuleListPage.ts
 #: src/pages/events/TransportListPage.ts
@@ -6139,6 +6203,10 @@ msgstr "更新应用程序"
 msgid "Update Binding"
 msgstr "更新绑定"
 
+#: src/pages/blueprints/BlueprintListPage.ts
+msgid "Update Blueprint"
+msgstr ""
+
 #: src/pages/crypto/CertificateKeyPairListPage.ts
 msgid "Update Certificate-Key Pair"
 msgstr "更新证书密钥对"
@@ -6602,6 +6670,7 @@ msgstr "等待 (最短)"
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
 #: src/pages/admin-overview/cards/SystemStatusCard.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/events/RuleForm.ts
 #: src/pages/system-tasks/SystemTaskListPage.ts
 msgid "Warning"
@@ -6781,6 +6850,7 @@ msgstr ""
 #: src/elements/oauth/UserRefreshList.ts
 #: src/elements/user/UserDevicesList.ts
 #: src/pages/applications/ApplicationCheckAccessForm.ts
+#: src/pages/blueprints/BlueprintListPage.ts
 #: src/pages/groups/GroupListPage.ts
 #: src/pages/groups/MemberSelectModal.ts
 #: src/pages/groups/RelatedGroupList.ts

website/developer-docs/api/making-schema-changes.md

@@ -14,10 +14,10 @@ The generated files are stored in `/api` in the root of the repository.
 
 ## Building the Web Client
 
-The web client is used by the web-interface and web-FlowExecutor to communicate with authentik. To build the client, run `make gen-client-web`.
+The web client is used by the web-interface and web-FlowExecutor to communicate with authentik. To build the client, run `make gen-client-ts`.
 
-Since the client is normally distributed as an npm package, running `make gen-client-web` will overwrite the locally installed client with the newly built one.
+Since the client is normally distributed as an npm package, running `make gen-client-ts` will overwrite the locally installed client with the newly built one.
 
 :::warning
-Running `npm i` in the `/web` folder after using `make gen-client-web` will overwrite the custom client and revert to the upstream client.
+Running `npm i` in the `/web` folder after using `make gen-client-ts` will overwrite the custom client and revert to the upstream client.
 :::

website/developer-docs/blueprints/export.md

@@ -0,0 +1,27 @@
+---
+title: Export
+---
+
+## Global export
+
+:::info
+Requires authentik 2022.8.2
+:::
+
+To migrate existing configurations to blueprints, run `ak export_blueprint` within any authentik Worker container. This will output a blueprint for most currently created objects. Some objects will not be exported as they might have dependencies on other things.
+
+Exported blueprints don't use any of the YAML Tags, they just contain a list of entries as they are in the database.
+
+Note that fields which are write-only (for example, OAuth Provider's Secret Key) will not be added to the blueprint, as the serialisation logic from the API is used for blueprints.
+
+Additionally, default values will be skipped and not added to the blueprint.
+
+## Flow exports
+
+Instead of exporting everything from a single instance, there's also the option to export a single flow with it's attached stages, policies and other objects.
+
+This export can be triggered via the API or the Web UI by clicking the download button in the flow list.
+
+## Cleaning up
+
+Exports from either method will contain a (potentially) long list of objects, all with hardcoded primary keys and now ability for templating/instantiation. This is because currently, authentik does not check which primary keys are used where. It is assumed that for most exports, there'll be some manual changes done regardless, to filter out unwanted objects, adjust properties, etc.

website/developer-docs/blueprints/v1/example.md

@@ -0,0 +1,66 @@
+---
+title: Example
+---
+
+This is one of the default packaged blueprints to create the default authentication flow.
+
+```yaml
+version: 1
+metadata:
+    name: Default - Authentication flow
+entries:
+    # Order of entries is important when using !KeyOf, as tags are evaluated in order they are in
+    # the document
+    - attrs:
+          # Only options that are required should be set here. Default values should not be stated
+          # here, as they will prevent anyone from overwriting the value
+          designation: authentication
+          name: Welcome to authentik!
+          title: Welcome to authentik!
+      identifiers:
+          slug: default-authentication-flow
+      model: authentik_flows.flow
+      id: flow
+    - attrs:
+          configure_flow:
+              !Find [authentik_flows.flow, [slug, default-password-change]]
+      identifiers:
+          name: default-authentication-password
+      id: default-authentication-password
+      model: authentik_stages_password.passwordstage
+    - identifiers:
+          name: default-authentication-mfa-validation
+      # If we're fine with all defaults, `attrs` can be omitted
+      id: default-authentication-mfa-validation
+      model: authentik_stages_authenticator_validate.authenticatorvalidatestage
+    - identifiers:
+          name: default-authentication-identification
+      id: default-authentication-identification
+      model: authentik_stages_identification.identificationstage
+    - attrs:
+          session_duration: seconds=0
+      identifiers:
+          name: default-authentication-login
+      id: default-authentication-login
+      model: authentik_stages_user_login.userloginstage
+    - identifiers:
+          order: 10
+          stage: !KeyOf default-authentication-identification
+          target: !KeyOf flow
+      model: authentik_flows.flowstagebinding
+    - identifiers:
+          order: 20
+          stage: !KeyOf default-authentication-password
+          target: !KeyOf flow
+      model: authentik_flows.flowstagebinding
+    - identifiers:
+          order: 30
+          stage: !KeyOf default-authentication-mfa-validation
+          target: !KeyOf flow
+      model: authentik_flows.flowstagebinding
+    - identifiers:
+          order: 100
+          stage: !KeyOf default-authentication-login
+          target: !KeyOf flow
+      model: authentik_flows.flowstagebinding
+```

website/docs/outposts/_config.md

@@ -1,32 +1,7 @@
----
-title: Overview
----
-
-An outpost is a single deployment of a authentik component, which can be deployed in a completely separate environment. Currently, Proxy Provider and LDAP are supported as outposts.
-
-![](outposts.png)
-
-Upon creation, a service account and a token is generated. The service account only has permissions to read the outpost and provider configuration. This token is used by the Outpost to connect to authentik.
-
-authentik can manage the deployment, updating and general lifecycle of an Outpost. To communicate with the underlying platforms on which the outpost is deployed, authentik has several built-in integrations.
-
--   If you've deployed authentik on docker-compose, authentik automatically creates an integration for the local docker socket (See [Docker](./integrations/docker.md)).
--   If you've deployed authentik on Kubernetes, with `kubernetesIntegration` set to true (default), authentik automatically creates an integrations for the local Kubernetes Cluster (See [Kubernetes](./integrations/kubernetes.md)).
-
-To deploy an outpost with these integrations, simply select them during the creation of an Outpost. A background task is started, which creates the container/deployment. You can see that Status on the System Tasks page.
-
-To deploy an outpost manually, see:
-
--   [Kubernetes](./manual-deploy-kubernetes.md)
--   [docker-compose](./manual-deploy-docker-compose.md)
-
-## Configuration
-
-Outposts fetch their configuration from authentik. Below are all the options you can set, and how they influence the outpost.
-
 ```yaml
 # Log level that the outpost will set
 # Allowed levels: trace, debug, info, warning, error
+# Applies to: non-embedded
 log_level: debug
 ########################################
 # The settings below are only relevant when using a managed outpost
@@ -36,27 +11,33 @@ authentik_host: https://authentik.tld/
 # Disable SSL Validation for the authentik connection
 authentik_host_insecure: false
 # Optionally specify a different URL used for user-facing interactions
+# Applies to: proxy outposts
 authentik_host_browser:
 # Template used for objects created (deployments/containers, services, secrets, etc)
 object_naming_template: ak-outpost-%(name)s
 # Use a specific docker image for this outpost rather than the default. This also applies to Kubernetes
 # outposts.
+# Applies to: non-embedded
 container_image:
 ########################################
 # Docker outpost specific settings
 ########################################
 # Network the outpost container should be connected to
+# Applies to: non-embedded
 docker_network: null
 # Optionally disable mapping of ports to outpost container, may be useful when using docker networks
 # (Available with 2021.9.4+)
+# Applies to: non-embedded
 docker_map_ports: true
 # Optionally additional labels for docker containers
 # (Available with 2022.1.2)
+# Applies to: non-embedded
 docker_labels: null
 ########################################
 # Kubernetes outpost specific settings
 ########################################
 # Replica count for the deployment of the outpost
+# Applies to: non-embedded
 kubernetes_replicas: 1
 # Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)
 kubernetes_namespace: authentik
@@ -76,11 +57,6 @@ kubernetes_service_type: ClusterIP
 kubernetes_disabled_components: []
 # If the above docker image is in a private repository, use these secrets to pull.
 # NOTE: The secret must be created manually in the namespace first.
+# Applies to: non-embedded
 kubernetes_image_pull_secrets: []
 ```
-
-## Metrics
-
-Each authentik outpost has a Prometheus metrics endpoint accessible under port `:9300/metrics`. This endpoint is not mapped via docker, as the endpoint doesn't have any authentication.
-
-For the embedded outpost, the metrics of the outpost and the metrics of the core authentik server are both returned under the same endpoint.

website/docs/outposts/embedded/embedded.mdx

@@ -12,15 +12,19 @@ The embedded outpost cannot be disabled, if it doesn't make sense to use it in y
 
 ### Configuration
 
-Since the outpost uses OAuth2, there is some configuration required.
+Since authentik doesn't know it's own "primary" URL, there might be some configuration required.
 
-On a fresh authentik install, your Outpost list will look like this:
+By default, when opening the admin dashboard on a fresh install, authentik will automatically configure the outpost to use the same URL as was used to access authentik.
 
-![](./stock.png)
-
-Click the edit button on the right of the column, and set the value of `authentik_host` to the URL you want to login with.
+If this isn't correct, or needs to be changed, click the edit button on the right of the outpost, and set the value of `authentik_host` to the URL you want to login with.
 Make sure to set it to full URL, only configuring a hostname or FQDN will not work.
 
+Additionally, most of the other configuration options can be used as with any other outpost, except from items which are marked as "non-embedded"
+
+import Configuration from "../_config.md";
+
+<Configuration />
+
 ### Routing
 
 Routing is handled like this:

website/docs/outposts/index.mdx

@@ -0,0 +1,35 @@
+---
+title: Overview
+---
+
+An outpost is a single deployment of a authentik component, which can be deployed in a completely separate environment. Currently, Proxy Provider and LDAP are supported as outposts.
+
+![](outposts.png)
+
+Upon creation, a service account and a token is generated. The service account only has permissions to read the outpost and provider configuration. This token is used by the Outpost to connect to authentik.
+
+authentik can manage the deployment, updating and general lifecycle of an Outpost. To communicate with the underlying platforms on which the outpost is deployed, authentik has several built-in integrations.
+
+-   If you've deployed authentik on docker-compose, authentik automatically creates an integration for the local docker socket (See [Docker](./integrations/docker.md)).
+-   If you've deployed authentik on Kubernetes, with `kubernetesIntegration` set to true (default), authentik automatically creates an integrations for the local Kubernetes Cluster (See [Kubernetes](./integrations/kubernetes.md)).
+
+To deploy an outpost with these integrations, simply select them during the creation of an Outpost. A background task is started, which creates the container/deployment. You can see that Status on the System Tasks page.
+
+To deploy an outpost manually, see:
+
+-   [Kubernetes](./manual-deploy-kubernetes.md)
+-   [docker-compose](./manual-deploy-docker-compose.md)
+
+## Configuration
+
+Outposts fetch their configuration from authentik. Below are all the options you can set, and how they influence the outpost.
+
+import Configuration from "./_config.md";
+
+<Configuration />
+
+## Metrics
+
+Each authentik outpost has a Prometheus metrics endpoint accessible under port `:9300/metrics`. This endpoint is not mapped via docker, as the endpoint doesn't have any authentication.
+
+For the embedded outpost, the metrics of the outpost and the metrics of the core authentik server are both returned under the same endpoint.

website/docs/releases/v2022.8.md

@@ -55,6 +55,22 @@ slug: "2022.8"
 -   stages/consent: fix for post requests (#3339)
 -   stages/prompt: fix tests for file field
 
+## Fixed in 2022.8.2
+
+-   blueprints: add generic export next to flow exporter (#3439)
+-   blueprints: allow for adding remote blueprints (#3435)
+-   blueprints: fix exporter not ignoring non-SerializerModel objects
+-   blueprints: fix issue in prod setups with encoding dataclasses via json
+-   blueprints: remove \_state from exporter blueprints
+-   core: fix pre-hydrated config not being escaped properly
+-   events: correctly handle lists for cleaning/sanitization
+-   internal: fix routing for requests with querystring signature to embedded outpost
+-   lifecycle: add worker-status command to debug worker cpu usage issues
+-   providers/oauth2: fix oauth2 requests being logged as unauthenticated
+-   sources/oauth: fix missing doseq param for updating URL query string
+-   web/elements: fix automatic slug not working on newly opened forms
+-   web/flows: simplify consent's permission handling
+
 ## Upgrading
 
 This release does not introduce any new requirements.

website/integrations/services/github-enterprise-cloud/index.md

@@ -0,0 +1,55 @@
+---
+title: GitHub Enterprise Cloud
+---
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## What is GitHub Enterprise Cloud
+
+From https://docs.github.com/en/enterprise-cloud@latest/admin/overview/about-github-for-enterprises
+
+:::note
+GitHub is a complete developer platform to build, scale, and deliver secure software. Businesses use our suite of products to support the entire software development lifecycle, increasing development velocity and improving code quality.
+:::
+
+:::note
+GitHub Enterprise Cloud EMU (Enterprise Managed Users) are not compatible with authentik. GitHub currently only permits SAML/OIDC for EMU organizations with Okta and/or Azure AD.
+:::
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise
+-   `authentik.company` is the FQDN of the authentik Install
+
+Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
+
+-   ACS URL: `https://github.com/enterprises/foo/saml/consume`
+-   Audience: `https://github.com/enterprises/foo`
+-   Issuer: `https://github.com/enterprises/foo`
+-   Binding: `Post`
+
+Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
+
+Once the provider is created, it is advised to download the signing certificate as you will need it later.
+
+## GitHub Configuration
+
+Navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, select `Your enterprises` and click `Settings` for the enterprise you wish to configure.
+
+In the left-hand navigation, within the `Settings` section, click `Authentication security`
+
+On this page:
+
+-   Select the `Require SAML authentication` checkbox.
+-   In `Sign on URL`, type `https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/`
+-   For `Issuer`, type `https://github.com/enterprises/foo` or the `Audience` you set in authentik
+-   For `Public certificate`, paste the _full_ signing certificate into this field.
+-   Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
+
+![Screenshot showing populated GitHub enterprise SAML settings](ghec_saml_settings.png)
+
+Once these fields are populated, you can use the `Test SAML configuation` button to test the authentication flow. If the flow completes successfully, you will see a green tick next to the Test button.
+
+Scroll down to hit the `Save` button below.

website/integrations/services/github-organization/index.md

@@ -0,0 +1,53 @@
+---
+title: GitHub Organization
+---
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## What is GitHub Organizations
+
+From https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations
+
+:::note
+Organizations are shared accounts where businesses and open-source projects can collaborate across many projects at once, with sophisticated security and administrative features.
+:::
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your org
+-   `authentik.company` is the FQDN of the authentik Install
+
+Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
+
+-   ACS URL: `https://github.com/orgs/foo/saml/consume`
+-   Audience: `https://github.com/orgs/foo`
+-   Issuer: `https://github.com/orgs/foo`
+-   Binding: `Post`
+
+Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
+
+Once the provider is created, it is advised to download the signing certificate as you will need it later.
+
+## GitHub Configuration
+
+Navigate to your organization settings by going to your organization page at https://github.com/foo, then click Settings.
+
+In the left-hand navigation, scroll down to the Security section and click `Authentication security`
+
+On this page:
+
+-   Select the `Enable SAML authentication` checkbox.
+-   In `sign-on URL`, type `https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/`
+-   For `Issuer`, type `https://github.com/orgs/foo` or the `Audience` you set in authentik
+-   For `Public certificate`, paste the _full_ signing certificate into this field.
+-   Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
+
+Once these fields are populated, you can use the `Test SAML configuation` button to test the authentication flow. If the flow completes successfully, you will see a green tick next to the Test button.
+
+Scroll down to hit the `Save` button below.
+
+![Screenshot showing populated GitHub organization SAML settings](ghorg_saml_settings.png)
+
+This enables SAML as an authentication _option_. If you want to _require_ SAML for your organization, visit your SSO url at `https://github.com/orgs/foo/sso` and sign in. Once signed in, you can navigate back to the `Authentication security` page and check `Require SAML SSO authentication for all members of the foo organization.`

website/integrations/services/oracle-cloud/index.md

@@ -0,0 +1,50 @@
+---
+title: Oracle Cloud
+---
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## What is Oracle Cloud
+
+From https://www.oracle.com/cloud/
+
+:::note
+Oracle Cloud is the first public cloud built from the ground up to be a better cloud for every application. By rethinking core engineering and systems design for cloud computing, we created innovations that accelerate migrations, deliver better reliability and performance for all applications, and offer the complete services customers need to build innovative cloud applications.
+:::
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `authentik.company` is the FQDN of authentik.
+
+### Step 1 - authentik
+
+In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
+
+:::note
+Only settings that have been modified from default have been listed.
+:::
+
+**Protocol Settings**
+
+-   Name: Oracle Cloud
+-   Client ID: Copy and Save this for Later
+-   Client Secret: Copy and Save this for later
+-   Signing Key: Select any available key
+
+Create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
+
+-   Name: Oracle Cloud
+-   Slug: oracle-cloud
+-   Provider: Oracle Cloud
+
+### Step 2 - Oracle Cloud
+
+In Oracle Cloud, open the top-left navigation and go to _Identity & Security_ and then _Domains_. Click on the domain of your choice. Click on _Security_ in the sidebar, then on _Identity providers_.
+
+Create a new _Social IdP_ via the _Add IdP_ button. Set the name to authentik and fill in the client ID and secret from above.
+
+Set the _Discovery service URL_ to `https://authentik.company/application/o/oracle-cloud/.well-known/openid-configuration` and save the IdP. The IdP has now been created but must be enabled before it can be used to login with.
+
+Navigate to _IdP Policies_ in the sidebar and open the default policy by clicking on it. Edit the first rule within the policy. Add authentik under _Assign identity providers_. Here you can optionally also remove username-based logins, however it is recommended to not remove the option until you've verified SSO works.

website/integrations/services/pgadmin/index.md

@@ -30,7 +30,6 @@ In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these s
 **Provider Settings**
 
 -   Name: pgAdmin
--   Client type: Confidential
 -   Client ID: Copy and Save this for Later
 -   Client Secret: Copy and Save this for later
 -   Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`

website/integrations/services/portainer/index.md

@@ -34,7 +34,6 @@ Only settings that have been modified from default have been listed.
 **Protocol Settings**
 
 -   Name: Portainer
--   Client type: Confidential
 -   Client ID: Copy and Save this for Later
 -   Client Secret: Copy and Save this for later
 -   Redirect URIs/Origins: `https://port.company`

website/integrations/services/proxmox-ve/index.md

@@ -28,8 +28,8 @@ The following placeholders will be used:
 Under _Providers_, create an OAuth2/OpenID provider with these settings:
 
 -   Name: proxmox
--   Client Type: Confidential
 -   Redirect URI: `https://proxmox.company:8006` (Note the absence of the trailing slash, and the inclusion of the webinterface port)
+-   Signing Key: Select any available key
 
 ### Step 2
 

website/integrations/services/rocketchat/index.md

@@ -34,14 +34,12 @@ Only settings that have been modified from default have been listed.
 **Protocol Settings**
 
 -   Name: RocketChat
--   Client type: Confidential
 -   Client ID: Copy and Save this for Later
 -   Client Secret: Copy and Save this for later
 -   Redirect URIs/Origins:
 
 ```
 https://rocket.company/_oauth/authentik
-
 ```
 
 ![](./rocketchat1.png)

website/integrations/services/vikunja/index.md

@@ -34,7 +34,6 @@ Only settings that have been modified from default have been listed.
 **Protocol Settings**
 
 -   Name: Vikunja
--   Client type: Confidential
 -   Client ID: Copy and Save this for Later
 -   Client Secret: Copy and Save this for later
 -   Redirect URIs/Origins:
@@ -68,7 +67,7 @@ auth:
   # Take a look at the [default config file](https://github.com/go-vikunja/api/blob/main/config.yml.sample) for more information about how to configure openid authentication.
   openid:
     # Enable or disable OpenID Connect authentication
-    enabled: truefo
+    enabled: true
     # A list of enabled providers
     providers:
       # The name of the provider as it will appear in the frontend.

website/integrations/services/vmware-vcenter/index.md

@@ -55,11 +55,10 @@ Under _Sources_, click _Edit_ and ensure that "authentik default Active Director
 
 Under _Providers_, create an OAuth2/OpenID provider with these settings:
 
--   Client Type: Confidential
--   JWT Algorithm: RS256
 -   Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
 -   Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...".
 -   Scopes: Select the Scope Mapping you've created in Step 1
+-   Signing Key: Select any available key
 
 ![](./authentik_setup.png)
 

website/integrations/services/wiki-js/index.md

@@ -33,8 +33,6 @@ Add a _Generic OpenID Connect / OAuth2_ strategy and note the _Callback URL / Re
 
 In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
 
--   Client Type: Confidential
--   JWT Algorithm: RS256
 -   Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step.
 -   Scopes: Default OAUth mappings for: OpenID, email, profile.
 -   Signing Key: Select any available key

website/integrations/services/wordpress/index.md

@@ -34,7 +34,6 @@ Only settings that have been modified from default have been listed.
 **Protocol Settings**
 
 -   Name: Wordpress
--   Client type: Confidential
 -   Client ID: Copy and Save this for Later
 -   Client Secret: Copy and Save this for later
 -   Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`

website/integrations/sources/apple/index.md

@@ -9,7 +9,11 @@ Allows users to authenticate using their Apple ID.
 ## Preparation
 
 :::warning
-An Apple developer account is required for this.
+An Apple developer account is required.
+:::
+
+:::warning
+Apple mandates the use of a [registered TLD](https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains), as such this source will not work with .local and other non-public TLDs.
 :::
 
 The following placeholders will be used:

website/sidebarsDev.js

@@ -11,7 +11,12 @@ module.exports = {
                 type: "doc",
                 id: "blueprints/index",
             },
-            items: ["blueprints/v1/structure", "blueprints/v1/tags"],
+            items: [
+                "blueprints/export",
+                "blueprints/v1/structure",
+                "blueprints/v1/tags",
+                "blueprints/v1/example",
+            ],
         },
         {
             type: "category",
@@ -28,7 +33,7 @@ module.exports = {
         },
         {
             type: "category",
-            label: "Setup",
+            label: "Development",
             items: [
                 "setup/full-dev-environment",
                 "setup/frontend-only-dev-environment",

website/sidebarsIntegrations.js

@@ -48,7 +48,10 @@ module.exports = {
                 {
                     type: "category",
                     label: "Cloud Providers",
-                    items: ["services/aws/index"],
+                    items: [
+                        "services/aws/index",
+                        "services/oracle-cloud/index",
+                    ],
                 },
                 {
                     type: "category",
@@ -80,13 +83,21 @@ module.exports = {
                     type: "category",
                     label: "Developer tools",
                     items: [
-                        "services/gitea/index",
-                        "services/gitlab/index",
                         "services/sentry/index",
                         "services/sssd/index",
                         "services/weblate/index",
                     ],
                 },
+                {
+                    type: "category",
+                    label: "Version Control Systems",
+                    items: [
+                        "services/gitea/index",
+                        "services/github-enterprise-cloud/index",
+                        "services/github-organization/index",
+                        "services/gitlab/index",
+                    ],
+                },
                 "services/home-assistant/index",
                 "services/node-red/index",
                 "services/kimai/index",