bump go api client

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
go: use fixed names
2024-11-20 22:15:34 +01:00 · 2024-11-20 22:04:49 +01:00 · 2024-11-20 22:04:34 +01:00 · 2024-11-20 21:33:35 +01:00 · 2024-11-20 21:31:00 +01:00 · 2024-11-20 18:36:29 +01:00
169 changed files with 22525 additions and 6476 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2024.10.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -116,7 +116,7 @@ jobs:
          poetry run make test
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: unit
          token: ${{ secrets.CODECOV_TOKEN }}
@ -140,7 +140,7 @@ jobs:
          poetry run coverage run manage.py test tests/integration
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: integration
          token: ${{ secrets.CODECOV_TOKEN }}
@ -198,7 +198,7 @@ jobs:
          poetry run coverage run manage.py test ${{ matrix.job.glob }}
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: e2e
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -18,7 +18,7 @@ jobs:
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
-          docker build --no-cache -t testing:latest .
+          docker build -t testing:latest .
          echo "AUTHENTIK_IMAGE=testing" >> .env
          echo "AUTHENTIK_TAG=latest" >> .env
          docker compose up --no-start
--- a/2
+++ b/2
@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    go build -o /go/authentik ./cmd/server
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
--- a/9
+++ b/9
@ -149,7 +149,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.10.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
@ -165,7 +165,7 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.10.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@ -184,13 +184,14 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	docker run \
 		--rm -v ${PWD}/${GEN_API_GO}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.10.0 generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/ \
 		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
-	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
+	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/ ./${GEN_API_GO}/test
 	go run golang.org/x/tools/cmd/goimports@latest -w ./${GEN_API_GO}
 gen-dev-config:  ## Generate a local development config file
 	python -m scripts.generate_config
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.10.5"
+__version__ = "2024.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -293,7 +293,11 @@ class Importer:
        serializer_kwargs = {}
        model_instance = existing_models.first()
-        if not isinstance(model(), BaseMetaModel) and model_instance:
+        if (
            not isinstance(model(), BaseMetaModel)
            and model_instance
            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
        ):
            self.logger.debug(
                "Initialise serializer with instance",
                model=model,
@ -303,11 +307,12 @@ class Importer:
            serializer_kwargs["instance"] = model_instance
            serializer_kwargs["partial"] = True
        elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
-            raise EntryInvalidError.from_entry(
+            msg = (
-                (
+                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
                "and object exists already",
-                ),
+            )
            raise EntryInvalidError.from_entry(
                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
                entry,
            )
        else:
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -1,10 +1,12 @@
 """transactional application and provider creation"""
 from django.apps import apps
 from django.db.models import Model
 from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@ -22,6 +24,7 @@ from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer
 def get_provider_serializer_mapping():
@ -45,6 +48,13 @@ class TransactionProviderField(DictField):
    """Dictionary field which can hold provider creation data"""
 class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
    """PolicyBindingSerializer which does not require target as target is set implicitly"""
    class Meta(PolicyBindingSerializer.Meta):
        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
 class TransactionApplicationSerializer(PassiveSerializer):
    """Serializer for creating a provider and an application in one transaction"""
@ -52,6 +62,8 @@ class TransactionApplicationSerializer(PassiveSerializer):
    provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
    provider = TransactionProviderField()
    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
    _provider_model: type[Provider] = None
    def validate_provider_model(self, fq_model_name: str) -> str:
@ -96,6 +108,19 @@ class TransactionApplicationSerializer(PassiveSerializer):
                id="app",
            )
        )
        for binding in attrs.get("policy_bindings", []):
            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
            for key, value in binding.items():
                if not isinstance(value, Model):
                    continue
                binding[key] = value.pk
            blueprint.entries.append(
                BlueprintEntry(
                    model="authentik_policies.policybinding",
                    state=BlueprintEntryDesiredState.MUST_CREATED,
                    identifiers=binding,
                )
            )
        importer = Importer(blueprint, {})
        try:
            valid, _ = importer.validate(raise_validation_errors=True)
@ -120,8 +145,7 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
    """Create provider and application and attach them in a single transaction"""
-    # TODO: Migrate to a more specific permission
+    permission_classes = [IsAuthenticated]
    permission_classes = [IsAdminUser]
    @extend_schema(
        request=TransactionApplicationSerializer(),
@ -133,8 +157,23 @@ class TransactionalApplicationView(APIView):
        """Convert data into a blueprint, validate it and apply it"""
        data = TransactionApplicationSerializer(data=request.data)
        data.is_valid(raise_exception=True)
-
+        blueprint: Blueprint = data.validated_data
-        importer = Importer(data.validated_data, {})
+        for entry in blueprint.entries:
            full_model = entry.get_model(blueprint)
            app, __, model = full_model.partition(".")
            if not request.user.has_perm(f"{app}.add_{model}"):
                raise PermissionDenied(
                    {
                        entry.id: _(
                            "User lacks permission to create {model}".format_map(
                                {
                                    "model": full_model,
                                }
                            )
                        )
                    }
                )
        importer = Importer(blueprint, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
        response["applied"] = applied
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -666,7 +666,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.impersonate")
    @extend_schema(
-        request=OpenApiTypes.NONE,
+        request=inline_serializer(
            "ImpersonationSerializer",
            {
                "reason": CharField(required=True),
            },
        ),
        responses={
            "204": OpenApiResponse(description="Successfully started impersonation"),
            "401": OpenApiResponse(description="Access denied"),
@ -679,6 +684,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            LOGGER.debug("User attempted to impersonate", user=request.user)
            return Response(status=401)
        user_to_be = self.get_object()
        reason = request.data.get("reason", "")
        # Check both object-level perms and global perms
        if not request.user.has_perm(
            "authentik_core.impersonate", user_to_be
@ -688,11 +694,16 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if user_to_be.pk == self.request.user.pk:
            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
            return Response(status=401)
        if not reason and request.tenant.impersonation_require_reason:
            LOGGER.debug(
                "User attempted to impersonate without providing a reason", user=request.user
            )
            return Response(status=401)
        request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
        request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
-        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
        return Response(status=201)
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider
@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
        self.user = create_test_admin_user()
        self.provider = OAuth2Provider.objects.create(
            name="test",
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
+            redirect_uris="http://some-other-domain",
            authorization_flow=create_test_flow(),
        )
        self.allowed: Application = Application.objects.create(
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -29,7 +29,8 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            )
+            ),
            data={"reason": "some reason"},
        )
        response = self.client.get(reverse("authentik_api:user-me"))
@ -55,7 +56,8 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            )
+            ),
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 201)
@ -75,7 +77,8 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            )
+            ),
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 201)
@ -89,7 +92,8 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.other_user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 403)
@ -105,7 +109,8 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 401)
@ -118,7 +123,22 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 401)
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.user.username)
    def test_impersonate_reason_required(self):
        """test impersonation that user must provide reason"""
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
            data={"reason": ""},
        )
        self.assertEqual(response.status_code, 401)
--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -1,11 +1,13 @@
 """Test Transactional API"""
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
-from authentik.core.models import Application
+from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.lib.generators import generate_id
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
@ -13,7 +15,9 @@ class TestTransactionalApplicationsAPI(APITestCase):
    """Test Transactional API"""
    def setUp(self) -> None:
-        self.user = create_test_admin_user()
+        self.user = create_test_user()
        assign_perm("authentik_core.add_application", self.user)
        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
    def test_create_transactional(self):
        """Test transactional Application + provider creation"""
@ -31,7 +35,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "redirect_uris": [],
                },
            },
        )
@ -42,6 +45,65 @@ class TestTransactionalApplicationsAPI(APITestCase):
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
    def test_create_transactional_permission_denied(self):
        """Test transactional Application + provider creation (missing permissions)"""
        self.client.force_login(self.user)
        uid = generate_id()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_saml.samlprovider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "acs_url": "https://goauthentik.io",
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
        )
    def test_create_transactional_bindings(self):
        """Test transactional Application + provider creation"""
        assign_perm("authentik_policies.add_policybinding", self.user)
        self.client.force_login(self.user)
        uid = generate_id()
        group = Group.objects.create(name=generate_id())
        authorization_flow = create_test_flow()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(authorization_flow.pk),
                    "invalidation_flow": str(authorization_flow.pk),
                },
                "policy_bindings": [{"group": group.pk, "order": 0}],
            },
        )
        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
        provider = OAuth2Provider.objects.filter(name=uid).first()
        self.assertIsNotNone(provider)
        app = Application.objects.filter(slug=uid).first()
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
        binding = PolicyBinding.objects.filter(target=app).first()
        self.assertIsNotNone(binding)
        self.assertEqual(binding.target, app)
        self.assertEqual(binding.group, group)
    def test_create_transactional_invalid(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
@ -58,7 +120,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                    "name": uid,
                    "authorization_flow": "",
                    "invalidation_flow": "",
                    "redirect_uris": [],
                },
            },
        )
@ -71,3 +132,32 @@ class TestTransactionalApplicationsAPI(APITestCase):
                }
            },
        )
    def test_create_transactional_duplicate_name_provider(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
        uid = generate_id()
        OAuth2Provider.objects.create(
            name=uid,
            authorization_flow=create_test_flow(),
            invalidation_flow=create_test_flow(),
        )
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"provider": {"name": ["State is set to must_created and object exists already"]}},
        )
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 class TestCrypto(APITestCase):
@ -274,7 +274,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
@ -306,7 +306,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
--- a/authentik/enterprise/middleware.py
+++ b/authentik/enterprise/middleware.py
@ -6,7 +6,6 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@ -60,9 +59,6 @@ class EnterpriseMiddleware:
        # Flow executor is mounted as an API path but explicitly allowed
        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
            return True
        # Always allow making changes to users, even in case the license has ben exceeded
        if request.resolver_match._func_path == class_to_path(UserViewSet):
            return True
        # Only apply these restrictions to the API
        if "authentik_api" not in request.resolver_match.app_names:
            return True
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
@ -4,9 +4,7 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@ -28,7 +26,6 @@ HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
    """Google Chrome Device-trust connector based endpoint authenticator"""
--- a/authentik/enterprise/tests/test_read_only.py
+++ b/authentik/enterprise/tests/test_read_only.py
@ -215,49 +215,3 @@ class TestReadOnly(FlowTestCase):
            {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
        )
        self.assertEqual(response.status_code, 400)
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=expiry_valid,
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_external_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.record_usage",
        MagicMock(),
    )
    def test_manage_users(self):
        """Test that managing users is still possible"""
        License.objects.create(key=generate_id())
        usage = LicenseUsage.objects.create(
            internal_user_count=100,
            external_user_count=100,
            status=LicenseUsageStatus.VALID,
        )
        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
        usage.save(update_fields=["record_date"])
        admin = create_test_admin_user()
        self.client.force_login(admin)
        # Reading is always allowed
        response = self.client.get(reverse("authentik_api:user-list"))
        self.assertEqual(response.status_code, 200)
        # Writing should also be allowed
        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
        self.assertEqual(response.status_code, 200)
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -60,7 +60,7 @@ def default_event_duration():
    """Default duration an Event is saved.
    This is used as a fallback when no brand is available"""
    try:
-        tenant = get_current_tenant()
+        tenant = get_current_tenant(only=["event_retention"])
        return now() + timedelta_from_string(tenant.event_retention)
    except Tenant.DoesNotExist:
        return now() + timedelta(days=365)
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -2,7 +2,6 @@
 from typing import TYPE_CHECKING
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@ -225,14 +224,6 @@ class ChallengeStageView(StageView):
                full_errors[field].append(field_error)
        challenge_response.initial_data["response_errors"] = full_errors
        if not challenge_response.is_valid():
            if settings.TEST:
                raise StageInvalidException(
                    (
                        f"Invalid challenge response: \n\t{challenge_response.errors}"
                        f"\n\nValidated data:\n\t {challenge_response.data}"
                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
                    ),
                )
            self.logger.error(
                "f(ch): invalid challenge response",
                errors=challenge_response.errors,
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -1,18 +1,15 @@
 """OAuth2Provider API Views"""
 from copy import copy
 from re import compile
 from re import error as RegexError
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField
+from rest_framework.fields import CharField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -23,39 +20,13 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
 from authentik.core.models import Provider
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
    AccessToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.rbac.decorators import permission_required
 class RedirectURISerializer(PassiveSerializer):
    """A single allowed redirect URI entry"""
    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
    url = CharField()
 class OAuth2ProviderSerializer(ProviderSerializer):
    """OAuth2Provider Serializer"""
    redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
    def validate_redirect_uris(self, data: list) -> list:
        for entry in data:
            if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
                url = entry.get("url")
                try:
                    compile(url)
                except RegexError:
                    raise ValidationError(
                        _("Invalid Regex Pattern: {url}".format(url=url))
                    ) from None
        return data
    class Meta:
        model = OAuth2Provider
        fields = ProviderSerializer.Meta.fields + [
@ -108,6 +79,7 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
        "refresh_token_validity",
        "include_claims_in_id_token",
        "signing_key",
        "redirect_uris",
        "sub_mode",
        "property_mappings",
        "issuer_mode",
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from authentik.events.models import Event, EventAction
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.views import bad_request_message
-from authentik.providers.oauth2.models import GrantTypes, RedirectURI
+from authentik.providers.oauth2.models import GrantTypes
 class OAuth2Error(SentryIgnoredException):
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
    )
    provided_uri: str
-    allowed_uris: list[RedirectURI]
+    allowed_uris: list[str]
-    def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
+    def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
        super().__init__()
        self.provided_uri = provided_uri
        self.allowed_uris = allowed_uris
--- a/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py
+++ b/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py
@ -37,7 +37,7 @@ def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 class Migration(migrations.Migration):
    dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_core", "0040_provider_invalidation_flow"),
        ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
    ]
--- a/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
+++ b/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
@ -8,7 +8,7 @@ from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_core", "0040_provider_invalidation_flow"),
        ("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
--- a/authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py
+++ b/authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py
@ -1,49 +0,0 @@
 # Generated by Django 5.0.9 on 2024-11-04 12:56
 from dataclasses import asdict
 from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db import migrations, models
 def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
    OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
    db_alias = schema_editor.connection.alias
    for provider in OAuth2Provider.objects.using(db_alias).all():
        uris = []
        for old in provider.old_redirect_uris.split("\n"):
            mode = RedirectURIMatchingMode.STRICT
            if old == "*" or old == ".*":
                mode = RedirectURIMatchingMode.REGEX
            uris.append(asdict(RedirectURI(mode, url=old)))
        provider._redirect_uris = uris
        provider.save()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
    ]
    operations = [
        migrations.RenameField(
            model_name="oauth2provider",
            old_name="redirect_uris",
            new_name="old_redirect_uris",
        ),
        migrations.AddField(
            model_name="oauth2provider",
            name="_redirect_uris",
            field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
        ),
        migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
        migrations.RemoveField(
            model_name="oauth2provider",
            name="old_redirect_uris",
        ),
    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -3,7 +3,7 @@
 import base64
 import binascii
 import json
-from dataclasses import asdict, dataclass
+from dataclasses import asdict
 from functools import cached_property
 from hashlib import sha256
 from typing import Any
@ -12,7 +12,6 @@ from urllib.parse import urlparse, urlunparse
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from dacite import Config
 from dacite.core import from_dict
 from django.contrib.postgres.indexes import HashIndex
 from django.db import models
@ -78,25 +77,11 @@ class IssuerMode(models.TextChoices):
    """Configure how the `iss` field is created."""
    GLOBAL = "global", _("Same identifier is used for all providers")
-    PER_PROVIDER = (
+    PER_PROVIDER = "per_provider", _(
-        "per_provider",
+        "Each provider has a different issuer, based on the application slug."
        _("Each provider has a different issuer, based on the application slug."),
    )
 class RedirectURIMatchingMode(models.TextChoices):
    STRICT = "strict", _("Strict URL comparison")
    REGEX = "regex", _("Regular Expression URL matching")
@dataclass
 class RedirectURI:
    """A single redirect URI entry"""
    matching_mode: RedirectURIMatchingMode
    url: str
 class ResponseTypes(models.TextChoices):
    """Response Type required by the client."""
@ -171,9 +156,11 @@ class OAuth2Provider(WebfingerProvider, Provider):
        verbose_name=_("Client Secret"),
        default=generate_client_secret,
    )
-    _redirect_uris = models.JSONField(
+    redirect_uris = models.TextField(
-        default=dict,
+        default="",
        blank=True,
        verbose_name=_("Redirect URIs"),
        help_text=_("Enter each URI on a new line."),
    )
    include_claims_in_id_token = models.BooleanField(
@ -284,33 +271,12 @@ class OAuth2Provider(WebfingerProvider, Provider):
        except Provider.application.RelatedObjectDoesNotExist:
            return None
    @property
    def redirect_uris(self) -> list[RedirectURI]:
        uris = []
        for entry in self._redirect_uris:
            uris.append(
                from_dict(
                    RedirectURI,
                    entry,
                    config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
                )
            )
        return uris
    @redirect_uris.setter
    def redirect_uris(self, value: list[RedirectURI]):
        cleansed = []
        for entry in value:
            cleansed.append(asdict(entry))
        self._redirect_uris = cleansed
    @property
    def launch_url(self) -> str | None:
        """Guess launch_url based on first redirect_uri"""
-        redirects = self.redirect_uris
+        if self.redirect_uris == "":
        if len(redirects) < 1:
            return None
-        main_url = redirects[0].url
+        main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
        try:
            launch_url = urlparse(main_url)._replace(path="")
            return urlunparse(launch_url)
--- a/authentik/providers/oauth2/tests/test_api.py
+++ b/authentik/providers/oauth2/tests/test_api.py
@ -10,13 +10,7 @@ from rest_framework.test import APITestCase
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 class TestAPI(APITestCase):
@ -27,7 +21,7 @@ class TestAPI(APITestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@ -56,29 +50,9 @@ class TestAPI(APITestCase):
    @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
    def test_launch_url(self):
        """Test launch_url"""
-        self.provider.redirect_uris = [
+        self.provider.redirect_uris = (
-            RedirectURI(
+            "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
-                RedirectURIMatchingMode.REGEX,
+        )
                "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
            ),
        ]
        self.provider.save()
        self.provider.refresh_from_db()
        self.assertIsNone(self.provider.launch_url)
    def test_validate_redirect_uris(self):
        """Test redirect_uris API"""
        response = self.client.post(
            reverse("authentik_api:oauth2provider-list"),
            data={
                "name": generate_id(),
                "authorization_flow": create_test_flow().pk,
                "invalidation_flow": create_test_flow().pk,
                "redirect_uris": [
                    {"matching_mode": "strict", "url": "http://goauthentik.io"},
                    {"matching_mode": "regex", "url": "**"},
                ],
            },
        )
        self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
        self.assertEqual(response.status_code, 400)
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -19,8 +19,6 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -41,7 +39,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -66,7 +64,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -86,7 +84,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -108,7 +106,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
+            redirect_uris="data:local.invalid",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
@ -127,7 +125,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[],
+            redirect_uris="",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -142,7 +140,7 @@ class TestAuthorize(OAuthTestCase):
        )
        OAuthAuthorizationParams.from_request(request)
        provider.refresh_from_db()
-        self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
+        self.assertEqual(provider.redirect_uris, "+")
    def test_invalid_redirect_uri_regex(self):
        """test missing/invalid redirect URI"""
@ -150,7 +148,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
+            redirect_uris="http://local.invalid?",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -172,7 +170,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
+            redirect_uris="+",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -215,7 +213,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -303,7 +301,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -345,7 +343,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -422,7 +420,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
            encryption_key=self.keypair,
        )
@ -488,7 +486,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -543,7 +541,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id=generate_id(),
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -601,7 +599,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id=generate_id(),
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@ -11,14 +11,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -30,7 +23,7 @@ class TesOAuth2Introspection(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        self.app = Application.objects.create(
@ -125,7 +118,7 @@ class TesOAuth2Introspection(OAuthTestCase):
        provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
--- a/authentik/providers/oauth2/tests/test_jwks.py
+++ b/authentik/providers/oauth2/tests/test_jwks.py
@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.crypto.builder import PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 TEST_CORDS_CERT = """
@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=create_test_cert(),
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
        response = self.client.get(
@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
@ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
            encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
        )
@ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=cert,
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -10,14 +10,7 @@ from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -29,7 +22,7 @@ class TesOAuth2Revoke(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        self.app = Application.objects.create(
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@ -22,8 +22,6 @@ from authentik.providers.oauth2.models import (
    AccessToken,
    AuthorizationCode,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
    ScopeMapping,
 )
@ -44,7 +42,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
+            redirect_uris="http://TestServer",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -71,7 +69,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -92,7 +90,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -120,7 +118,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        # Needs to be assigned to an application for iss to be set
@ -159,7 +157,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
            encryption_key=self.keypair,
        )
@ -190,7 +188,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -252,7 +250,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -310,7 +308,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
--- a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
@ -19,12 +19,7 @@ from authentik.providers.oauth2.constants import (
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
 )
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 from authentik.providers.oauth2.views.jwks import JWKSView
 from authentik.sources.oauth.models import OAuthSource
@ -59,7 +54,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=self.cert,
        )
        self.provider.jwks_sources.add(self.source)
--- a/authentik/providers/oauth2/tests/test_token_cc_standard.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_standard.py
@ -19,13 +19,7 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
    AccessToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -39,7 +33,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
@ -113,48 +107,6 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
            {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
        )
    def test_incorrect_scopes(self):
        """test scope that isn't configured"""
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE} extra_scope",
                "client_id": self.provider.client_id,
                "client_secret": self.provider.client_secret,
            },
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["token_type"], TOKEN_TYPE)
        token = AccessToken.objects.filter(
            provider=self.provider, token=body["access_token"]
        ).first()
        self.assertSetEqual(
            set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE}
        )
        _, alg = self.provider.jwt_key
        jwt = decode(
            body["access_token"],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(
            jwt["given_name"], "Autogenerated user from application test (client credentials)"
        )
        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
        jwt = decode(
            body["id_token"],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(
            jwt["given_name"], "Autogenerated user from application test (client credentials)"
        )
        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
    def test_successful(self):
        """test successful"""
        response = self.client.post(
--- a/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
@ -20,12 +20,7 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -39,7 +34,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/tests/test_token_cc_user_pw.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_user_pw.py
@ -19,12 +19,7 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -38,7 +33,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/tests/test_token_device.py
+++ b/authentik/providers/oauth2/tests/test_token_device.py
@ -9,19 +9,8 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_code_fixed_length, generate_id
-from authentik.providers.oauth2.constants import (
+from authentik.providers.oauth2.constants import GRANT_TYPE_DEVICE_CODE
-    GRANT_TYPE_DEVICE_CODE,
+from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
 )
 from authentik.providers.oauth2.models import (
    AccessToken,
    DeviceToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -35,7 +24,7 @@ class TestTokenDeviceCode(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
@ -91,28 +80,3 @@ class TestTokenDeviceCode(OAuthTestCase):
            },
        )
        self.assertEqual(res.status_code, 200)
    def test_code_mismatched_scope(self):
        """Test code with user (mismatched scopes)"""
        device_token = DeviceToken.objects.create(
            provider=self.provider,
            user_code=generate_code_fixed_length(),
            device_code=generate_id(),
            user=self.user,
            scope=[SCOPE_OPENID, SCOPE_OPENID_EMAIL],
        )
        res = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            data={
                "client_id": self.provider.client_id,
                "grant_type": GRANT_TYPE_DEVICE_CODE,
                "device_code": device_token.device_code,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} invalid",
            },
        )
        self.assertEqual(res.status_code, 200)
        body = loads(res.content)
        token = AccessToken.objects.filter(
            provider=self.provider, token=body["access_token"]
        ).first()
        self.assertSetEqual(set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL})
--- a/authentik/providers/oauth2/tests/test_token_pkce.py
+++ b/authentik/providers/oauth2/tests/test_token_pkce.py
@ -10,12 +10,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
    AuthorizationCode,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -35,7 +30,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -98,7 +93,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -159,7 +154,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -215,7 +210,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
--- a/authentik/providers/oauth2/tests/test_userinfo.py
+++ b/authentik/providers/oauth2/tests/test_userinfo.py
@ -11,14 +11,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -32,7 +25,7 @@ class TestUserinfo(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -56,8 +56,6 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ResponseMode,
    ResponseTypes,
    ScopeMapping,
@ -189,39 +187,40 @@ class OAuthAuthorizationParams:
    def check_redirect_uri(self):
        """Redirect URI validation."""
-        allowed_redirect_urls = self.provider.redirect_uris
+        allowed_redirect_urls = self.provider.redirect_uris.split()
        if not self.redirect_uri:
            LOGGER.warning("Missing redirect uri.")
            raise RedirectUriError("", allowed_redirect_urls)
-        if len(allowed_redirect_urls) < 1:
+        if self.provider.redirect_uris == "":
            LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
-            self.provider.redirect_uris = [
+            self.provider.redirect_uris = self.redirect_uri
                RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
            ]
            self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris
+            allowed_redirect_urls = self.provider.redirect_uris.split()
        if self.provider.redirect_uris == "*":
            LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri)
            self.provider.redirect_uris = ".*"
            self.provider.save()
            allowed_redirect_urls = self.provider.redirect_uris.split()
        match_found = False
        for allowed in allowed_redirect_urls:
            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
                if self.redirect_uri == allowed.url:
                    match_found = True
                    break
            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
        try:
-                    if fullmatch(allowed.url, self.redirect_uri):
+            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
                        match_found = True
                        break
                except RegexError as exc:
                LOGGER.warning(
-                        "Failed to parse regular expression",
+                    "Invalid redirect uri (regex comparison)",
-                        exc=exc,
+                    redirect_uri_given=self.redirect_uri,
-                        url=allowed.url,
+                    redirect_uri_expected=allowed_redirect_urls,
                        provider=self.provider,
                )
        if not match_found:
                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
        except RegexError as exc:
            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
                LOGGER.warning(
                    "Invalid redirect uri (strict comparison)",
                    redirect_uri_given=self.redirect_uri,
                    redirect_uri_expected=allowed_redirect_urls,
                )
                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -162,5 +162,5 @@ class ProviderInfoView(View):
            OAuth2Provider, pk=application.provider_id
        )
        response = super().dispatch(request, *args, **kwargs)
-        cors_allow(request, response, *[x.url for x in self.provider.redirect_uris])
+        cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
        return response
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -58,9 +58,7 @@ from authentik.providers.oauth2.models import (
    ClientTypes,
    DeviceToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
    RefreshToken,
    ScopeMapping,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
 from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
@ -79,7 +77,7 @@ class TokenParams:
    redirect_uri: str
    grant_type: str
    state: str
-    scope: set[str]
+    scope: list[str]
    provider: OAuth2Provider
@ -114,26 +112,11 @@ class TokenParams:
            redirect_uri=request.POST.get("redirect_uri", ""),
            grant_type=request.POST.get("grant_type", ""),
            state=request.POST.get("state", ""),
-            scope=set(request.POST.get("scope", "").split()),
+            scope=request.POST.get("scope", "").split(),
            # PKCE parameter.
            code_verifier=request.POST.get("code_verifier"),
        )
    def __check_scopes(self):
        allowed_scope_names = set(
            ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
                "scope_name", flat=True
            )
        )
        scopes_to_check = self.scope
        if not scopes_to_check.issubset(allowed_scope_names):
            LOGGER.info(
                "Application requested scopes not configured, setting to overlap",
                scope_allowed=allowed_scope_names,
                scope_given=self.scope,
            )
            self.scope = self.scope.intersection(allowed_scope_names)
    def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
        with start_span(
            op="authentik.providers.oauth2.token.policy",
@ -166,7 +149,7 @@ class TokenParams:
                    client_id=self.provider.client_id,
                )
                raise TokenError("invalid_client")
-        self.__check_scopes()
+
        if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
            with start_span(
                op="authentik.providers.oauth2.post.parse.code",
@ -196,7 +179,42 @@ class TokenParams:
            LOGGER.warning("Missing authorization code")
            raise TokenError("invalid_grant")
-        self.__check_redirect_uri(request)
+        allowed_redirect_urls = self.provider.redirect_uris.split()
        # At this point, no provider should have a blank redirect_uri, in case they do
        # this will check an empty array and raise an error
        try:
            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
                LOGGER.warning(
                    "Invalid redirect uri (regex comparison)",
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                )
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message="Invalid redirect URI used by provider",
                    provider=self.provider,
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                ).from_http(request)
                raise TokenError("invalid_client")
        except RegexError as exc:
            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
                LOGGER.warning(
                    "Invalid redirect uri (strict comparison)",
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                )
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message="Invalid redirect_uri configured",
                    provider=self.provider,
                ).from_http(request)
                raise TokenError("invalid_client") from None
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise TokenError("invalid_request")
        self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
        if not self.authorization_code:
@ -236,48 +254,6 @@ class TokenParams:
        if not self.authorization_code.code_challenge and self.code_verifier:
            raise TokenError("invalid_grant")
    def __check_redirect_uri(self, request: HttpRequest):
        allowed_redirect_urls = self.provider.redirect_uris
        # At this point, no provider should have a blank redirect_uri, in case they do
        # this will check an empty array and raise an error
        match_found = False
        for allowed in allowed_redirect_urls:
            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
                if self.redirect_uri == allowed.url:
                    match_found = True
                    break
            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
                try:
                    if fullmatch(allowed.url, self.redirect_uri):
                        match_found = True
                        break
                except RegexError as exc:
                    LOGGER.warning(
                        "Failed to parse regular expression",
                        exc=exc,
                        url=allowed.url,
                        provider=self.provider,
                    )
                    Event.new(
                        EventAction.CONFIGURATION_ERROR,
                        message="Invalid redirect_uri configured",
                        provider=self.provider,
                    ).from_http(request)
        if not match_found:
            Event.new(
                EventAction.CONFIGURATION_ERROR,
                message="Invalid redirect URI used by provider",
                provider=self.provider,
                redirect_uri=self.redirect_uri,
                expected=allowed_redirect_urls,
            ).from_http(request)
            raise TokenError("invalid_client")
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise TokenError("invalid_request")
    def __post_init_refresh(self, raw_token: str, request: HttpRequest):
        if not raw_token:
            LOGGER.warning("Missing refresh token")
@ -521,7 +497,7 @@ class TokenView(View):
        response = super().dispatch(request, *args, **kwargs)
        allowed_origins = []
        if self.provider:
-            allowed_origins = [x.url for x in self.provider.redirect_uris]
+            allowed_origins = self.provider.redirect_uris.split("\n")
        cors_allow(self.request, response, *allowed_origins)
        return response
@ -734,7 +710,7 @@ class TokenView(View):
            "id_token": access_token.id_token.to_jwt(self.provider),
        }
-        if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
+        if SCOPE_OFFLINE_ACCESS in self.params.scope:
            refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
            refresh_token = RefreshToken(
                user=self.params.device_code.user,
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@ -108,7 +108,7 @@ class UserInfoView(View):
        response = super().dispatch(request, *args, **kwargs)
        allowed_origins = []
        if self.token:
-            allowed_origins = [x.url for x in self.token.provider.redirect_uris]
+            allowed_origins = self.token.provider.redirect_uris.split("\n")
        cors_allow(self.request, response, *allowed_origins)
        return response
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -13,7 +13,6 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.api.providers import RedirectURISerializer
 from authentik.providers.oauth2.models import ScopeMapping
 from authentik.providers.oauth2.views.provider import ProviderInfoView
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
@ -40,7 +39,7 @@ class ProxyProviderSerializer(ProviderSerializer):
    """ProxyProvider Serializer"""
    client_id = CharField(read_only=True)
-    redirect_uris = RedirectURISerializer(many=True, read_only=True, source="_redirect_uris")
+    redirect_uris = CharField(read_only=True)
    outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
    def validate_basic_auth_enabled(self, value: bool) -> bool:
@ -122,6 +121,7 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
        "basic_auth_password_attribute": ["iexact"],
        "basic_auth_user_attribute": ["iexact"],
        "mode": ["iexact"],
        "redirect_uris": ["iexact"],
        "cookie_domain": ["iexact"],
    }
    search_fields = ["name"]
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -13,13 +13,7 @@ from rest_framework.serializers import Serializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.outposts.models import OutpostModel
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
    ClientTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 SCOPE_AK_PROXY = "ak_proxy"
 OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
@ -30,14 +24,14 @@ def get_cookie_secret():
    return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
-def _get_callback_url(uri: str) -> list[RedirectURI]:
+def _get_callback_url(uri: str) -> str:
-    return [
+    return "\n".join(
-        RedirectURI(
+        [
-            RedirectURIMatchingMode.STRICT,
+            urljoin(uri, "outpost.goauthentik.io/callback")
-            urljoin(uri, "outpost.goauthentik.io/callback") + f"?{OUTPOST_CALLBACK_SIGNATURE}=true",
+            + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
-        ),
+            uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
        RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"?{OUTPOST_CALLBACK_SIGNATURE}=true"),
        ]
    )
 class ProxyMode(models.TextChoices):
--- a/authentik/root/monitoring.py
+++ b/authentik/root/monitoring.py
@ -1,8 +1,6 @@
 """Metrics view"""
-from hmac import compare_digest
+from base64 import b64encode
 from pathlib import Path
 from tempfile import gettempdir
 from django.conf import settings
 from django.db import connections
@ -18,21 +16,22 @@ monitoring_set = Signal()
 class MetricsView(View):
-    """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""
+    """Wrapper around ExportToDjangoView, using http-basic auth"""
    def __init__(self, **kwargs):
        _tmp = Path(gettempdir())
        with open(_tmp / "authentik-core-metrics.key") as _f:
            self.monitoring_key = _f.read()
    def get(self, request: HttpRequest) -> HttpResponse:
        """Check for HTTP-Basic auth"""
        auth_header = request.META.get("HTTP_AUTHORIZATION", "")
        auth_type, _, given_credentials = auth_header.partition(" ")
-        authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
+        credentials = f"monitor:{settings.SECRET_KEY}"
        expected = b64encode(str.encode(credentials)).decode()
        authed = auth_type == "Basic" and given_credentials == expected
        if not authed and not settings.DEBUG:
-            return HttpResponse(status=401)
+            response = HttpResponse(status=401)
            response["WWW-Authenticate"] = 'Basic realm="authentik-monitoring"'
            return response
        monitoring_set.send_robust(self)
        return ExportToDjangoView(request)
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -38,6 +38,7 @@ LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False
 X_FRAME_OPTIONS = "SAMEORIGIN"
 AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
@ -303,12 +304,10 @@ DATABASES = {
        "USER": CONFIG.get("postgresql.user"),
        "PASSWORD": CONFIG.get("postgresql.password"),
        "PORT": CONFIG.get("postgresql.port"),
-        "OPTIONS": {
+        "SSLMODE": CONFIG.get("postgresql.sslmode"),
-            "sslmode": CONFIG.get("postgresql.sslmode"),
+        "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
-            "sslrootcert": CONFIG.get("postgresql.sslrootcert"),
+        "SSLCERT": CONFIG.get("postgresql.sslcert"),
-            "sslcert": CONFIG.get("postgresql.sslcert"),
+        "SSLKEY": CONFIG.get("postgresql.sslkey"),
            "sslkey": CONFIG.get("postgresql.sslkey"),
        },
        "TEST": {
            "NAME": CONFIG.get("postgresql.test.name"),
        },
--- a/authentik/root/tests.py
+++ b/authentik/root/tests.py
@ -1,9 +1,8 @@
 """root tests"""
-from pathlib import Path
+from base64 import b64encode
 from secrets import token_urlsafe
 from tempfile import gettempdir
 from django.conf import settings
 from django.test import TestCase
 from django.urls import reverse
@ -11,16 +10,6 @@ from django.urls import reverse
 class TestRoot(TestCase):
    """Test root application"""
    def setUp(self):
        _tmp = Path(gettempdir())
        self.token = token_urlsafe(32)
        with open(_tmp / "authentik-core-metrics.key", "w") as _f:
            _f.write(self.token)
    def tearDown(self):
        _tmp = Path(gettempdir())
        (_tmp / "authentik-core-metrics.key").unlink()
    def test_monitoring_error(self):
        """Test monitoring without any credentials"""
        response = self.client.get(reverse("metrics"))
@ -28,7 +17,8 @@ class TestRoot(TestCase):
    def test_monitoring_ok(self):
        """Test monitoring with credentials"""
-        auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
+        creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode("utf-8")
        auth_headers = {"HTTP_AUTHORIZATION": creds}
        response = self.client.get(reverse("metrics"), **auth_headers)
        self.assertEqual(response.status_code, 200)
--- a/authentik/sources/kerberos/models.py
+++ b/authentik/sources/kerberos/models.py
@ -6,7 +6,6 @@ from tempfile import gettempdir
 from typing import Any
 import gssapi
 import kadmin
 import pglock
 from django.db import connection, models
 from django.db.models.fields import b64decode
@ -14,6 +13,8 @@ from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from kadmin import KAdmin
 from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@ -30,9 +31,8 @@ from authentik.flows.challenge import RedirectChallenge
 LOGGER = get_logger()
-# python-kadmin leaks file descriptors. As such, this global is used to reuse
+# Creating kadmin connections is expensive. As such, this global is used to reuse
-# existing kadmin connections instead of creating new ones, which results in less to no file
+# existing kadmin connections instead of creating new ones
 # descriptors leaks
 _kadmin_connections: dict[str, Any] = {}
@ -198,13 +198,13 @@ class KerberosSource(Source):
        conf_path.write_text(self.krb5_conf)
        return str(conf_path)
-    def _kadmin_init(self) -> "kadmin.KAdmin | None":
+    def _kadmin_init(self) -> KAdmin | None:
        # kadmin doesn't use a ccache for its connection
        # as such, we don't need to create a separate ccache for each source
        if not self.sync_principal:
            return None
        if self.sync_password:
-            return kadmin.init_with_password(
+            return KAdmin.with_password(
                self.sync_principal,
                self.sync_password,
            )
@ -215,18 +215,18 @@ class KerberosSource(Source):
                keytab_path.touch(mode=0o600)
                keytab_path.write_bytes(b64decode(self.sync_keytab))
                keytab = f"FILE:{keytab_path}"
-            return kadmin.init_with_keytab(
+            return KAdmin.with_keytab(
                self.sync_principal,
                keytab,
            )
        if self.sync_ccache:
-            return kadmin.init_with_ccache(
+            return KAdmin.with_ccache(
                self.sync_principal,
                self.sync_ccache,
            )
        return None
-    def connection(self) -> "kadmin.KAdmin | None":
+    def connection(self) -> KAdmin | None:
        """Get kadmin connection"""
        if str(self.pk) not in _kadmin_connections:
            kadm = self._kadmin_init()
@ -246,7 +246,7 @@ class KerberosSource(Source):
                    status["status"] = "no connection"
                    return status
                status["principal_exists"] = kadm.principal_exists(self.sync_principal)
-            except kadmin.KAdminError as exc:
+            except PyKAdminException as exc:
                status["status"] = str(exc)
        return status
--- a/authentik/sources/kerberos/signals.py
+++ b/authentik/sources/kerberos/signals.py
@ -1,8 +1,8 @@
 """authentik kerberos source signals"""
 import kadmin
 from django.db.models.signals import post_save
 from django.dispatch import receiver
 from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
@ -48,7 +48,7 @@ def kerberos_sync_password(sender, user: User, password: str, **_):
                source.connection().getprinc(user_source_connection.identifier).change_password(
                    password
                )
-            except kadmin.KAdminError as exc:
+            except PyKAdminException as exc:
                LOGGER.warning("failed to set Kerberos password", exc=exc, source=source)
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
--- a/authentik/sources/kerberos/sync.py
+++ b/authentik/sources/kerberos/sync.py
@ -2,9 +2,9 @@
 from typing import Any
 import kadmin
 from django.core.exceptions import FieldError
 from django.db import IntegrityError, transaction
 from kadmin import KAdmin
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.expression.exceptions import (
@ -30,7 +30,7 @@ class KerberosSync:
    _source: KerberosSource
    _logger: BoundLogger
-    _connection: "kadmin.KAdmin"
+    _connection: KAdmin
    mapper: SourceMapper
    user_manager: PropertyMappingManager
    group_manager: PropertyMappingManager
@ -161,7 +161,7 @@ class KerberosSync:
        user_count = 0
        with Krb5ConfContext(self._source):
-            for principal in self._connection.principals():
+            for principal in self._connection.list_principals(None):
                if self._handle_principal(principal):
                    user_count += 1
        return user_count
--- a/authentik/sources/kerberos/tests/test_auth.py
+++ b/authentik/sources/kerberos/tests/test_auth.py
@ -23,6 +23,7 @@ class TestKerberosAuth(KerberosTestCase):
        )
        self.user = User.objects.create(username=generate_id())
        self.user.set_unusable_password()
        self.user.save()
        UserKerberosSourceConnection.objects.create(
            source=self.source, user=self.user, identifier=self.realm.user_princ
        )
--- a/authentik/sources/kerberos/tests/test_spnego.py
+++ b/authentik/sources/kerberos/tests/test_spnego.py
@ -2,6 +2,8 @@
 from base64 import b64decode, b64encode
 from pathlib import Path
 from sys import platform
 from unittest import skipUnless
 import gssapi
 from django.urls import reverse
@ -36,6 +38,7 @@ class TestSPNEGOSource(KerberosTestCase):
        )
        self.assertEqual(response.status_code, 200)
    @skipUnless(platform.startswith("linux"), "Requires compatible GSSAPI implementation")
    def test_source_login(self):
        """test login view"""
        response = self.client.get(
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -332,7 +332,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
            serializer = SelectableStageSerializer(
                data={
                    "pk": stage.pk,
-                    "name": getattr(stage, "friendly_name", stage.name) or stage.name,
+                    "name": getattr(stage, "friendly_name", stage.name),
                    "verbose_name": str(stage._meta.verbose_name)
                    .replace("Setup Stage", "")
                    .strip(),
--- a/authentik/stages/authenticator_validate/tests/test_stage.py
+++ b/authentik/stages/authenticator_validate/tests/test_stage.py
@ -4,7 +4,6 @@ from unittest.mock import MagicMock, patch
 from django.test.client import RequestFactory
 from django.urls.base import reverse
 from django.utils.timezone import now
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, NotConfiguredAction
@ -14,7 +13,6 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDigits
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_validate.stage import PLAN_CONTEXT_DEVICE_CHALLENGES
@ -78,8 +76,8 @@ class AuthenticatorValidateStageTests(FlowTestCase):
        conf_stage = AuthenticatorStaticStage.objects.create(
            name=generate_id(),
        )
-        conf_stage2 = AuthenticatorTOTPStage.objects.create(
+        conf_stage2 = AuthenticatorStaticStage.objects.create(
-            name=generate_id(), digits=TOTPDigits.SIX
+            name=generate_id(),
        )
        stage = AuthenticatorValidateStage.objects.create(
            name=generate_id(),
@ -155,14 +153,10 @@ class AuthenticatorValidateStageTests(FlowTestCase):
            {
                "device_class": "static",
                "device_uid": "1",
                "challenge": {},
                "last_used": now(),
            },
            {
                "device_class": "totp",
                "device_uid": "2",
                "challenge": {},
                "last_used": now(),
            },
        ]
        session[SESSION_KEY_PLAN] = plan
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -26,7 +26,6 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
 from authentik.lib.avatars import DEFAULT_AVATAR
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
@ -77,7 +76,7 @@ class IdentificationChallenge(Challenge):
    allow_show_password = BooleanField(default=False)
    application_pre = CharField(required=False)
    flow_designation = ChoiceField(FlowDesignation.choices)
-    captcha_stage = CaptchaChallenge(required=False, allow_null=True)
+    captcha_stage = CaptchaChallenge(required=False)
    enroll_url = CharField(required=False)
    recovery_url = CharField(required=False)
@ -225,8 +224,6 @@ class IdentificationStageView(ChallengeStageView):
                        "js_url": current_stage.captcha_stage.js_url,
                        "site_key": current_stage.captcha_stage.public_key,
                        "interactive": current_stage.captcha_stage.interactive,
                        "pending_user": "",
                        "pending_user_avatar": DEFAULT_AVATAR,
                    }
                    if current_stage.captcha_stage
                    else None
--- a/authentik/tenants/api/settings.py
+++ b/authentik/tenants/api/settings.py
@ -23,6 +23,7 @@ class SettingsSerializer(ModelSerializer):
            "footer_links",
            "gdpr_compliance",
            "impersonation",
            "impersonation_require_reason",
            "default_token_duration",
            "default_token_length",
        ]
--- a/authentik/tenants/migrations/0004_tenant_impersonation_require_reason.py
+++ b/authentik/tenants/migrations/0004_tenant_impersonation_require_reason.py
@ -0,0 +1,21 @@
 # Generated by Django 5.0.9 on 2024-11-07 15:08
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_tenants", "0003_alter_tenant_default_token_duration"),
    ]
    operations = [
        migrations.AddField(
            model_name="tenant",
            name="impersonation_require_reason",
            field=models.BooleanField(
                default=True,
                help_text="Require administrators to provide a reason for impersonating a user.",
            ),
        ),
    ]
--- a/authentik/tenants/models.py
+++ b/authentik/tenants/models.py
@ -85,6 +85,10 @@ class Tenant(TenantMixin, SerializerModel):
    impersonation = models.BooleanField(
        help_text=_("Globally enable/disable impersonation."), default=True
    )
    impersonation_require_reason = models.BooleanField(
        help_text=_("Require administrators to provide a reason for impersonating a user."),
        default=True,
    )
    default_token_duration = models.TextField(
        help_text=_("Default token duration"),
        default=DEFAULT_TOKEN_DURATION,
--- a/authentik/tenants/utils.py
+++ b/authentik/tenants/utils.py
@ -8,9 +8,11 @@ from authentik.root.install_id import get_install_id
 from authentik.tenants.models import Tenant
-def get_current_tenant() -> Tenant:
+def get_current_tenant(only: list[str] | None = None) -> Tenant:
    """Get tenant for current request"""
-    return Tenant.objects.get(schema_name=connection.schema_name)
+    if only is None:
        only = []
    return Tenant.objects.only(*only).get(schema_name=connection.schema_name)
 def get_unique_identifier() -> str:
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.10.5 Blueprint schema",
+    "title": "authentik 2024.10.2 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -5570,30 +5570,9 @@
                    "description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
                },
                "redirect_uris": {
                    "type": "array",
                    "items": {
                        "type": "object",
                        "properties": {
                            "matching_mode": {
                    "type": "string",
-                                "enum": [
+                    "title": "Redirect URIs",
-                                    "strict",
+                    "description": "Enter each URI on a new line."
                                    "regex"
                                ],
                                "title": "Matching mode"
                            },
                            "url": {
                                "type": "string",
                                "minLength": 1,
                                "title": "Url"
                            }
                        },
                        "required": [
                            "matching_mode",
                            "url"
                        ]
                    },
                    "title": "Redirect uris"
                },
                "sub_mode": {
                    "type": "string",
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.2}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.2}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -29,10 +29,10 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024083.13
+	goauthentik.io/api/v3 v3.2024102.3
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.23.0
+	golang.org/x/oauth2 v0.24.0
-	golang.org/x/sync v0.8.0
+	golang.org/x/sync v0.9.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
--- a/go.sum
+++ b/go.sum
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024083.13 h1:xKh3feJYUeLw583zZ5ifgV0qjD37ZCOzgXPfbHQSbHM=
+goauthentik.io/api/v3 v3.2024102.3 h1:akjkJMS7tj4Df/oRb0kylkZnRYskRhereXXbhvcvi1g=
-goauthentik.io/api/v3 v3.2024083.13/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024102.3/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -388,8 +388,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -400,8 +400,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2024.10.5"
+const VERSION = "2024.10.2"
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@ -80,7 +80,7 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	var outposts *api.PaginatedOutpostList
 	var err error
 	for {
-		outposts, _, err = apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
+		outposts, _, err = apiClient.OutpostsAPI.OutpostsInstancesList(context.Background()).Execute()
 		if err == nil {
 			break
@ -96,7 +96,7 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	log.WithField("name", outpost.Name).Debug("Fetched outpost configuration")
-	akConfig, _, err := apiClient.RootApi.RootConfigRetrieve(context.Background()).Execute()
+	akConfig, _, err := apiClient.RootAPI.RootConfigRetrieve(context.Background()).Execute()
 	if err != nil {
 		log.WithError(err).Error("Failed to fetch global configuration")
 		return nil
@ -174,7 +174,7 @@ func (a *APIController) Token() string {
 func (a *APIController) OnRefresh() error {
 	// Because we don't know the outpost UUID, we simply do a list and pick the first
 	// The service account this token belongs to should only have access to a single outpost
-	outposts, _, err := a.Client.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
+	outposts, _, err := a.Client.OutpostsAPI.OutpostsInstancesList(context.Background()).Execute()
 	if err != nil {
 		log.WithError(err).Error("Failed to fetch outpost configuration")
 		return err
--- a/internal/outpost/ak/crypto.go
+++ b/internal/outpost/ak/crypto.go
@ -9,7 +9,7 @@ import (
 )
 type CryptoStore struct {
-	api *api.CryptoApiService
+	api *api.CryptoAPIService
 	log *log.Entry
@ -17,7 +17,7 @@ type CryptoStore struct {
 	certificates map[string]*tls.Certificate
 }
-func NewCryptoStore(cryptoApi *api.CryptoApiService) *CryptoStore {
+func NewCryptoStore(cryptoApi *api.CryptoAPIService) *CryptoStore {
 	return &CryptoStore{
 		api:          cryptoApi,
 		log:          log.WithField("logger", "authentik.outpost.cryptostore"),
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@ -139,7 +139,7 @@ func (fe *FlowExecutor) SetSession(s *http.Cookie) {
 func (fe *FlowExecutor) WarmUp() error {
 	gcsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.get_challenge")
 	defer gcsp.Finish()
-	req := fe.api.FlowsApi.FlowsExecutorGet(gcsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
+	req := fe.api.FlowsAPI.FlowsExecutorGet(gcsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
 	_, _, err := req.Execute()
 	return err
 }
@ -156,7 +156,7 @@ func (fe *FlowExecutor) Execute() (bool, error) {
 func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 	// Get challenge
 	gcsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.get_challenge")
-	req := fe.api.FlowsApi.FlowsExecutorGet(gcsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
+	req := fe.api.FlowsAPI.FlowsExecutorGet(gcsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
 	challenge, _, err := req.Execute()
 	if err != nil {
 		return nil, err
@ -179,7 +179,7 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth int) (bool, error) {
 	// Resole challenge
 	scsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.solve_challenge")
-	responseReq := fe.api.FlowsApi.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
+	responseReq := fe.api.FlowsAPI.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
 	i := challenge.GetActualInstance()
 	if i == nil {
 		return false, errors.New("response request instance was null")
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@ -58,7 +58,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
-	access, _, err := fe.ApiClient().OutpostsApi.OutpostsLdapAccessCheck(
+	access, _, err := fe.ApiClient().OutpostsAPI.OutpostsLdapAccessCheck(
 		req.Context(), db.si.GetProviderID(),
 	).AppSlug(db.si.GetAppSlug()).Execute()
 	if !access.Access.Passing {
@ -84,7 +84,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 	req.Log().Info("User has access")
 	uisp := sentry.StartSpan(req.Context(), "authentik.providers.ldap.bind.user_info")
 	// Get user info to store in context
-	userInfo, _, err := fe.ApiClient().CoreApi.CoreUsersMeRetrieve(context.Background()).Execute()
+	userInfo, _, err := fe.ApiClient().CoreAPI.CoreUsersMeRetrieve(context.Background()).Execute()
 	if err != nil {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
--- a/internal/outpost/ldap/ldap.go
+++ b/internal/outpost/ldap/ldap.go
@ -30,7 +30,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
 	ls := &LDAPServer{
 		log:       log.WithField("logger", "authentik.outpost.ldap"),
 		ac:        ac,
-		cs:        ak.NewCryptoStore(ac.Client.CryptoApi),
+		cs:        ak.NewCryptoStore(ac.Client.CryptoAPI),
 		providers: []*ProviderInstance{},
 	}
 	s := ldap.NewServer()
--- a/internal/outpost/ldap/refresh.go
+++ b/internal/outpost/ldap/refresh.go
@ -30,7 +30,7 @@ func (ls *LDAPServer) getCurrentProvider(pk int32) *ProviderInstance {
 }
 func (ls *LDAPServer) Refresh() error {
-	apiProviders, err := ak.Paginator(ls.ac.Client.OutpostsApi.OutpostsLdapList(context.Background()), ak.PaginatorOptions{
+	apiProviders, err := ak.Paginator(ls.ac.Client.OutpostsAPI.OutpostsLdapList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ls.log,
 	})
--- a/internal/outpost/ldap/search/direct/direct.go
+++ b/internal/outpost/ldap/search/direct/direct.go
@ -113,7 +113,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 		errs.Go(func() error {
 			if flags.CanSearch {
 				uapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_user")
-				searchReq, skip := utils.ParseFilterForUser(c.CoreApi.CoreUsersList(uapisp.Context()).IncludeGroups(true), parsedFilter, false)
+				searchReq, skip := utils.ParseFilterForUser(c.CoreAPI.CoreUsersList(uapisp.Context()).IncludeGroups(true), parsedFilter, false)
 				if skip {
 					req.Log().Trace("Skip backend request")
@ -132,7 +132,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			} else {
 				if flags.UserInfo == nil {
 					uapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_user")
-					u, _, err := c.CoreApi.CoreUsersRetrieve(uapisp.Context(), flags.UserPk).Execute()
+					u, _, err := c.CoreAPI.CoreUsersRetrieve(uapisp.Context(), flags.UserPk).Execute()
 					uapisp.Finish()
 					if err != nil {
@ -155,7 +155,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 	if needGroups {
 		errs.Go(func() error {
 			gapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_group")
-			searchReq, skip := utils.ParseFilterForGroup(c.CoreApi.CoreGroupsList(gapisp.Context()).IncludeUsers(true), parsedFilter, false)
+			searchReq, skip := utils.ParseFilterForGroup(c.CoreAPI.CoreGroupsList(gapisp.Context()).IncludeUsers(true), parsedFilter, false)
 			if skip {
 				req.Log().Trace("Skip backend request")
 				return nil
--- a/internal/outpost/ldap/search/memory/memory.go
+++ b/internal/outpost/ldap/search/memory/memory.go
@ -39,12 +39,12 @@ func NewMemorySearcher(si server.LDAPServerInstance) *MemorySearcher {
 	}
 	ms.log.Debug("initialised memory searcher")
 	// Error is not handled here, we get an empty/truncated list and the error is logged
-	users, _ := ak.Paginator(ms.si.GetAPIClient().CoreApi.CoreUsersList(context.TODO()).IncludeGroups(true), ak.PaginatorOptions{
+	users, _ := ak.Paginator(ms.si.GetAPIClient().CoreAPI.CoreUsersList(context.TODO()).IncludeGroups(true), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ms.log,
 	})
 	ms.users = users
-	groups, _ := ak.Paginator(ms.si.GetAPIClient().CoreApi.CoreGroupsList(context.TODO()).IncludeUsers(true), ak.PaginatorOptions{
+	groups, _ := ak.Paginator(ms.si.GetAPIClient().CoreAPI.CoreGroupsList(context.TODO()).IncludeUsers(true), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ms.log,
 	})
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@ -120,7 +120,7 @@ func (a *Application) ReportMisconfiguration(r *http.Request, msg string, fields
 		ClientIp: *api.NewNullableString(api.PtrString(r.RemoteAddr)),
 		Context:  fields,
 	}
-	_, _, err := a.ak.Client.EventsApi.EventsEventsCreate(context.Background()).EventRequest(req).Execute()
+	_, _, err := a.ak.Client.EventsAPI.EventsEventsCreate(context.Background()).EventRequest(req).Execute()
 	if err != nil {
 		a.log.WithError(err).Warning("failed to report configuration error")
 	}
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@ -56,7 +56,7 @@ func NewProxyServer(ac *ak.APIController) *ProxyServer {
 		globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
 	}
 	s := &ProxyServer{
-		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
+		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoAPI),
 		apps:        make(map[string]*application.Application),
 		log:         l,
 		mux:         rootMux,
--- a/internal/outpost/proxyv2/refresh.go
+++ b/internal/outpost/proxyv2/refresh.go
@ -15,7 +15,7 @@ import (
 )
 func (ps *ProxyServer) Refresh() error {
-	providers, err := ak.Paginator(ps.akAPI.Client.OutpostsApi.OutpostsProxyList(context.Background()), ak.PaginatorOptions{
+	providers, err := ak.Paginator(ps.akAPI.Client.OutpostsAPI.OutpostsProxyList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ps.log,
 	})
--- a/internal/outpost/radius/api.go
+++ b/internal/outpost/radius/api.go
@ -31,7 +31,7 @@ func parseCIDRs(raw string) []*net.IPNet {
 }
 func (rs *RadiusServer) Refresh() error {
-	apiProviders, err := ak.Paginator(rs.ac.Client.OutpostsApi.OutpostsRadiusList(context.Background()), ak.PaginatorOptions{
+	apiProviders, err := ak.Paginator(rs.ac.Client.OutpostsAPI.OutpostsRadiusList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   rs.log,
 	})
--- a/internal/outpost/radius/handle_access_request.go
+++ b/internal/outpost/radius/handle_access_request.go
@ -45,7 +45,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
-	access, _, err := fe.ApiClient().OutpostsApi.OutpostsRadiusAccessCheck(
+	access, _, err := fe.ApiClient().OutpostsAPI.OutpostsRadiusAccessCheck(
 		r.Context(), r.pi.providerId,
 	).AppSlug(r.pi.appSlug).Execute()
 	if err != nil {
--- a/internal/web/brand_tls/brand_tls.go
+++ b/internal/web/brand_tls/brand_tls.go
@ -22,7 +22,7 @@ type Watcher struct {
 }
 func NewWatcher(client *api.APIClient) *Watcher {
-	cs := ak.NewCryptoStore(client.CryptoApi)
+	cs := ak.NewCryptoStore(client.CryptoAPI)
 	l := log.WithField("logger", "authentik.router.brand_tls")
 	cert, err := crypto.GenerateSelfSignedCert()
 	if err != nil {
@ -47,7 +47,7 @@ func (w *Watcher) Start() {
 func (w *Watcher) Check() {
 	w.log.Info("updating brand certificates")
-	brands, err := ak.Paginator(w.client.CoreApi.CoreBrandsList(context.Background()), ak.PaginatorOptions{
+	brands, err := ak.Paginator(w.client.CoreAPI.CoreBrandsList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   w.log,
 	})
--- a/internal/web/metrics.go
+++ b/internal/web/metrics.go
@ -1,15 +1,11 @@
 package web
 import (
 	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/securecookie"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@ -18,25 +14,14 @@ import (
 	"goauthentik.io/internal/utils/sentry"
 )
 const MetricsKeyFile = "authentik-core-metrics.key"
 var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
 	Name: "authentik_main_request_duration_seconds",
 	Help: "API request latencies in seconds",
 }, []string{"dest"})
 func (ws *WebServer) runMetricsServer() {
 	l := log.WithField("logger", "authentik.router.metrics")
 	tmp := os.TempDir()
 	key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
 	keyPath := path.Join(tmp, MetricsKeyFile)
 	err := os.WriteFile(keyPath, []byte(key), 0o600)
 	if err != nil {
 		l.WithError(err).Warning("failed to save metrics key")
 		return
 	}
 	m := mux.NewRouter()
 	l := log.WithField("logger", "authentik.router.metrics")
 	m.Use(sentry.SentryNoSampleMiddleware)
 	m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		promhttp.InstrumentMetricHandler(
@ -51,7 +36,7 @@ func (ws *WebServer) runMetricsServer() {
 			l.WithError(err).Warning("failed to get upstream metrics")
 			return
 		}
-		re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", key))
+		re.SetBasicAuth("monitor", config.Get().SecretKey)
 		res, err := ws.upstreamHttpClient().Do(re)
 		if err != nil {
 			l.WithError(err).Warning("failed to get upstream metrics")
@ -64,13 +49,9 @@ func (ws *WebServer) runMetricsServer() {
 		}
 	})
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
-	err = http.ListenAndServe(config.Get().Listen.Metrics, m)
+	err := http.ListenAndServe(config.Get().Listen.Metrics, m)
 	if err != nil {
 		l.WithError(err).Warning("Failed to start metrics server")
 	}
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
 	err = os.Remove(keyPath)
 	if err != nil {
 		l.WithError(err).Warning("failed to remove metrics key file")
 	}
 }
--- a/internal/web/static.go
+++ b/internal/web/static.go
@ -42,11 +42,8 @@ func (ws *WebServer) configureStatic() {
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
-		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
+		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
-		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia))
 		    w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 		    fsMedia.ServeHTTP(w, r)
 		})
 	}
 	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))
--- a/internal/web/web.go
+++ b/internal/web/web.go
@ -53,7 +53,7 @@ func NewWebServer() *WebServer {
 	loggingHandler.Use(web.NewLoggingHandler(l, nil))
 	tmp := os.TempDir()
-	socketPath := path.Join(tmp, UnixSocketName)
+	socketPath := path.Join(tmp, "authentik-core.sock")
 	// create http client to talk to backend, normal client if we're in debug more
 	// and a client that connects to our socket when in non debug mode
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@ -33,6 +33,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 # Stage 2: Run
 FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
 ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
--- a/lifecycle/ak.py
+++ b/lifecycle/ak.py
@ -1,15 +1,17 @@
 """Wrapper for lifecycle/ak, to be installed by poetry"""
-from os import system
+from os import system, waitstatus_to_exitcode
 from pathlib import Path
-from sys import argv
+from sys import argv, exit
 def main():
    """Wrapper around ak bash script"""
    current_path = Path(__file__)
    args = " ".join(argv[1:])
-    system(f"{current_path.parent}/ak {args}")  # nosec
+    res = system(f"{current_path.parent}/ak {args}")  # nosec
    exit_code = waitstatus_to_exitcode(res)
    exit(exit_code)
 if __name__ == "__main__":
--- a/locale/de/LC_MESSAGES/django.mo
+++ b/locale/de/LC_MESSAGES/django.mo
--- a/locale/de/LC_MESSAGES/django.po
+++ b/locale/de/LC_MESSAGES/django.po
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-23 16:39+0000\n"
+"POT-Creation-Date: 2024-11-18 00:09+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -101,12 +101,21 @@ msgstr ""
 msgid "Brands"
 msgstr ""
 #: authentik/core/api/devices.py
 msgid "Extra description not available"
 msgstr ""
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
 "providers are returned. When set to false, backchannel providers are excluded"
 msgstr ""
 #: authentik/core/api/transactional_applications.py
 #, python-brace-format
 msgid "User lacks permission to create {model}"
 msgstr ""
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr ""
@ -1126,6 +1135,10 @@ msgstr ""
 msgid "Password not set in context"
 msgstr ""
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@ -2614,12 +2627,7 @@ msgid "Captcha Stages"
 msgstr ""
 #: authentik/stages/captcha/stage.py
-msgid "Unknown error"
+msgid "Invalid captcha response. Retrying may solve this issue."
 msgstr ""
 #: authentik/stages/captcha/stage.py
 #, python-brace-format
 msgid "Failed to validate token: {error}"
 msgstr ""
 #: authentik/stages/captcha/stage.py
@ -3206,6 +3214,10 @@ msgstr ""
 msgid "Globally enable/disable impersonation."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Require administrators to provide a reason for impersonating a user."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr ""
--- a/locale/fr/LC_MESSAGES/django.mo
+++ b/locale/fr/LC_MESSAGES/django.mo
--- a/locale/it/LC_MESSAGES/django.mo
+++ b/locale/it/LC_MESSAGES/django.mo
--- a/locale/it/LC_MESSAGES/django.po
+++ b/locale/it/LC_MESSAGES/django.po
@ -11,15 +11,17 @@
 # Marco Vitale, 2024
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
 # Nicola Mersi, 2024
 # tom max, 2024
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-28 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: albanobattistella <albanobattistella@gmail.com>, 2024\n"
+"Last-Translator: tom max, 2024\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -583,6 +585,28 @@ msgstr "Limite massimo di connessioni raggiunto."
 msgid "(You are already connected in another tab/window)"
 msgstr "(Sei già connesso in un'altra scheda/finestra)"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
 "Fase di autenticazione per la verifica dispositivo Google tramite endpoint"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stages"
 msgstr ""
 "Fasi di autenticazione per la verifica dispositivo Google tramite endpoint"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Device"
 msgstr "Dispositivo di Accesso"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Devices"
 msgstr "Dispositivi di Accesso"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
 msgid "Verifying your browser..."
 msgstr "Verifica del tuo browser..."
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -2017,6 +2041,124 @@ msgstr ""
 msgid "Used recovery-link to authenticate."
 msgstr "Utilizzato il link di recupero per autenticarsi."
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos realm"
 msgstr "Dominio Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Custom krb5.conf to use. Uses the system one by default"
 msgstr ""
 "krb5.conf personalizzato da usare. Usa la configurazione di sistema per "
 "default"
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
 msgstr "Sincronizza utenti da Kerberos a authentik"
 #: authentik/sources/kerberos/models.py
 msgid "When a user changes their password, sync it back to Kerberos"
 msgstr "Quando un utente cambia la sua password, sincronizzala in Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Principal to authenticate to kadmin for sync."
 msgstr "Entità da autenticare su kadmin per la sincronizzazione."
 #: authentik/sources/kerberos/models.py
 msgid "Password to authenticate to kadmin for sync"
 msgstr "Password per autenticarsi in kadmin per sincronizzare"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
 "form TYPE:residual"
 msgstr ""
 "Keytab per autenticarsi su kadmin per la sincronizzazione. Deve essere con "
 "codifica base64 o nel formato TYPE:residual"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Credentials cache to authenticate to kadmin for sync. Must be in the form "
 "TYPE:residual"
 msgstr ""
 "Credenziali memorizzate nella cache per autenticarsi su kadmin per la "
 "sincronizzazione. Devono essere nel formato TYPE:residual"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Force the use of a specific server name for SPNEGO. Must be in the form "
 "HTTP@hostname"
 msgstr ""
 "Forza l'uso di un nome server specifico per SPNEGO. Deve essere nel formato "
 "HTTP@nomehost"
 #: authentik/sources/kerberos/models.py
 msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
 msgstr ""
 "keytab SPNEGO con codifica base64 o percorso del keytab nel formato "
 "FILE:percorso"
 #: authentik/sources/kerberos/models.py
 msgid "Credential cache to use for SPNEGO in form type:residual"
 msgstr ""
 "Cache delle credenziali da utilizzare per SPNEGO nella forma  type:residual"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "If enabled, the authentik-stored password will be updated upon login with "
 "the Kerberos password backend"
 msgstr ""
 "Se abilitato, la password memorizzata in authentik verrà aggiornata al login"
 " nel backend Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source"
 msgstr "Sorgente Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Sources"
 msgstr "Sorgenti Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source Property Mapping"
 msgstr "Mappa delle proprietà della sorgente kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source Property Mappings"
 msgstr "Mappe delle proprietà della sorgente kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "User Kerberos Source Connection"
 msgstr "Connessione sorgente dell'utente kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "User Kerberos Source Connections"
 msgstr " Connessioni alle sorgente dell'utente kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Group Kerberos Source Connection"
 msgstr " Connessione sorgente del gruppo kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Group Kerberos Source Connections"
 msgstr "Connessioni alle sorgenti del gruppo kerberos"
 #: authentik/sources/kerberos/views.py
 msgid "SPNEGO authentication required"
 msgstr "autenticazione  SPNEGO necessaria"
 #: authentik/sources/kerberos/views.py
 msgid ""
 "\n"
 "                    Make sure you have valid tickets (obtainable via kinit)\n"
 "                    and configured the browser correctly.\n"
 "                    Please contact your administrator.\n"
 "                "
 msgstr ""
 "\n"
 "Assicurati di avere un ticket valido (ottenibile tramite kinit)\n"
 " e di aver configurato correttamente il browser. \n"
 "Contatta il tuo amministratore."
 #: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
@ -2735,13 +2877,10 @@ msgid "Captcha Stages"
 msgstr "Fasi Captcha"
 #: authentik/stages/captcha/stage.py
-msgid "Unknown error"
+msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "Errore sconosciuto"
+msgstr ""
-
+"Risposta captcha non valida. Un nuovo tentativo potrebbe risolvere il "
-#: authentik/stages/captcha/stage.py
+"problema."
 #, python-brace-format
 msgid "Failed to validate token: {error}"
 msgstr "Impossibile convalidare il token: {error}"
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@ -3114,6 +3253,10 @@ msgstr "Database utente + password app"
 msgid "User database + LDAP password"
 msgstr "Database utenti + password LDAP"
 #: authentik/stages/password/models.py
 msgid "User database + Kerberos password"
 msgstr "Database utenti + password Kerberos"
 #: authentik/stages/password/models.py
 msgid "Selection of backends to test the password against."
 msgstr "Selezione di backend su cui testare la password."
--- a/locale/tr/LC_MESSAGES/django.mo
+++ b/locale/tr/LC_MESSAGES/django.mo
--- a/locale/tr/LC_MESSAGES/django.po
+++ b/locale/tr/LC_MESSAGES/django.po
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-23 16:39+0000\n"
+"POT-Creation-Date: 2024-11-18 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -110,6 +110,10 @@ msgstr "品牌"
 msgid "Brands"
 msgstr "品牌"
 #: authentik/core/api/devices.py
 msgid "Extra description not available"
 msgstr "额外描述不可用"
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -117,6 +121,11 @@ msgid ""
 "excluded"
 msgstr "如果未设置，则返回所有提供程序。如果启用，仅返回反向通道提供程序。如果禁用，则返回非反向通道提供程序"
 #: authentik/core/api/transactional_applications.py
 #, python-brace-format
 msgid "User lacks permission to create {model}"
 msgstr "用户缺少创建 {model} 的权限"
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "不允许以斜线开始或结尾。"
@ -1140,6 +1149,10 @@ msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "无效密码。"
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@ -2649,13 +2662,8 @@ msgid "Captcha Stages"
 msgstr "验证码阶段"
 #: authentik/stages/captcha/stage.py
-msgid "Unknown error"
+msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "未知错误"
+msgstr "无效的验证码响应。重试可能会解决此问题。"
 #: authentik/stages/captcha/stage.py
 #, python-brace-format
 msgid "Failed to validate token: {error}"
 msgstr "验证令牌失败：{error}"
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@ -3261,6 +3269,10 @@ msgstr "启用时，所有由用户造成的事件会在相应用户被删除时
 msgid "Globally enable/disable impersonation."
 msgstr "全局启用/禁用模拟身份。"
 #: authentik/tenants/models.py
 msgid "Require administrators to provide a reason for impersonating a user."
 msgstr "需要管理员提供模拟用户的原因。"
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "默认令牌持续时间"
--- a/locale/zh_CN/LC_MESSAGES/django.mo
+++ b/locale/zh_CN/LC_MESSAGES/django.mo
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-23 16:39+0000\n"
+"POT-Creation-Date: 2024-11-18 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -109,6 +109,10 @@ msgstr "品牌"
 msgid "Brands"
 msgstr "品牌"
 #: authentik/core/api/devices.py
 msgid "Extra description not available"
 msgstr "额外描述不可用"
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -116,6 +120,11 @@ msgid ""
 "excluded"
 msgstr "如果未设置，则返回所有提供程序。如果启用，仅返回反向通道提供程序。如果禁用，则返回非反向通道提供程序"
 #: authentik/core/api/transactional_applications.py
 #, python-brace-format
 msgid "User lacks permission to create {model}"
 msgstr "用户缺少创建 {model} 的权限"
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "不允许前缀或后缀斜线。"
@ -1139,6 +1148,10 @@ msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "无效密码。"
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@ -2648,13 +2661,8 @@ msgid "Captcha Stages"
 msgstr "验证码阶段"
 #: authentik/stages/captcha/stage.py
-msgid "Unknown error"
+msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "未知错误"
+msgstr "无效的验证码响应。重试可能会解决此问题。"
 #: authentik/stages/captcha/stage.py
 #, python-brace-format
 msgid "Failed to validate token: {error}"
 msgstr "验证令牌失败：{error}"
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@ -3260,6 +3268,10 @@ msgstr "启用时，所有由用户造成的事件会在相应用户被删除时
 msgid "Globally enable/disable impersonation."
 msgstr "全局启用/禁用模拟身份。"
 #: authentik/tenants/models.py
 msgid "Require administrators to provide a reason for impersonating a user."
 msgstr "需要管理员提供模拟用户的原因。"
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "默认令牌持续时间"
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.10.5",
+    "version": "2024.10.2",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.10.5"
+version = "2024.10.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
@ -131,15 +131,13 @@ pydantic-scim = "*"
 pyjwt = "*"
 pyrad = "*"
 python = "~3.12"
-# Fork of python-kadmin with compilation fixes as it's unmaintained
+python-kadmin-rs = "0.2.0"
 python-kadmin = { git = "https://github.com/authentik-community/python-kadmin.git", tag = "v0.2.0" }
 pyyaml = "*"
 requests-oauthlib = "*"
 scim2-filter-parser = "*"
 sentry-sdk = "*"
 service_identity = "*"
 setproctitle = "*"
 setuptools = "~69.1"
 structlog = "*"
 swagger-spec-validator = "*"
 tenant-schemas-celery = "*"
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2024.10.5
+  version: 2024.10.2
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -5295,6 +5295,12 @@ paths:
        required: true
      tags:
      - core
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ImpersonationRequest'
        required: true
      security:
      - authentik: []
      responses:
@ -20218,6 +20224,10 @@ paths:
            format: uuid
        explode: true
        style: form
      - in: query
        name: redirect_uris
        schema:
          type: string
      - in: query
        name: refresh_token_validity
        schema:
@ -20633,6 +20643,10 @@ paths:
            format: uuid
        explode: true
        style: form
      - in: query
        name: redirect_uris__iexact
        schema:
          type: string
      - name: search
        required: false
        in: query
@ -42712,6 +42726,14 @@ components:
            incorrect user info is entered.
      required:
      - name
    ImpersonationRequest:
      type: object
      properties:
        reason:
          type: string
          minLength: 1
      required:
      - reason
    InstallID:
      type: object
      properties:
@ -44052,11 +44074,6 @@ components:
      required:
      - challenge
      - name
    MatchingModeEnum:
      enum:
      - strict
      - regex
      type: string
    Metadata:
      type: object
      description: Serializer for blueprint metadata
@ -44759,9 +44776,8 @@ components:
          description: Key used to encrypt the tokens. When set, tokens will be encrypted
            and returned as JWEs.
        redirect_uris:
-          type: array
+          type: string
-          items:
+          description: Enter each URI on a new line.
            $ref: '#/components/schemas/RedirectURI'
        sub_mode:
          allOf:
          - $ref: '#/components/schemas/SubModeEnum'
@ -44790,7 +44806,6 @@ components:
      - meta_model_name
      - name
      - pk
      - redirect_uris
      - verbose_name
      - verbose_name_plural
    OAuth2ProviderRequest:
@ -44862,9 +44877,8 @@ components:
          description: Key used to encrypt the tokens. When set, tokens will be encrypted
            and returned as JWEs.
        redirect_uris:
-          type: array
+          type: string
-          items:
+          description: Enter each URI on a new line.
            $ref: '#/components/schemas/RedirectURIRequest'
        sub_mode:
          allOf:
          - $ref: '#/components/schemas/SubModeEnum'
@ -44886,7 +44900,6 @@ components:
      - authorization_flow
      - invalidation_flow
      - name
      - redirect_uris
    OAuth2ProviderSetupURLs:
      type: object
      description: OAuth2 Provider Metadata serializer
@ -48885,9 +48898,8 @@ components:
          description: Key used to encrypt the tokens. When set, tokens will be encrypted
            and returned as JWEs.
        redirect_uris:
-          type: array
+          type: string
-          items:
+          description: Enter each URI on a new line.
            $ref: '#/components/schemas/RedirectURIRequest'
        sub_mode:
          allOf:
          - $ref: '#/components/schemas/SubModeEnum'
@ -50032,6 +50044,10 @@ components:
        impersonation:
          type: boolean
          description: Globally enable/disable impersonation.
        impersonation_require_reason:
          type: boolean
          description: Require administrators to provide a reason for impersonating
            a user.
        default_token_duration:
          type: string
          minLength: 1
@ -51480,9 +51496,7 @@ components:
          description: When enabled, this provider will intercept the authorization
            header and authenticate requests based on its value.
        redirect_uris:
-          type: array
+          type: string
          items:
            $ref: '#/components/schemas/RedirectURI'
          readOnly: true
        cookie_domain:
          type: string
@ -52078,29 +52092,6 @@ components:
          type: string
      required:
      - to
    RedirectURI:
      type: object
      description: A single allowed redirect URI entry
      properties:
        matching_mode:
          $ref: '#/components/schemas/MatchingModeEnum'
        url:
          type: string
      required:
      - matching_mode
      - url
    RedirectURIRequest:
      type: object
      description: A single allowed redirect URI entry
      properties:
        matching_mode:
          $ref: '#/components/schemas/MatchingModeEnum'
        url:
          type: string
          minLength: 1
      required:
      - matching_mode
      - url
    Reputation:
      type: object
      description: Reputation Serializer
@ -53786,6 +53777,10 @@ components:
        impersonation:
          type: boolean
          description: Globally enable/disable impersonation.
        impersonation_require_reason:
          type: boolean
          description: Require administrators to provide a reason for impersonating
            a user.
        default_token_duration:
          type: string
          description: Default token duration
@ -53825,6 +53820,10 @@ components:
        impersonation:
          type: boolean
          description: Globally enable/disable impersonation.
        impersonation_require_reason:
          type: boolean
          description: Require administrators to provide a reason for impersonating
            a user.
        default_token_duration:
          type: string
          minLength: 1
@ -54681,6 +54680,10 @@ components:
          $ref: '#/components/schemas/ProviderModelEnum'
        provider:
          $ref: '#/components/schemas/modelRequest'
        policy_bindings:
          type: array
          items:
            $ref: '#/components/schemas/TransactionPolicyBindingRequest'
      required:
      - app
      - provider
@ -54698,6 +54701,41 @@ components:
      required:
      - applied
      - logs
    TransactionPolicyBindingRequest:
      type: object
      description: PolicyBindingSerializer which does not require target as target
        is set implicitly
      properties:
        policy:
          type: string
          format: uuid
          nullable: true
        group:
          type: string
          format: uuid
          nullable: true
        user:
          type: integer
          nullable: true
        negate:
          type: boolean
          description: Negates the outcome of the policy. Messages are unaffected.
        enabled:
          type: boolean
        order:
          type: integer
          maximum: 2147483647
          minimum: -2147483648
        timeout:
          type: integer
          maximum: 2147483647
          minimum: 0
          description: Timeout after which Policy execution is terminated.
        failure_result:
          type: boolean
          description: Result if the Policy execution fails.
      required:
      - order
    TypeCreate:
      type: object
      description: Types of an object that can be created
--- a/scripts/generate_config.py
+++ b/scripts/generate_config.py
@ -12,9 +12,6 @@ with open("local.env.yml", "w", encoding="utf-8") as _config:
            "secret_key": generate_id(),
            "postgresql": {
                "user": "postgres",
                "read_replicas": {
                    "0": {},
                },
            },
            "outposts": {
                "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
--- a/Show More
+++ b/Show More