start config file watch

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
internal: fix cache-control header
2023-01-25 21:32:33 +01:00 · 2023-01-25 21:18:20 +01:00 · 2023-01-25 15:01:08 +01:00 · 2023-01-25 15:00:56 +01:00 · 2023-01-25 14:49:09 +01:00 · 2023-01-25 14:46:40 +01:00
157 changed files with 2612 additions and 1087 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.1.0
+current_version = 2023.1.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -38,6 +38,14 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```
            For arm64, use these values:
            ```shell
            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@ -54,6 +62,17 @@ runs:
                tag: ${{ inputs.tag }}
            ```
            For arm64, use these values:
            ```yaml
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            image:
                repository: ghcr.io/goauthentik/dev-server
                tag: ${{ inputs.tag }}-arm64
            ```
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -17,6 +17,9 @@ outputs:
  sha:
    description: "sha"
    value: ${{ steps.ev.outputs.sha }}
  shortHash:
    description: "shortHash"
    value: ${{ steps.ev.outputs.shortHash }}
  version:
    description: "version"
    value: ${{ steps.ev.outputs.version }}
@ -53,6 +56,7 @@ runs:
            print("branchNameContainer=%s" % safe_branch_name, file=_output)
            print("timestamp=%s" % int(time()), file=_output)
            print("sha=%s" % os.environ["GITHUB_SHA"], file=_output)
            print("shortHash=%s" % os.environ["GITHUB_SHA"][:7], file=_output)
            print("shouldBuild=%s" % should_build, file=_output)
            print("version=%s" % version, file=_output)
            print("versionFamily=%s" % version_family, file=_output)
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -118,13 +118,13 @@ jobs:
          - name: proxy
            glob: tests/e2e/test_provider_proxy*
          - name: oauth
-            glob: tests/e2e/test_provider_oauth2_!(oidc) tests/e2e/test_source_oauth*
+            glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
          - name: oauth-oidc
-            glob: tests/e2e/test_provider_oauth2_oidc*
+            glob: tests/e2e/test_provider_oidc*
          - name: saml
            glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
          - name: ldap
-            glob: tests/e2e/test_provider_ldap*
+            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
          - name: flows
            glob: tests/e2e/test_flows*
    steps:
@ -148,7 +148,6 @@ jobs:
          npm run build
      - name: run e2e
        run: |
          shopt -s extglob
          poetry run coverage run manage.py test ${{ matrix.job.glob }}
          poetry run coverage xml
      - if: ${{ always() }}
@ -170,11 +169,6 @@ jobs:
    needs: ci-core-mark
    runs-on: ubuntu-latest
    timeout-minutes: 120
    strategy:
      fail-fast: false
      matrix:
        arch:
          - 'linux/amd64'
    steps:
      - uses: actions/checkout@v3
      - name: Set up QEMU
@ -202,14 +196,49 @@ jobs:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
-            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
          platforms: ${{ matrix.arch }}
      - name: Comment on PR
        if: github.event_name == 'pull_request'
        continue-on-error: true
        uses: ./.github/actions/comment-pr-instructions
        with:
-          tag: gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
+          tag: gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
  build-arm64:
    needs: ci-core-mark
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2.1.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      - name: Login to Container Registry
        uses: docker/login-action@v2
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        uses: docker/build-push-action@v3
        with:
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-arm64
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}-arm64
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
          platforms: linux/arm64
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -28,6 +28,8 @@ jobs:
        run: make gen-client-go
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
          args: --timeout 5000s
  test-unittest:
    runs-on: ubuntu-latest
    steps:
@ -86,7 +88,6 @@ jobs:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}
            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}
            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.sha }}
          file: ${{ matrix.type }}.Dockerfile
          build-args: |
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -31,7 +31,7 @@ jobs:
        uses: docker/build-push-action@v3
        with:
          push: ${{ github.event_name == 'release' }}
-          secrets:
+          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          tags: |
@ -88,9 +88,6 @@ jobs:
            ghcr.io/goauthentik/${{ matrix.type }}:latest
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          build-args: |
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
  build-outpost-binary:
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -26,14 +26,14 @@ jobs:
        id: get_version
        uses: actions/github-script@v6
        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.BOT_GITHUB_TOKEN }}
          script: |
            return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1.1.4
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: Release ${{ steps.get_version.outputs.result }}
--- a/.github/workflows/translation-compile.yml
+++ b/.github/workflows/translation-compile.yml
@ -19,6 +19,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run compile
@ -27,7 +29,7 @@ jobs:
        uses: peter-evans/create-pull-request@v4
        id: cpr
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          branch: compile-backend-translation
          commit-message: "core: compile backend translations"
          title: "core: compile backend translations"
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,8 +6,8 @@ Authentik takes security very seriously. We follow the rules of [responsible dis
 | Version   | Supported          |
 | --------- | ------------------ |
 | 2022.11.x | :white_check_mark: |
 | 2022.12.x | :white_check_mark: |
 | 2023.1.x  | :white_check_mark: |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
-__version__ = "2023.1.0"
+__version__ = "2023.1.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -31,6 +31,16 @@ def validate_auth(header: bytes) -> Optional[str]:
 def bearer_auth(raw_header: bytes) -> Optional[User]:
    """raw_header in the Format of `Bearer ....`"""
    user = auth_user_lookup(raw_header)
    if not user:
        return None
    if not user.is_active:
        raise AuthenticationFailed("Token invalid/expired")
    return user
 def auth_user_lookup(raw_header: bytes) -> Optional[User]:
    """raw_header in the Format of `Bearer ....`"""
    from authentik.providers.oauth2.models import RefreshToken
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -3,13 +3,12 @@ from base64 import b64encode
 from django.conf import settings
 from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.exceptions import AuthenticationFailed
 from authentik.api.authentication import bearer_auth
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import USER_ATTRIBUTE_SA, Token, TokenIntents
-from authentik.core.tests.utils import create_test_flow
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
@ -36,9 +35,18 @@ class TestAPIAuth(TestCase):
    def test_bearer_valid(self):
        """Test valid token"""
-        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
+        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=create_test_admin_user())
        self.assertEqual(bearer_auth(f"Bearer {token.key}".encode()), token.user)
    def test_bearer_valid_deactivated(self):
        """Test valid token"""
        user = create_test_admin_user()
        user.is_active = False
        user.save()
        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=user)
        with self.assertRaises(AuthenticationFailed):
            bearer_auth(f"Bearer {token.key}".encode())
    def test_managed_outpost(self):
        """Test managed outpost"""
        with self.assertRaises(AuthenticationFailed):
@ -56,7 +64,7 @@ class TestAPIAuth(TestCase):
            name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
        )
        refresh = RefreshToken.objects.create(
-            user=get_anonymous_user(),
+            user=create_test_admin_user(),
            provider=provider,
            refresh_token=generate_id(),
            _scope=SCOPE_AUTHENTIK_API,
@ -69,7 +77,7 @@ class TestAPIAuth(TestCase):
            name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
        )
        refresh = RefreshToken.objects.create(
-            user=get_anonymous_user(),
+            user=create_test_admin_user(),
            provider=provider,
            refresh_token=generate_id(),
            _scope="",
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@ -57,9 +57,10 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
    def reconcile_blueprints_discover(self):
        """Run blueprint discovery"""
-        from authentik.blueprints.v1.tasks import blueprints_discover
+        from authentik.blueprints.v1.tasks import blueprints_discover, clear_failed_blueprints
        blueprints_discover.delay()
        clear_failed_blueprints.delay()
    def import_models(self):
        super().import_models()
--- a/authentik/blueprints/settings.py
+++ b/authentik/blueprints/settings.py
@ -9,4 +9,9 @@ CELERY_BEAT_SCHEDULE = {
        "schedule": crontab(minute=fqdn_rand("blueprints_v1_discover"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    },
    "blueprints_v1_cleanup": {
        "task": "authentik.blueprints.v1.tasks.clear_failed_blueprints",
        "schedule": crontab(minute=fqdn_rand("blueprints_v1_cleanup"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    },
 }
--- a/authentik/blueprints/tests/fixtures/static_prompt_export.yaml
+++ b/authentik/blueprints/tests/fixtures/static_prompt_export.yaml
@ -4,6 +4,7 @@ entries:
          pk: cb954fd4-65a5-4ad9-b1ee-180ee9559cf4
      model: authentik_stages_prompt.prompt
      attrs:
          name: qwerweqrq
          field_key: username
          label: Username
          type: username
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -13,7 +13,7 @@ from authentik.tenants.models import Tenant
 class TestPackaged(TransactionTestCase):
    """Empty class, test methods are added dynamically"""
-    @apply_blueprint("default/90-default-tenant.yaml")
+    @apply_blueprint("default/default-tenant.yaml")
    def test_decorator_static(self):
        """Test @apply_blueprint decorator"""
        self.assertTrue(Tenant.objects.filter(domain="authentik-default").exists())
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -262,15 +262,21 @@ class TestBlueprintsV1(TransactionTestCase):
        with transaction_rollback():
            # First stage fields
            username_prompt = Prompt.objects.create(
-                field_key="username", label="Username", order=0, type=FieldTypes.TEXT
+                name=generate_id(),
                field_key="username",
                label="Username",
                order=0,
                type=FieldTypes.TEXT,
            )
            password = Prompt.objects.create(
                name=generate_id(),
                field_key="password",
                label="Password",
                order=1,
                type=FieldTypes.PASSWORD,
            )
            password_repeat = Prompt.objects.create(
                name=generate_id(),
                field_key="password_repeat",
                label="Password (repeat)",
                order=2,
--- a/authentik/blueprints/v1/labels.py
+++ b/authentik/blueprints/v1/labels.py
@ -3,3 +3,4 @@
 LABEL_AUTHENTIK_SYSTEM = "blueprints.goauthentik.io/system"
 LABEL_AUTHENTIK_INSTANTIATE = "blueprints.goauthentik.io/instantiate"
 LABEL_AUTHENTIK_GENERATED = "blueprints.goauthentik.io/generated"
 LABEL_AUTHENTIK_DESCRIPTION = "blueprints.goauthentik.io/description"
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -219,3 +219,14 @@ def apply_blueprint(self: MonitoredTask, instance_pk: str):
    finally:
        if instance:
            instance.save()
@CELERY_APP.task()
 def clear_failed_blueprints():
    """Remove blueprints which couldn't be fetched"""
    # Exclude OCI blueprints as those might be temporarily unavailable
    for blueprint in BlueprintInstance.objects.exclude(path__startswith="oci://"):
        try:
            blueprint.retrieve()
        except BlueprintRetrievalFailed:
            blueprint.delete()
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -4,6 +4,8 @@ from json import loads
 from typing import Any, Optional
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
 from django.db.models.query import QuerySet
 from django.db.transaction import atomic
@ -57,6 +59,7 @@ from authentik.core.models import (
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
    AuthenticatedSession,
    Group,
    Token,
    TokenIntents,
@ -561,3 +564,14 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                )
            }
        )
    def partial_update(self, request: Request, *args, **kwargs) -> Response:
        response = super().partial_update(request, *args, **kwargs)
        instance: User = self.get_object()
        if not instance.is_active:
            sessions = AuthenticatedSession.objects.filter(user=instance)
            session_ids = sessions.values_list("session_key", flat=True)
            cache.delete_many(f"{KEY_PREFIX}{session}" for session in session_ids)
            sessions.delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -1,10 +1,12 @@
 """Test Users API"""
 from json import loads
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
 from authentik.lib.config import CONFIG
@ -257,3 +259,26 @@ class TestUsersAPI(APITestCase):
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["user"]["avatar"], "bar")
    def test_session_delete(self):
        """Ensure sessions are deleted when a user is deactivated"""
        user = create_test_admin_user()
        session_id = generate_id()
        AuthenticatedSession.objects.create(
            user=user,
            session_key=session_id,
            last_ip="",
        )
        cache.set(KEY_PREFIX + session_id, "foo")
        self.client.force_login(self.admin)
        response = self.client.patch(
            reverse("authentik_api:user-detail", kwargs={"pk": user.pk}),
            data={
                "is_active": False,
            },
        )
        self.assertEqual(response.status_code, 200)
        self.assertIsNone(cache.get(KEY_PREFIX + session_id))
        self.assertFalse(AuthenticatedSession.objects.filter(session_key=session_id).exists())
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -235,9 +235,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
        data = CertificateGenerationSerializer(data=request.data)
        if not data.is_valid():
            return Response(data.errors, status=400)
        raw_san = data.validated_data.get("subject_alt_name", "")
        sans = raw_san.split(",") if raw_san != "" else []
        builder = CertificateBuilder(data.validated_data["common_name"])
        builder.build(
-            subject_alt_names=data.validated_data.get("subject_alt_name", "").split(","),
+            subject_alt_names=sans,
            validity_days=int(data.validated_data["validity_days"]),
        )
        instance = builder.save()
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@ -57,7 +57,10 @@ class CertificateBuilder:
        one_day = datetime.timedelta(1, 0, 0)
        self.__private_key = self.generate_private_key()
        self.__public_key = self.__private_key.public_key()
-        alt_names: list[x509.GeneralName] = [x509.DNSName(x) for x in subject_alt_names or []]
+        alt_names: list[x509.GeneralName] = []
        for alt_name in subject_alt_names or []:
            if alt_name.strip() != "":
                alt_names.append(x509.DNSName(alt_name))
        self.__builder = (
            x509.CertificateBuilder()
            .subject_name(
@ -76,12 +79,15 @@ class CertificateBuilder:
                    ]
                )
            )
            .add_extension(x509.SubjectAlternativeName(alt_names), critical=True)
            .not_valid_before(datetime.datetime.today() - one_day)
            .not_valid_after(datetime.datetime.today() + datetime.timedelta(days=validity_days))
            .serial_number(int(uuid.uuid4()))
            .public_key(self.__public_key)
        )
        if alt_names:
            self.__builder = self.__builder.add_extension(
                x509.SubjectAlternativeName(alt_names), critical=True
            )
        self.__certificate = self.__builder.sign(
            private_key=self.__private_key,
            algorithm=hashes.SHA256(),
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -4,6 +4,8 @@ from json import loads
 from os import makedirs
 from tempfile import TemporaryDirectory
 from cryptography.x509.extensions import SubjectAlternativeName
 from cryptography.x509.general_name import DNSName
 from django.urls import reverse
 from rest_framework.test import APITestCase
@ -70,11 +72,43 @@ class TestCrypto(APITestCase):
    def test_builder_api(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
        name = generate_id()
        self.client.post(
            reverse("authentik_api:certificatekeypair-generate"),
-            data={"common_name": "foo", "subject_alt_name": "bar,baz", "validity_days": 3},
+            data={"common_name": name, "subject_alt_name": "bar,baz", "validity_days": 3},
        )
-        self.assertTrue(CertificateKeyPair.objects.filter(name="foo").exists())
+        key = CertificateKeyPair.objects.filter(name=name).first()
        self.assertIsNotNone(key)
        ext: SubjectAlternativeName = key.certificate.extensions[0].value
        self.assertIsInstance(ext, SubjectAlternativeName)
        self.assertIsInstance(ext[0], DNSName)
        self.assertEqual(ext[0].value, "bar")
        self.assertIsInstance(ext[1], DNSName)
        self.assertEqual(ext[1].value, "baz")
    def test_builder_api_empty_san(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
        name = generate_id()
        self.client.post(
            reverse("authentik_api:certificatekeypair-generate"),
            data={"common_name": name, "subject_alt_name": "", "validity_days": 3},
        )
        key = CertificateKeyPair.objects.filter(name=name).first()
        self.assertIsNotNone(key)
        self.assertEqual(len(key.certificate.extensions), 0)
    def test_builder_api_empty_san_multiple(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
        name = generate_id()
        self.client.post(
            reverse("authentik_api:certificatekeypair-generate"),
            data={"common_name": name, "subject_alt_name": ", ", "validity_days": 3},
        )
        key = CertificateKeyPair.objects.filter(name=name).first()
        self.assertIsNotNone(key)
        self.assertEqual(len(key.certificate.extensions), 0)
    def test_builder_api_invalid(self):
        """Test Builder (via API) (invalid)"""
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -448,7 +448,7 @@ class NotificationTransport(SerializerModel):
            # pyright: reportGeneralTypeIssues=false
            return send_mail(mail.__dict__)  # pylint: disable=no-value-for-parameter
        except (SMTPException, ConnectionError, OSError) as exc:
-            raise NotificationTransportError from exc
+            raise NotificationTransportError(exc) from exc
    @property
    def serializer(self) -> "Serializer":
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -5,13 +5,20 @@ from contextlib import contextmanager
 from glob import glob
 from json import dumps, loads
 from json.decoder import JSONDecodeError
 from pathlib import Path
 from sys import argv, stderr
 from time import time
-from typing import Any
+from typing import Any, Optional
 from urllib.parse import urlparse
 import yaml
 from django.conf import ImproperlyConfigured
 from watchdog.events import (
    FileModifiedEvent,
    FileSystemEvent,
    FileSystemEventHandler,
 )
 from watchdog.observers import Observer
 SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] + glob(
    "/etc/authentik/config.d/*.yml", recursive=True
@ -38,9 +45,47 @@ class ConfigLoader:
    A variable like AUTHENTIK_POSTGRESQL__HOST would translate to postgresql.host"""
    loaded_file = []
    observer: Observer
    class FSObserver(FileSystemEventHandler):
        """File system observer"""
        loader: "ConfigLoader"
        path: str
        container: Optional[dict] = None
        key: Optional[str] = None
        def __init__(
            self,
            loader: "ConfigLoader",
            path: str,
            container: Optional[dict] = None,
            key: Optional[str] = None,
        ) -> None:
            super().__init__()
            self.loader = loader
            self.path = path
            self.container = container
            self.key = key
        def on_any_event(self, event: FileSystemEvent):
            if not isinstance(event, FileModifiedEvent):
                return
            if event.is_directory:
                return
            if event.src_path != self.path:
                return
            if self.container and self.key:
                with open(self.path, "r", encoding="utf8") as _file:
                    self.container[self.key] = _file.read()
            else:
                self.loader.log("info", "Updating from changed file", file=self.path)
                self.loader.update_from_file(self.path, watch=False)
    def __init__(self):
        super().__init__()
        self.observer = Observer()
        self.observer.start()
        self.__config = {}
        base_dir = os.path.realpath(os.path.join(os.path.dirname(__file__), "../.."))
        for path in SEARCH_PATHS:
@ -81,11 +126,11 @@ class ConfigLoader:
                root[key] = self.update(root.get(key, {}), value)
            else:
                if isinstance(value, str):
-                    value = self.parse_uri(value)
+                    value = self.parse_uri(value, root, key)
                root[key] = value
        return root
-    def parse_uri(self, value: str) -> str:
+    def parse_uri(self, value: str, container: dict[str, Any], key: Optional[str] = None, ) -> str:
        """Parse string values which start with a URI"""
        url = urlparse(value)
        if url.scheme == "env":
@ -93,13 +138,23 @@ class ConfigLoader:
        if url.scheme == "file":
            try:
                with open(url.path, "r", encoding="utf8") as _file:
-                    value = _file.read().strip()
+                    value = _file.read()
                if key:
                    self.observer.schedule(
                        ConfigLoader.FSObserver(
                            self,
                            url.path,
                            container,
                            key,
                        ),
                        Path(url.path).parent,
                    )
            except OSError as exc:
                self.log("error", f"Failed to read config value from {url.path}: {exc}")
                value = url.query
        return value
-    def update_from_file(self, path: str):
+    def update_from_file(self, path: str, watch=True):
        """Update config from file contents"""
        try:
            with open(path, encoding="utf8") as file:
@ -107,6 +162,8 @@ class ConfigLoader:
                    self.update(self.__config, yaml.safe_load(file))
                    self.log("debug", "Loaded config", file=path)
                    self.loaded_file.append(path)
                    if watch:
                        self.observer.schedule(ConfigLoader.FSObserver(self, path), Path(path).parent)
                except yaml.YAMLError as exc:
                    raise ImproperlyConfigured from exc
        except PermissionError as exc:
@ -181,13 +238,12 @@ class ConfigLoader:
            if comp not in root:
                root[comp] = {}
            root = root.get(comp, {})
-        root[path_parts[-1]] = value
+        self.parse_uri(value, root, path_parts[-1])
    def y_bool(self, path: str, default=False) -> bool:
        """Wrapper for y that converts value into boolean"""
        return str(self.y(path, default)).lower() == "true"
 CONFIG = ConfigLoader()
 if __name__ == "__main__":
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -5,7 +5,7 @@ from tempfile import mkstemp
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
-from authentik.lib.config import ENV_PREFIX, ConfigLoader
+from authentik.lib.config import CONFIG, ENV_PREFIX, ConfigLoader
 class TestConfig(TestCase):
@ -31,8 +31,8 @@ class TestConfig(TestCase):
        """Test URI parsing (environment)"""
        config = ConfigLoader()
        environ["foo"] = "bar"
-        self.assertEqual(config.parse_uri("env://foo"), "bar")
+        self.assertEqual(config.parse_uri("env://foo", {}), "bar")
-        self.assertEqual(config.parse_uri("env://foo?bar"), "bar")
+        self.assertEqual(config.parse_uri("env://foo?bar", {}), "bar")
    def test_uri_file(self):
        """Test URI parsing (file load)"""
@ -41,8 +41,8 @@ class TestConfig(TestCase):
        write(file, "foo".encode())
        _, file2_name = mkstemp()
        chmod(file2_name, 0o000)  # Remove all permissions so we can't read the file
-        self.assertEqual(config.parse_uri(f"file://{file_name}"), "foo")
+        self.assertEqual(config.parse_uri(f"file://{file_name}", {}), "foo")
-        self.assertEqual(config.parse_uri(f"file://{file2_name}?def"), "def")
+        self.assertEqual(config.parse_uri(f"file://{file2_name}?def", {}), "def")
        unlink(file_name)
        unlink(file2_name)
@ -59,3 +59,13 @@ class TestConfig(TestCase):
        config.update_from_file(file2_name)
        unlink(file_name)
        unlink(file2_name)
    def test_update(self):
        """Test change to file"""
        file, file_name = mkstemp()
        write(file, b"test")
        CONFIG.y_set("test.file", f"file://{file_name}")
        self.assertEqual(CONFIG.y("test.file"), "test")
        write(file, "test2")
        self.assertEqual(CONFIG.y("test.file"), "test2")
        unlink(file_name)
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -183,7 +183,7 @@ class DockerController(BaseController):
        try:
            self.client.images.pull(image)
        except DockerException:  # pragma: no cover
-            image = f"goauthentik.io/{self.outpost.type}:latest"
+            image = f"ghcr.io/goauthentik/{self.outpost.type}:latest"
            self.client.images.pull(image)
        return image
--- a/authentik/policies/password/tests/test_flows.py
+++ b/authentik/policies/password/tests/test_flows.py
@ -4,6 +4,7 @@ from django.urls.base import reverse
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.tests import FlowTestCase
 from authentik.lib.generators import generate_id
 from authentik.policies.password.models import PasswordPolicy
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
@ -16,6 +17,7 @@ class TestPasswordPolicyFlow(FlowTestCase):
        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        password_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="password",
            label="PASSWORD_LABEL",
            type=FieldTypes.PASSWORD,
--- a/authentik/providers/oauth2/tests/test_jwks.py
+++ b/authentik/providers/oauth2/tests/test_jwks.py
@ -1,14 +1,42 @@
 """JWKS tests"""
 import base64
 import json
 from cryptography.hazmat.backends import default_backend
 from cryptography.x509 import load_der_x509_certificate
 from django.urls.base import reverse
 from jwt import PyJWKSet
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 TEST_CORDS_CERT = """
 -----BEGIN CERTIFICATE-----
 MIIB6jCCAZCgAwIBAgIRAOsdE3N7zETzs+7shTXGj5wwCgYIKoZIzj0EAwIwHjEc
 MBoGA1UEAwwTYXV0aGVudGlrIDIwMjIuMTIuMjAeFw0yMzAxMTYyMjU2MjVaFw0y
 NDAxMTIyMjU2MjVaMHgxTDBKBgNVBAMMQ0NsbDR2TzFJSGxvdFFhTGwwMHpES2tM
 WENYdzRPUFF2eEtZN1NrczAuc2VsZi1zaWduZWQuZ29hdXRoZW50aWsuaW8xEjAQ
 BgNVBAoMCWF1dGhlbnRpazEUMBIGA1UECwwLU2VsZi1zaWduZWQwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQAwOGam7AKOi5LKmb9lK1rAzA2JTppqrFiIaUdjqmH
 ZICJP00Wt0dfqOtEjgMEv1Hhu1DmKZn2ehvpxwPSzBr5o1UwUzBRBgNVHREBAf8E
 RzBFgkNCNkw4YlI0UldJRU42NUZLamdUTzV1YmRvNUZWdkpNS2lxdjFZeTRULnNl
 bGYtc2lnbmVkLmdvYXV0aGVudGlrLmlvMAoGCCqGSM49BAMCA0gAMEUCIC/JAfnl
 uC30ihqepbiMCaTaPMbL8Ka2Lk92IYfMhf46AiEAz9Kmv6HF2D4MK54iwhz2WqvF
 8vo+OiGdTQ1Qoj7fgYU=
 -----END CERTIFICATE-----
 """
 TEST_CORDS_KEY = """
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIKy6mPLJc5v71InMMvYaxyXI3xXpwQTPLyAYWVFnZHVioAoGCCqGSM49
 AwEHoUQDQgAEAMDhmpuwCjouSypm/ZStawMwNiU6aaqxYiGlHY6ph2SAiT9NFrdH
 X6jrRI4DBL9R4btQ5imZ9nob6ccD0swa+Q==
 -----END EC PRIVATE KEY-----
 """
 class TestJWKS(OAuthTestCase):
    """Test JWKS view"""
@ -29,6 +57,8 @@ class TestJWKS(OAuthTestCase):
        body = json.loads(response.content.decode())
        self.assertEqual(len(body["keys"]), 1)
        PyJWKSet.from_dict(body)
        key = body["keys"][0]
        load_der_x509_certificate(base64.b64decode(key["x5c"][0]), default_backend()).public_key()
    def test_hs256(self):
        """Test JWKS request with HS256"""
@ -60,3 +90,25 @@ class TestJWKS(OAuthTestCase):
        body = json.loads(response.content.decode())
        self.assertEqual(len(body["keys"]), 1)
        PyJWKSet.from_dict(body)
    def test_ecdsa_coords_mismatched(self):
        """Test JWKS request with ES256"""
        cert = CertificateKeyPair.objects.create(
            name=generate_id(),
            key_data=TEST_CORDS_KEY,
            certificate_data=TEST_CORDS_CERT,
        )
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
            redirect_uris="http://local.invalid",
            signing_key=cert,
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
        response = self.client.get(
            reverse("authentik_providers_oauth2:jwks", kwargs={"application_slug": app.slug})
        )
        body = json.loads(response.content.decode())
        self.assertEqual(len(body["keys"]), 1)
        PyJWKSet.from_dict(body)
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@ -15,27 +15,49 @@ from cryptography.hazmat.primitives.serialization import Encoding
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.shortcuts import get_object_or_404
 from django.views import View
 from jwt.utils import base64url_encode
 from authentik.core.models import Application
 from authentik.crypto.models import CertificateKeyPair
 from authentik.providers.oauth2.models import JWTAlgorithms, OAuth2Provider
 def b64_enc(number: int) -> str:
    """Convert number to base64-encoded octet-value"""
    length = ((number).bit_length() + 7) // 8
    number_bytes = number.to_bytes(length, "big")
    final = urlsafe_b64encode(number_bytes).rstrip(b"=")
    return final.decode("ascii")
 # See https://notes.salrahman.com/generate-es256-es384-es512-private-keys/
 # and _CURVE_TYPES in the same file as the below curve files
 ec_crv_map = {
    SECP256R1: "P-256",
    SECP384R1: "P-384",
-    SECP521R1: "P-512",
+    SECP521R1: "P-521",
 }
 min_length_map = {
    SECP256R1: 32,
    SECP384R1: 48,
    SECP521R1: 66,
 }
 # https://github.com/jpadilla/pyjwt/issues/709
 def bytes_from_int(val: int, min_length: int = 0) -> bytes:
    """Custom bytes_from_int that accepts a minimum length"""
    remaining = val
    byte_length = 0
    while remaining != 0:
        remaining >>= 8
        byte_length += 1
    length = max([byte_length, min_length])
    return val.to_bytes(length, "big", signed=False)
 def to_base64url_uint(val: int, min_length: int = 0) -> bytes:
    """Custom to_base64url_uint that accepts a minimum length"""
    if val < 0:
        raise ValueError("Must be a positive integer")
    int_bytes = bytes_from_int(val, min_length)
    if len(int_bytes) == 0:
        int_bytes = b"\x00"
    return base64url_encode(int_bytes)
 class JWKSView(View):
@ -51,24 +73,25 @@ class JWKSView(View):
            public_key: RSAPublicKey = private_key.public_key()
            public_numbers = public_key.public_numbers()
            key_data = {
                "kid": key.kid,
                "kty": "RSA",
                "alg": JWTAlgorithms.RS256,
                "use": "sig",
-                "kid": key.kid,
+                "n": to_base64url_uint(public_numbers.n).decode(),
-                "n": b64_enc(public_numbers.n),
+                "e": to_base64url_uint(public_numbers.e).decode(),
                "e": b64_enc(public_numbers.e),
            }
        elif isinstance(private_key, EllipticCurvePrivateKey):
            public_key: EllipticCurvePublicKey = private_key.public_key()
            public_numbers = public_key.public_numbers()
            curve_type = type(public_key.curve)
            key_data = {
                "kid": key.kid,
                "kty": "EC",
                "alg": JWTAlgorithms.ES256,
                "use": "sig",
-                "kid": key.kid,
+                "x": to_base64url_uint(public_numbers.x, min_length_map[curve_type]).decode(),
-                "x": b64_enc(public_numbers.x),
+                "y": to_base64url_uint(public_numbers.y, min_length_map[curve_type]).decode(),
-                "y": b64_enc(public_numbers.y),
+                "crv": ec_crv_map.get(curve_type, public_key.curve.name),
                "crv": ec_crv_map.get(type(public_key.curve), public_key.curve.name),
            }
        else:
            return key_data
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -38,7 +38,6 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
            try:
                defaults = self.build_group_properties(group_dn, **attributes)
                defaults["parent"] = self._source.sync_parent_group
                self._logger.debug("Creating group with attributes", **defaults)
                if "name" not in defaults:
                    raise IntegrityError("Name was not set by propertymappings")
                # Special check for `users` field, as this is an M2M relation, and cannot be sync'd
@ -51,6 +50,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                    },
                    defaults,
                )
                self._logger.debug("Created group with attributes", **defaults)
            except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
--- a/authentik/sources/ldap/tests/test_auth.py
+++ b/authentik/sources/ldap/tests/test_auth.py
@ -33,11 +33,10 @@ class LDAPSyncTests(TestCase):
        """Test Cached auth"""
        self.source.property_mappings.set(
            LDAPPropertyMapping.objects.filter(
-                Q(name__startswith="authentik default LDAP Mapping")
+                Q(managed__startswith="goauthentik.io/sources/ldap/default-")
-                | Q(name__startswith="authentik default Active Directory Mapping")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/ms-")
            )
        )
        self.source.save()
        connection = PropertyMock(return_value=mock_ad_connection(LDAP_PASSWORD))
        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
            user_sync = UserLDAPSynchronizer(self.source)
--- a/authentik/stages/authenticator_duo/stage.py
+++ b/authentik/stages/authenticator_duo/stage.py
@ -1,5 +1,5 @@
 """Duo stage"""
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpResponse
 from django.utils.timezone import now
 from rest_framework.fields import CharField
@ -10,7 +10,6 @@ from authentik.flows.challenge import (
    ChallengeTypes,
    WithUserInfoChallenge,
 )
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import InvalidStageError
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
@ -68,13 +67,6 @@ class AuthenticatorDuoStageView(ChallengeStageView):
            }
        )
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
        if not user:
            self.logger.debug("No pending user, continuing")
            return self.executor.stage_ok()
        return super().get(request, *args, **kwargs)
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        # Duo Challenge has already been validated
        stage: AuthenticatorDuoStage = self.executor.current_stage
--- a/authentik/stages/authenticator_sms/models.py
+++ b/authentik/stages/authenticator_sms/models.py
@ -76,13 +76,17 @@ class AuthenticatorSMSStage(ConfigurableStage, Stage):
            return self.send_generic(token, device)
        raise ValueError(f"invalid provider {self.provider}")
    def get_message(self, token: str) -> str:
        """Get SMS message"""
        return _("Use this code to authenticate in authentik: %(token)s" % {"token": token})
    def send_twilio(self, token: str, device: "SMSDevice"):
        """send sms via twilio provider"""
        client = Client(self.account_sid, self.auth)
        try:
            message = client.messages.create(
-                to=device.phone_number, from_=self.from_number, body=token
+                to=device.phone_number, from_=self.from_number, body=self.get_message(token)
            )
            LOGGER.debug("Sent SMS", to=device, message=message.sid)
        except TwilioRestException as exc:
@ -95,6 +99,7 @@ class AuthenticatorSMSStage(ConfigurableStage, Stage):
            "From": self.from_number,
            "To": device.phone_number,
            "Body": token,
            "Message": self.get_message(token),
        }
        if self.mapping:
--- a/authentik/stages/authenticator_sms/stage.py
+++ b/authentik/stages/authenticator_sms/stage.py
@ -12,9 +12,9 @@ from authentik.flows.challenge import (
    Challenge,
    ChallengeResponse,
    ChallengeTypes,
    ErrorDetailSerializer,
    WithUserInfoChallenge,
 )
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.stages.authenticator_sms.models import (
    AuthenticatorSMSStage,
@ -47,15 +47,9 @@ class AuthenticatorSMSChallengeResponse(ChallengeResponse):
    def validate(self, attrs: dict) -> dict:
        """Check"""
        stage: AuthenticatorSMSStage = self.device.stage
        if "code" not in attrs:
            self.device.phone_number = attrs["phone_number"]
-            hashed_number = hash_phone_number(self.device.phone_number)
+            self.stage.validate_and_send(attrs["phone_number"])
            query = Q(phone_number=hashed_number) | Q(phone_number=self.device.phone_number)
            if SMSDevice.objects.filter(query, stage=self.stage.executor.current_stage.pk).exists():
                raise ValidationError(_("Invalid phone number"))
            # No code yet, but we have a phone number, so send a verification message
            stage.send(self.device.token, self.device)
            return super().validate(attrs)
        if not self.device.verify_token(str(attrs["code"])):
            raise ValidationError(_("Code does not match"))
@ -68,6 +62,17 @@ class AuthenticatorSMSStageView(ChallengeStageView):
    response_class = AuthenticatorSMSChallengeResponse
    def validate_and_send(self, phone_number: str):
        """Validate phone number and send message"""
        stage: AuthenticatorSMSStage = self.executor.current_stage
        hashed_number = hash_phone_number(phone_number)
        query = Q(phone_number=hashed_number) | Q(phone_number=phone_number)
        if SMSDevice.objects.filter(query, stage=stage.pk).exists():
            raise ValidationError(_("Invalid phone number"))
        # No code yet, but we have a phone number, so send a verification message
        device: SMSDevice = self.request.session[SESSION_KEY_SMS_DEVICE]
        stage.send(device.token, device)
    def _has_phone_number(self) -> Optional[str]:
        context = self.executor.plan.context
        if "phone" in context.get(PLAN_CONTEXT_PROMPT, {}):
@ -95,24 +100,23 @@ class AuthenticatorSMSStageView(ChallengeStageView):
        return response
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
+        user = self.get_pending_user()
        if not user:
            self.logger.debug("No pending user, continuing")
            return self.executor.stage_ok()
        # Currently, this stage only supports one device per user. If the user already
        # has a device, just skip to the next stage
        if SMSDevice.objects.filter(user=user).exists():
            return self.executor.stage_ok()
        stage: AuthenticatorSMSStage = self.executor.current_stage
        if SESSION_KEY_SMS_DEVICE not in self.request.session:
            device = SMSDevice(user=user, confirmed=False, stage=stage, name="SMS Device")
            device.generate_token(commit=False)
            self.request.session[SESSION_KEY_SMS_DEVICE] = device
            if phone_number := self._has_phone_number():
                device.phone_number = phone_number
-            self.request.session[SESSION_KEY_SMS_DEVICE] = device
+                try:
                    self.validate_and_send(phone_number)
                except ValidationError as exc:
                    response = AuthenticatorSMSChallengeResponse()
                    response._errors.setdefault("phone_number", [])
                    response._errors["phone_number"].append(ErrorDetailSerializer(exc.detail))
                    return self.challenge_invalid(response)
        return super().get(request, *args, **kwargs)
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
--- a/authentik/stages/authenticator_sms/tests.py
+++ b/authentik/stages/authenticator_sms/tests.py
@ -80,6 +80,39 @@ class AuthenticatorSMSStageTests(FlowTestCase):
            phone_number_required=False,
        )
    def test_stage_context_data(self):
        """test stage context data"""
        self.client.get(
            reverse("authentik_flows:configure", kwargs={"stage_uuid": self.stage.stage_uuid}),
        )
        sms_send_mock = MagicMock()
        with (
            patch(
                (
                    "authentik.stages.authenticator_sms.stage."
                    "AuthenticatorSMSStageView._has_phone_number"
                ),
                MagicMock(
                    return_value="1234",
                ),
            ),
            patch(
                "authentik.stages.authenticator_sms.models.AuthenticatorSMSStage.send",
                sms_send_mock,
            ),
        ):
            response = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            )
            sms_send_mock.assert_called_once()
        self.assertStageResponse(
            response,
            self.flow,
            self.user,
            component="ak-stage-authenticator-sms",
            phone_number_required=False,
        )
    def test_stage_submit_full(self):
        """test stage (submit)"""
        self.client.get(
--- a/authentik/stages/authenticator_totp/stage.py
+++ b/authentik/stages/authenticator_totp/stage.py
@ -1,7 +1,8 @@
 """TOTP Setup stage"""
 from urllib.parse import quote
 from django.http import HttpRequest, HttpResponse
 from django.http.request import QueryDict
 from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from rest_framework.fields import CharField, IntegerField
@ -56,7 +57,7 @@ class AuthenticatorTOTPStageView(ChallengeStageView):
            data={
                "type": ChallengeTypes.NATIVE.value,
                "config_url": device.config_url.replace(
-                    OTP_TOTP_ISSUER, slugify(self.request.tenant.branding_title)
+                    OTP_TOTP_ISSUER, quote(self.request.tenant.branding_title)
                ),
            }
        )
--- a/authentik/stages/authenticator_validate/tests/test_webauthn.py
+++ b/authentik/stages/authenticator_validate/tests/test_webauthn.py
@ -9,9 +9,10 @@ from webauthn.helpers.bytes_to_base64url import bytes_to_base64url
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowStageBinding, NotConfiguredAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.stage import StageView
 from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import FlowExecutorView
+from authentik.flows.views.executor import SESSION_KEY_PLAN, FlowExecutorView
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
 from authentik.stages.authenticator_validate.challenge import (
@ -20,10 +21,14 @@ from authentik.stages.authenticator_validate.challenge import (
    validate_challenge_webauthn,
 )
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
-from authentik.stages.authenticator_validate.stage import AuthenticatorValidateStageView
+from authentik.stages.authenticator_validate.stage import (
    SESSION_KEY_DEVICE_CHALLENGES,
    AuthenticatorValidateStageView,
 )
 from authentik.stages.authenticator_webauthn.models import UserVerification, WebAuthnDevice
 from authentik.stages.authenticator_webauthn.stage import SESSION_KEY_WEBAUTHN_CHALLENGE
 from authentik.stages.identification.models import IdentificationStage, UserFields
 from authentik.stages.user_login.models import UserLoginStage
 class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
@ -185,10 +190,7 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
    def test_validate_challenge(self):
        """Test webauthn"""
-        request = get_request("/")
+        device = WebAuthnDevice.objects.create(
        request.user = self.user
        WebAuthnDevice.objects.create(
            user=self.user,
            public_key=(
                "pQECAyYgASFYIGsBLkklToCQkT7qJT_bJYN1sEc1oJdbnmoOc43i0J"
@ -204,49 +206,134 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            not_configured_action=NotConfiguredAction.CONFIGURE,
            device_classes=[DeviceClasses.WEBAUTHN],
        )
-        stage_view = AuthenticatorValidateStageView(
+        session = self.client.session
-            FlowExecutorView(flow=flow, current_stage=stage), request=request
+        plan = FlowPlan(flow_pk=flow.pk.hex)
-        )
+        plan.append_stage(stage)
-        request = get_request("/")
+        plan.append_stage(UserLoginStage(name=generate_id()))
-        request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
        session[SESSION_KEY_PLAN] = plan
        session[SESSION_KEY_DEVICE_CHALLENGES] = [
            {
                "device_class": device.__class__.__name__.lower().replace("device", ""),
                "device_uid": device.pk,
                "challenge": {},
            }
        ]
        session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
            (
                "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1"
                "jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
            )
        )
-        request.session.save()
+        session.save()
-        stage_view = AuthenticatorValidateStageView(
+        response = self.client.post(
-            FlowExecutorView(flow=flow, current_stage=stage), request=request
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
+            data={
-        request.META["SERVER_NAME"] = "localhost"
+                "webauthn": {
-        request.META["SERVER_PORT"] = "9000"
+                    "id": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
-        validate_challenge_webauthn(
+                    "rawId": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
-            {
+                    "type": "public-key",
-                "id": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
+                    "assertionClientExtensions": "{}",
-                "rawId": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
+                    "response": {
-                "type": "public-key",
+                        "clientDataJSON": (
-                "assertionClientExtensions": "{}",
+                            "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiZzk4STUxbVF2WlhvNWx4T"
-                "response": {
+                            "GZockQyemZvbGhaYkxSeUNncWtrWWFwMWp3U2FKMTNCZ3VvSldDRjlfTGczQWdPNFdoLU"
-                    "clientDataJSON": (
+                            "JxYTU1NkpFMjBvS3NZYmw2UkEiLCJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjkwMDA"
-                        "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiZzk4STUxbVF2WlhvNWx4TGZo"
+                            "iLCJjcm9zc09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hlcmUi"
-                        "ckQyemZvbGhaYkxSeUNncWtrWWFwMWp3U2FKMTNCZ3VvSldDRjlfTGczQWdPNFdoLUJxYTU1"
+                            "OiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuI"
-                        "NkpFMjBvS3NZYmw2UkEiLCJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjkwMDAiLCJjcm9z"
+                            "FNlZSBodHRwczovL2dvby5nbC95YWJQZXgifQ==",
-                        "c09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hlcmUiOiJkbyBub3Qg"
+                        ),
-                        "Y29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuIFNlZSBodHRwczov"
+                        "signature": (
-                        "L2dvby5nbC95YWJQZXgifQ==",
+                            "MEQCIFNlrHf9ablJAalXLWkrqvHB8oIu8kwvRpH3X3rbJVpI"
-                    ),
+                            "AiAqtOK6mIZPk62kZN0OzFsHfuvu_RlOl7zlqSNzDdz_Ag=="
-                    "signature": (
+                        ),
-                        "MEQCIFNlrHf9ablJAalXLWkrqvHB8oIu8kwvRpH3X3rbJVpI"
+                        "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAABQ==",
-                        "AiAqtOK6mIZPk62kZN0OzFsHfuvu_RlOl7zlqSNzDdz_Ag=="
+                        "userHandle": None,
-                    ),
+                    },
                    "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAABQ==",
                    "userHandle": None,
                },
            },
-            stage_view,
+            SERVER_NAME="localhost",
-            self.user,
+            SERVER_PORT="9000",
        )
        self.assertEqual(response.status_code, 302)
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
    def test_validate_challenge_userless(self):
        """Test webauthn"""
        device = WebAuthnDevice.objects.create(
            user=self.user,
            public_key=(
                "pQECAyYgASFYIGsBLkklToCQkT7qJT_bJYN1sEc1oJdbnmoOc43i0J"
                "H6IlggLTXytuhzFVYYAK4PQNj8_coGrbbzSfUxdiPAcZTQCyU"
            ),
            credential_id="QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
            sign_count=4,
            rp_id=generate_id(),
        )
        flow = create_test_flow()
        stage = AuthenticatorValidateStage.objects.create(
            name=generate_id(),
            not_configured_action=NotConfiguredAction.CONFIGURE,
            device_classes=[DeviceClasses.WEBAUTHN],
        )
        session = self.client.session
        plan = FlowPlan(flow_pk=flow.pk.hex)
        plan.append_stage(stage)
        plan.append_stage(UserLoginStage(name=generate_id()))
        session[SESSION_KEY_PLAN] = plan
        session[SESSION_KEY_DEVICE_CHALLENGES] = [
            {
                "device_class": device.__class__.__name__.lower().replace("device", ""),
                "device_uid": device.pk,
                "challenge": {},
            }
        ]
        session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
            (
                "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1"
                "jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
            )
        )
        session.save()
        response = self.client.post(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
            data={
                "webauthn": {
                    "id": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
                    "rawId": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
                    "type": "public-key",
                    "assertionClientExtensions": "{}",
                    "response": {
                        "clientDataJSON": (
                            "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiZzk4STUxbVF2WlhvNWx4T"
                            "GZockQyemZvbGhaYkxSeUNncWtrWWFwMWp3U2FKMTNCZ3VvSldDRjlfTGczQWdPNFdoLU"
                            "JxYTU1NkpFMjBvS3NZYmw2UkEiLCJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjkwMDA"
                            "iLCJjcm9zc09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hlcmUi"
                            "OiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuI"
                            "FNlZSBodHRwczovL2dvby5nbC95YWJQZXgifQ==",
                        ),
                        "signature": (
                            "MEQCIFNlrHf9ablJAalXLWkrqvHB8oIu8kwvRpH3X3rbJVpI"
                            "AiAqtOK6mIZPk62kZN0OzFsHfuvu_RlOl7zlqSNzDdz_Ag=="
                        ),
                        "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAABQ==",
                        "userHandle": None,
                    },
                },
            },
            SERVER_NAME="localhost",
            SERVER_PORT="9000",
        )
        self.assertEqual(response.status_code, 302)
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
    def test_validate_challenge_invalid(self):
        """Test webauthn"""
--- a/authentik/stages/authenticator_webauthn/stage.py
+++ b/authentik/stages/authenticator_webauthn/stage.py
@ -26,7 +26,6 @@ from authentik.flows.challenge import (
    ChallengeTypes,
    WithUserInfoChallenge,
 )
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.stages.authenticator_webauthn.models import AuthenticateWebAuthnStage, WebAuthnDevice
 from authentik.stages.authenticator_webauthn.utils import get_origin, get_rp_id
@ -113,13 +112,6 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
            }
        )
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
        if not user:
            self.logger.debug("No pending user, continuing")
            return self.executor.stage_ok()
        return super().get(request, *args, **kwargs)
    def get_response_instance(self, data: QueryDict) -> AuthenticatorWebAuthnChallengeResponse:
        response: AuthenticatorWebAuthnChallengeResponse = super().get_response_instance(data)
        response.request = self.request
--- a/authentik/stages/email/templates/email/password_reset.html
+++ b/authentik/stages/email/templates/email/password_reset.html
@ -17,7 +17,7 @@
            <tr>
                <td class="content-block">
                    {% blocktrans %}
-                    You recently requested to change your password for you authentik account. Use the button below to set a new password.
+                    You recently requested to change your password for your authentik account. Use the button below to set a new password.
                    {% endblocktrans %}
                </td>
            </tr>
--- a/authentik/stages/email/tests/test_stage.py
+++ b/authentik/stages/email/tests/test_stage.py
@ -62,9 +62,7 @@ class TestEmailStage(FlowTestCase):
        self.assertEqual(response.status_code, 200)
        self.assertEqual(len(mail.outbox), 1)
        self.assertEqual(mail.outbox[0].subject, "authentik")
-        self.assertNotIn(
+        self.assertNotIn("Password Reset", mail.outbox[0].alternatives[0][0])
            "You recently requested to change your password", mail.outbox[0].alternatives[0][0]
        )
    def test_without_user(self):
        """Test without pending user"""
--- a/authentik/stages/invitation/stage.py
+++ b/authentik/stages/invitation/stage.py
@ -2,6 +2,7 @@
 from typing import Optional
 from deepmerge import always_merger
 from django.core.exceptions import ValidationError
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext_lazy as _
@ -41,7 +42,11 @@ class InvitationStageView(StageView):
        token = self.get_token()
        if not token:
            return None
-        invite: Invitation = Invitation.objects.filter(pk=token).first()
+        try:
            invite: Invitation = Invitation.objects.filter(pk=token).first()
        except ValidationError:
            self.logger.debug("invalid invitation", token=token)
            return None
        if not invite:
            self.logger.debug("invalid invitation", token=token)
            return None
--- a/authentik/stages/prompt/api.py
+++ b/authentik/stages/prompt/api.py
@ -42,6 +42,7 @@ class PromptSerializer(ModelSerializer):
        model = Prompt
        fields = [
            "pk",
            "name",
            "field_key",
            "label",
            "type",
@ -59,5 +60,5 @@ class PromptViewSet(UsedByMixin, ModelViewSet):
    queryset = Prompt.objects.all().prefetch_related("promptstage_set")
    serializer_class = PromptSerializer
-    filterset_fields = ["field_key", "label", "type", "placeholder"]
+    filterset_fields = ["field_key", "name", "label", "type", "placeholder"]
-    search_fields = ["field_key", "label", "type", "placeholder"]
+    search_fields = ["field_key", "name", "label", "type", "placeholder"]
--- a/authentik/stages/prompt/migrations/0009_prompt_name.py
+++ b/authentik/stages/prompt/migrations/0009_prompt_name.py
@ -0,0 +1,40 @@
 # Generated by Django 4.1.5 on 2023-01-23 19:42
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def set_generated_name(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    Prompt = apps.get_model("authentik_stages_prompt", "prompt")
    for prompt in Prompt.objects.using(db_alias).all():
        name = prompt.field_key
        stage = prompt.promptstage_set.order_by("name").first()
        if stage:
            name += "_" + stage.name
        prompt.name = name
        prompt.save()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_stages_prompt", "0008_alter_prompt_type"),
    ]
    operations = [
        migrations.AddField(
            model_name="prompt",
            name="name",
            field=models.TextField(default="", unique=False, db_index=False, blank=False),
            preserve_default=False,
        ),
        migrations.RunPython(code=set_generated_name),
        migrations.AlterField(
            model_name="prompt",
            name="name",
            field=models.TextField(unique=True),
        ),
    ]
--- a/authentik/stages/prompt/models.py
+++ b/authentik/stages/prompt/models.py
@ -96,6 +96,7 @@ class Prompt(SerializerModel):
    """Single Prompt, part of a prompt stage."""
    prompt_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    name = models.TextField(unique=True, blank=False)
    field_key = models.TextField(
        help_text=_("Name of the form field, also used to store the value")
--- a/authentik/stages/prompt/tests.py
+++ b/authentik/stages/prompt/tests.py
@ -30,6 +30,7 @@ class TestPromptStage(FlowTestCase):
        self.factory = RequestFactory()
        self.flow = create_test_flow()
        username_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="username_prompt",
            label="USERNAME_LABEL",
            type=FieldTypes.USERNAME,
@ -37,6 +38,7 @@ class TestPromptStage(FlowTestCase):
            placeholder="USERNAME_PLACEHOLDER",
        )
        text_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="text_prompt",
            label="TEXT_LABEL",
            type=FieldTypes.TEXT,
@ -44,6 +46,7 @@ class TestPromptStage(FlowTestCase):
            placeholder="TEXT_PLACEHOLDER",
        )
        email_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="email_prompt",
            label="EMAIL_LABEL",
            type=FieldTypes.EMAIL,
@ -51,6 +54,7 @@ class TestPromptStage(FlowTestCase):
            placeholder="EMAIL_PLACEHOLDER",
        )
        password_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="password_prompt",
            label="PASSWORD_LABEL",
            type=FieldTypes.PASSWORD,
@ -58,6 +62,7 @@ class TestPromptStage(FlowTestCase):
            placeholder="PASSWORD_PLACEHOLDER",
        )
        password2_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="password2_prompt",
            label="PASSWORD_LABEL",
            type=FieldTypes.PASSWORD,
@ -65,6 +70,7 @@ class TestPromptStage(FlowTestCase):
            placeholder="PASSWORD_PLACEHOLDER",
        )
        number_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="number_prompt",
            label="NUMBER_LABEL",
            type=FieldTypes.NUMBER,
@ -72,12 +78,14 @@ class TestPromptStage(FlowTestCase):
            placeholder="NUMBER_PLACEHOLDER",
        )
        hidden_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="hidden_prompt",
            type=FieldTypes.HIDDEN,
            required=True,
            placeholder="HIDDEN_PLACEHOLDER",
        )
        static_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="static_prompt",
            type=FieldTypes.STATIC,
            required=True,
--- a/authentik/stages/user_write/migrations/0007_remove_userwritestage_can_create_users_and_more.py
+++ b/authentik/stages/user_write/migrations/0007_remove_userwritestage_can_create_users_and_more.py
@ -11,9 +11,9 @@ def migrate_to_user_creation_mode(apps: Apps, schema_editor: BaseDatabaseSchemaE
    for stage in UserWriteStage.objects.using(schema_editor.connection.alias).all():
        if stage.can_create_users:
            stage.user_creation_mode = UserCreationMode.NEVER_CREATE
        else:
            stage.user_creation_mode = UserCreationMode.CREATE_WHEN_REQUIRED
        else:
            stage.user_creation_mode = UserCreationMode.NEVER_CREATE
        stage.save()
--- a/blueprints/default/90-default-tenant.yaml
+++ b/blueprints/default/90-default-tenant.yaml
--- a/blueprints/default/40-events-default.yaml
+++ b/blueprints/default/40-events-default.yaml
--- a/blueprints/default/10-flow-default-authentication-flow.yaml
+++ b/blueprints/default/10-flow-default-authentication-flow.yaml
--- a/blueprints/default/20-flow-default-authenticator-static-setup.yaml
+++ b/blueprints/default/20-flow-default-authenticator-static-setup.yaml
--- a/blueprints/default/20-flow-default-authenticator-totp-setup.yaml
+++ b/blueprints/default/20-flow-default-authenticator-totp-setup.yaml
--- a/blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml
+++ b/blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml
--- a/blueprints/default/10-flow-default-invalidation-flow.yaml
+++ b/blueprints/default/10-flow-default-invalidation-flow.yaml
--- a/blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml
+++ b/blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml
--- a/blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml
+++ b/blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml
--- a/blueprints/default/20-flow-default-source-authentication.yaml
+++ b/blueprints/default/20-flow-default-source-authentication.yaml
--- a/blueprints/default/20-flow-default-source-enrollment.yaml
+++ b/blueprints/default/20-flow-default-source-enrollment.yaml
@ -17,9 +17,10 @@ entries:
    placeholder_expression: false
    required: true
    type: text
  identifiers:
    field_key: username
    label: Username
  identifiers:
    name: default-source-enrollment-field-username
  id: prompt-field-username
  model: authentik_stages_prompt.prompt
 - attrs:
--- a/blueprints/default/20-flow-default-source-pre-authentication.yaml
+++ b/blueprints/default/20-flow-default-source-pre-authentication.yaml
--- a/blueprints/default/30-flow-default-user-settings-flow.yaml
+++ b/blueprints/default/30-flow-default-user-settings-flow.yaml
@ -21,9 +21,10 @@ entries:
    placeholder_expression: true
    required: true
    type: text
  identifiers:
    field_key: username
    label: Username
  identifiers:
    name: default-user-settings-field-username
  id: prompt-field-username
  model: authentik_stages_prompt.prompt
 - attrs:
@ -36,9 +37,10 @@ entries:
    placeholder_expression: true
    required: true
    type: text
  identifiers:
    field_key: name
    label: Name
  identifiers:
    name: default-user-settings-field-name
  id: prompt-field-name
  model: authentik_stages_prompt.prompt
 - attrs:
@ -51,9 +53,10 @@ entries:
    placeholder_expression: true
    required: true
    type: email
  identifiers:
    field_key: email
    label: Email
  identifiers:
    name: default-user-settings-field-email
  id: prompt-field-email
  model: authentik_stages_prompt.prompt
 - attrs:
@ -66,9 +69,10 @@ entries:
    placeholder_expression: true
    required: true
    type: ak-locale
  identifiers:
    field_key: attributes.settings.locale
    label: Locale
  identifiers:
    name: default-user-settings-field-locale
  id: prompt-field-locale
  model: authentik_stages_prompt.prompt
 - attrs:
--- a/blueprints/default/91-flow-oobe.yaml
+++ b/blueprints/default/91-flow-oobe.yaml
@ -19,10 +19,11 @@ entries:
    required: true
    sub_text: ''
    type: static
  id: prompt-field-header
  identifiers:
    field_key: oobe-header-text
    label: oobe-header-text
  id: prompt-field-header
  identifiers:
    name: initial-setup-field-header
  model: authentik_stages_prompt.prompt
 - attrs:
    order: 101
@ -31,10 +32,11 @@ entries:
    required: true
    sub_text: ''
    type: email
  id: prompt-field-email
  identifiers:
    field_key: email
    label: Email
  id: prompt-field-email
  identifiers:
    name: initial-setup-field-email
  model: authentik_stages_prompt.prompt
 - attrs:
    order: 300
@ -43,10 +45,11 @@ entries:
    required: true
    sub_text: ''
    type: password
  id: prompt-field-password
  identifiers:
    field_key: password
    label: Password
  id: prompt-field-password
  identifiers:
    name: initial-setup-field-password
  model: authentik_stages_prompt.prompt
 - attrs:
    order: 301
@ -55,10 +58,11 @@ entries:
    required: true
    sub_text: ''
    type: password
  id: prompt-field-password-repeat
  identifiers:
    field_key: password_repeat
    label: Password (repeat)
  id: prompt-field-password-repeat
  identifiers:
    name: initial-setup-field-password-repeat
  model: authentik_stages_prompt.prompt
 - attrs:
    expression: |
--- a/blueprints/default/0-flow-password-change.yaml
+++ b/blueprints/default/0-flow-password-change.yaml
@ -17,9 +17,10 @@ entries:
    placeholder_expression: false
    required: true
    type: password
  identifiers:
    field_key: password
    label: Password
  identifiers:
    name: default-password-change-field-password
  id: prompt-field-password
  model: authentik_stages_prompt.prompt
 - attrs:
@ -28,9 +29,10 @@ entries:
    placeholder_expression: false
    required: true
    type: password
  identifiers:
    field_key: password_repeat
    label: Password (repeat)
  identifiers:
    name: default-password-change-field-password-repeat
  id: prompt-field-password-repeat
  model: authentik_stages_prompt.prompt
 - attrs:
--- a/blueprints/example/flows-enrollment-2-stage.yaml
+++ b/blueprints/example/flows-enrollment-2-stage.yaml
@ -13,56 +13,61 @@ entries:
      title: Welcome to authentik!
      designation: enrollment
      authentication: require_unauthenticated
-  - identifiers:
+  - id: prompt-field-username
    model: authentik_stages_prompt.prompt
    identifiers:
      name: default-enrollment-field-username
    attrs:
      field_key: username
      label: Username
    id: prompt-field-username
    model: authentik_stages_prompt.prompt
    attrs:
      type: username
      required: true
      placeholder: Username
      placeholder_expression: false
      order: 0
  - identifiers:
-      field_key: password
+      name: default-enrollment-field-password
      label: Password
    id: prompt-field-password
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: password
      label: Password
      type: password
      required: true
      placeholder: Password
      placeholder_expression: false
      order: 0
  - identifiers:
-      field_key: password_repeat
+      name: default-enrollment-field-password-repeat
      label: Password (repeat)
    id: prompt-field-password-repeat
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: password_repeat
      label: Password (repeat)
      type: password
      required: true
      placeholder: Password (repeat)
      placeholder_expression: false
      order: 1
  - identifiers:
-      field_key: name
+      name: default-enrollment-field-name
      label: Name
    id: prompt-field-name
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: name
      label: Name
      type: text
      required: true
      placeholder: Name
      placeholder_expression: false
      order: 0
  - identifiers:
-      field_key: email
+      name: default-enrollment-field-email
      label: Email
    id: prompt-field-email
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: email
      label: Email
      type: email
      required: true
      placeholder: Email
--- a/blueprints/example/flows-enrollment-email-verification.yaml
+++ b/blueprints/example/flows-enrollment-email-verification.yaml
@ -14,55 +14,60 @@ entries:
      designation: enrollment
      authentication: require_unauthenticated
  - identifiers:
-      field_key: username
+      name: default-enrollment-field-username
      label: Username
    id: prompt-field-username
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: username
      label: Username
      type: username
      required: true
      placeholder: Username
      placeholder_expression: false
      order: 0
  - identifiers:
-      field_key: password
+      name: default-enrollment-field-password
      label: Password
    id: prompt-field-password
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: password
      label: Password
      type: password
      required: true
      placeholder: Password
      placeholder_expression: false
      order: 0
  - identifiers:
-      field_key: password_repeat
+      name: default-enrollment-field-password-repeat
      label: Password (repeat)
    id: prompt-field-password-repeat
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: password_repeat
      label: Password (repeat)
      type: password
      required: true
      placeholder: Password (repeat)
      placeholder_expression: false
      order: 1
  - identifiers:
-      field_key: name
+      name: default-enrollment-field-name
      label: Name
    id: prompt-field-name
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: name
      label: Name
      type: text
      required: true
      placeholder: Name
      placeholder_expression: false
      order: 0
  - identifiers:
-      field_key: email
+      name: default-enrollment-field-email
      label: Email
    id: prompt-field-email
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: email
      label: Email
      type: email
      required: true
      placeholder: Email
--- a/blueprints/example/flows-recovery-email-verification.yaml
+++ b/blueprints/example/flows-recovery-email-verification.yaml
@ -14,22 +14,24 @@ entries:
      designation: recovery
      authentication: require_unauthenticated
  - identifiers:
-      field_key: password
+      name: default-recovery-field-password
      label: Password
    id: prompt-field-password
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: password
      label: Password
      type: password
      required: true
      placeholder: Password
      order: 0
      placeholder_expression: false
  - identifiers:
-      field_key: password_repeat
+      name: default-recovery-field-password-repeat
      label: Password (repeat)
    id: prompt-field-password-repeat
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: password_repeat
      label: Password (repeat)
      type: password
      required: true
      placeholder: Password (repeat)
--- a/blueprints/migrations/migrate-prompt-name.yaml
+++ b/blueprints/migrations/migrate-prompt-name.yaml
@ -0,0 +1,70 @@
 version: 1
 metadata:
  labels:
    blueprints.goauthentik.io/description: Migrate to 2023.2, remove unused prompt fields
  name: Migration - Remove old prompt fields
 entries:
  - model: authentik_stages_prompt.prompt
    identifiers:
      name: admin_email_stage-default-oobe-password
    attrs:
      field_key: foo
      label: foo
      type: text
    state: absent
  - model: authentik_stages_prompt.prompt
    identifiers:
      name: attributes.settings.locale_default-user-settings
    attrs:
      field_key: foo
      label: foo
      type: text
    state: absent
  - model: authentik_stages_prompt.prompt
    identifiers:
      name: email_default-user-settings
    attrs:
      field_key: foo
      label: foo
      type: text
    state: absent
  - model: authentik_stages_prompt.prompt
    identifiers:
      name: name_default-user-settings
    attrs:
      field_key: foo
      label: foo
      type: text
    state: absent
  - model: authentik_stages_prompt.prompt
    identifiers:
      name: oobe-header-text_stage-default-oobe-password
    attrs:
      field_key: foo
      label: foo
      type: text
    state: absent
  - model: authentik_stages_prompt.prompt
    identifiers:
      name: password_default-password-change-prompt
    attrs:
      field_key: foo
      label: foo
      type: text
    state: absent
  - model: authentik_stages_prompt.prompt
    identifiers:
      name: password_repeat_default-password-change-prompt
    attrs:
      field_key: foo
      label: foo
      type: text
    state: absent
  - model: authentik_stages_prompt.prompt
    identifiers:
      name: username_default-source-enrollment-prompt
    attrs:
      field_key: foo
      label: foo
      type: text
    state: absent
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -32,7 +32,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.1.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.1.2}
    restart: unless-stopped
    command: server
    environment:
@ -47,10 +47,10 @@ services:
    env_file:
      - .env
    ports:
-      - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
+      - "${AUTHENTIK_PORT_HTTP:-9000}:9000"
-      - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
+      - "${AUTHENTIK_PORT_HTTPS:-9443}:9443"
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.1.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.1.2}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -25,7 +25,7 @@ require (
 	github.com/quasoft/memstore v0.0.0-20191010062613-2bce066d2b0b
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.1
-	goauthentik.io/api/v3 v3.2022122.8
+	goauthentik.io/api/v3 v3.2023012.2
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
 	gopkg.in/boj/redistore.v1 v1.0.0-20160128113310-fc113767cd6b
--- a/go.sum
+++ b/go.sum
@ -382,8 +382,8 @@ go.opentelemetry.io/otel/sdk v1.11.1 h1:F7KmQgoHljhUuJyA+9BiU+EkJfyX5nVVF4wyzWZp
 go.opentelemetry.io/otel/trace v1.11.1 h1:ofxdnzsNrGBYXbP7t7zpUK281+go5rF7dvdIZXF8gdQ=
 go.opentelemetry.io/otel/trace v1.11.1/go.mod h1:f/Q9G7vzk5u91PhbmKbg1Qn0rzH1LJ4vbPHFGkTPtOk=
 go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
-goauthentik.io/api/v3 v3.2022122.8 h1:6yJ7w1K7/h79IJC9VDUV0pb12oSQnIOcghzCCPz3sEU=
+goauthentik.io/api/v3 v3.2023012.2 h1:aP/JlZCxGaPuV+vPabL3Niz7lWAYnNolrINYSFBDFG0=
-goauthentik.io/api/v3 v3.2022122.8/go.mod h1:QM9J32HgYE4gL71lWAfAoXSPdSmLVLW08itfLI3Mo10=
+goauthentik.io/api/v3 v3.2023012.2/go.mod h1:QM9J32HgYE4gL71lWAfAoXSPdSmLVLW08itfLI3Mo10=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2023.1.0"
+const VERSION = "2023.1.2"
--- a/internal/outpost/ak/outpost.go
+++ b/internal/outpost/ak/outpost.go
@ -1,8 +1,11 @@
 package ak
 import "context"
 type Outpost interface {
 	Start() error
 	Stop() error
 	Refresh() error
-	TimerFlowCacheExpiry()
+	TimerFlowCacheExpiry(context.Context)
 	Type() string
 }
--- a/internal/outpost/ak/periodical.go
+++ b/internal/outpost/ak/periodical.go
@ -1,15 +1,16 @@
 package ak
 import (
 	"context"
 	"time"
 )
 func (a *APIController) startPeriodicalTasks() {
-	go a.Server.TimerFlowCacheExpiry()
+	ctx, canc := context.WithCancel(context.Background())
-	go func() {
+	defer canc()
-		for range time.Tick(time.Duration(a.GlobalConfig.CacheTimeoutFlows) * time.Second) {
+	go a.Server.TimerFlowCacheExpiry(ctx)
-			a.logger.WithField("timer", "cache-timeout").Debug("Running periodical tasks")
+	for range time.Tick(time.Duration(a.GlobalConfig.CacheTimeoutFlows) * time.Second) {
-			a.Server.TimerFlowCacheExpiry()
+		a.logger.WithField("timer", "cache-timeout").Debug("Running periodical tasks")
-		}
+		a.Server.TimerFlowCacheExpiry(ctx)
-	}()
+	}
 }
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@ -143,6 +143,10 @@ func (fe *FlowExecutor) GetSession() *http.Cookie {
 	return fe.session
 }
 func (fe *FlowExecutor) SetSession(s *http.Cookie) {
 	fe.session = s
 }
 // WarmUp Ensure authentik's flow cache is warmed up
 func (fe *FlowExecutor) WarmUp() error {
 	gcsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.get_challenge")
--- a/internal/outpost/ldap/bind/binder.go
+++ b/internal/outpost/ldap/bind/binder.go
@ -1,9 +1,14 @@
 package bind
-import "github.com/nmcclain/ldap"
+import (
 	"context"
 	"github.com/nmcclain/ldap"
 )
 type Binder interface {
 	GetUsername(string) (string, error)
 	Bind(username string, req *Request) (ldap.LDAPResultCode, error)
-	TimerFlowCacheExpiry()
+	Unbind(username string, req *Request) (ldap.LDAPResultCode, error)
 	TimerFlowCacheExpiry(context.Context)
 }
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@ -0,0 +1,98 @@
 package direct
 import (
 	"context"
 	"github.com/getsentry/sentry-go"
 	"github.com/nmcclain/ldap"
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/flow"
 	"goauthentik.io/internal/outpost/ldap/bind"
 	"goauthentik.io/internal/outpost/ldap/flags"
 	"goauthentik.io/internal/outpost/ldap/metrics"
 )
 func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResultCode, error) {
 	fe := flow.NewFlowExecutor(req.Context(), db.si.GetAuthenticationFlowSlug(), db.si.GetAPIClient().GetConfig(), log.Fields{
 		"bindDN":    req.BindDN,
 		"client":    req.RemoteAddr(),
 		"requestId": req.ID(),
 	})
 	fe.DelegateClientIP(req.RemoteAddr())
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")
 	fe.Answers[flow.StageIdentification] = username
 	fe.Answers[flow.StagePassword] = req.BindPW
 	passed, err := fe.Execute()
 	flags := flags.UserFlags{
 		Session: fe.GetSession(),
 	}
 	db.si.SetFlags(req.BindDN, &flags)
 	if err != nil {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "flow_error",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to execute flow")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
 	if !passed {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "invalid_credentials",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().Info("Invalid credentials")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
 	access, err := fe.CheckApplicationAccess(db.si.GetAppSlug())
 	if !access {
 		req.Log().Info("Access denied for user")
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "access_denied",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		return ldap.LDAPResultInsufficientAccessRights, nil
 	}
 	if err != nil {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "access_check_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	req.Log().Info("User has access")
 	uisp := sentry.StartSpan(req.Context(), "authentik.providers.ldap.bind.user_info")
 	// Get user info to store in context
 	userInfo, _, err := fe.ApiClient().CoreApi.CoreUsersMeRetrieve(context.Background()).Execute()
 	if err != nil {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "user_info_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	cs := db.SearchAccessCheck(userInfo.User)
 	flags.UserPk = userInfo.User.Pk
 	flags.CanSearch = cs != nil
 	db.si.SetFlags(req.BindDN, &flags)
 	if flags.CanSearch {
 		req.Log().WithField("group", cs).Info("Allowed access to search")
 	}
 	uisp.Finish()
 	return ldap.LDAPResultSuccess, nil
 }
--- a/internal/outpost/ldap/bind/direct/direct.go
+++ b/internal/outpost/ldap/bind/direct/direct.go
@ -5,16 +5,10 @@ import (
 	"errors"
 	"strings"
 	"github.com/getsentry/sentry-go"
 	goldap "github.com/go-ldap/ldap/v3"
 	"github.com/nmcclain/ldap"
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api/v3"
 	"goauthentik.io/internal/outpost/flow"
 	"goauthentik.io/internal/outpost/ldap/bind"
 	"goauthentik.io/internal/outpost/ldap/flags"
 	"goauthentik.io/internal/outpost/ldap/metrics"
 	"goauthentik.io/internal/outpost/ldap/server"
 	"goauthentik.io/internal/outpost/ldap/utils"
 )
@ -53,90 +47,6 @@ func (db *DirectBinder) GetUsername(dn string) (string, error) {
 	return "", errors.New("failed to find cn")
 }
 func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResultCode, error) {
 	fe := flow.NewFlowExecutor(req.Context(), db.si.GetFlowSlug(), db.si.GetAPIClient().GetConfig(), log.Fields{
 		"bindDN":    req.BindDN,
 		"client":    req.RemoteAddr(),
 		"requestId": req.ID(),
 	})
 	fe.DelegateClientIP(req.RemoteAddr())
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")
 	fe.Answers[flow.StageIdentification] = username
 	fe.Answers[flow.StagePassword] = req.BindPW
 	passed, err := fe.Execute()
 	flags := flags.UserFlags{
 		Session: fe.GetSession(),
 	}
 	db.si.SetFlags(req.BindDN, flags)
 	if err != nil {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "flow_error",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to execute flow")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
 	if !passed {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "invalid_credentials",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().Info("Invalid credentials")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
 	access, err := fe.CheckApplicationAccess(db.si.GetAppSlug())
 	if !access {
 		req.Log().Info("Access denied for user")
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "access_denied",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		return ldap.LDAPResultInsufficientAccessRights, nil
 	}
 	if err != nil {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "access_check_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	req.Log().Info("User has access")
 	uisp := sentry.StartSpan(req.Context(), "authentik.providers.ldap.bind.user_info")
 	// Get user info to store in context
 	userInfo, _, err := fe.ApiClient().CoreApi.CoreUsersMeRetrieve(context.Background()).Execute()
 	if err != nil {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "user_info_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	cs := db.SearchAccessCheck(userInfo.User)
 	flags.UserPk = userInfo.User.Pk
 	flags.CanSearch = cs != nil
 	db.si.SetFlags(req.BindDN, flags)
 	if flags.CanSearch {
 		req.Log().WithField("group", cs).Info("Allowed access to search")
 	}
 	uisp.Finish()
 	return ldap.LDAPResultSuccess, nil
 }
 // SearchAccessCheck Check if the current user is allowed to search
 func (db *DirectBinder) SearchAccessCheck(user api.UserSelf) *string {
 	for _, group := range user.Groups {
@ -153,8 +63,8 @@ func (db *DirectBinder) SearchAccessCheck(user api.UserSelf) *string {
 	return nil
 }
-func (db *DirectBinder) TimerFlowCacheExpiry() {
+func (db *DirectBinder) TimerFlowCacheExpiry(ctx context.Context) {
-	fe := flow.NewFlowExecutor(context.Background(), db.si.GetFlowSlug(), db.si.GetAPIClient().GetConfig(), log.Fields{})
+	fe := flow.NewFlowExecutor(ctx, db.si.GetAuthenticationFlowSlug(), db.si.GetAPIClient().GetConfig(), log.Fields{})
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")
 	fe.Params.Add("goauthentik.io/outpost/ldap-warmup", "true")
--- a/internal/outpost/ldap/bind/direct/unbind.go
+++ b/internal/outpost/ldap/bind/direct/unbind.go
@ -0,0 +1,29 @@
 package direct
 import (
 	"github.com/nmcclain/ldap"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/flow"
 	"goauthentik.io/internal/outpost/ldap/bind"
 )
 func (db *DirectBinder) Unbind(username string, req *bind.Request) (ldap.LDAPResultCode, error) {
 	flags := db.si.GetFlags(req.BindDN)
 	if flags == nil || flags.Session == nil {
 		return ldap.LDAPResultSuccess, nil
 	}
 	fe := flow.NewFlowExecutor(req.Context(), db.si.GetInvalidationFlowSlug(), db.si.GetAPIClient().GetConfig(), log.Fields{
 		"boundDN":   req.BindDN,
 		"client":    req.RemoteAddr(),
 		"requestId": req.ID(),
 	})
 	fe.SetSession(flags.Session)
 	fe.DelegateClientIP(req.RemoteAddr())
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")
 	_, err := fe.Execute()
 	if err != nil {
 		db.log.WithError(err).Warning("failed to logout user")
 	}
 	db.si.SetFlags(req.BindDN, nil)
 	return ldap.LDAPResultSuccess, nil
 }
--- a/internal/outpost/ldap/instance.go
+++ b/internal/outpost/ldap/instance.go
@ -27,10 +27,11 @@ type ProviderInstance struct {
 	searcher search.Searcher
 	binder   bind.Binder
-	appSlug  string
+	appSlug                string
-	flowSlug string
+	authenticationFlowSlug string
-	s        *LDAPServer
+	invalidationFlowSlug   string
-	log      *log.Entry
+	s                      *LDAPServer
 	log                    *log.Entry
 	tlsServerName       *string
 	cert                *tls.Certificate
@ -79,9 +80,13 @@ func (pi *ProviderInstance) GetFlags(dn string) *flags.UserFlags {
 	return flags
 }
-func (pi *ProviderInstance) SetFlags(dn string, flag flags.UserFlags) {
+func (pi *ProviderInstance) SetFlags(dn string, flag *flags.UserFlags) {
 	pi.boundUsersMutex.Lock()
-	pi.boundUsers[dn] = &flag
+	if flag == nil {
 		delete(pi.boundUsers, dn)
 	} else {
 		pi.boundUsers[dn] = flag
 	}
 	pi.boundUsersMutex.Unlock()
 }
@ -89,8 +94,12 @@ func (pi *ProviderInstance) GetAppSlug() string {
 	return pi.appSlug
 }
-func (pi *ProviderInstance) GetFlowSlug() string {
+func (pi *ProviderInstance) GetAuthenticationFlowSlug() string {
-	return pi.flowSlug
+	return pi.authenticationFlowSlug
 }
 func (pi *ProviderInstance) GetInvalidationFlowSlug() string {
 	return pi.invalidationFlowSlug
 }
 func (pi *ProviderInstance) GetSearchAllowedGroups() []*strfmt.UUID {
--- a/internal/outpost/ldap/ldap.go
+++ b/internal/outpost/ldap/ldap.go
@ -1,6 +1,7 @@
 package ldap
 import (
 	"context"
 	"crypto/tls"
 	"net"
 	"sync"
@ -40,6 +41,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
 	}
 	ls.defaultCert = &defaultCert
 	s.BindFunc("", ls)
 	s.UnbindFunc("", ls)
 	s.SearchFunc("", ls)
 	return ls
 }
@ -92,9 +94,13 @@ func (ls *LDAPServer) Start() error {
 	return nil
 }
-func (ls *LDAPServer) TimerFlowCacheExpiry() {
+func (ls *LDAPServer) Stop() error {
 	return nil
 }
 func (ls *LDAPServer) TimerFlowCacheExpiry(ctx context.Context) {
 	for _, p := range ls.providers {
-		ls.log.WithField("flow", p.flowSlug).Debug("Pre-heating flow cache")
+		ls.log.WithField("flow", p.authenticationFlowSlug).Debug("Pre-heating flow cache")
-		p.binder.TimerFlowCacheExpiry()
+		p.binder.TimerFlowCacheExpiry(ctx)
 	}
 }
--- a/internal/outpost/ldap/refresh.go
+++ b/internal/outpost/ldap/refresh.go
@ -28,6 +28,16 @@ func (ls *LDAPServer) getCurrentProvider(pk int32) *ProviderInstance {
 	return nil
 }
 func (ls *LDAPServer) getInvalidationFlow() string {
 	req, _, err := ls.ac.Client.CoreApi.CoreTenantsCurrentRetrieve(context.Background()).Execute()
 	if err != nil {
 		ls.log.WithError(err).Warning("failed to fetch tenant config")
 		return ""
 	}
 	flow := req.GetFlowInvalidation()
 	return flow
 }
 func (ls *LDAPServer) Refresh() error {
 	outposts, _, err := ls.ac.Client.OutpostsApi.OutpostsLdapList(context.Background()).Execute()
 	if err != nil {
@ -37,6 +47,7 @@ func (ls *LDAPServer) Refresh() error {
 		return errors.New("no ldap provider defined")
 	}
 	providers := make([]*ProviderInstance, len(outposts.Results))
 	invalidationFlow := ls.getInvalidationFlow()
 	for idx, provider := range outposts.Results {
 		userDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", constants.OUUsers, *provider.BaseDn))
 		groupDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", constants.OUGroups, *provider.BaseDn))
@ -53,22 +64,23 @@ func (ls *LDAPServer) Refresh() error {
 		}
 		providers[idx] = &ProviderInstance{
-			BaseDN:              *provider.BaseDn,
+			BaseDN:                 *provider.BaseDn,
-			VirtualGroupDN:      virtualGroupDN,
+			VirtualGroupDN:         virtualGroupDN,
-			GroupDN:             groupDN,
+			GroupDN:                groupDN,
-			UserDN:              userDN,
+			UserDN:                 userDN,
-			appSlug:             provider.ApplicationSlug,
+			appSlug:                provider.ApplicationSlug,
-			flowSlug:            provider.BindFlowSlug,
+			authenticationFlowSlug: provider.BindFlowSlug,
-			searchAllowedGroups: []*strfmt.UUID{(*strfmt.UUID)(provider.SearchGroup.Get())},
+			invalidationFlowSlug:   invalidationFlow,
-			boundUsersMutex:     sync.RWMutex{},
+			searchAllowedGroups:    []*strfmt.UUID{(*strfmt.UUID)(provider.SearchGroup.Get())},
-			boundUsers:          users,
+			boundUsersMutex:        sync.RWMutex{},
-			s:                   ls,
+			boundUsers:             users,
-			log:                 logger,
+			s:                      ls,
-			tlsServerName:       provider.TlsServerName,
+			log:                    logger,
-			uidStartNumber:      *provider.UidStartNumber,
+			tlsServerName:          provider.TlsServerName,
-			gidStartNumber:      *provider.GidStartNumber,
+			uidStartNumber:         *provider.UidStartNumber,
-			outpostName:         ls.ac.Outpost.Name,
+			gidStartNumber:         *provider.GidStartNumber,
-			outpostPk:           provider.Pk,
+			outpostName:            ls.ac.Outpost.Name,
 			outpostPk:              provider.Pk,
 		}
 		if kp := provider.Certificate.Get(); kp != nil {
 			err := ls.cs.AddKeypair(*kp)
--- a/internal/outpost/ldap/server/base.go
+++ b/internal/outpost/ldap/server/base.go
@ -11,7 +11,8 @@ type LDAPServerInstance interface {
 	GetAPIClient() *api.APIClient
 	GetOutpostName() string
-	GetFlowSlug() string
+	GetAuthenticationFlowSlug() string
 	GetInvalidationFlowSlug() string
 	GetAppSlug() string
 	GetSearchAllowedGroups() []*strfmt.UUID
@ -32,7 +33,7 @@ type LDAPServerInstance interface {
 	UsersForGroup(api.Group) []string
 	GetFlags(dn string) *flags.UserFlags
-	SetFlags(dn string, flags flags.UserFlags)
+	SetFlags(dn string, flags *flags.UserFlags)
 	GetBaseEntry() *ldap.Entry
 	GetNeededObjects(int, string, string) (bool, bool)
--- a/internal/outpost/ldap/unbind.go
+++ b/internal/outpost/ldap/unbind.go
@ -0,0 +1,53 @@
 package ldap
 import (
 	"net"
 	"github.com/getsentry/sentry-go"
 	"github.com/nmcclain/ldap"
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/ldap/bind"
 	"goauthentik.io/internal/outpost/ldap/metrics"
 )
 func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode, error) {
 	req, span := bind.NewRequest(boundDN, "", conn)
 	selectedApp := ""
 	defer func() {
 		span.Finish()
 		metrics.Requests.With(prometheus.Labels{
 			"outpost_name": ls.ac.Outpost.Name,
 			"type":         "unbind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Unbind request")
 	}()
 	defer func() {
 		err := recover()
 		if err == nil {
 			return
 		}
 		log.WithError(err.(error)).Error("recover in bind request")
 		sentry.CaptureException(err.(error))
 	}()
 	for _, instance := range ls.providers {
 		username, err := instance.binder.GetUsername(boundDN)
 		if err == nil {
 			selectedApp = instance.GetAppSlug()
 			return instance.binder.Unbind(username, req)
 		} else {
 			req.Log().WithError(err).Debug("Username not for instance")
 		}
 	}
 	req.Log().WithField("request", "unbind").Warning("No provider found for request")
 	metrics.RequestsRejected.With(prometheus.Labels{
 		"outpost_name": ls.ac.Outpost.Name,
 		"type":         "unbind",
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
 	return ldap.LDAPResultOperationsError, nil
 }
--- a/internal/outpost/ldap/utils/utils.go
+++ b/internal/outpost/ldap/utils/utils.go
@ -95,7 +95,12 @@ func IncludeObjectClass(searchOC string, ocs map[string]bool) bool {
 		return true
 	}
-	return ocs[searchOC]
+	for key, value := range ocs {
 		if strings.EqualFold(key, searchOC) {
 			return value
 		}
 	}
 	return false
 }
 func GetContainerEntry(filterOC string, dn string, ou string) *ldap.Entry {
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -70,19 +70,28 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 		ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri)
 	}
 	var verifier = oidc.NewVerifier(p.OidcConfiguration.Issuer, ks, &oidc.Config{
 		ClientID:             *p.ClientId,
 		SupportedSigningAlgs: []string{"RS256", "HS256"},
 	})
 	redirectUri, _ := url.Parse(p.ExternalHost)
 	redirectUri.Path = path.Join(redirectUri.Path, "/outpost.goauthentik.io/callback")
 	redirectUri.RawQuery = url.Values{
 		CallbackSignature: []string{"true"},
 	}.Encode()
 	managed := false
 	if m := ak.Outpost.Managed.Get(); m != nil {
 		managed = *m == "goauthentik.io/outposts/embedded"
 	}
 	// Configure an OpenID Connect aware OAuth2 client.
-	endpoint := GetOIDCEndpoint(p, ak.Outpost.Config["authentik_host"].(string))
+	endpoint := GetOIDCEndpoint(
 		p,
 		ak.Outpost.Config["authentik_host"].(string),
 		managed,
 	)
 	verifier := oidc.NewVerifier(endpoint.Issuer, ks, &oidc.Config{
 		ClientID:             *p.ClientId,
 		SupportedSigningAlgs: []string{"RS256", "HS256"},
 	})
 	oauth2Config := oauth2.Config{
 		ClientID:     *p.ClientId,
 		ClientSecret: *p.ClientSecret,
--- a/internal/outpost/proxyv2/application/endpoint.go
+++ b/internal/outpost/proxyv2/application/endpoint.go
@ -15,11 +15,23 @@ type OIDCEndpoint struct {
 	TokenIntrospection string
 	EndSessionEndpoint string
 	JwksUri            string
 	Issuer             string
 }
-func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
+func updateURL(rawUrl string, scheme string, host string) string {
 	u, err := url.Parse(rawUrl)
 	if err != nil {
 		return rawUrl
 	}
 	u.Host = host
 	u.Scheme = scheme
 	return u.String()
 }
 func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
 	authUrl := p.OidcConfiguration.AuthorizationEndpoint
 	endUrl := p.OidcConfiguration.EndSessionEndpoint
 	tokenUrl := p.OidcConfiguration.TokenEndpoint
 	jwksUrl := p.OidcConfiguration.JwksUri
 	if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
 		host := os.Getenv("AUTHENTIK_HOST")
@ -30,26 +42,15 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 	ep := OIDCEndpoint{
 		Endpoint: oauth2.Endpoint{
 			AuthURL:   authUrl,
-			TokenURL:  p.OidcConfiguration.TokenEndpoint,
+			TokenURL:  tokenUrl,
 			AuthStyle: oauth2.AuthStyleInParams,
 		},
 		EndSessionEndpoint: endUrl,
 		JwksUri:            jwksUrl,
 		TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
 		Issuer:             p.OidcConfiguration.Issuer,
 	}
-	authU, err := url.Parse(authUrl)
+	if !embedded {
 	if err != nil {
 		return ep
 	}
 	endU, err := url.Parse(endUrl)
 	if err != nil {
 		return ep
 	}
 	jwksU, err := url.Parse(jwksUrl)
 	if err != nil {
 		return ep
 	}
 	if authU.Host != "localhost:8000" {
 		return ep
 	}
 	if authentikHost == "" {
@ -60,14 +61,10 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 	if err != nil {
 		return ep
 	}
-	authU.Host = aku.Host
+	ep.AuthURL = updateURL(authUrl, aku.Scheme, aku.Host)
-	authU.Scheme = aku.Scheme
+	ep.EndSessionEndpoint = updateURL(endUrl, aku.Scheme, aku.Host)
-	endU.Host = aku.Host
+	ep.JwksUri = updateURL(jwksUrl, aku.Scheme, aku.Host)
-	endU.Scheme = aku.Scheme
+	ep.TokenURL = updateURL(tokenUrl, aku.Scheme, aku.Host)
-	jwksU.Host = aku.Host
+	ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)
 	jwksU.Scheme = aku.Scheme
 	ep.AuthURL = authU.String()
 	ep.EndSessionEndpoint = endU.String()
 	ep.JwksUri = jwksU.String()
 	return ep
 }
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@ -81,7 +81,7 @@ func (ps *ProxyServer) Type() string {
 	return "proxy"
 }
-func (ps *ProxyServer) TimerFlowCacheExpiry() {}
+func (ps *ProxyServer) TimerFlowCacheExpiry(context.Context) {}
 func (ps *ProxyServer) GetCertificate(serverName string) *tls.Certificate {
 	app, ok := ps.apps[serverName]
@ -163,6 +163,10 @@ func (ps *ProxyServer) Start() error {
 	return nil
 }
 func (ps *ProxyServer) Stop() error {
 	return nil
 }
 func (ps *ProxyServer) serve(listener net.Listener) {
 	srv := &http.Server{Handler: ps.mux}
--- a/internal/web/static.go
+++ b/internal/web/static.go
@ -61,7 +61,7 @@ func (ws *WebServer) configureStatic() {
 func (ws *WebServer) staticHeaderMiddleware(h http.Handler) http.Handler {
 	etagHandler := etag.Handler(h, false)
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Cache-Control", "\"public, no-transform\"")
+		w.Header().Set("Cache-Control", "public, no-transform")
 		w.Header().Set("X-authentik-version", constants.VERSION)
 		w.Header().Set("Vary", "X-authentik-version, Etag")
 		etagHandler.ServeHTTP(w, r)
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-01-13 14:37+0000\n"
+"POT-Creation-Date: 2023-01-23 09:41+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -18,7 +18,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-#: authentik/admin/api/tasks.py:126
+#: authentik/admin/api/tasks.py:124
 #, python-format
 msgid "Successfully re-scheduled Task %(name)s!"
 msgstr ""
@ -177,26 +177,26 @@ msgstr ""
 msgid "Authenticated Sessions"
 msgstr ""
-#: authentik/core/sources/flow_manager.py:198
+#: authentik/core/sources/flow_manager.py:197
 msgid "source"
 msgstr ""
-#: authentik/core/sources/flow_manager.py:250
+#: authentik/core/sources/flow_manager.py:248
 msgid "Configured flow does not exist."
 msgstr ""
-#: authentik/core/sources/flow_manager.py:281
+#: authentik/core/sources/flow_manager.py:278
-#: authentik/core/sources/flow_manager.py:333
+#: authentik/core/sources/flow_manager.py:330
 #, python-format
 msgid "Successfully authenticated with %(source)s!"
 msgstr ""
-#: authentik/core/sources/flow_manager.py:305
+#: authentik/core/sources/flow_manager.py:302
 #, python-format
 msgid "Successfully linked %(source)s!"
 msgstr ""
-#: authentik/core/sources/flow_manager.py:324
+#: authentik/core/sources/flow_manager.py:321
 msgid "Source is not configured for enrollment."
 msgstr ""
@ -255,9 +255,9 @@ msgid "Powered by authentik"
 msgstr ""
 #: authentik/core/views/apps.py:48
-#: authentik/providers/oauth2/views/authorize.py:358
+#: authentik/providers/oauth2/views/authorize.py:357
 #: authentik/providers/oauth2/views/device_init.py:68
-#: authentik/providers/saml/views/sso.py:69
+#: authentik/providers/saml/views/sso.py:68
 #, python-format
 msgid "You're about to sign into %(application)s."
 msgstr ""
@ -284,89 +284,89 @@ msgstr ""
 msgid "Certificate-Key Pairs"
 msgstr ""
-#: authentik/events/models.py:288
+#: authentik/events/models.py:287
 msgid "Event"
 msgstr ""
-#: authentik/events/models.py:289
+#: authentik/events/models.py:288
 msgid "Events"
 msgstr ""
-#: authentik/events/models.py:295
+#: authentik/events/models.py:294
 msgid "authentik inbuilt notifications"
 msgstr ""
-#: authentik/events/models.py:296
+#: authentik/events/models.py:295
 msgid "Generic Webhook"
 msgstr ""
-#: authentik/events/models.py:297
+#: authentik/events/models.py:296
 msgid "Slack Webhook (Slack/Discord)"
 msgstr ""
-#: authentik/events/models.py:298
+#: authentik/events/models.py:297
 msgid "Email"
 msgstr ""
-#: authentik/events/models.py:316
+#: authentik/events/models.py:315
 msgid ""
 "Only send notification once, for example when sending a webhook into a chat "
 "channel."
 msgstr ""
-#: authentik/events/models.py:376
+#: authentik/events/models.py:375
 msgid "Severity"
 msgstr ""
-#: authentik/events/models.py:381
+#: authentik/events/models.py:380
 msgid "Dispatched for user"
 msgstr ""
-#: authentik/events/models.py:465
+#: authentik/events/models.py:464
 msgid "Notification Transport"
 msgstr ""
-#: authentik/events/models.py:466
+#: authentik/events/models.py:465
 msgid "Notification Transports"
 msgstr ""
-#: authentik/events/models.py:472
+#: authentik/events/models.py:471
 msgid "Notice"
 msgstr ""
-#: authentik/events/models.py:473
+#: authentik/events/models.py:472
 msgid "Warning"
 msgstr ""
-#: authentik/events/models.py:474
+#: authentik/events/models.py:473
 msgid "Alert"
 msgstr ""
-#: authentik/events/models.py:500
+#: authentik/events/models.py:499
 msgid "Notification"
 msgstr ""
-#: authentik/events/models.py:501
+#: authentik/events/models.py:500
 msgid "Notifications"
 msgstr ""
-#: authentik/events/models.py:521
+#: authentik/events/models.py:520
 msgid "Controls which severity level the created notifications will have."
 msgstr ""
-#: authentik/events/models.py:547
+#: authentik/events/models.py:546
 msgid "Notification Rule"
 msgstr ""
-#: authentik/events/models.py:548
+#: authentik/events/models.py:547
 msgid "Notification Rules"
 msgstr ""
-#: authentik/events/models.py:569
+#: authentik/events/models.py:568
 msgid "Webhook Mapping"
 msgstr ""
-#: authentik/events/models.py:570
+#: authentik/events/models.py:569
 msgid "Webhook Mappings"
 msgstr ""
@ -374,7 +374,7 @@ msgstr ""
 msgid "Task has not been run yet."
 msgstr ""
-#: authentik/flows/api/flows.py:297
+#: authentik/flows/api/flows.py:292
 #, python-format
 msgid "Flow not applicable to current user/request: %(messages)s"
 msgstr ""
@ -490,12 +490,12 @@ msgstr ""
 msgid "%(value)s is not in the correct format of 'hours=3;minutes=1'."
 msgstr ""
-#: authentik/outposts/api/service_connections.py:132
+#: authentik/outposts/api/service_connections.py:131
 msgid ""
 "You can only use an empty kubeconfig when connecting to a local cluster."
 msgstr ""
-#: authentik/outposts/api/service_connections.py:140
+#: authentik/outposts/api/service_connections.py:139
 msgid "Invalid kubeconfig"
 msgstr ""
@ -925,7 +925,7 @@ msgstr ""
 msgid "Device Tokens"
 msgstr ""
-#: authentik/providers/oauth2/views/authorize.py:412
+#: authentik/providers/oauth2/views/authorize.py:411
 #: authentik/providers/saml/views/flows.py:88
 #, python-format
 msgid "Redirecting to %(app)s..."
@ -974,36 +974,42 @@ msgid ""
 "with internal_host."
 msgstr ""
-#: authentik/providers/proxy/models.py:79
+#: authentik/providers/proxy/models.py:80
 msgid ""
 "When enabled, this provider will intercept the authorization header and "
 "authenticate requests based on its value."
 msgstr ""
 #: authentik/providers/proxy/models.py:86
 msgid "Set HTTP-Basic Authentication"
 msgstr ""
-#: authentik/providers/proxy/models.py:81
+#: authentik/providers/proxy/models.py:88
 msgid ""
 "Set a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
-#: authentik/providers/proxy/models.py:86
+#: authentik/providers/proxy/models.py:93
 msgid "HTTP-Basic Username Key"
 msgstr ""
-#: authentik/providers/proxy/models.py:96
+#: authentik/providers/proxy/models.py:103
 msgid "HTTP-Basic Password Key"
 msgstr ""
-#: authentik/providers/proxy/models.py:152
+#: authentik/providers/proxy/models.py:159
 msgid "Proxy Provider"
 msgstr ""
-#: authentik/providers/proxy/models.py:153
+#: authentik/providers/proxy/models.py:160
 msgid "Proxy Providers"
 msgstr ""
-#: authentik/providers/saml/api/providers.py:261
+#: authentik/providers/saml/api/providers.py:260
 msgid "Invalid XML Syntax"
 msgstr ""
-#: authentik/providers/saml/api/providers.py:271
+#: authentik/providers/saml/api/providers.py:270
 #, python-format
 msgid "Failed to import Metadata: %(message)s"
 msgstr ""
@ -1174,7 +1180,7 @@ msgstr ""
 msgid "LDAP Property Mappings"
 msgstr ""
-#: authentik/sources/ldap/signals.py:58
+#: authentik/sources/ldap/signals.py:56
 msgid "Password does not match Active Directory Complexity."
 msgstr ""
@ -1323,7 +1329,7 @@ msgstr ""
 msgid "User OAuth Source Connections"
 msgstr ""
-#: authentik/sources/oauth/views/callback.py:103
+#: authentik/sources/oauth/views/callback.py:100
 #, python-format
 msgid "Authentication failed: %(reason)s"
 msgstr ""
@ -1460,30 +1466,35 @@ msgstr ""
 msgid "Optionally modify the payload being sent to custom providers."
 msgstr ""
-#: authentik/stages/authenticator_sms/models.py:176
+#: authentik/stages/authenticator_sms/models.py:81
 #, python-format
 msgid "Use this code to authenticate in authentik: %(token)s"
 msgstr ""
 #: authentik/stages/authenticator_sms/models.py:181
 msgid "SMS Authenticator Setup Stage"
 msgstr ""
-#: authentik/stages/authenticator_sms/models.py:177
+#: authentik/stages/authenticator_sms/models.py:182
 msgid "SMS Authenticator Setup Stages"
 msgstr ""
-#: authentik/stages/authenticator_sms/models.py:222
+#: authentik/stages/authenticator_sms/models.py:227
 msgid "SMS Device"
 msgstr ""
-#: authentik/stages/authenticator_sms/models.py:223
+#: authentik/stages/authenticator_sms/models.py:228
 msgid "SMS Devices"
 msgstr ""
-#: authentik/stages/authenticator_sms/stage.py:56
+#: authentik/stages/authenticator_sms/stage.py:55
-msgid "Invalid phone number"
+#: authentik/stages/authenticator_totp/stage.py:42
 #: authentik/stages/authenticator_totp/stage.py:45
 msgid "Code does not match"
 msgstr ""
-#: authentik/stages/authenticator_sms/stage.py:61
+#: authentik/stages/authenticator_sms/stage.py:71
-#: authentik/stages/authenticator_totp/stage.py:41
+msgid "Invalid phone number"
 #: authentik/stages/authenticator_totp/stage.py:44
 msgid "Code does not match"
 msgstr ""
 #: authentik/stages/authenticator_static/models.py:47
@ -1694,7 +1705,7 @@ msgstr ""
 #: authentik/stages/email/templates/email/password_reset.html:19
 msgid ""
 "\n"
-"                    You recently requested to change your password for you "
+"                    You recently requested to change your password for your "
 "authentik account. Use the button below to set a new password.\n"
 "                    "
 msgstr ""
@ -1794,7 +1805,7 @@ msgstr ""
 msgid "Invitations"
 msgstr ""
-#: authentik/stages/invitation/stage.py:61
+#: authentik/stages/invitation/stage.py:66
 msgid "Invalid invite/invite not found"
 msgstr ""
--- a/locale/ko_KR/LC_MESSAGES/django.mo
+++ b/locale/ko_KR/LC_MESSAGES/django.mo
--- a/locale/pl/LC_MESSAGES/django.mo
+++ b/locale/pl/LC_MESSAGES/django.mo
--- a/locale/pl_PL/LC_MESSAGES/django.mo
+++ b/locale/pl_PL/LC_MESSAGES/django.mo
--- a/locale/pt_PT/LC_MESSAGES/django.mo
+++ b/locale/pt_PT/LC_MESSAGES/django.mo
--- a/poetry.lock
+++ b/poetry.lock
@ -789,63 +789,63 @@ files = [
 [[package]]
 name = "coverage"
-version = "7.0.5"
+version = "7.1.0"
 description = "Code coverage measurement for Python"
 category = "dev"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "coverage-7.0.5-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:2a7f23bbaeb2a87f90f607730b45564076d870f1fb07b9318d0c21f36871932b"},
+    {file = "coverage-7.1.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:3b946bbcd5a8231383450b195cfb58cb01cbe7f8949f5758566b881df4b33baf"},
-    {file = "coverage-7.0.5-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c18d47f314b950dbf24a41787ced1474e01ca816011925976d90a88b27c22b89"},
+    {file = "coverage-7.1.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:ec8e767f13be637d056f7e07e61d089e555f719b387a7070154ad80a0ff31801"},
-    {file = "coverage-7.0.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ef14d75d86f104f03dea66c13188487151760ef25dd6b2dbd541885185f05f40"},
+    {file = "coverage-7.1.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d4a5a5879a939cb84959d86869132b00176197ca561c664fc21478c1eee60d75"},
-    {file = "coverage-7.0.5-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:66e50680e888840c0995f2ad766e726ce71ca682e3c5f4eee82272c7671d38a2"},
+    {file = "coverage-7.1.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b643cb30821e7570c0aaf54feaf0bfb630b79059f85741843e9dc23f33aaca2c"},
-    {file = "coverage-7.0.5-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a9fed35ca8c6e946e877893bbac022e8563b94404a605af1d1e6accc7eb73289"},
+    {file = "coverage-7.1.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:32df215215f3af2c1617a55dbdfb403b772d463d54d219985ac7cd3bf124cada"},
-    {file = "coverage-7.0.5-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:d8d04e755934195bdc1db45ba9e040b8d20d046d04d6d77e71b3b34a8cc002d0"},
+    {file = "coverage-7.1.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:33d1ae9d4079e05ac4cc1ef9e20c648f5afabf1a92adfaf2ccf509c50b85717f"},
-    {file = "coverage-7.0.5-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:7e109f1c9a3ece676597831874126555997c48f62bddbcace6ed17be3e372de8"},
+    {file = "coverage-7.1.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:29571503c37f2ef2138a306d23e7270687c0efb9cab4bd8038d609b5c2393a3a"},
-    {file = "coverage-7.0.5-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:0a1890fca2962c4f1ad16551d660b46ea77291fba2cc21c024cd527b9d9c8809"},
+    {file = "coverage-7.1.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:63ffd21aa133ff48c4dff7adcc46b7ec8b565491bfc371212122dd999812ea1c"},
-    {file = "coverage-7.0.5-cp310-cp310-win32.whl", hash = "sha256:be9fcf32c010da0ba40bf4ee01889d6c737658f4ddff160bd7eb9cac8f094b21"},
+    {file = "coverage-7.1.0-cp310-cp310-win32.whl", hash = "sha256:4b14d5e09c656de5038a3f9bfe5228f53439282abcab87317c9f7f1acb280352"},
-    {file = "coverage-7.0.5-cp310-cp310-win_amd64.whl", hash = "sha256:cbfcba14a3225b055a28b3199c3d81cd0ab37d2353ffd7f6fd64844cebab31ad"},
+    {file = "coverage-7.1.0-cp310-cp310-win_amd64.whl", hash = "sha256:8361be1c2c073919500b6601220a6f2f98ea0b6d2fec5014c1d9cfa23dd07038"},
-    {file = "coverage-7.0.5-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:30b5fec1d34cc932c1bc04017b538ce16bf84e239378b8f75220478645d11fca"},
+    {file = "coverage-7.1.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:da9b41d4539eefd408c46725fb76ecba3a50a3367cafb7dea5f250d0653c1040"},
-    {file = "coverage-7.0.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1caed2367b32cc80a2b7f58a9f46658218a19c6cfe5bc234021966dc3daa01f0"},
+    {file = "coverage-7.1.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:c5b15ed7644ae4bee0ecf74fee95808dcc34ba6ace87e8dfbf5cb0dc20eab45a"},
-    {file = "coverage-7.0.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d254666d29540a72d17cc0175746cfb03d5123db33e67d1020e42dae611dc196"},
+    {file = "coverage-7.1.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d12d076582507ea460ea2a89a8c85cb558f83406c8a41dd641d7be9a32e1274f"},
-    {file = "coverage-7.0.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:19245c249aa711d954623d94f23cc94c0fd65865661f20b7781210cb97c471c0"},
+    {file = "coverage-7.1.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e2617759031dae1bf183c16cef8fcfb3de7617f394c813fa5e8e46e9b82d4222"},
-    {file = "coverage-7.0.5-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7b05ed4b35bf6ee790832f68932baf1f00caa32283d66cc4d455c9e9d115aafc"},
+    {file = "coverage-7.1.0-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c4e4881fa9e9667afcc742f0c244d9364d197490fbc91d12ac3b5de0bf2df146"},
-    {file = "coverage-7.0.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:29de916ba1099ba2aab76aca101580006adfac5646de9b7c010a0f13867cba45"},
+    {file = "coverage-7.1.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:9d58885215094ab4a86a6aef044e42994a2bd76a446dc59b352622655ba6621b"},
-    {file = "coverage-7.0.5-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:e057e74e53db78122a3979f908973e171909a58ac20df05c33998d52e6d35757"},
+    {file = "coverage-7.1.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:ffeeb38ee4a80a30a6877c5c4c359e5498eec095878f1581453202bfacc8fbc2"},
-    {file = "coverage-7.0.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:411d4ff9d041be08fdfc02adf62e89c735b9468f6d8f6427f8a14b6bb0a85095"},
+    {file = "coverage-7.1.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:3baf5f126f30781b5e93dbefcc8271cb2491647f8283f20ac54d12161dff080e"},
-    {file = "coverage-7.0.5-cp311-cp311-win32.whl", hash = "sha256:52ab14b9e09ce052237dfe12d6892dd39b0401690856bcfe75d5baba4bfe2831"},
+    {file = "coverage-7.1.0-cp311-cp311-win32.whl", hash = "sha256:ded59300d6330be27bc6cf0b74b89ada58069ced87c48eaf9344e5e84b0072f7"},
-    {file = "coverage-7.0.5-cp311-cp311-win_amd64.whl", hash = "sha256:1f66862d3a41674ebd8d1a7b6f5387fe5ce353f8719040a986551a545d7d83ea"},
+    {file = "coverage-7.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:6a43c7823cd7427b4ed763aa7fb63901ca8288591323b58c9cd6ec31ad910f3c"},
-    {file = "coverage-7.0.5-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:b69522b168a6b64edf0c33ba53eac491c0a8f5cc94fa4337f9c6f4c8f2f5296c"},
+    {file = "coverage-7.1.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:7a726d742816cb3a8973c8c9a97539c734b3a309345236cd533c4883dda05b8d"},
-    {file = "coverage-7.0.5-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:436e103950d05b7d7f55e39beeb4d5be298ca3e119e0589c0227e6d0b01ee8c7"},
+    {file = "coverage-7.1.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bc7c85a150501286f8b56bd8ed3aa4093f4b88fb68c0843d21ff9656f0009d6a"},
-    {file = "coverage-7.0.5-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b8c56bec53d6e3154eaff6ea941226e7bd7cc0d99f9b3756c2520fc7a94e6d96"},
+    {file = "coverage-7.1.0-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f5b4198d85a3755d27e64c52f8c95d6333119e49fd001ae5798dac872c95e0f8"},
-    {file = "coverage-7.0.5-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7a38362528a9115a4e276e65eeabf67dcfaf57698e17ae388599568a78dcb029"},
+    {file = "coverage-7.1.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ddb726cb861c3117a553f940372a495fe1078249ff5f8a5478c0576c7be12050"},
-    {file = "coverage-7.0.5-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:f67472c09a0c7486e27f3275f617c964d25e35727af952869dd496b9b5b7f6a3"},
+    {file = "coverage-7.1.0-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:51b236e764840a6df0661b67e50697aaa0e7d4124ca95e5058fa3d7cbc240b7c"},
-    {file = "coverage-7.0.5-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:220e3fa77d14c8a507b2d951e463b57a1f7810a6443a26f9b7591ef39047b1b2"},
+    {file = "coverage-7.1.0-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:7ee5c9bb51695f80878faaa5598040dd6c9e172ddcf490382e8aedb8ec3fec8d"},
-    {file = "coverage-7.0.5-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:ecb0f73954892f98611e183f50acdc9e21a4653f294dfbe079da73c6378a6f47"},
+    {file = "coverage-7.1.0-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:c31b75ae466c053a98bf26843563b3b3517b8f37da4d47b1c582fdc703112bc3"},
-    {file = "coverage-7.0.5-cp37-cp37m-win32.whl", hash = "sha256:d8f3e2e0a1d6777e58e834fd5a04657f66affa615dae61dd67c35d1568c38882"},
+    {file = "coverage-7.1.0-cp37-cp37m-win32.whl", hash = "sha256:3b155caf3760408d1cb903b21e6a97ad4e2bdad43cbc265e3ce0afb8e0057e73"},
-    {file = "coverage-7.0.5-cp37-cp37m-win_amd64.whl", hash = "sha256:9e662e6fc4f513b79da5d10a23edd2b87685815b337b1a30cd11307a6679148d"},
+    {file = "coverage-7.1.0-cp37-cp37m-win_amd64.whl", hash = "sha256:2a60d6513781e87047c3e630b33b4d1e89f39836dac6e069ffee28c4786715f5"},
-    {file = "coverage-7.0.5-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:790e4433962c9f454e213b21b0fd4b42310ade9c077e8edcb5113db0818450cb"},
+    {file = "coverage-7.1.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:f2cba5c6db29ce991029b5e4ac51eb36774458f0a3b8d3137241b32d1bb91f06"},
-    {file = "coverage-7.0.5-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:49640bda9bda35b057b0e65b7c43ba706fa2335c9a9896652aebe0fa399e80e6"},
+    {file = "coverage-7.1.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:beeb129cacea34490ffd4d6153af70509aa3cda20fdda2ea1a2be870dfec8d52"},
-    {file = "coverage-7.0.5-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d66187792bfe56f8c18ba986a0e4ae44856b1c645336bd2c776e3386da91e1dd"},
+    {file = "coverage-7.1.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0c45948f613d5d18c9ec5eaa203ce06a653334cf1bd47c783a12d0dd4fd9c851"},
-    {file = "coverage-7.0.5-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:276f4cd0001cd83b00817c8db76730938b1ee40f4993b6a905f40a7278103b3a"},
+    {file = "coverage-7.1.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ef382417db92ba23dfb5864a3fc9be27ea4894e86620d342a116b243ade5d35d"},
-    {file = "coverage-7.0.5-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:95304068686545aa368b35dfda1cdfbbdbe2f6fe43de4a2e9baa8ebd71be46e2"},
+    {file = "coverage-7.1.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7c7c0d0827e853315c9bbd43c1162c006dd808dbbe297db7ae66cd17b07830f0"},
-    {file = "coverage-7.0.5-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:17e01dd8666c445025c29684d4aabf5a90dc6ef1ab25328aa52bedaa95b65ad7"},
+    {file = "coverage-7.1.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:e5cdbb5cafcedea04924568d990e20ce7f1945a1dd54b560f879ee2d57226912"},
-    {file = "coverage-7.0.5-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:ea76dbcad0b7b0deb265d8c36e0801abcddf6cc1395940a24e3595288b405ca0"},
+    {file = "coverage-7.1.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:9817733f0d3ea91bea80de0f79ef971ae94f81ca52f9b66500c6a2fea8e4b4f8"},
-    {file = "coverage-7.0.5-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:50a6adc2be8edd7ee67d1abc3cd20678987c7b9d79cd265de55941e3d0d56499"},
+    {file = "coverage-7.1.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:218fe982371ac7387304153ecd51205f14e9d731b34fb0568181abaf7b443ba0"},
-    {file = "coverage-7.0.5-cp38-cp38-win32.whl", hash = "sha256:e4ce984133b888cc3a46867c8b4372c7dee9cee300335e2925e197bcd45b9e16"},
+    {file = "coverage-7.1.0-cp38-cp38-win32.whl", hash = "sha256:04481245ef966fbd24ae9b9e537ce899ae584d521dfbe78f89cad003c38ca2ab"},
-    {file = "coverage-7.0.5-cp38-cp38-win_amd64.whl", hash = "sha256:4a950f83fd3f9bca23b77442f3a2b2ea4ac900944d8af9993743774c4fdc57af"},
+    {file = "coverage-7.1.0-cp38-cp38-win_amd64.whl", hash = "sha256:8ae125d1134bf236acba8b83e74c603d1b30e207266121e76484562bc816344c"},
-    {file = "coverage-7.0.5-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:3c2155943896ac78b9b0fd910fb381186d0c345911f5333ee46ac44c8f0e43ab"},
+    {file = "coverage-7.1.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:2bf1d5f2084c3932b56b962a683074a3692bce7cabd3aa023c987a2a8e7612f6"},
-    {file = "coverage-7.0.5-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:54f7e9705e14b2c9f6abdeb127c390f679f6dbe64ba732788d3015f7f76ef637"},
+    {file = "coverage-7.1.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:98b85dd86514d889a2e3dd22ab3c18c9d0019e696478391d86708b805f4ea0fa"},
-    {file = "coverage-7.0.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0ee30375b409d9a7ea0f30c50645d436b6f5dfee254edffd27e45a980ad2c7f4"},
+    {file = "coverage-7.1.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:38da2db80cc505a611938d8624801158e409928b136c8916cd2e203970dde4dc"},
-    {file = "coverage-7.0.5-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b78729038abea6a5df0d2708dce21e82073463b2d79d10884d7d591e0f385ded"},
+    {file = "coverage-7.1.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3164d31078fa9efe406e198aecd2a02d32a62fecbdef74f76dad6a46c7e48311"},
-    {file = "coverage-7.0.5-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:13250b1f0bd023e0c9f11838bdeb60214dd5b6aaf8e8d2f110c7e232a1bff83b"},
+    {file = "coverage-7.1.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:db61a79c07331e88b9a9974815c075fbd812bc9dbc4dc44b366b5368a2936063"},
-    {file = "coverage-7.0.5-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:2c407b1950b2d2ffa091f4e225ca19a66a9bd81222f27c56bd12658fc5ca1209"},
+    {file = "coverage-7.1.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:9ccb092c9ede70b2517a57382a601619d20981f56f440eae7e4d7eaafd1d1d09"},
-    {file = "coverage-7.0.5-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:c76a3075e96b9c9ff00df8b5f7f560f5634dffd1658bafb79eb2682867e94f78"},
+    {file = "coverage-7.1.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:33ff26d0f6cc3ca8de13d14fde1ff8efe1456b53e3f0273e63cc8b3c84a063d8"},
-    {file = "coverage-7.0.5-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:f26648e1b3b03b6022b48a9b910d0ae209e2d51f50441db5dce5b530fad6d9b1"},
+    {file = "coverage-7.1.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:d47dd659a4ee952e90dc56c97d78132573dc5c7b09d61b416a9deef4ebe01a0c"},
-    {file = "coverage-7.0.5-cp39-cp39-win32.whl", hash = "sha256:ba3027deb7abf02859aca49c865ece538aee56dcb4871b4cced23ba4d5088904"},
+    {file = "coverage-7.1.0-cp39-cp39-win32.whl", hash = "sha256:d248cd4a92065a4d4543b8331660121b31c4148dd00a691bfb7a5cdc7483cfa4"},
-    {file = "coverage-7.0.5-cp39-cp39-win_amd64.whl", hash = "sha256:949844af60ee96a376aac1ded2a27e134b8c8d35cc006a52903fc06c24a3296f"},
+    {file = "coverage-7.1.0-cp39-cp39-win_amd64.whl", hash = "sha256:7ed681b0f8e8bcbbffa58ba26fcf5dbc8f79e7997595bf071ed5430d8c08d6f3"},
-    {file = "coverage-7.0.5-pp37.pp38.pp39-none-any.whl", hash = "sha256:b9727ac4f5cf2cbf87880a63870b5b9730a8ae3a4a360241a0fdaa2f71240ff0"},
+    {file = "coverage-7.1.0-pp37.pp38.pp39-none-any.whl", hash = "sha256:755e89e32376c850f826c425ece2c35a4fc266c081490eb0a841e7c1cb0d3bda"},
-    {file = "coverage-7.0.5.tar.gz", hash = "sha256:051afcbd6d2ac39298d62d340f94dbb6a1f31de06dfaf6fcef7b759dd3860c45"},
+    {file = "coverage-7.1.0.tar.gz", hash = "sha256:10188fe543560ec4874f974b5305cd1a8bdcfa885ee00ea3a03733464c4ca265"},
 ]
 [package.extras]
@ -2084,27 +2084,25 @@ files = [
 [[package]]
 name = "paramiko"
-version = "2.12.0"
+version = "3.0.0"
 description = "SSH2 protocol library"
 category = "main"
 optional = false
-python-versions = "*"
+python-versions = ">=3.6"
 files = [
-    {file = "paramiko-2.12.0-py2.py3-none-any.whl", hash = "sha256:b2df1a6325f6996ef55a8789d0462f5b502ea83b3c990cbb5bbe57345c6812c4"},
+    {file = "paramiko-3.0.0-py3-none-any.whl", hash = "sha256:6bef55b882c9d130f8015b9a26f4bd93f710e90fe7478b9dcc810304e79b3cd8"},
-    {file = "paramiko-2.12.0.tar.gz", hash = "sha256:376885c05c5d6aa6e1f4608aac2a6b5b0548b1add40274477324605903d9cd49"},
+    {file = "paramiko-3.0.0.tar.gz", hash = "sha256:fedc9b1dd43bc1d45f67f1ceca10bc336605427a46dcdf8dec6bfea3edf57965"},
 ]
 [package.dependencies]
-bcrypt = ">=3.1.3"
+bcrypt = ">=3.2"
-cryptography = ">=2.5"
+cryptography = ">=3.3"
-pynacl = ">=1.0.1"
+pynacl = ">=1.5"
 six = "*"
 [package.extras]
-all = ["bcrypt (>=3.1.3)", "gssapi (>=1.4.1)", "invoke (>=1.3)", "pyasn1 (>=0.1.7)", "pynacl (>=1.0.1)", "pywin32 (>=2.1.8)"]
+all = ["gssapi (>=1.4.1)", "invoke (>=2.0)", "pyasn1 (>=0.1.7)", "pywin32 (>=2.1.8)"]
 ed25519 = ["bcrypt (>=3.1.3)", "pynacl (>=1.0.1)"]
 gssapi = ["gssapi (>=1.4.1)", "pyasn1 (>=0.1.7)", "pywin32 (>=2.1.8)"]
-invoke = ["invoke (>=1.3)"]
+invoke = ["invoke (>=2.0)"]
 [[package]]
 name = "pathspec"
@ -2853,14 +2851,14 @@ pyasn1 = ">=0.1.3"
 [[package]]
 name = "selenium"
-version = "4.7.2"
+version = "4.8.0"
 description = ""
 category = "dev"
 optional = false
-python-versions = "~=3.7"
+python-versions = ">=3.7"
 files = [
-    {file = "selenium-4.7.2-py3-none-any.whl", hash = "sha256:06a1c7d9f313130b21c3218ddd8852070d0e7419afdd31f96160cd576555a5ce"},
+    {file = "selenium-4.8.0-py3-none-any.whl", hash = "sha256:20f28ee4ea9b273b4112a7df5276ebb3052f79ff6eff42a564db6143e5926683"},
-    {file = "selenium-4.7.2.tar.gz", hash = "sha256:3aefa14a28a42e520550c1cd0f29cf1d566328186ea63aa9a3e01fb265b5894d"},
+    {file = "selenium-4.8.0.tar.gz", hash = "sha256:fee36724d6cf0b18c73781bb8ec7be4a35ab1e2564e64e64e64da75e50e052af"},
 ]
 [package.dependencies]
@ -2871,14 +2869,14 @@ urllib3 = {version = ">=1.26,<2.0", extras = ["socks"]}
 [[package]]
 name = "sentry-sdk"
-version = "1.13.0"
+version = "1.14.0"
 description = "Python client for Sentry (https://sentry.io)"
 category = "main"
 optional = false
 python-versions = "*"
 files = [
-    {file = "sentry-sdk-1.13.0.tar.gz", hash = "sha256:72da0766c3069a3941eadbdfa0996f83f5a33e55902a19ba399557cfee1dddcc"},
+    {file = "sentry-sdk-1.14.0.tar.gz", hash = "sha256:273fe05adf052b40fd19f6d4b9a5556316807246bd817e5e3482930730726bb0"},
-    {file = "sentry_sdk-1.13.0-py2.py3-none-any.whl", hash = "sha256:b7ff6318183e551145b5c4766eb65b59ad5b63ff234dffddc5fb50340cad6729"},
+    {file = "sentry_sdk-1.14.0-py2.py3-none-any.whl", hash = "sha256:72c00322217d813cf493fe76590b23a757e063ff62fec59299f4af7201dd4448"},
 ]
 [package.dependencies]
@ -2896,7 +2894,7 @@ falcon = ["falcon (>=1.4)"]
 fastapi = ["fastapi (>=0.79.0)"]
 flask = ["blinker (>=1.1)", "flask (>=0.11)"]
 httpx = ["httpx (>=0.16.0)"]
-opentelemetry = ["opentelemetry-distro (>=0.350b0)"]
+opentelemetry = ["opentelemetry-distro (>=0.35b0)"]
 pure-eval = ["asttokens", "executing", "pure-eval"]
 pymongo = ["pymongo (>=3.1)"]
 pyspark = ["pyspark (>=2.4.4)"]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -107,10 +107,14 @@ DJANGO_SETTINGS_MODULE = "authentik.root.settings"
 python_files = ["tests.py", "test_*.py", "*_tests.py"]
 junit_family = "xunit2"
 addopts = "-p no:celery --junitxml=unittest.xml"
 filterwarnings = [
  "ignore:defusedxml.lxml is no longer supported and will be removed in a future release.:DeprecationWarning",
  "ignore:SelectableGroups dict interface is deprecated. Use select.:DeprecationWarning",
 ]
 [tool.poetry]
 name = "authentik"
-version = "2023.1.0"
+version = "2023.1.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2023.1.0
+  version: 2023.1.2
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -23008,6 +23008,10 @@ paths:
        name: label
        schema:
          type: string
      - in: query
        name: name
        schema:
          type: string
      - name: ordering
        required: false
        in: query
@ -34263,6 +34267,9 @@ components:
      type: object
      description: Prompt Serializer
      properties:
        name:
          type: string
          minLength: 1
        field_key:
          type: string
          minLength: 1
@ -35278,6 +35285,8 @@ components:
          format: uuid
          readOnly: true
          title: Prompt uuid
        name:
          type: string
        field_key:
          type: string
          description: Name of the form field, also used to store the value
@ -35304,6 +35313,7 @@ components:
      required:
      - field_key
      - label
      - name
      - pk
      - type
    PromptChallenge:
@ -35345,6 +35355,9 @@ components:
      type: object
      description: Prompt Serializer
      properties:
        name:
          type: string
          minLength: 1
        field_key:
          type: string
          minLength: 1
@ -35373,6 +35386,7 @@ components:
      required:
      - field_key
      - label
      - name
      - type
    PromptStage:
      type: object
--- a/tests/e2e/test_flows_authenticators.py
+++ b/tests/e2e/test_flows_authenticators.py
@ -26,8 +26,8 @@ class TestFlowsAuthenticator(SeleniumTestCase):
    @retry()
    @apply_blueprint(
-        "default/10-flow-default-authentication-flow.yaml",
+        "default/flow-default-authentication-flow.yaml",
-        "default/10-flow-default-invalidation-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
    )
    def test_totp_validate(self):
        """test flow with otp stages"""
@ -52,10 +52,10 @@ class TestFlowsAuthenticator(SeleniumTestCase):
    @retry()
    @apply_blueprint(
-        "default/10-flow-default-authentication-flow.yaml",
+        "default/flow-default-authentication-flow.yaml",
-        "default/10-flow-default-invalidation-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
    )
-    @apply_blueprint("default/20-flow-default-authenticator-totp-setup.yaml")
+    @apply_blueprint("default/flow-default-authenticator-totp-setup.yaml")
    def test_totp_setup(self):
        """test TOTP Setup stage"""
        flow: Flow = Flow.objects.get(slug="default-authentication-flow")
@ -98,10 +98,10 @@ class TestFlowsAuthenticator(SeleniumTestCase):
    @retry()
    @apply_blueprint(
-        "default/10-flow-default-authentication-flow.yaml",
+        "default/flow-default-authentication-flow.yaml",
-        "default/10-flow-default-invalidation-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
    )
-    @apply_blueprint("default/20-flow-default-authenticator-static-setup.yaml")
+    @apply_blueprint("default/flow-default-authenticator-static-setup.yaml")
    def test_static_setup(self):
        """test Static OTP Setup stage"""
        flow: Flow = Flow.objects.get(slug="default-authentication-flow")
--- a/tests/e2e/test_flows_enroll.py
+++ b/tests/e2e/test_flows_enroll.py
@ -41,19 +41,28 @@ class TestFlowsEnroll(SeleniumTestCase):
    @retry()
    @apply_blueprint(
-        "default/10-flow-default-authentication-flow.yaml",
+        "default/flow-default-authentication-flow.yaml",
-        "default/10-flow-default-invalidation-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
    )
    def test_enroll_2_step(self):
        """Test 2-step enroll flow"""
        # First stage fields
        username_prompt = Prompt.objects.create(
-            field_key="username", label="Username", order=0, type=FieldTypes.TEXT
+            name=generate_id(),
            field_key="username",
            label="Username",
            order=0,
            type=FieldTypes.TEXT,
        )
        password = Prompt.objects.create(
-            field_key="password", label="Password", order=1, type=FieldTypes.PASSWORD
+            name=generate_id(),
            field_key="password",
            label="Password",
            order=1,
            type=FieldTypes.PASSWORD,
        )
        password_repeat = Prompt.objects.create(
            name=generate_id(),
            field_key="password_repeat",
            label="Password (repeat)",
            order=2,
@ -62,10 +71,10 @@ class TestFlowsEnroll(SeleniumTestCase):
        # Second stage fields
        name_field = Prompt.objects.create(
-            field_key="name", label="Name", order=0, type=FieldTypes.TEXT
+            name=generate_id(), field_key="name", label="Name", order=0, type=FieldTypes.TEXT
        )
        email = Prompt.objects.create(
-            field_key="email", label="E-Mail", order=1, type=FieldTypes.EMAIL
+            name=generate_id(), field_key="email", label="E-Mail", order=1, type=FieldTypes.EMAIL
        )
        # Stages
@ -107,19 +116,28 @@ class TestFlowsEnroll(SeleniumTestCase):
    @retry()
    @apply_blueprint(
-        "default/10-flow-default-authentication-flow.yaml",
+        "default/flow-default-authentication-flow.yaml",
-        "default/10-flow-default-invalidation-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
    )
    def test_enroll_email(self):
        """Test enroll with Email verification"""
        # First stage fields
        username_prompt = Prompt.objects.create(
-            field_key="username", label="Username", order=0, type=FieldTypes.TEXT
+            name=generate_id(),
            field_key="username",
            label="Username",
            order=0,
            type=FieldTypes.TEXT,
        )
        password = Prompt.objects.create(
-            field_key="password", label="Password", order=1, type=FieldTypes.PASSWORD
+            name=generate_id(),
            field_key="password",
            label="Password",
            order=1,
            type=FieldTypes.PASSWORD,
        )
        password_repeat = Prompt.objects.create(
            name=generate_id(),
            field_key="password_repeat",
            label="Password (repeat)",
            order=2,
@ -128,10 +146,10 @@ class TestFlowsEnroll(SeleniumTestCase):
        # Second stage fields
        name_field = Prompt.objects.create(
-            field_key="name", label="Name", order=0, type=FieldTypes.TEXT
+            name=generate_id(), field_key="name", label="Name", order=0, type=FieldTypes.TEXT
        )
        email = Prompt.objects.create(
-            field_key="email", label="E-Mail", order=1, type=FieldTypes.EMAIL
+            name=generate_id(), field_key="email", label="E-Mail", order=1, type=FieldTypes.EMAIL
        )
        # Stages
--- a/tests/e2e/test_flows_login.py
+++ b/tests/e2e/test_flows_login.py
@ -12,8 +12,8 @@ class TestFlowsLogin(SeleniumTestCase):
    @retry()
    @apply_blueprint(
-        "default/10-flow-default-authentication-flow.yaml",
+        "default/flow-default-authentication-flow.yaml",
-        "default/10-flow-default-invalidation-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
    )
    def test_login(self):
        """test default login flow"""
--- a/tests/e2e/test_flows_stage_setup.py
+++ b/tests/e2e/test_flows_stage_setup.py
@ -18,10 +18,10 @@ class TestFlowsStageSetup(SeleniumTestCase):
    """test stage setup flows"""
    @retry()
-    @apply_blueprint("default/0-flow-password-change.yaml")
+    @apply_blueprint("default/flow-password-change.yaml")
    @apply_blueprint(
-        "default/10-flow-default-authentication-flow.yaml",
+        "default/flow-default-authentication-flow.yaml",
-        "default/10-flow-default-invalidation-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
    )
    def test_password_change(self):
        """test password change flow"""
--- a/Show More
+++ b/Show More