core: enforce unique group name on database level

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-12-11 18:12:39 +01:00
302 changed files with 7869 additions and 17387 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.12.5
+current_version = 2024.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -35,6 +35,14 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```

+            For arm64, use these values:
+
+            ```shell
+            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
+            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
+            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            ```
+
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@ -52,6 +60,18 @@ runs:
                    tag: ${{ inputs.tag }}
            ```

+            For arm64, use these values:
+
+            ```yaml
+            authentik:
+                outposts:
+                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}-arm64
+            ```
+
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -9,9 +9,6 @@ inputs:
  image-arch:
    required: false
    description: "Docker image arch"
-  release:
-    required: true
-    description: "True if this is a release build, false if this is a dev/PR build"

 outputs:
  shouldPush:
@ -32,24 +29,15 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
-  imageTagsJSON:
-    description: "Docker image tags, as a JSON array"
-    value: ${{ steps.ev.outputs.imageTagsJSON }}
  attestImageNames:
    description: "Docker image names used for attestation"
    value: ${{ steps.ev.outputs.attestImageNames }}
-  cacheTo:
-    description: "cache-to value for the docker build step"
-    value: ${{ steps.ev.outputs.cacheTo }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
  imageMainName:
    description: "Docker image main name"
    value: ${{ steps.ev.outputs.imageMainName }}
-  imageBuildArgs:
-    description: "Docker image build args"
-    value: ${{ steps.ev.outputs.imageBuildArgs }}

 runs:
  using: "composite"
@ -60,8 +48,6 @@ runs:
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_ARCH: ${{ inputs.image-arch }}
-        RELEASE: ${{ inputs.release }}
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        REF: ${{ github.ref }}
      run: |
        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -2,7 +2,6 @@

 import configparser
 import os
-from json import dumps
 from time import time

 parser = configparser.ConfigParser()
@ -49,7 +48,7 @@ if is_release:
            ]
 else:
    suffix = ""
-    if image_arch:
+    if image_arch and image_arch != "amd64":
        suffix = f"-{image_arch}"
    for name in image_names:
        image_tags += [
@ -71,31 +70,12 @@ def get_attest_image_names(image_with_tags: list[str]):
    return ",".join(set(image_tags))


-# Generate `cache-to` param
-cache_to = ""
-if should_push:
-    _cache_tag = "buildcache"
-    if image_arch:
-        _cache_tag += f"-{image_arch}"
-    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
-
-
-image_build_args = []
-if os.getenv("RELEASE", "false").lower() == "true":
-    image_build_args = [f"VERSION={os.getenv('REF')}"]
-else:
-    image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args = "\n".join(image_build_args)
-
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldPush={str(should_push).lower()}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
    print(f"imageTags={','.join(image_tags)}", file=_output)
-    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
-    print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args}", file=_output)
--- a/.github/actions/docker-push-variables/test.sh
+++ b/.github/actions/docker-push-variables/test.sh
@ -1,18 +1,7 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    python $SCRIPT_DIR/push_vars.py
-
-# Pushing PR/main
-GITHUB_OUTPUT=/dev/stdout \
-    GITHUB_REF=ref \
-    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    DOCKER_USERNAME=foo \
    python $SCRIPT_DIR/push_vars.py
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -35,7 +35,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        poetry install
        cd web && npm ci
    - name: Generate config
      shell: poetry run python {0}
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -1,95 +0,0 @@
-# Re-usable workflow for a single-architecture build
-name: Single-arch Container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      image_arch:
-        required: true
-        type: string
-      runs-on:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: false
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs:
-      image-digest:
-        value: ${{ jobs.build.outputs.image-digest }}
-
-jobs:
-  build:
-    name: Build ${{ inputs.image_arch }}
-    runs-on: ${{ inputs.runs-on }}
-    outputs:
-      image-digest: ${{ steps.push.outputs.digest }}
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.3.0
-      - uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-          image-arch: ${{ inputs.image_arch }}
-          release: ${{ inputs.release }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        if: ${{ inputs.release }}
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: generate ts client
-        if: ${{ !inputs.release }}
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: true
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            ${{ steps.ev.outputs.imageBuildArgs }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
-          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
--- a/.github/workflows/_reusable-docker-build.yaml
+++ b/.github/workflows/_reusable-docker-build.yaml
@ -1,102 +0,0 @@
-# Re-usable workflow for a multi-architecture build
-name: Multi-arch container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: true
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs: {}
-
-jobs:
-  build-server-amd64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: amd64
-      runs-on: ubuntu-latest
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  build-server-arm64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: arm64
-      runs-on: ubuntu-22.04-arm
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  get-tags:
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-amd64
-      - build-server-arm64
-    outputs:
-      tags: ${{ steps.ev.outputs.imageTagsJSON }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-  merge-server:
-    runs-on: ubuntu-latest
-    needs:
-      - get-tags
-      - build-server-amd64
-      - build-server-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@v2
-        id: build
-        with:
-          tags: ${{ matrix.tag }}
-          sources: |
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -134,7 +134,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.11.0
+        uses: helm/kind-action@v1.10.0
      - name: run integration
        run: |
          poetry run coverage run manage.py test tests/integration
@ -223,18 +223,68 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    needs: ci-core-mark
+    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    needs: ci-core-mark
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
-    with:
-      image_name: ghcr.io/goauthentik/dev-server
-      release: false
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/dev-server
+          image-arch: ${{ matrix.arch }}
+      - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
  pr-comment:
    needs:
      - build
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -72,7 +72,7 @@ jobs:
          - rac
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,7 +2,7 @@ name: "CodeQL"

 on:
  push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
  pull_request:
    branches: [main]
  schedule:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,23 +7,64 @@ on:

 jobs:
  build-server:
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
+    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    with:
-      image_name: ghcr.io/goauthentik/server,beryju/authentik
-      release: true
-      registry_dockerhub: true
-      registry_ghcr: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/server,beryju/authentik
+      - name: Docker Login Registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: true
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            VERSION=${{ github.ref }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@ -147,8 +188,8 @@ jobs:
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        run: |
-          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
+          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
+          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -14,7 +14,16 @@ jobs:
      - uses: actions/checkout@v4
      - name: Pre-release test
        run: |
-          make test-docker
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          docker buildx install
+          mkdir -p ./gen-ts-api
+          docker build -t testing:latest .
+          echo "AUTHENTIK_IMAGE=testing" >> .env
+          echo "AUTHENTIK_TAG=latest" >> .env
+          docker compose up --no-start
+          docker compose start postgresql redis
+          docker compose run -u root server test-all
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -33,8 +33,7 @@
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
-        "!Value scalar",
-        "!AtIndex scalar"
+        "!Value scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
--- a/10
+++ b/10
@ -19,18 +19,10 @@ Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
 docker-compose.yml              @goauthentik/infrastructure
-Makefile                        @goauthentik/infrastructure
-.editorconfig                   @goauthentik/infrastructure
-CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
-# Locale
-locale/                         @goauthentik/backend @goauthentik/frontend
-web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
-CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-SECURITY.md                     @goauthentik/security @goauthentik/docs
-website/docs/security/          @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security
--- a/32
+++ b/32
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT
@ -116,30 +116,15 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
    --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/root/.cache/pypoetry \
-    pip install --no-cache cffi && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential libffi-dev \
-        # Required for cryptography
-        curl pkg-config \
-        # Required for lxml
-        libxslt-dev zlib1g-dev \
-        # Required for xmlsec
-        libltdl-dev \
-        # Required for kadmin
-        sccache clang && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
-    . "$HOME/.cargo/env" && \
    python -m venv /ak-root/venv/ && \
    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip poetry && \
-    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
+    pip3 install --upgrade pip && \
+    pip3 install poetry && \
    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip uninstall cryptography -y && \
-    poetry install --only=main --no-ansi --no-interaction --no-root"
+    pip install --force-reinstall /wheels/*"

 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@ -156,7 +141,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    apt-get clean && \
@ -191,8 +176,9 @@ ENV TMPDIR=/dev/shm/ \
    PYTHONUNBUFFERED=1 \
    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
    VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false \
-    GOFIPS=1
+    POETRY_VIRTUALENVS_CREATE=false
+
+ENV GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]

--- a/12
+++ b/12
@ -45,6 +45,15 @@ help:  ## Show this help
 go-test:
 	go test -timeout 0 -v -race -cover ./...

+test-docker:  ## Run all tests in a docker-compose
+	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	docker compose pull -q
+	docker compose up --no-start
+	docker compose start postgresql redis
+	docker compose run -u root server test-all
+	rm -f .env
+
 test: ## Run the server tests and produce a coverage report (locally)
 	coverage run manage.py test --keepdb authentik
 	coverage html
@ -254,9 +263,6 @@ docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}

-test-docker:
-	./scripts/test_docker.sh
-
 #########################
 ## CI
 #########################
--- a/SECURITY.md
+++ b/SECURITY.md
@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di

 ## Independent audits and pentests

-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation]](https://docs.goauthentik.io/docs/security).

 ## What authentik classifies as a CVE

@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
+| 2024.8.x  | ✅        |
 | 2024.10.x | ✅        |
-| 2024.12.x | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.12.5"
+__version__ = "2024.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -146,10 +146,6 @@ entries:
                  ]
              ]
              nested_context: !Context context2
-              at_index_sequence: !AtIndex [!Context sequence, 0]
-              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
-              at_index_mapping: !AtIndex [!Context mapping, "key2"]
-              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
      identifiers:
          name: test
      conditions:
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -215,10 +215,6 @@ class TestBlueprintsV1(TransactionTestCase):
                    },
                    "nested_context": "context-nested-value",
                    "env_null": None,
-                    "at_index_sequence": "foo",
-                    "at_index_sequence_default": "non existent",
-                    "at_index_mapping": 2,
-                    "at_index_mapping_default": "non existent",
                }
            ).exists()
        )
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -24,10 +24,6 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel


-class UNSET:
-    """Used to test whether a key has not been set."""
-
-
 def get_attrs(obj: SerializerModel) -> dict[str, Any]:
    """Get object's attributes via their serializer, and convert it to a normal dict"""
    serializer: Serializer = obj.serializer(obj)
@ -560,53 +556,6 @@ class Value(EnumeratedItem):
            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc


-class AtIndex(YAMLTag):
-    """Get value at index of a sequence or mapping"""
-
-    obj: YAMLTag | dict | list | tuple
-    attribute: int | str | YAMLTag
-    default: Any | UNSET
-
-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
-        super().__init__()
-        self.obj = loader.construct_object(node.value[0])
-        self.attribute = loader.construct_object(node.value[1])
-        if len(node.value) == 2:  # noqa: PLR2004
-            self.default = UNSET
-        else:
-            self.default = loader.construct_object(node.value[2])
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        if isinstance(self.obj, YAMLTag):
-            obj = self.obj.resolve(entry, blueprint)
-        else:
-            obj = self.obj
-        if isinstance(self.attribute, YAMLTag):
-            attribute = self.attribute.resolve(entry, blueprint)
-        else:
-            attribute = self.attribute
-
-        if isinstance(obj, list | tuple):
-            try:
-                return obj[attribute]
-            except TypeError as exc:
-                raise EntryInvalidError.from_entry(
-                    f"Invalid index for list: {attribute}", entry
-                ) from exc
-            except IndexError as exc:
-                if self.default is UNSET:
-                    raise EntryInvalidError.from_entry(
-                        f"Index out of range: {attribute}", entry
-                    ) from exc
-                return self.default
-        if attribute in obj:
-            return obj[attribute]
-        else:
-            if self.default is UNSET:
-                raise EntryInvalidError.from_entry(f"Key does not exist: {attribute}", entry)
-            return self.default
-
-
 class BlueprintDumper(SafeDumper):
    """Dump dataclasses to yaml"""

@ -657,7 +606,6 @@ class BlueprintLoader(SafeLoader):
        self.add_constructor("!Enumerate", Enumerate)
        self.add_constructor("!Value", Value)
        self.add_constructor("!Index", Index)
-        self.add_constructor("!AtIndex", AtIndex)


 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/core/api/application_entitlements.py
+++ b/authentik/core/api/application_entitlements.py
@ -1,58 +0,0 @@
-"""Application Roles API Viewset"""
-
-from django.http import HttpRequest
-from django.utils.translation import gettext_lazy as _
-from rest_framework.exceptions import ValidationError
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
-from authentik.core.models import (
-    Application,
-    ApplicationEntitlement,
-)
-
-
-class ApplicationEntitlementSerializer(ModelSerializer):
-    """ApplicationEntitlement Serializer"""
-
-    def validate_app(self, app: Application) -> Application:
-        """Ensure user has permission to view"""
-        request: HttpRequest = self.context.get("request")
-        if not request and SERIALIZER_CONTEXT_BLUEPRINT in self.context:
-            return app
-        user = request.user
-        if user.has_perm("view_application", app) or user.has_perm(
-            "authentik_core.view_application"
-        ):
-            return app
-        raise ValidationError(_("User does not have access to application."), code="invalid")
-
-    class Meta:
-        model = ApplicationEntitlement
-        fields = [
-            "pbm_uuid",
-            "name",
-            "app",
-            "attributes",
-        ]
-
-
-class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
-    """ApplicationEntitlement Viewset"""
-
-    queryset = ApplicationEntitlement.objects.all()
-    serializer_class = ApplicationEntitlementSerializer
-    search_fields = [
-        "pbm_uuid",
-        "name",
-        "app",
-        "attributes",
-    ]
-    filterset_fields = [
-        "pbm_uuid",
-        "name",
-        "app",
-    ]
-    ordering = ["name"]
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -3,7 +3,6 @@
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import (
    BooleanField,
    CharField,
@ -17,6 +16,7 @@ from rest_framework.viewsets import ViewSet

 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
+from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
@ -73,9 +73,7 @@ class AdminDeviceViewSet(ViewSet):
    def get_devices(self, **kwargs):
        """Get all devices in all child classes"""
        for model in device_classes():
-            device_set = get_objects_for_user(
-                self.request.user, f"{model._meta.app_label}.view_{model._meta.model_name}", model
-            ).filter(**kwargs)
+            device_set = model.objects.filter(**kwargs)
            yield from device_set

    @extend_schema(
@ -88,6 +86,10 @@ class AdminDeviceViewSet(ViewSet):
        ],
        responses={200: DeviceSerializer(many=True)},
    )
+    @permission_required(
+        None,
+        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
+    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        kwargs = {}
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -103,9 +103,6 @@ class GroupSerializer(ModelSerializer):
            "users": {
                "default": list,
            },
-            # TODO: This field isn't unique on the database which is hard to backport
-            # hence we just validate the uniqueness here
-            "name": {"validators": [UniqueValidator(Group.objects.all())]},
        }


--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -21,7 +21,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -76,7 +75,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):


 class SourceViewSet(
-    MultipleFieldLookupMixin,
    TypesMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
@ -89,7 +87,6 @@ class SourceViewSet(
    queryset = Source.objects.none()
    serializer_class = SourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    search_fields = ["slug", "name"]
    filterset_fields = ["slug", "name", "managed"]

@ -162,9 +159,9 @@ class SourceViewSet(


 class UserSourceConnectionSerializer(SourceSerializer):
-    """User source connection"""
+    """OAuth Source Serializer"""

-    source_obj = SourceSerializer(read_only=True, source="source")
+    source = SourceSerializer(read_only=True)

    class Meta:
        model = UserSourceConnection
@ -172,10 +169,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
            "pk",
            "user",
            "source",
-            "source_obj",
            "created",
        ]
        extra_kwargs = {
+            "user": {"read_only": True},
            "created": {"read_only": True},
        }

@ -200,9 +197,9 @@ class UserSourceConnectionViewSet(


 class GroupSourceConnectionSerializer(SourceSerializer):
-    """Group Source Connection"""
+    """Group Source Connection Serializer"""

-    source_obj = SourceSerializer(read_only=True)
+    source = SourceSerializer(read_only=True)

    class Meta:
        model = GroupSourceConnection
@ -210,11 +207,12 @@ class GroupSourceConnectionSerializer(SourceSerializer):
            "pk",
            "group",
            "source",
-            "source_obj",
            "identifier",
            "created",
        ]
        extra_kwargs = {
+            "group": {"read_only": True},
+            "identifier": {"read_only": True},
            "created": {"read_only": True},
        }

--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -22,7 +22,7 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Application, Provider
+from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer

@ -51,13 +51,6 @@ class TransactionProviderField(DictField):
 class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
    """PolicyBindingSerializer which does not require target as target is set implicitly"""

-    def validate(self, attrs):
-        # As the PolicyBindingSerializer checks that the correct things can be bound to a target
-        # but we don't have a target here as that's set by the blueprint, pass in an empty app
-        # which will have the correct allowed combination of group/user/policy.
-        attrs["target"] = Application()
-        return super().validate(attrs)
-
    class Meta(PolicyBindingSerializer.Meta):
        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]

--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,14 +1,13 @@
 """User API Views"""

 from datetime import timedelta
-from importlib import import_module
 from json import loads
 from typing import Any

-from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.core.cache import cache
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -92,7 +91,6 @@ from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


 class UserGroupSerializer(ModelSerializer):
@ -769,8 +767,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if not instance.is_active:
            sessions = AuthenticatedSession.objects.filter(user=instance)
            session_ids = sessions.values_list("session_key", flat=True)
-            for session in session_ids:
-                SessionStore(session).delete()
+            cache.delete_many(f"{KEY_PREFIX}{session}" for session in session_ids)
            sessions.delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/migrations/0040_alter_group_name.py
+++ b/authentik/core/migrations/0040_alter_group_name.py
@ -0,0 +1,21 @@
+# Generated by Django 5.0.8 on 2024-08-08 12:09
+
+from django.db import migrations, models
+
+from authentik.lib.migrations import fallback_names
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+    ]
+
+    operations = [
+        migrations.RunPython(fallback_names("authentik_core", "group", "name")),
+        migrations.AlterField(
+            model_name="group",
+            name="name",
+            field=models.TextField(unique=True, verbose_name="name"),
+        ),
+    ]
--- a/authentik/core/migrations/0041_applicationentitlement.py
+++ b/authentik/core/migrations/0041_applicationentitlement.py
@ -1,45 +0,0 @@
-# Generated by Django 5.0.9 on 2024-11-20 15:16
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0040_provider_invalidation_flow"),
-        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ApplicationEntitlement",
-            fields=[
-                (
-                    "policybindingmodel_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_policies.policybindingmodel",
-                    ),
-                ),
-                ("attributes", models.JSONField(blank=True, default=dict)),
-                ("name", models.TextField()),
-                (
-                    "app",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.application"
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Application Entitlement",
-                "verbose_name_plural": "Application Entitlements",
-                "unique_together": {("app", "name")},
-            },
-            bases=("authentik_policies.policybindingmodel", models.Model),
-        ),
-    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -173,7 +173,7 @@ class Group(SerializerModel, AttributesMixin):

    group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

-    name = models.TextField(_("name"))
+    name = models.TextField(verbose_name=_("name"), unique=True)
    is_superuser = models.BooleanField(
        default=False, help_text=_("Users added to this group will be superusers.")
    )
@ -314,32 +314,6 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        always_merger.merge(final_attributes, self.attributes)
        return final_attributes

-    def app_entitlements(self, app: "Application | None") -> QuerySet["ApplicationEntitlement"]:
-        """Get all entitlements this user has for `app`."""
-        if not app:
-            return []
-        all_groups = self.all_groups()
-        qs = app.applicationentitlement_set.filter(
-            Q(
-                Q(bindings__user=self) | Q(bindings__group__in=all_groups),
-                bindings__negate=False,
-            )
-            | Q(
-                Q(~Q(bindings__user=self), bindings__user__isnull=False)
-                | Q(~Q(bindings__group__in=all_groups), bindings__group__isnull=False),
-                bindings__negate=True,
-            ),
-            bindings__enabled=True,
-        ).order_by("name")
-        return qs
-
-    def app_entitlements_attributes(self, app: "Application | None") -> dict:
-        """Get a dictionary containing all merged attributes from app entitlements for `app`."""
-        final_attributes = {}
-        for attrs in self.app_entitlements(app).values_list("attributes", flat=True):
-            always_merger.merge(final_attributes, attrs)
-        return final_attributes
-
    @property
    def serializer(self) -> Serializer:
        from authentik.core.api.users import UserSerializer
@ -607,31 +581,6 @@ class Application(SerializerModel, PolicyBindingModel):
        verbose_name_plural = _("Applications")


-class ApplicationEntitlement(AttributesMixin, SerializerModel, PolicyBindingModel):
-    """Application-scoped entitlement to control authorization in an application"""
-
-    name = models.TextField()
-
-    app = models.ForeignKey(Application, on_delete=models.CASCADE)
-
-    class Meta:
-        verbose_name = _("Application Entitlement")
-        verbose_name_plural = _("Application Entitlements")
-        unique_together = (("app", "name"),)
-
-    def __str__(self):
-        return f"Application Entitlement {self.name} for app {self.app_id}"
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.core.api.application_entitlements import ApplicationEntitlementSerializer
-
-        return ApplicationEntitlementSerializer
-
-    def supported_policy_binding_targets(self):
-        return ["group", "user"]
-
-
 class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""

--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,10 +1,7 @@
 """authentik core signals"""

-from importlib import import_module
-
-from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
@ -28,7 +25,6 @@ password_changed = Signal()
 login_failed = Signal()

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


@receiver(post_save, sender=Application)
@ -64,7 +60,8 @@ def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
@receiver(pre_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
-    SessionStore(instance.session_key).delete()
+    cache_key = f"{KEY_PREFIX}{instance.session_key}"
+    cache.delete(cache_key)


@receiver(pre_save)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -238,7 +238,13 @@ class SourceFlowManager:
                self.request.GET,
                flow_slug=flow_slug,
            )
-        flow_context.setdefault(PLAN_CONTEXT_REDIRECT, final_redirect)
+        # Ensure redirect is carried through when user was trying to
+        # authorize application
+        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:if-user"
+        )
+        if PLAN_CONTEXT_REDIRECT not in flow_context:
+            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect

        if not flow:
            return bad_request_message(
--- a/authentik/core/tests/test_application_entitlements.py
+++ b/authentik/core/tests/test_application_entitlements.py
@ -1,153 +0,0 @@
-"""Test Application Entitlements API"""
-
-from django.urls import reverse
-from guardian.shortcuts import assign_perm
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Application, ApplicationEntitlement, Group
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
-from authentik.lib.generators import generate_id
-from authentik.policies.dummy.models import DummyPolicy
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider
-
-
-class TestApplicationEntitlements(APITestCase):
-    """Test application entitlements"""
-
-    def setUp(self) -> None:
-        self.user = create_test_user()
-        self.other_user = create_test_user()
-        self.provider = OAuth2Provider.objects.create(
-            name="test",
-            authorization_flow=create_test_flow(),
-        )
-        self.app: Application = Application.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            provider=self.provider,
-        )
-
-    def test_user(self):
-        """Test user-direct assignment"""
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, user=self.user, order=0)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_group(self):
-        """Test direct group"""
-        group = Group.objects.create(name=generate_id())
-        self.user.ak_groups.add(group)
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, group=group, order=0)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_group_indirect(self):
-        """Test indirect group"""
-        parent = Group.objects.create(name=generate_id())
-        group = Group.objects.create(name=generate_id(), parent=parent)
-        self.user.ak_groups.add(group)
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, group=parent, order=0)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_negate_user(self):
-        """Test with negate flag"""
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_negate_group(self):
-        """Test with negate flag"""
-        other_group = Group.objects.create(name=generate_id())
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_api_perms_global(self):
-        """Test API creation with global permissions"""
-        assign_perm("authentik_core.add_applicationentitlement", self.user)
-        assign_perm("authentik_core.view_application", self.user)
-        self.client.force_login(self.user)
-        res = self.client.post(
-            reverse("authentik_api:applicationentitlement-list"),
-            data={
-                "name": generate_id(),
-                "app": self.app.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 201)
-
-    def test_api_perms_scoped(self):
-        """Test API creation with scoped permissions"""
-        assign_perm("authentik_core.add_applicationentitlement", self.user)
-        assign_perm("authentik_core.view_application", self.user, self.app)
-        self.client.force_login(self.user)
-        res = self.client.post(
-            reverse("authentik_api:applicationentitlement-list"),
-            data={
-                "name": generate_id(),
-                "app": self.app.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 201)
-
-    def test_api_perms_missing(self):
-        """Test API creation with no permissions"""
-        assign_perm("authentik_core.add_applicationentitlement", self.user)
-        self.client.force_login(self.user)
-        res = self.client.post(
-            reverse("authentik_api:applicationentitlement-list"),
-            data={
-                "name": generate_id(),
-                "app": self.app.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]})
-
-    def test_api_bindings_policy(self):
-        """Test that API doesn't allow policies to be bound to this"""
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        policy = DummyPolicy.objects.create(name=generate_id())
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-        response = self.client.post(
-            reverse("authentik_api:policybinding-list"),
-            data={
-                "target": ent.pbm_uuid,
-                "policy": policy.pk,
-                "order": 0,
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"non_field_errors": ["One of 'group', 'user' must be set."]},
-        )
-
-    def test_api_bindings_group(self):
-        """Test that API doesn't allow policies to be bound to this"""
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        group = Group.objects.create(name=generate_id())
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-        response = self.client.post(
-            reverse("authentik_api:policybinding-list"),
-            data={
-                "target": ent.pbm_uuid,
-                "group": group.pk,
-                "order": 0,
-            },
-        )
-        self.assertEqual(response.status_code, 201)
-        self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path

-from authentik.core.api.application_entitlements import ApplicationEntitlementViewSet
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
@ -70,7 +69,6 @@ urlpatterns = [
 api_urlpatterns = [
    ("core/authenticated_sessions", AuthenticatedSessionViewSet),
    ("core/applications", ApplicationViewSet),
-    ("core/application_entitlements", ApplicationEntitlementViewSet),
    path(
        "core/transactional/applications/",
        TransactionalApplicationView.as_view(),
--- a/authentik/enterprise/providers/rac/models.py
+++ b/authentik/enterprise/providers/rac/models.py
@ -159,9 +159,9 @@ class ConnectionToken(ExpiringModel):
            default_settings["port"] = str(port)
        else:
            default_settings["hostname"] = self.endpoint.host
-        if self.endpoint.protocol == Protocols.RDP:
-            default_settings["resize-method"] = "display-update"
-        default_settings["client-name"] = f"authentik - {self.session.user}"
+        default_settings["client-name"] = "authentik"
+        # default_settings["enable-drive"] = "true"
+        # default_settings["drive-name"] = "authentik"
        settings = {}
        always_merger.merge(settings, default_settings)
        always_merger.merge(settings, self.endpoint.provider.settings)
--- a/authentik/enterprise/providers/rac/tests/test_models.py
+++ b/authentik/enterprise/providers/rac/tests/test_models.py
@ -50,10 +50,9 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
-                "resize-method": "display-update",
            },
        )
        # Set settings in provider
@ -64,11 +63,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "provider",
-                "resize-method": "display-update",
            },
        )
        # Set settings in endpoint
@ -81,11 +79,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "endpoint",
-                "resize-method": "display-update",
            },
        )
        # Set settings in token
@ -98,11 +95,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "token",
-                "resize-method": "display-update",
            },
        )
        # Set settings in property mapping (provider)
@ -118,11 +114,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "property_mapping_provider",
-                "resize-method": "display-update",
            },
        )
        # Set settings in property mapping (endpoint)
@ -140,12 +135,11 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "property_mapping_endpoint",
                "foo": "true",
                "bar": "6",
-                "resize-method": "display-update",
            },
        )
--- a/authentik/events/tasks.py
+++ b/authentik/events/tasks.py
@ -138,6 +138,7 @@ def notification_cleanup(self: SystemTask):
    """Cleanup seen notifications and notifications whose event expired."""
    notifications = Notification.objects.filter(Q(event=None) | Q(seen=True))
    amount = notifications.count()
-    notifications.delete()
+    for notification in notifications:
+        notification.delete()
    LOGGER.debug("Expired notifications", amount=amount)
    self.set_status(TaskStatus.SUCCESSFUL, f"Expired {amount} Notifications")
--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -40,7 +40,6 @@ class Migration(migrations.Migration):
                    ("require_authenticated", "Require Authenticated"),
                    ("require_unauthenticated", "Require Unauthenticated"),
                    ("require_superuser", "Require Superuser"),
-                    ("require_redirect", "Require Redirect"),
                    ("require_outpost", "Require Outpost"),
                ],
                default="none",
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -33,7 +33,6 @@ class FlowAuthenticationRequirement(models.TextChoices):
    REQUIRE_AUTHENTICATED = "require_authenticated"
    REQUIRE_UNAUTHENTICATED = "require_unauthenticated"
    REQUIRE_SUPERUSER = "require_superuser"
-    REQUIRE_REDIRECT = "require_redirect"
    REQUIRE_OUTPOST = "require_outpost"


--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -42,8 +42,6 @@ PLAN_CONTEXT_OUTPOST = "outpost"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-PLAN_CONTEXT_IS_REDIRECTED = "is_redirected"
-PLAN_CONTEXT_REDIRECT_STAGE_TARGET = "redirect_stage_target"
 CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"

@ -109,8 +107,6 @@ class FlowPlan:

    def pop(self):
        """Pop next pending stage from bottom of list"""
-        if not self.markers and not self.bindings:
-            return
        self.markers.pop(0)
        self.bindings.pop(0)

@ -158,13 +154,8 @@ class FlowPlan:
            final_stage: type[StageView] = self.bindings[-1].stage.view
            temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
            temp_exec.current_stage = self.bindings[-1].stage
-            temp_exec.current_stage_view = final_stage
-            temp_exec.setup(request, flow.slug)
            stage = final_stage(request=request, executor=temp_exec)
-            response = stage.dispatch(request)
-            # Ensure we clean the flow state we have in the session before we redirect away
-            temp_exec.stage_ok()
-            return response
+            return stage.dispatch(request)

        return redirect_with_qs(
            "authentik_core:if-flow",
@ -190,7 +181,7 @@ class FlowPlanner:
        self.flow = flow
        self._logger = get_logger().bind(flow_slug=flow.slug)

-    def _check_authentication(self, request: HttpRequest, context: dict[str, Any]):
+    def _check_authentication(self, request: HttpRequest):
        """Check the flow's authentication level is matched by `request`"""
        if (
            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
@ -207,11 +198,6 @@ class FlowPlanner:
            and not request.user.is_superuser
        ):
            raise FlowNonApplicableException()
-        if (
-            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_REDIRECT
-            and context.get(PLAN_CONTEXT_IS_REDIRECTED) is None
-        ):
-            raise FlowNonApplicableException()
        outpost_user = ClientIPMiddleware.get_outpost_user(request)
        if self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_OUTPOST:
            if not outpost_user:
@ -243,13 +229,18 @@ class FlowPlanner:
            )
            context = default_context or {}
            # Bit of a workaround here, if there is a pending user set in the default context
-            # we use that user for our cache key to make sure they don't get the generic response
+            # we use that user for our cache key
+            # to make sure they don't get the generic response
            if context and PLAN_CONTEXT_PENDING_USER in context:
                user = context[PLAN_CONTEXT_PENDING_USER]
            else:
                user = request.user
-
-            context.update(self._check_authentication(request, context))
+                # We only need to check the flow authentication if it's planned without a user
+                # in the context, as a user in the context can only be set via the explicit code API
+                # or if a flow is restarted due to `invalid_response_action` being set to
+                # `restart_with_context`, which can only happen if the user was already authorized
+                # to use the flow
+                context.update(self._check_authentication(request))
            # First off, check the flow's direct policy bindings
            # to make sure the user even has access to the flow
            engine = PolicyEngine(self.flow, user, request)
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -93,11 +93,7 @@ class ChallengeStageView(StageView):

    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Return a challenge for the frontend to solve"""
-        try:
-            challenge = self._get_challenge(*args, **kwargs)
-        except StageInvalidException as exc:
-            self.logger.debug("Got StageInvalidException", exc=exc)
-            return self.executor.stage_invalid()
+        challenge = self._get_challenge(*args, **kwargs)
        if not challenge.is_valid():
            self.logger.warning(
                "f(ch): Invalid challenge",
@ -173,7 +169,11 @@ class ChallengeStageView(StageView):
                stage_type=self.__class__.__name__, method="get_challenge"
            ).time(),
        ):
-            challenge = self.get_challenge(*args, **kwargs)
+            try:
+                challenge = self.get_challenge(*args, **kwargs)
+            except StageInvalidException as exc:
+                self.logger.debug("Got StageInvalidException", exc=exc)
+                return self.executor.stage_invalid()
        with start_span(
            op="authentik.flow.stage._get_challenge",
            name=self.__class__.__name__,
--- a/authentik/flows/tests/test_planner.py
+++ b/authentik/flows/tests/test_planner.py
@ -22,12 +22,7 @@ from authentik.flows.models import (
    FlowStageBinding,
    in_memory_stage,
 )
-from authentik.flows.planner import (
-    PLAN_CONTEXT_IS_REDIRECTED,
-    PLAN_CONTEXT_PENDING_USER,
-    FlowPlanner,
-    cache_key,
-)
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
 from authentik.flows.stage import StageView
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.outposts.apps import MANAGED_OUTPOST
@ -86,24 +81,6 @@ class TestFlowPlanner(TestCase):
        planner.allow_empty_flows = True
        planner.plan(request)

-    def test_authentication_redirect_required(self):
-        """Test flow authentication (redirect required)"""
-        flow = create_test_flow()
-        flow.authentication = FlowAuthenticationRequirement.REQUIRE_REDIRECT
-        request = self.request_factory.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        request.user = AnonymousUser()
-        planner = FlowPlanner(flow)
-        planner.allow_empty_flows = True
-
-        with self.assertRaises(FlowNonApplicableException):
-            planner.plan(request)
-
-        context = {}
-        context[PLAN_CONTEXT_IS_REDIRECTED] = create_test_flow()
-        planner.plan(request, context)
-
    @reconcile_app("authentik_outposts")
    def test_authentication_outpost(self):
        """Test flow authentication (outpost)"""
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -103,7 +103,7 @@ class FlowExecutorView(APIView):

    permission_classes = [AllowAny]

-    flow: Flow = None
+    flow: Flow

    plan: FlowPlan | None = None
    current_binding: FlowStageBinding | None = None
@ -114,8 +114,7 @@ class FlowExecutorView(APIView):

    def setup(self, request: HttpRequest, flow_slug: str):
        super().setup(request, flow_slug=flow_slug)
-        if not self.flow:
-            self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
+        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
        self._logger = get_logger().bind(flow_slug=flow_slug)
        set_tag("authentik.flow", self.flow.slug)

@ -172,8 +171,7 @@ class FlowExecutorView(APIView):
                    # Existing plan is deleted from session and instance
                    self.plan = None
                    self.cancel()
-                else:
-                    self._logger.debug("f(exec): Continuing existing plan")
+                self._logger.debug("f(exec): Continuing existing plan")

            # Initial flow request, check if we have an upstream query string passed in
            request.session[SESSION_KEY_GET] = get_params
--- a/authentik/flows/views/inspector.py
+++ b/authentik/flows/views/inspector.py
@ -78,9 +78,7 @@ class FlowInspectorView(APIView):
        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
        if settings.DEBUG:
            return
-        if request.user.has_perm("authentik_flows.inspect_flow") or request.user.has_perm(
-            "authentik_flows.inspect_flow", self.flow
-        ):
+        if request.user.has_perm("authentik_flow.inspect_flow", self.flow):
            return
        raise Http404

--- a/authentik/lib/api.py
+++ b/authentik/lib/api.py
@ -1,37 +0,0 @@
-from collections.abc import Callable, Sequence
-from typing import Self
-from uuid import UUID
-
-from django.db.models import Model, Q, QuerySet, UUIDField
-from django.shortcuts import get_object_or_404
-
-
-class MultipleFieldLookupMixin:
-    """Helper mixin class to add support for multiple lookup_fields.
-    `lookup_fields` needs to be set which specifies the actual fields to query, `lookup_field`
-    is only used to generate the URL."""
-
-    lookup_field: str
-    lookup_fields: str | Sequence[str]
-
-    get_queryset: Callable[[Self], QuerySet]
-    filter_queryset: Callable[[Self, QuerySet], QuerySet]
-
-    def get_object(self):
-        queryset: QuerySet = self.get_queryset()
-        queryset = self.filter_queryset(queryset)
-        if isinstance(self.lookup_fields, str):
-            self.lookup_fields = [self.lookup_fields]
-        query = Q()
-        model: Model = queryset.model
-        for field in self.lookup_fields:
-            field_inst = model._meta.get_field(field)
-            # Sanity check, if the field we're filtering again, only apply the filter if
-            # our value looks like a UUID
-            if isinstance(field_inst, UUIDField):
-                try:
-                    UUID(self.kwargs[self.lookup_field])
-                except ValueError:
-                    continue
-            query |= Q(**{field: self.kwargs[self.lookup_field]})
-        return get_object_or_404(queryset, query)
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -5,7 +5,6 @@ import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
-from copy import deepcopy
 from dataclasses import dataclass, field
 from enum import Enum
 from glob import glob
@ -280,25 +279,9 @@ class ConfigLoader:
            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
            return default

-    def get_optional_int(self, path: str, default=None) -> int | None:
-        """Wrapper for get that converts value into int or None if set"""
-        value = self.get(path, default)
-        if value is UNSET:
-            return default
-        try:
-            return int(value)
-        except (ValueError, TypeError) as exc:
-            if value is None or (isinstance(value, str) and value.lower() == "null"):
-                return None
-            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
-            return default
-
    def get_bool(self, path: str, default=False) -> bool:
        """Wrapper for get that converts value into boolean"""
-        value = self.get(path, UNSET)
-        if value is UNSET:
-            return default
-        return str(self.get(path)).lower() == "true"
+        return str(self.get(path, default)).lower() == "true"

    def get_keys(self, path: str, sep=".") -> list[str]:
        """List attribute keys by using yaml path"""
@ -353,71 +336,6 @@ def redis_url(db: int) -> str:
    return _redis_url


-def django_db_config(config: ConfigLoader | None = None) -> dict:
-    if not config:
-        config = CONFIG
-    db = {
-        "default": {
-            "ENGINE": "authentik.root.db",
-            "HOST": config.get("postgresql.host"),
-            "NAME": config.get("postgresql.name"),
-            "USER": config.get("postgresql.user"),
-            "PASSWORD": config.get("postgresql.password"),
-            "PORT": config.get("postgresql.port"),
-            "OPTIONS": {
-                "sslmode": config.get("postgresql.sslmode"),
-                "sslrootcert": config.get("postgresql.sslrootcert"),
-                "sslcert": config.get("postgresql.sslcert"),
-                "sslkey": config.get("postgresql.sslkey"),
-            },
-            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
-            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
-            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
-                "postgresql.disable_server_side_cursors", False
-            ),
-            "TEST": {
-                "NAME": config.get("postgresql.test.name"),
-            },
-        }
-    }
-
-    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
-    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
-    if config.get_bool("postgresql.use_pgpool", False):
-        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
-        if disable_server_side_cursors is not UNSET:
-            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
-
-    if config.get_bool("postgresql.use_pgbouncer", False):
-        # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
-        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
-        # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
-        db["default"]["CONN_MAX_AGE"] = None  # persistent
-        if disable_server_side_cursors is not UNSET:
-            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
-        if conn_max_age is not UNSET:
-            db["default"]["CONN_MAX_AGE"] = conn_max_age
-
-    for replica in config.get_keys("postgresql.read_replicas"):
-        _database = deepcopy(db["default"])
-        for setting, current_value in db["default"].items():
-            if isinstance(current_value, dict):
-                continue
-            override = config.get(
-                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
-            )
-            if override is not UNSET:
-                _database[setting] = override
-        for setting in db["default"]["OPTIONS"].keys():
-            override = config.get(
-                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
-            )
-            if override is not UNSET:
-                _database["OPTIONS"][setting] = override
-        db[f"replica_{replica}"] = _database
-    return db
-
-
 if __name__ == "__main__":
    if len(argv) < 2:  # noqa: PLR2004
        print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -6,6 +6,8 @@ postgresql:
  user: authentik
  port: 5432
  password: "env://POSTGRES_PASSWORD"
+  use_pgbouncer: false
+  use_pgpool: false
  test:
    name: test_authentik
  read_replicas: {}
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -9,14 +9,7 @@ from unittest import mock
 from django.conf import ImproperlyConfigured
 from django.test import TestCase

-from authentik.lib.config import (
-    ENV_PREFIX,
-    UNSET,
-    Attr,
-    AttrEncoder,
-    ConfigLoader,
-    django_db_config,
-)
+from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader


 class TestConfig(TestCase):
@ -182,283 +175,3 @@ class TestConfig(TestCase):
        config = ConfigLoader()
        config.set("foo.bar", "baz")
        self.assertEqual(list(config.get_keys("foo")), ["bar"])
-
-    def test_db_default(self):
-        """Test default DB Config"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.sslmode", "foo")
-        config.set("postgresql.sslrootcert", "foo")
-        config.set("postgresql.sslcert", "foo")
-        config.set("postgresql.sslkey", "foo")
-        config.set("postgresql.test.name", "foo")
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "foo",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                }
-            },
-        )
-
-    def test_db_read_replicas(self):
-        """Test read replicas"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.sslmode", "foo")
-        config.set("postgresql.sslrootcert", "foo")
-        config.set("postgresql.sslcert", "foo")
-        config.set("postgresql.sslkey", "foo")
-        config.set("postgresql.test.name", "foo")
-        # Read replica
-        config.set("postgresql.read_replicas.0.host", "bar")
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "foo",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                },
-                "replica_0": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "bar",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "foo",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                },
-            },
-        )
-
-    def test_db_read_replicas_pgbouncer(self):
-        """Test read replicas"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.sslmode", "foo")
-        config.set("postgresql.sslrootcert", "foo")
-        config.set("postgresql.sslcert", "foo")
-        config.set("postgresql.sslkey", "foo")
-        config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pgbouncer", True)
-        # Read replica
-        config.set("postgresql.read_replicas.0.host", "bar")
-        # Override conn_max_age
-        config.set("postgresql.read_replicas.0.conn_max_age", 10)
-        # This isn't supported
-        config.set("postgresql.read_replicas.0.use_pgbouncer", False)
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "DISABLE_SERVER_SIDE_CURSORS": True,
-                    "CONN_MAX_AGE": None,
-                    "CONN_HEALTH_CHECKS": False,
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "foo",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                },
-                "replica_0": {
-                    "DISABLE_SERVER_SIDE_CURSORS": True,
-                    "CONN_MAX_AGE": 10,
-                    "CONN_HEALTH_CHECKS": False,
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "bar",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "foo",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                },
-            },
-        )
-
-    def test_db_read_replicas_pgpool(self):
-        """Test read replicas"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.sslmode", "foo")
-        config.set("postgresql.sslrootcert", "foo")
-        config.set("postgresql.sslcert", "foo")
-        config.set("postgresql.sslkey", "foo")
-        config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pgpool", True)
-        # Read replica
-        config.set("postgresql.read_replicas.0.host", "bar")
-        # This isn't supported
-        config.set("postgresql.read_replicas.0.use_pgpool", False)
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "DISABLE_SERVER_SIDE_CURSORS": True,
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "foo",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                },
-                "replica_0": {
-                    "DISABLE_SERVER_SIDE_CURSORS": True,
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "bar",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "foo",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                },
-            },
-        )
-
-    def test_db_read_replicas_diff_ssl(self):
-        """Test read replicas (with different SSL Settings)"""
-        """Test read replicas"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.sslmode", "foo")
-        config.set("postgresql.sslrootcert", "foo")
-        config.set("postgresql.sslcert", "foo")
-        config.set("postgresql.sslkey", "foo")
-        config.set("postgresql.test.name", "foo")
-        # Read replica
-        config.set("postgresql.read_replicas.0.host", "bar")
-        config.set("postgresql.read_replicas.0.sslcert", "bar")
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "foo",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                },
-                "replica_0": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "bar",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "sslcert": "bar",
-                        "sslkey": "foo",
-                        "sslmode": "foo",
-                        "sslrootcert": "foo",
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                },
-            },
-        )
--- a/authentik/policies/api/bindings.py
+++ b/authentik/policies/api/bindings.py
@ -84,17 +84,19 @@ class PolicyBindingSerializer(ModelSerializer):

    def validate(self, attrs: OrderedDict) -> OrderedDict:
        """Check that either policy, group or user is set."""
-        target: PolicyBindingModel = attrs.get("target")
-        supported = target.supported_policy_binding_targets()
-        supported.sort()
-        count = sum([bool(attrs.get(x, None)) for x in supported])
+        count = sum(
+            [
+                bool(attrs.get("policy", None)),
+                bool(attrs.get("group", None)),
+                bool(attrs.get("user", None)),
+            ]
+        )
        invalid = count > 1
        empty = count < 1
-        warning = ", ".join(f"'{x}'" for x in supported)
        if invalid:
-            raise ValidationError(f"Only one of {warning} can be set.")
+            raise ValidationError("Only one of 'policy', 'group' or 'user' can be set.")
        if empty:
-            raise ValidationError(f"One of {warning} must be set.")
+            raise ValidationError("One of 'policy', 'group' or 'user' must be set.")
        return attrs


--- a/authentik/policies/migrations/0011_policybinding_failure_result_and_more.py
+++ b/authentik/policies/migrations/0011_policybinding_failure_result_and_more.py
@ -1,6 +1,4 @@
 # Generated by Django 4.2.5 on 2023-09-13 18:07
-import authentik.lib.models
-import django.db.models.deletion

 from django.db import migrations, models

@ -25,13 +23,4 @@ class Migration(migrations.Migration):
                default=30, help_text="Timeout after which Policy execution is terminated."
            ),
        ),
-        migrations.AlterField(
-            model_name="policybinding",
-            name="target",
-            field=authentik.lib.models.InheritanceForeignKey(
-                on_delete=django.db.models.deletion.CASCADE,
-                related_name="bindings",
-                to="authentik_policies.policybindingmodel",
-            ),
-        ),
    ]
--- a/authentik/policies/models.py
+++ b/authentik/policies/models.py
@ -47,10 +47,6 @@ class PolicyBindingModel(models.Model):
    def __str__(self) -> str:
        return f"PolicyBindingModel {self.pbm_uuid}"

-    def supported_policy_binding_targets(self):
-        """Return the list of objects that can be bound to this object."""
-        return ["policy", "user", "group"]
-

 class PolicyBinding(SerializerModel):
    """Relationship between a Policy and a PolicyBindingModel."""
@ -85,9 +81,7 @@ class PolicyBinding(SerializerModel):
        blank=True,
    )

-    target = InheritanceForeignKey(
-        PolicyBindingModel, on_delete=models.CASCADE, related_name="bindings"
-    )
+    target = InheritanceForeignKey(PolicyBindingModel, on_delete=models.CASCADE, related_name="+")
    negate = models.BooleanField(
        default=False,
        help_text=_("Negates the outcome of the policy. Messages are unaffected."),
--- a/authentik/policies/tests/test_bindings_api.py
+++ b/authentik/policies/tests/test_bindings_api.py
@ -38,7 +38,7 @@ class TestBindingsAPI(APITestCase):
        )
        self.assertJSONEqual(
            response.content.decode(),
-            {"non_field_errors": ["Only one of 'group', 'policy', 'user' can be set."]},
+            {"non_field_errors": ["Only one of 'policy', 'group' or 'user' can be set."]},
        )

    def test_invalid_too_little(self):
@ -49,5 +49,5 @@ class TestBindingsAPI(APITestCase):
        )
        self.assertJSONEqual(
            response.content.decode(),
-            {"non_field_errors": ["One of 'group', 'policy', 'user' must be set."]},
+            {"non_field_errors": ["One of 'policy', 'group' or 'user' must be set."]},
        )
--- a/authentik/providers/oauth2/migrations/0026_alter_accesstoken_session_and_more.py
+++ b/authentik/providers/oauth2/migrations/0026_alter_accesstoken_session_and_more.py
@ -1,38 +0,0 @@
-# Generated by Django 5.0.10 on 2024-12-12 17:16
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0040_provider_invalidation_flow"),
-        (
-            "authentik_providers_oauth2",
-            "0025_rename_jwks_sources_oauth2provider_jwt_federation_sources_and_more",
-        ),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="accesstoken",
-            name="session",
-            field=models.ForeignKey(
-                default=None,
-                null=True,
-                on_delete=django.db.models.deletion.CASCADE,
-                to="authentik_core.authenticatedsession",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="authorizationcode",
-            name="session",
-            field=models.ForeignKey(
-                default=None,
-                null=True,
-                on_delete=django.db.models.deletion.CASCADE,
-                to="authentik_core.authenticatedsession",
-            ),
-        ),
-    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -396,7 +396,7 @@ class BaseGrantModel(models.Model):
    _scope = models.TextField(default="", verbose_name=_("Scopes"))
    auth_time = models.DateTimeField(verbose_name="Authentication time")
    session = models.ForeignKey(
-        AuthenticatedSession, null=True, on_delete=models.CASCADE, default=None
+        AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None
    )

    class Meta:
@ -497,11 +497,6 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):

    token = models.TextField(default=generate_client_secret)
    _id_token = models.TextField(verbose_name=_("ID Token"))
-    # Shadow the `session` field from `BaseGrantModel` as we want refresh tokens to persist even
-    # when the session is terminated.
-    session = models.ForeignKey(
-        AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None
-    )

    class Meta:
        indexes = [
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -499,11 +499,11 @@ class OAuthFulfillmentStage(StageView):
            )

            challenge.is_valid()
-            self.executor.stage_ok()
+
            return HttpChallengeResponse(
                challenge=challenge,
            )
-        self.executor.stage_ok()
+
        return HttpResponseRedirectScheme(uri, allowed_schemes=[parsed.scheme])

    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
--- a/authentik/providers/proxy/controllers/k8s/traefik_3.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik_3.py
@ -127,7 +127,6 @@ class Traefik3MiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware]
                    authResponseHeaders=[
                        "X-authentik-username",
                        "X-authentik-groups",
-                        "X-authentik-entitlements",
                        "X-authentik-email",
                        "X-authentik-name",
                        "X-authentik-uid",
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -147,7 +147,6 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
                "goauthentik.io/providers/oauth2/scope-openid",
                "goauthentik.io/providers/oauth2/scope-profile",
                "goauthentik.io/providers/oauth2/scope-email",
-                "goauthentik.io/providers/oauth2/scope-entitlements",
                "goauthentik.io/providers/proxy/scope-proxy",
            ]
        )
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@ -256,7 +256,7 @@ class AssertionProcessor:
        assertion.attrib["IssueInstant"] = self._issue_instant
        assertion.append(self.get_issuer())

-        if self.provider.signing_kp and self.provider.sign_assertion:
+        if self.provider.signing_kp:
            sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
                self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
            )
@ -295,18 +295,6 @@ class AssertionProcessor:

        response.append(self.get_issuer())

-        if self.provider.signing_kp and self.provider.sign_response:
-            sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
-                self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
-            )
-            signature = xmlsec.template.create(
-                response,
-                xmlsec.constants.TransformExclC14N,
-                sign_algorithm_transform,
-                ns=xmlsec.constants.DSigNs,
-            )
-            response.append(signature)
-
        status = SubElement(response, f"{{{NS_SAML_PROTOCOL}}}Status")
        status_code = SubElement(status, f"{{{NS_SAML_PROTOCOL}}}StatusCode")
        status_code.attrib["Value"] = "urn:oasis:names:tc:SAML:2.0:status:Success"
--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@ -2,10 +2,8 @@

 from base64 import b64encode

-from defusedxml.lxml import fromstring
 from django.http.request import QueryDict
 from django.test import TestCase
-from lxml import etree  # nosec

 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
@ -13,14 +11,12 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
-from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
 from authentik.sources.saml.processors.constants import (
-    NS_MAP,
    SAML_BINDING_REDIRECT,
    SAML_NAME_ID_FORMAT_EMAIL,
    SAML_NAME_ID_FORMAT_UNSPECIFIED,
@ -189,19 +185,6 @@ class TestAuthNRequest(TestCase):
        self.assertEqual(response.count(response_proc._assertion_id), 2)
        self.assertEqual(response.count(response_proc._response_id), 2)

-        schema = etree.XMLSchema(
-            etree.parse("schemas/saml-schema-protocol-2.0.xsd", parser=etree.XMLParser())  # nosec
-        )
-        self.assertTrue(schema.validate(lxml_from_string(response)))
-
-        response_xml = fromstring(response)
-        self.assertEqual(
-            len(response_xml.xpath("//saml:Assertion/ds:Signature", namespaces=NS_MAP)), 1
-        )
-        self.assertEqual(
-            len(response_xml.xpath("//samlp:Response/ds:Signature", namespaces=NS_MAP)), 1
-        )
-
        # Now parse the response (source)
        http_request.POST = QueryDict(mutable=True)
        http_request.POST["SAMLResponse"] = b64encode(response.encode()).decode()
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -2,10 +2,9 @@

 from django.apps import apps
 from django.contrib.auth.models import Permission
-from django.db.models import Q, QuerySet
+from django.db.models import QuerySet
 from django_filters.filters import ModelChoiceFilter
 from django_filters.filterset import FilterSet
-from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
    CharField,
@ -14,11 +13,8 @@ from rest_framework.fields import (
    ReadOnlyField,
    SerializerMethodField,
 )
-from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import ReadOnlyModelViewSet

-from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User
 from authentik.lib.validators import RequiredTogetherValidator
@ -96,9 +92,7 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    queryset = Permission.objects.none()
    serializer_class = PermissionSerializer
    ordering = ["name"]
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
    filterset_class = PermissionFilter
-    permission_classes = [IsAuthenticated]
    search_fields = [
        "codename",
        "content_type__model",
@ -106,13 +100,13 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    ]

    def get_queryset(self) -> QuerySet:
-        query = Q()
-        for model in excluded_models():
-            query |= Q(
-                content_type__app_label=model._meta.app_label,
-                content_type__model=model._meta.model_name,
+        return (
+            Permission.objects.all()
+            .select_related("content_type")
+            .filter(
+                content_type__app_label__startswith="authentik",
            )
-        return Permission.objects.all().select_related("content_type").exclude(query)
+        )


 class PermissionAssignSerializer(PassiveSerializer):
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -12,7 +12,7 @@ from sentry_sdk import set_tag
 from xmlsec import enable_debug_trace

 from authentik import __version__
-from authentik.lib.config import CONFIG, django_db_config, redis_url
+from authentik.lib.config import CONFIG, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
@ -114,7 +114,6 @@ TENANT_APPS = [
    "authentik.stages.invitation",
    "authentik.stages.password",
    "authentik.stages.prompt",
-    "authentik.stages.redirect",
    "authentik.stages.user_delete",
    "authentik.stages.user_login",
    "authentik.stages.user_logout",
@ -298,7 +297,47 @@ CHANNEL_LAYERS = {
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases

 ORIGINAL_BACKEND = "django_prometheus.db.backends.postgresql"
-DATABASES = django_db_config()
+DATABASES = {
+    "default": {
+        "ENGINE": "authentik.root.db",
+        "HOST": CONFIG.get("postgresql.host"),
+        "NAME": CONFIG.get("postgresql.name"),
+        "USER": CONFIG.get("postgresql.user"),
+        "PASSWORD": CONFIG.get("postgresql.password"),
+        "PORT": CONFIG.get("postgresql.port"),
+        "OPTIONS": {
+            "sslmode": CONFIG.get("postgresql.sslmode"),
+            "sslrootcert": CONFIG.get("postgresql.sslrootcert"),
+            "sslcert": CONFIG.get("postgresql.sslcert"),
+            "sslkey": CONFIG.get("postgresql.sslkey"),
+        },
+        "TEST": {
+            "NAME": CONFIG.get("postgresql.test.name"),
+        },
+    }
+}
+
+if CONFIG.get_bool("postgresql.use_pgpool", False):
+    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
+
+if CONFIG.get_bool("postgresql.use_pgbouncer", False):
+    # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
+    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
+    # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
+    DATABASES["default"]["CONN_MAX_AGE"] = None  # persistent
+
+for replica in CONFIG.get_keys("postgresql.read_replicas"):
+    _database = DATABASES["default"].copy()
+    for setting in DATABASES["default"].keys():
+        default = object()
+        if setting in ("TEST",):
+            continue
+        override = CONFIG.get(
+            f"postgresql.read_replicas.{replica}.{setting.lower()}", default=default
+        )
+        if override is not default:
+            _database[setting] = override
+    DATABASES[f"replica_{replica}"] = _database

 DATABASE_ROUTERS = (
    "authentik.tenants.db.FailoverRouter",
--- a/authentik/sources/kerberos/api/source.py
+++ b/authentik/sources/kerberos/api/source.py
@ -13,7 +13,6 @@ from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.api.tasks import SystemTaskSerializer
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.sources.kerberos.models import KerberosSource
 from authentik.sources.kerberos.tasks import CACHE_KEY_STATUS

@ -33,7 +32,6 @@ class KerberosSourceSerializer(SourceSerializer):
            "group_matching_mode",
            "realm",
            "krb5_conf",
-            "kadmin_type",
            "sync_users",
            "sync_users_password",
            "sync_principal",
@ -60,19 +58,17 @@ class KerberosSyncStatusSerializer(PassiveSerializer):
    tasks = SystemTaskSerializer(many=True, read_only=True)


-class KerberosSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class KerberosSourceViewSet(UsedByMixin, ModelViewSet):
    """Kerberos Source Viewset"""

    queryset = KerberosSource.objects.all()
    serializer_class = KerberosSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = [
        "name",
        "slug",
        "enabled",
        "realm",
-        "kadmin_type",
        "sync_users",
        "sync_users_password",
        "sync_principal",
--- a/authentik/sources/kerberos/auth.py
+++ b/authentik/sources/kerberos/auth.py
@ -38,9 +38,7 @@ class KerberosBackend(InbuiltBackend):
        self, username: str, realm: str | None, password: str, **filters
    ) -> tuple[User | None, KerberosSource | None]:
        sources = KerberosSource.objects.filter(enabled=True)
-        user = User.objects.filter(
-            usersourceconnection__source__in=sources, username=username, **filters
-        ).first()
+        user = User.objects.filter(usersourceconnection__source__in=sources, **filters).first()

        if user is not None:
            # User found, let's get its connections for the sources that are available
@ -79,7 +77,7 @@ class KerberosBackend(InbuiltBackend):
                        password, sender=user_source_connection.source
                    )
                    user_source_connection.user.save()
-                return user_source_connection.user, user_source_connection.source
+                return user, user_source_connection.source
            # Password doesn't match, onto next source
            LOGGER.debug(
                "failed to kinit, password invalid",
--- a/authentik/sources/kerberos/migrations/0002_kerberossource_kadmin_type.py
+++ b/authentik/sources/kerberos/migrations/0002_kerberossource_kadmin_type.py
@ -1,22 +0,0 @@
-# Generated by Django 5.0.10 on 2024-12-06 19:24
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_sources_kerberos", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="kerberossource",
-            name="kadmin_type",
-            field=models.TextField(
-                choices=[("MIT", "Mit"), ("Heimdal", "Heimdal"), ("other", "Other")],
-                default="other",
-                help_text="KAdmin server type",
-            ),
-        ),
-    ]
--- a/authentik/sources/kerberos/models.py
+++ b/authentik/sources/kerberos/models.py
@ -13,7 +13,7 @@ from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
-from kadmin import KAdmin, KAdminApiVersion
+from kadmin import KAdmin
 from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@ -36,12 +36,6 @@ LOGGER = get_logger()
 _kadmin_connections: dict[str, Any] = {}


-class KAdminType(models.TextChoices):
-    MIT = "MIT"
-    HEIMDAL = "Heimdal"
-    OTHER = "other"
-
-
 class KerberosSource(Source):
    """Federate Kerberos realm with authentik"""

@ -50,9 +44,6 @@ class KerberosSource(Source):
        blank=True,
        help_text=_("Custom krb5.conf to use. Uses the system one by default"),
    )
-    kadmin_type = models.TextField(
-        choices=KAdminType.choices, default=KAdminType.OTHER, help_text=_("KAdmin server type")
-    )

    sync_users = models.BooleanField(
        default=False, help_text=_("Sync users from Kerberos into authentik"), db_index=True
@ -208,14 +199,6 @@ class KerberosSource(Source):
        return str(conf_path)

    def _kadmin_init(self) -> KAdmin | None:
-        api_version = None
-        match self.kadmin_type:
-            case KAdminType.MIT:
-                api_version = KAdminApiVersion.Version4
-            case KAdminType.HEIMDAL:
-                api_version = KAdminApiVersion.Version2
-            case KAdminType.OTHER:
-                api_version = KAdminApiVersion.Version2
        # kadmin doesn't use a ccache for its connection
        # as such, we don't need to create a separate ccache for each source
        if not self.sync_principal:
@ -224,7 +207,6 @@ class KerberosSource(Source):
            return KAdmin.with_password(
                self.sync_principal,
                self.sync_password,
-                api_version=api_version,
            )
        if self.sync_keytab:
            keytab = self.sync_keytab
@ -236,13 +218,11 @@ class KerberosSource(Source):
            return KAdmin.with_keytab(
                self.sync_principal,
                keytab,
-                api_version=api_version,
            )
        if self.sync_ccache:
            return KAdmin.with_ccache(
                self.sync_principal,
                self.sync_ccache,
-                api_version=api_version,
            )
        return None

--- a/authentik/sources/kerberos/sync.py
+++ b/authentik/sources/kerberos/sync.py
@ -43,10 +43,8 @@ class KerberosSync:
        self._messages = []
        self._logger = get_logger().bind(source=self._source, syncer=self.__class__.__name__)
        self.mapper = SourceMapper(self._source)
-        self.user_manager = self.mapper.get_manager(User, ["principal", "principal_obj"])
-        self.group_manager = self.mapper.get_manager(
-            Group, ["group_id", "principal", "principal_obj"]
-        )
+        self.user_manager = self.mapper.get_manager(User, ["principal"])
+        self.group_manager = self.mapper.get_manager(Group, ["group_id", "principal"])
        self.matcher = SourceMatcher(
            self._source, UserKerberosSourceConnection, GroupKerberosSourceConnection
        )
@ -69,16 +67,12 @@ class KerberosSync:

    def _handle_principal(self, principal: str) -> bool:
        try:
-            # TODO: handle permission error
-            principal_obj = self._connection.get_principal(principal)
-
            defaults = self.mapper.build_object_properties(
                object_type=User,
                manager=self.user_manager,
                user=None,
                request=None,
                principal=principal,
-                principal_obj=principal_obj,
            )
            self._logger.debug("Writing user with attributes", **defaults)
            if "username" not in defaults:
@ -97,7 +91,6 @@ class KerberosSync:
                    request=None,
                    group_id=group_id,
                    principal=principal,
-                    principal_obj=principal_obj,
                )
                for group_id in defaults.pop("groups", [])
            }
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -18,7 +18,6 @@ from authentik.core.api.property_mappings import PropertyMappingFilterSet, Prope
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.lib.sync.outgoing.api import SyncStatusSerializer
 from authentik.sources.ldap.models import LDAPSource, LDAPSourcePropertyMapping
 from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
@ -104,13 +103,12 @@ class LDAPSourceSerializer(SourceSerializer):
        extra_kwargs = {"bind_password": {"write_only": True}}


-class LDAPSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
    """LDAP Source Viewset"""

    queryset = LDAPSource.objects.all()
    serializer_class = LDAPSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = [
        "name",
        "slug",
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -16,7 +16,6 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.lib.utils.http import get_http_session
 from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.types.registry import SourceType, registry
@ -171,13 +170,12 @@ class OAuthSourceFilter(FilterSet):
        ]


-class OAuthSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class OAuthSourceViewSet(UsedByMixin, ModelViewSet):
    """Source Viewset"""

    queryset = OAuthSource.objects.all()
    serializer_class = OAuthSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_class = OAuthSourceFilter
    search_fields = ["name", "slug"]
    ordering = ["name"]
--- a/authentik/sources/plex/api/source.py
+++ b/authentik/sources/plex/api/source.py
@ -18,7 +18,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.flows.challenge import RedirectChallenge
 from authentik.flows.views.executor import to_stage_response
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.rbac.decorators import permission_required
 from authentik.sources.plex.models import PlexSource, UserPlexSourceConnection
 from authentik.sources.plex.plex import PlexAuth, PlexSourceFlowManager
@ -46,13 +45,12 @@ class PlexTokenRedeemSerializer(PassiveSerializer):
    plex_token = CharField()


-class PlexSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class PlexSourceViewSet(UsedByMixin, ModelViewSet):
    """Plex source Viewset"""

    queryset = PlexSource.objects.all()
    serializer_class = PlexSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = [
        "name",
        "slug",
--- a/authentik/sources/saml/api/source.py
+++ b/authentik/sources/saml/api/source.py
@ -9,7 +9,6 @@ from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.providers.saml.api.providers import SAMLMetadataSerializer
 from authentik.sources.saml.models import SAMLSource
 from authentik.sources.saml.processors.metadata import MetadataProcessor
@ -38,13 +37,12 @@ class SAMLSourceSerializer(SourceSerializer):
        ]


-class SAMLSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class SAMLSourceViewSet(UsedByMixin, ModelViewSet):
    """SAMLSource Viewset"""

    queryset = SAMLSource.objects.all()
    serializer_class = SAMLSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = [
        "name",
        "slug",
--- a/authentik/sources/saml/tests/test_metadata.py
+++ b/authentik/sources/saml/tests/test_metadata.py
@ -17,7 +17,6 @@ class TestMetadataProcessor(TestCase):
    def setUp(self):
        self.factory = RequestFactory()
        self.source = SAMLSource.objects.create(
-            name=generate_id(),
            slug=generate_id(),
            issuer="authentik",
            signing_kp=create_test_cert(),
--- a/authentik/sources/saml/tests/test_property_mappings.py
+++ b/authentik/sources/saml/tests/test_property_mappings.py
@ -28,7 +28,6 @@ class TestPropertyMappings(TestCase):
    def setUp(self):
        self.factory = RequestFactory()
        self.source = SAMLSource.objects.create(
-            name=generate_id(),
            slug=generate_id(),
            issuer="authentik",
            allow_idp_initiated=True,
--- a/authentik/sources/saml/tests/test_response.py
+++ b/authentik/sources/saml/tests/test_response.py
@ -20,7 +20,6 @@ class TestResponseProcessor(TestCase):
    def setUp(self):
        self.factory = RequestFactory()
        self.source = SAMLSource.objects.create(
-            name=generate_id(),
            slug=generate_id(),
            issuer="authentik",
            allow_idp_initiated=True,
--- a/authentik/sources/saml/tests/test_views.py
+++ b/authentik/sources/saml/tests/test_views.py
@ -1,88 +0,0 @@
-"""SAML Source tests"""
-
-from base64 import b64encode
-
-from django.test import RequestFactory, TestCase
-from django.urls import reverse
-
-from authentik.core.tests.utils import create_test_flow
-from authentik.flows.planner import PLAN_CONTEXT_REDIRECT, FlowPlan
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
-from authentik.sources.saml.models import SAMLSource
-
-
-class TestViews(TestCase):
-    """Test SAML Views"""
-
-    def setUp(self):
-        self.factory = RequestFactory()
-        self.source = SAMLSource.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            issuer="authentik",
-            allow_idp_initiated=True,
-            pre_authentication_flow=create_test_flow(),
-        )
-
-    def test_enroll(self):
-        """Enroll"""
-        flow = create_test_flow()
-        self.source.enrollment_flow = flow
-        self.source.save()
-
-        response = self.client.post(
-            reverse(
-                "authentik_sources_saml:acs",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            data={
-                "SAMLResponse": b64encode(
-                    load_fixture("fixtures/response_success.xml").encode()
-                ).decode()
-            },
-        )
-        self.assertEqual(response.status_code, 302)
-        self.assertRedirects(
-            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
-        )
-        plan: FlowPlan = self.client.session.get(SESSION_KEY_PLAN)
-        self.assertIsNotNone(plan)
-
-    def test_enroll_redirect(self):
-        """Enroll when attempting to access a provider"""
-        initial_redirect = f"http://{generate_id()}"
-
-        session = self.client.session
-        old_plan = FlowPlan(generate_id())
-        old_plan.context[PLAN_CONTEXT_REDIRECT] = initial_redirect
-        session[SESSION_KEY_PLAN] = old_plan
-        session.save()
-
-        flow = create_test_flow()
-        self.source.enrollment_flow = flow
-        self.source.save()
-
-        response = self.client.post(
-            reverse(
-                "authentik_sources_saml:acs",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            data={
-                "SAMLResponse": b64encode(
-                    load_fixture("fixtures/response_success.xml").encode()
-                ).decode()
-            },
-        )
-        self.assertEqual(response.status_code, 302)
-        self.assertRedirects(
-            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
-        )
-        plan: FlowPlan = self.client.session.get(SESSION_KEY_PLAN)
-        self.assertIsNotNone(plan)
-        self.assertEqual(plan.context.get(PLAN_CONTEXT_REDIRECT), initial_redirect)
--- a/authentik/sources/saml/views.py
+++ b/authentik/sources/saml/views.py
@ -28,11 +28,10 @@ from authentik.flows.planner import (
    PLAN_CONTEXT_REDIRECT,
    PLAN_CONTEXT_SOURCE,
    PLAN_CONTEXT_SSO,
-    FlowPlan,
    FlowPlanner,
 )
 from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
+from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
@ -149,15 +148,12 @@ class ACSView(View):
        processor = ResponseProcessor(source, request)
        try:
            processor.parse()
-        except (MissingSAMLResponse, VerificationError) as exc:
+        except MissingSAMLResponse as exc:
+            return bad_request_message(request, str(exc))
+        except VerificationError as exc:
            return bad_request_message(request, str(exc))

        try:
-            if SESSION_KEY_PLAN in request.session:
-                plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
-                plan_redirect = plan.context.get(PLAN_CONTEXT_REDIRECT)
-                if plan_redirect:
-                    self.request.session[SESSION_KEY_GET] = {NEXT_ARG_NAME: plan_redirect}
            return processor.prepare_flow_manager().get_flow()
        except (UnsupportedNameIDFormat, ValueError) as exc:
            return bad_request_message(request, str(exc))
--- a/authentik/sources/scim/api/sources.py
+++ b/authentik/sources/scim/api/sources.py
@ -7,7 +7,6 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.tokens import TokenSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.lib.api import MultipleFieldLookupMixin
 from authentik.sources.scim.models import SCIMSource


@ -48,13 +47,12 @@ class SCIMSourceSerializer(SourceSerializer):
        ]


-class SCIMSourceViewSet(MultipleFieldLookupMixin, UsedByMixin, ModelViewSet):
+class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
    """SCIMSource Viewset"""

    queryset = SCIMSource.objects.all()
    serializer_class = SCIMSourceSerializer
    lookup_field = "slug"
-    lookup_fields = ["slug", "pbm_uuid"]
    filterset_fields = ["name", "slug"]
    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
    ordering = ["name"]
--- a/authentik/stages/authenticator_webauthn/mds/aaguid.json
+++ b/authentik/stages/authenticator_webauthn/mds/aaguid.json
@ -141,10 +141,5 @@
        "name": "Devolutions",
        "icon_dark": "data:image/svg+xml;base64,CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iNzJweCIgaGVpZ2h0PSI3MnB4IiB2aWV3Qm94PSIwIDAgNzIgNzIiPgk8ZGVmcz4KICAgICAgICA8ZmlsdGVyIGlkPSJhIiB3aWR0aD0iMjAwJSIgaGVpZ2h0PSIyMDAlIj4KICAgICAgICAgICAgPGZlT2Zmc2V0IHJlc3VsdD0ib2ZmT3V0IiBpbj0iU291cmNlQWxwaGEiIGR5PSIyLjIiLz4KICAgICAgICAgICAgPGZlR2F1c3NpYW5CbHVyIHJlc3VsdD0iYmx1ck91dCIgaW49Im9mZk91dCIgc3RkRGV2aWF0aW9uPSIxLjUiLz4KICAgICAgICAgICAgPGZlQ29sb3JNYXRyaXggdmFsdWVzPSIwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwLjQgMCIvPgogICAgICAgICAgICA8ZmVNZXJnZT4KICAgICAgICAgICAgICAgIDxmZU1lcmdlTm9kZS8+CiAgICAgICAgICAgICAgICA8ZmVNZXJnZU5vZGUgaW49IlNvdXJjZUdyYXBoaWMiLz4KICAgICAgICAgICAgPC9mZU1lcmdlPgogICAgICAgIDwvZmlsdGVyPgogICAgPC9kZWZzPgo8cGF0aCBmaWxsPSIjZmZmZmZmIiBmaWx0ZXI9InVybCgjYSkiIGQ9Ik0zMS4wNTksNS4zOTVjMTYuODktMi43MjcsMzIuODE3LDguNzcyLDM1LjU0NSwyNS42NjJjMi43MjcsMTYuODktOC43NzIsMzIuODE3LTI1LjY2MiwzNS41NDUKCUMyNC4wNTEsNjkuMzI5LDguMTI0LDU3LjgzLDUuMzk3LDQwLjk0QzIuNjcsMjQuMDQ5LDE0LjE2OSw4LjEyMiwzMS4wNTksNS4zOTV6Ii8+CjxwYXRoIGZpbGw9IiMwMDY4YzMiIGQ9Ik01NS4zNjQsMTcuMjAyYy01LjA0Ny01LjE5Ny0xMS44MDItOC4xMDktMTkuMDItOC4yYy03LjE5MS0wLjA5LTEzLjk4NSwyLjY2OS0xOS4xNDksNy43NjgKCUMxMS45MSwyMS45ODksOSwyOC45NTUsOSwzNi4zOTJsMC4wNDQsMS4yNmMwLDEuMTgxLDAuOTYxLDIuMTQyLDIuMTQyLDIuMTQyczIuMTQxLTAuOTYsMi4xNDItMi4xNGwwLjAxLTAuOTEzCgljMC05Ljk0NSw4LjQ1My0yMC41OTMsMjEuMDM1LTIwLjU5M2MxMy4xMzIsMCwyMS4yNjEsMTAuNzEyLDIxLjI2MSwyMC42MzdjMCw1LjE3My0yLjA2Myw5LjkxOS01LjgwOCwxMy4zNjMKCUM0Ni4xNyw1My41MDksNDEuMjYsNTUuMzYsMzYsNTUuMzZjLTMuMTMsMC02LjIxOS0wLjc1NS04Ljk1OC0yLjE4NmwxOC44Ny04LjY4NmMxLjI2Ny0wLjU4MywyLjExNS0xLjgxLDIuMjEzLTMuMjAxCglzLTAuNTY5LTIuNzI1LTEuNzU0LTMuNDg3bC0xNS43MDYtOC40MTVjLTAuNTU0LTAuMzU3LTEuMjEzLTAuNDc3LTEuODU4LTAuMzM3Yy0wLjY0NCwwLjEzOS0xLjE5NSwwLjUyMS0xLjU1MiwxLjA3NQoJYy0wLjczNywxLjE0NC0wLjQwNiwyLjY3MywwLjcyMSwzLjM5N2w4LjQ1NCw2LjkyM2wtMTguNDE5LDguNDc4Yy0xLjQyNywwLjY1Ny0yLjI5OCwyLjEtMi4yMTgsMy42NzUKCWMwLjA0OCwwLjk0OSwwLjQ5MywxLjg4NCwxLjI1MywyLjYzNEMyMi4xNTgsNjAuMjY5LDI4Ljg0LDYzLDM1Ljk4NSw2M2MwLjQ0NSwwLDAuODkyLTAuMDExLDEuMzQxLTAuMDMyCgljMTQuMTU2LTAuNjczLDI1LjQzMi0xMi4zMTUsMjUuNjcxLTI2LjUwNUM2My4xMTgsMjkuMjM2LDYwLjQwNywyMi4zOTYsNTUuMzY0LDE3LjIwMnoiLz4KPC9zdmc+Cg==",
        "icon_light": "data:image/svg+xml;base64,CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iNzJweCIgaGVpZ2h0PSI3MnB4IiB2aWV3Qm94PSIwIDAgNzIgNzIiPgk8ZGVmcz4KICAgICAgICA8ZmlsdGVyIGlkPSJhIiB3aWR0aD0iMjAwJSIgaGVpZ2h0PSIyMDAlIj4KICAgICAgICAgICAgPGZlT2Zmc2V0IHJlc3VsdD0ib2ZmT3V0IiBpbj0iU291cmNlQWxwaGEiIGR5PSIyLjIiLz4KICAgICAgICAgICAgPGZlR2F1c3NpYW5CbHVyIHJlc3VsdD0iYmx1ck91dCIgaW49Im9mZk91dCIgc3RkRGV2aWF0aW9uPSIxLjUiLz4KICAgICAgICAgICAgPGZlQ29sb3JNYXRyaXggdmFsdWVzPSIwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwLjQgMCIvPgogICAgICAgICAgICA8ZmVNZXJnZT4KICAgICAgICAgICAgICAgIDxmZU1lcmdlTm9kZS8+CiAgICAgICAgICAgICAgICA8ZmVNZXJnZU5vZGUgaW49IlNvdXJjZUdyYXBoaWMiLz4KICAgICAgICAgICAgPC9mZU1lcmdlPgogICAgICAgIDwvZmlsdGVyPgogICAgPC9kZWZzPgo8cGF0aCBmaWxsPSIjZmZmZmZmIiBmaWx0ZXI9InVybCgjYSkiIGQ9Ik0zMS4wNTksNS4zOTVjMTYuODktMi43MjcsMzIuODE3LDguNzcyLDM1LjU0NSwyNS42NjJjMi43MjcsMTYuODktOC43NzIsMzIuODE3LTI1LjY2MiwzNS41NDUKCUMyNC4wNTEsNjkuMzI5LDguMTI0LDU3LjgzLDUuMzk3LDQwLjk0QzIuNjcsMjQuMDQ5LDE0LjE2OSw4LjEyMiwzMS4wNTksNS4zOTV6Ii8+CjxwYXRoIGZpbGw9IiMwMDY4YzMiIGQ9Ik01NS4zNjQsMTcuMjAyYy01LjA0Ny01LjE5Ny0xMS44MDItOC4xMDktMTkuMDItOC4yYy03LjE5MS0wLjA5LTEzLjk4NSwyLjY2OS0xOS4xNDksNy43NjgKCUMxMS45MSwyMS45ODksOSwyOC45NTUsOSwzNi4zOTJsMC4wNDQsMS4yNmMwLDEuMTgxLDAuOTYxLDIuMTQyLDIuMTQyLDIuMTQyczIuMTQxLTAuOTYsMi4xNDItMi4xNGwwLjAxLTAuOTEzCgljMC05Ljk0NSw4LjQ1My0yMC41OTMsMjEuMDM1LTIwLjU5M2MxMy4xMzIsMCwyMS4yNjEsMTAuNzEyLDIxLjI2MSwyMC42MzdjMCw1LjE3My0yLjA2Myw5LjkxOS01LjgwOCwxMy4zNjMKCUM0Ni4xNyw1My41MDksNDEuMjYsNTUuMzYsMzYsNTUuMzZjLTMuMTMsMC02LjIxOS0wLjc1NS04Ljk1OC0yLjE4NmwxOC44Ny04LjY4NmMxLjI2Ny0wLjU4MywyLjExNS0xLjgxLDIuMjEzLTMuMjAxCglzLTAuNTY5LTIuNzI1LTEuNzU0LTMuNDg3bC0xNS43MDYtOC40MTVjLTAuNTU0LTAuMzU3LTEuMjEzLTAuNDc3LTEuODU4LTAuMzM3Yy0wLjY0NCwwLjEzOS0xLjE5NSwwLjUyMS0xLjU1MiwxLjA3NQoJYy0wLjczNywxLjE0NC0wLjQwNiwyLjY3MywwLjcyMSwzLjM5N2w4LjQ1NCw2LjkyM2wtMTguNDE5LDguNDc4Yy0xLjQyNywwLjY1Ny0yLjI5OCwyLjEtMi4yMTgsMy42NzUKCWMwLjA0OCwwLjk0OSwwLjQ5MywxLjg4NCwxLjI1MywyLjYzNEMyMi4xNTgsNjAuMjY5LDI4Ljg0LDYzLDM1Ljk4NSw2M2MwLjQ0NSwwLDAuODkyLTAuMDExLDEuMzQxLTAuMDMyCgljMTQuMTU2LTAuNjczLDI1LjQzMi0xMi4zMTUsMjUuNjcxLTI2LjUwNUM2My4xMTgsMjkuMjM2LDYwLjQwNywyMi4zOTYsNTUuMzY0LDE3LjIwMnoiLz4KPC9zdmc+Cg=="
-    },
-    "22248c4c-7a12-46e2-9a41-44291b373a4d": {
-		"name": "LogMeOnce",
-		"icon_dark": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjxzdmcgdmVyc2lvbj0iMS4xIiB2aWV3Qm94PSIwIDAgMjA0OCAyMDQ4IiB3aWR0aD0iMTI4IiBoZWlnaHQ9IjEyOCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTSAwIDAgTCAtNSAxIEwgLTE1IDQgTCAtMzggMTEgTCAtNTcgMTggTCAtNzYgMjkgTCAtOTAgMzggTCAtMTA5IDUyIEwgLTExNiA1OSBMIC0xMjcgNjggTCAtMTQwIDgxIEwgLTE0OCA4OCBMIC0xNDkgOTEgTCAtMTUxIDkxIEwgLTE2MSAxMDEgTCAtMTY5IDEwOCBMIC0xNjkgMTEwIEwgLTE3MSAxMTAgTCAtMTgwIDExOSBMIC0xODggMTI2IEwgLTIwMSAxMzcgTCAtMjEyIDE0NiBMIC0yMjYgMTU3IEwgLTIzOSAxNjcgTCAtMjUwIDE3NSBMIC0yNzAgMTg4IEwgLTI5MSAyMDIgTCAtMzA5IDIxMiBMIC0zMzAgMjI0IEwgLTM1MyAyMzUgTCAtMzg2IDI1MCBMIC00MDcgMjU5IEwgLTQ0OSAyNzMgTCAtNDcyIDI4MSBMIC01MDIgMjg5IEwgLTU1MSAyOTggTCAtNjE1IDMwOSBMIC02NDcgMzE2IEwgLTY4MSAzMjQgTCAtNjk4IDMzMCBMIC03MTQgMzM4IEwgLTczNSAzNTEgTCAtNzQ1IDM1OCBMIC03NTYgMzY3IEwgLTc2NCAzNzUgTCAtNzY2IDM3OSBMIC03NjggMzc5IEwgLTc3MyAzODUgTCAtNzgxIDM5NSBMIC03OTEgNDEwIEwgLTgwMSA0MjggTCAtODEwIDQ0NyBMIC04MTYgNDY1IEwgLTgyMiA1MDAgTCAtODI3IDU0NSBMIC04MzAgNTkyIEwgLTgzMiA2NTMgTCAtODMyIDcxMiBMIC04MzEgNzQyIEwgLTgyOCA3OTQgTCAtODIyIDg2NiBMIC04MTYgOTI4IEwgLTgxMiA5NTcgTCAtODAwIDEwMjAgTCAtNzg5IDEwNzIgTCAtNzgzIDEwOTggTCAtNzY1IDExNjIgTCAtNzUxIDEyMDcgTCAtNzQ0IDEyMjUgTCAtNzM0IDEyNTQgTCAtNzIwIDEyOTAgTCAtNzA0IDEzMjggTCAtNjg5IDEzNjEgTCAtNjY4IDE0MDMgTCAtNjUzIDE0MzEgTCAtNjM5IDE0NTYgTCAtNjIwIDE0ODggTCAtNjA3IDE1MDkgTCAtNTk0IDE1MjkgTCAtNTg0IDE1NDQgTCAtNTcxIDE1NjMgTCAtNTU4IDE1ODEgTCAtNTQ0IDE2MDAgTCAtNTMzIDE2MTUgTCAtNTIwIDE2MzIgTCAtNTA3IDE2NDggTCAtNDc5IDE2ODIgTCAtNDcwIDE2OTMgTCAtNDYwIDE3MDQgTCAtNDQ5IDE3MTYgTCAtNDQyIDE3MjQgTCAtNDMyIDE3MzQgTCAtNDI1IDE3NDIgTCAtMzY4IDE3OTkgTCAtMzUxIDE4MTUgTCAtMzM1IDE4MzAgTCAtMzI3IDE4MzcgTCAtMzE0IDE4NDkgTCAtMjg4IDE4NzEgTCAtMjcxIDE4ODUgTCAtMjYxIDE4OTMgTCAtMjQ0IDE5MDcgTCAtMjI4IDE5MTkgTCAtMjE1IDE5MjkgTCAtMTk2IDE5NDMgTCAtMTg0IDE5NTIgTCAtMTY4IDE5NjMgTCAtMTQ4IDE5NzcgTCAtMTMzIDE5ODcgTCAtMTEyIDIwMDAgTCAtODggMjAxMyBMIC03MiAyMDIxIEwgLTUyIDIwMzAgTCAtMzIgMjAzNyBMIDEyIDIwNDggTCA2MCAyMDQ4IEwgNjEgMjA0NyBMIDczIDIwNDQgTCAxMDAgMjAzNyBMIDEyMSAyMDI5IEwgMTQ5IDIwMTUgTCAxNjcgMjAwNSBMIDE4NiAxOTk0IEwgMjEwIDE5NzkgTCAyMzEgMTk2NSBMIDI2NiAxOTQxIEwgMjg0IDE5MjggTCAyOTUgMTkyMCBMIDMwNiAxOTExIEwgMzI0IDE4OTggTCAzMzggMTg4NyBMIDM0OSAxODc3IEwgMzU4IDE4NzAgTCAzNjkgMTg2MCBMIDM4MCAxODUxIEwgMzgwIDE4NDkgTCAzODIgMTg0OSBMIDM4NSAxODQ2IEwgMzk2IDE4MzcgTCA0MDMgMTgzMCBMIDQxMSAxODIzIEwgNDE4IDE4MTYgTCA0MjYgMTgwOSBMIDQ3NSAxNzYwIEwgNDc3IDE3NTYgTCA0NzkgMTc1NiBMIDQ4NyAxNzQ3IEwgNTAzIDE3MzAgTCA1MTAgMTcyMiBMIDUxOSAxNzEyIEwgNTI2IDE3MDQgTCA1MzggMTY5MSBMIDU0NyAxNjgwIEwgNTU4IDE2NjcgTCA1NjYgMTY1NiBMIDU3OSAxNjQwIEwgNTkwIDE2MjYgTCA2MDYgMTYwNSBMIDYyMSAxNTgzIEwgNjMxIDE1NjkgTCA2NDUgMTU0OSBMIDY1NSAxNTMzIEwgNjcwIDE1MTAgTCA2ODUgMTQ4NSBMIDY5NiAxNDY3IEwgNzA2IDE0NDkgTCA3MzAgMTQwNSBMIDc0NSAxMzc0IEwgNzYyIDEzMzggTCA3NzQgMTMxMCBMIDc5MiAxMjY3IEwgODExIDEyMTYgTCA4MjcgMTE2NiBMIDg0MiAxMTE3IEwgODU4IDEwNTEgTCA4NzAgOTk2IEwgODc1IDk2NyBMIDg4MSA5MTcgTCA4ODYgODgyIEwgODkxIDg0NiBMIDg5NCA4MTIgTCA4OTYgNzc0IEwgODk2IDY1NSBMIDg5NSA2MzAgTCA4OTIgNTkzIEwgODg4IDU1OSBMIDg3NyA0NzAgTCA4NzIgNDQ1IEwgODY1IDQyNiBMIDg1NyA0MTEgTCA4NDcgMzk1IEwgODM0IDM3OCBMIDgxNCAzNTggTCA4MDAgMzQ3IEwgNzg1IDMzNyBMIDc2NiAzMjcgTCA3NTAgMzIxIEwgNzI3IDMxNSBMIDY5MyAzMDggTCA2NTAgMzAxIEwgNTk3IDI5MiBMIDU3MCAyODYgTCA1NDggMjgwIEwgNTE1IDI3MCBMIDQ4NyAyNjEgTCA0NTkgMjUwIEwgNDM4IDI0MSBMIDQxNCAyMzAgTCAzODIgMjEzIEwgMzU4IDE5OSBMIDM0NyAxOTIgTCAzMzAgMTgwIEwgMzEyIDE2NyBMIDMwMCAxNTcgTCAyODYgMTQ2IEwgMjcxIDEzMyBMIDI2MyAxMjYgTCAyNTEgMTE1IEwgMjQwIDEwNiBMIDIyOCA5NSBMIDIwMCA3MSBMIDE4OSA2MiBMIDE3NCA1MCBMIDE1OCAzOCBMIDE0MiAyNyBMIDEyNyAxOSBMIDExNSAxNCBMIDk1IDggTCA3MSAwIEwgMCAwIHogTSAzMCA2MjIgTCA1MSA2MjMgTCA3OSA2MjcgTCAxMDAgNjMzIEwgMTIxIDY0MSBMIDE0MSA2NTIgTCAxNTcgNjYzIEwgMTcyIDY3NiBMIDE4NiA2OTAgTCAxODYgNjkyIEwgMTg4IDY5MiBMIDIwNiA3MTYgTCAyMTYgNzM0IEwgMjIxIDc0NSBMIDIyNiA3NTggTCAyMzMgNzg0IEwgMjM2IDc5OCBMIDIzNyA4MDggTCAyMzcgODQwIEwgMjMzIDg2NSBMIDIyNiA4OTEgTCAyMTkgOTA5IEwgMjA5IDkyOCBMIDE5NSA5NDkgTCAxODYgOTU5IEwgMTc5IDk2NyBMIDE2NiA5ODAgTCAxNTUgOTg5IEwgMTQyIDk5OCBMIDEyNiAxMDA3IEwgMTEzIDEwMTIgTCAxMTQgMTAyNCBMIDEyMiAxMDYwIEwgMTM3IDExMjMgTCAxNTYgMTIwOCBMIDE3MCAxMjcxIEwgMTc0IDEyOTYgTCAxNzYgMTMxMCBMIDE3NiAxMzM1IEwgMTczIDEzNDkgTCAxNjYgMTM1OSBMIDE1NyAxMzY3IEwgMTQ2IDEzNzIgTCAxNDAgMTM3NCBMIDExOSAxMzc2IEwgNTEgMTM3NiBMIC0zMiAxMzc3IEwgLTY0IDEzNzcgTCAtNzggMTM3NCBMIC04NSAxMzcwIEwgLTk4IDEzNTkgTCAtMTA2IDEzNDkgTCAtMTEwIDEzNDEgTCAtMTEyIDEzMzMgTCAtMTEyIDEzMTggTCAtMTA3IDEyODggTCAtMTAwIDEyNTYgTCAtODUgMTE5NiBMIC02OSAxMTI0IEwgLTU3IDEwNzIgTCAtNTAgMTAzNiBMIC00NyAxMDExIEwgLTUzIDEwMDkgTCAtNjkgMTAwMSBMIC04MSA5OTQgTCAtOTMgOTg1IEwgLTEwMyA5NzYgTCAtMTExIDk2OSBMIC0xMjAgOTYwIEwgLTEzMSA5NDYgTCAtMTQyIDkyOSBMIC0xNTIgOTEwIEwgLTE2MCA4OTAgTCAtMTY2IDg3MCBMIC0xNjkgODUzIEwgLTE3MCA4NDQgTCAtMTcwIDgxNCBMIC0xNjcgNzk0IEwgLTE2MSA3NjcgTCAtMTU0IDc0NiBMIC0xMzcgNzEzIEwgLTEyNiA2OTggTCAtMTE5IDY5MCBMIC0xMDggNjc4IEwgLTkzIDY2NSBMIC03NyA2NTMgTCAtNTYgNjQxIEwgLTM4IDYzMyBMIC0xNiA2MjcgTCAzIDYyNCBMIDMwIDYyMiB6ICIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoOTkxKSIgc3R5bGU9ImZpbGw6I2ZmZmZmZiIgLz4KPC9zdmc+Cg==",
-		"icon_light": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAyMDQ4IDIwNDgiIHdpZHRoPSIxMjgiIGhlaWdodD0iMTI4IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSg5OTEpIiBkPSJtMCAwaDcxbDI0IDggMjAgNiAxMiA1IDE1IDggMTYgMTEgMTYgMTIgMTUgMTIgMTEgOSAyOCAyNCAxMiAxMSAxMSA5IDEyIDExIDggNyAxNSAxMyAxNCAxMSAxMiAxMCAxOCAxMyAxNyAxMiAxMSA3IDI0IDE0IDMyIDE3IDI0IDExIDIxIDkgMjggMTEgMjggOSAzMyAxMCAyMiA2IDI3IDYgNTMgOSA0MyA3IDM0IDcgMjMgNiAxNiA2IDE5IDEwIDE1IDEwIDE0IDExIDIwIDIwIDEzIDE3IDEwIDE2IDggMTUgNyAxOSA1IDI1IDExIDg5IDQgMzQgMyAzNyAxIDI1djExOWwtMiAzOC0zIDM0LTUgMzYtNSAzNS02IDUwLTUgMjktMTIgNTUtMTYgNjYtMTUgNDktMTYgNTAtMTkgNTEtMTggNDMtMTIgMjgtMTcgMzYtMTUgMzEtMjQgNDQtMTAgMTgtMTEgMTgtMTUgMjUtMTUgMjMtMTAgMTYtMTQgMjAtMTAgMTQtMTUgMjItMTYgMjEtMTEgMTQtMTMgMTYtOCAxMS0xMSAxMy05IDExLTEyIDEzLTcgOC05IDEwLTcgOC0xNiAxNy04IDloLTJsLTIgNC00OSA0OS04IDctNyA3LTggNy03IDctMTEgOS0zIDNoLTJ2MmwtMTEgOS0xMSAxMC05IDctMTEgMTAtMTQgMTEtMTggMTMtMTEgOS0xMSA4LTE4IDEzLTM1IDI0LTIxIDE0LTI0IDE1LTE5IDExLTE4IDEwLTI4IDE0LTIxIDgtMjcgNy0xMiAzLTEgMWgtNDhsLTQ0LTExLTIwLTctMjAtOS0xNi04LTI0LTEzLTIxLTEzLTE1LTEwLTIwLTE0LTE2LTExLTEyLTktMTktMTQtMTMtMTAtMTYtMTItMTctMTQtMTAtOC0xNy0xNC0yNi0yMi0xMy0xMi04LTctMTYtMTUtMTctMTYtNTctNTctNy04LTEwLTEwLTctOC0xMS0xMi0xMC0xMS05LTExLTI4LTM0LTEzLTE2LTEzLTE3LTExLTE1LTE0LTE5LTEzLTE4LTEzLTE5LTEwLTE1LTEzLTIwLTEzLTIxLTE5LTMyLTE0LTI1LTE1LTI4LTIxLTQyLTE1LTMzLTE2LTM4LTE0LTM2LTEwLTI5LTctMTgtMTQtNDUtMTgtNjQtNi0yNi0xMS01Mi0xMi02My00LTI5LTYtNjItNi03Mi0zLTUyLTEtMzB2LTU5bDItNjEgMy00NyA1LTQ1IDYtMzUgNi0xOCA5LTE5IDEwLTE4IDEwLTE1IDgtMTAgNS02aDJsMi00IDgtOCAxMS05IDEwLTcgMjEtMTMgMTYtOCAxNy02IDM0LTggMzItNyA2NC0xMSA0OS05IDMwLTggMjMtOCA0Mi0xNCAyMS05IDMzLTE1IDIzLTExIDIxLTEyIDE4LTEwIDIxLTE0IDIwLTEzIDExLTggMTMtMTAgMTQtMTEgMTEtOSAxMy0xMSA4LTcgOS05aDJ2LTJsOC03IDEwLTEwaDJsMS0zIDgtNyAxMy0xMyAxMS05IDctNyAxOS0xNCAxNC05IDE5LTExIDE5LTcgMjMtNyAxMC0zeiIgZmlsbD0iI0YxODQyOSIvPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxMDIxLDYyMikiIGQ9Im0wIDAgMjEgMSAyOCA0IDIxIDYgMjEgOCAyMCAxMSAxNiAxMSAxNSAxMyAxNCAxNHYyaDJsMTggMjQgMTAgMTggNSAxMSA1IDEzIDcgMjYgMyAxNCAxIDEwdjMybC00IDI1LTcgMjYtNyAxOC0xMCAxOS0xNCAyMS05IDEwLTcgOC0xMyAxMy0xMSA5LTEzIDktMTYgOS0xMyA1IDEgMTIgOCAzNiAxNSA2MyAxOSA4NSAxNCA2MyA0IDI1IDIgMTR2MjVsLTMgMTQtNyAxMC05IDgtMTEgNS02IDItMjEgMmgtNjhsLTgzIDFoLTMybC0xNC0zLTctNC0xMy0xMS04LTEwLTQtOC0yLTh2LTE1bDUtMzAgNy0zMiAxNS02MCAxNi03MiAxMi01MiA3LTM2IDMtMjUtNi0yLTE2LTgtMTItNy0xMi05LTEwLTktOC03LTktOS0xMS0xNC0xMS0xNy0xMC0xOS04LTIwLTYtMjAtMy0xNy0xLTl2LTMwbDMtMjAgNi0yNyA3LTIxIDE3LTMzIDExLTE1IDctOCAxMS0xMiAxNS0xMyAxNi0xMiAyMS0xMiAxOC04IDIyLTYgMTktM3oiIGZpbGw9IiNGRUZGRkUiLz4KPC9zdmc+Cg=="
-	}
-}
+    }
+}
--- a/authentik/stages/email/templates/email/password_reset.html
+++ b/authentik/stages/email/templates/email/password_reset.html
@ -37,7 +37,7 @@
 <tr>
  <td style="padding: 20px; font-size: 12px; color: #212124;" align="center">
    {% blocktrans with expires=expires|naturaltime %}
-    If you did not request a password change, please ignore this email. The link above is valid for {{ expires }}.
+    If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}.
    {% endblocktrans %}
  </td>
 </tr>
--- a/authentik/stages/email/templates/email/password_reset.txt
+++ b/authentik/stages/email/templates/email/password_reset.txt
@ -5,7 +5,7 @@ You recently requested to change your password for your authentik account. Use t
 {% endblocktrans %}
 {{ url }}
 {% blocktrans with expires=expires|naturaltime %}
-If you did not request a password change, please ignore this email. The link above is valid for {{ expires }}.
+If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}.
 {% endblocktrans %}

 -- 
--- a/authentik/stages/redirect/init.py
+++ b/authentik/stages/redirect/init.py
--- a/authentik/stages/redirect/api.py
+++ b/authentik/stages/redirect/api.py
@ -1,42 +0,0 @@
-"""RedirectStage API Views"""
-
-from django.utils.translation import gettext_lazy as _
-from rest_framework.serializers import ValidationError
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.flows.api.stages import StageSerializer
-from authentik.stages.redirect.models import RedirectMode, RedirectStage
-
-
-class RedirectStageSerializer(StageSerializer):
-    """RedirectStage Serializer"""
-
-    def validate(self, attrs):
-        mode = attrs.get("mode")
-        target_static = attrs.get("target_static")
-        target_flow = attrs.get("target_flow")
-        if mode == RedirectMode.STATIC and not target_static:
-            raise ValidationError(_("Target URL should be present when mode is Static."))
-        if mode == RedirectMode.FLOW and not target_flow:
-            raise ValidationError(_("Target Flow should be present when mode is Flow."))
-        return attrs
-
-    class Meta:
-        model = RedirectStage
-        fields = StageSerializer.Meta.fields + [
-            "keep_context",
-            "mode",
-            "target_static",
-            "target_flow",
-        ]
-
-
-class RedirectStageViewSet(UsedByMixin, ModelViewSet):
-    """RedirectStage Viewset"""
-
-    queryset = RedirectStage.objects.all()
-    serializer_class = RedirectStageSerializer
-    filterset_fields = ["name"]
-    search_fields = ["name"]
-    ordering = ["name"]
--- a/authentik/stages/redirect/apps.py
+++ b/authentik/stages/redirect/apps.py
@ -1,11 +0,0 @@
-"""authentik redirect app"""
-
-from django.apps import AppConfig
-
-
-class AuthentikStageRedirectConfig(AppConfig):
-    """authentik redirect app"""
-
-    name = "authentik.stages.redirect"
-    label = "authentik_stages_redirect"
-    verbose_name = "authentik Stages.Redirect"
--- a/authentik/stages/redirect/migrations/0001_initial.py
+++ b/authentik/stages/redirect/migrations/0001_initial.py
@ -1,49 +0,0 @@
-# Generated by Django 5.0.10 on 2024-12-11 14:40
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_flows", "0027_auto_20231028_1424"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="RedirectStage",
-            fields=[
-                (
-                    "stage_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_flows.stage",
-                    ),
-                ),
-                ("keep_context", models.BooleanField(default=True)),
-                ("mode", models.TextField(choices=[("static", "Static"), ("flow", "Flow")])),
-                ("target_static", models.CharField(blank=True, default="")),
-                (
-                    "target_flow",
-                    models.ForeignKey(
-                        blank=True,
-                        null=True,
-                        on_delete=django.db.models.deletion.SET_NULL,
-                        to="authentik_flows.flow",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Redirect Stage",
-                "verbose_name_plural": "Redirect Stages",
-            },
-            bases=("authentik_flows.stage",),
-        ),
-    ]
--- a/authentik/stages/redirect/migrations/init.py
+++ b/authentik/stages/redirect/migrations/init.py
--- a/authentik/stages/redirect/models.py
+++ b/authentik/stages/redirect/models.py
@ -1,49 +0,0 @@
-"""authentik redirect stage"""
-
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-from django.views import View
-from rest_framework.serializers import BaseSerializer
-
-from authentik.flows.models import Flow, Stage
-
-
-class RedirectMode(models.TextChoices):
-    """Mode a Redirect stage can operate in"""
-
-    STATIC = "static"
-    FLOW = "flow"
-
-
-class RedirectStage(Stage):
-    """Redirect the user to another flow, potentially with all gathered context"""
-
-    keep_context = models.BooleanField(default=True)
-    mode = models.TextField(choices=RedirectMode.choices)
-    target_static = models.CharField(blank=True, default="")
-    target_flow = models.ForeignKey(
-        Flow,
-        null=True,
-        blank=True,
-        on_delete=models.SET_NULL,
-    )
-
-    @property
-    def serializer(self) -> type[BaseSerializer]:
-        from authentik.stages.redirect.api import RedirectStageSerializer
-
-        return RedirectStageSerializer
-
-    @property
-    def view(self) -> type[View]:
-        from authentik.stages.redirect.stage import RedirectStageView
-
-        return RedirectStageView
-
-    @property
-    def component(self) -> str:
-        return "ak-stage-redirect-form"
-
-    class Meta:
-        verbose_name = _("Redirect Stage")
-        verbose_name_plural = _("Redirect Stages")
--- a/authentik/stages/redirect/stage.py
+++ b/authentik/stages/redirect/stage.py
@ -1,112 +0,0 @@
-"""authentik redirect stage"""
-
-from urllib.parse import urlsplit
-
-from django.http.response import HttpResponse
-from rest_framework.fields import CharField
-
-from authentik.flows.challenge import (
-    Challenge,
-    ChallengeResponse,
-    RedirectChallenge,
-)
-from authentik.flows.exceptions import FlowNonApplicableException
-from authentik.flows.models import (
-    Flow,
-)
-from authentik.flows.planner import (
-    PLAN_CONTEXT_IS_REDIRECTED,
-    PLAN_CONTEXT_REDIRECT_STAGE_TARGET,
-    FlowPlanner,
-)
-from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import SESSION_KEY_GET, SESSION_KEY_PLAN, InvalidStageError
-from authentik.lib.utils.urls import reverse_with_qs
-from authentik.stages.redirect.models import RedirectMode, RedirectStage
-
-URL_SCHEME_FLOW = "ak-flow"
-
-
-class RedirectChallengeResponse(ChallengeResponse):
-    """Redirect challenge response"""
-
-    component = CharField(default="xak-flow-redirect")
-    to = CharField()
-
-
-class RedirectStageView(ChallengeStageView):
-    """Redirect stage to redirect to other Flows with context"""
-
-    response_class = RedirectChallengeResponse
-
-    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
-        return self.executor.stage_ok()
-
-    def parse_target(self, target: str) -> str | Flow:
-        parsed_target = urlsplit(target)
-
-        if parsed_target.scheme != URL_SCHEME_FLOW:
-            return target
-
-        flow = Flow.objects.filter(slug=parsed_target.netloc).first()
-        if not flow:
-            self.logger.warning(
-                f"Flow set by {PLAN_CONTEXT_REDIRECT_STAGE_TARGET} does not exist",
-                flow_slug=parsed_target.path,
-            )
-        return flow
-
-    def switch_flow_with_context(self, flow: Flow, keep_context=True) -> str:
-        """Switch to another flow, optionally keeping all context"""
-        self.logger.info(
-            "f(exec): Switching to new flow", new_flow=flow.slug, keep_context=keep_context
-        )
-        planner = FlowPlanner(flow)
-        planner.use_cache = False
-        default_context = self.executor.plan.context if keep_context else {}
-        try:
-            default_context[PLAN_CONTEXT_IS_REDIRECTED] = self.executor.flow
-            plan = planner.plan(self.request, default_context)
-        except FlowNonApplicableException as exc:
-            raise InvalidStageError() from exc
-        self.request.session[SESSION_KEY_PLAN] = plan
-        kwargs = self.executor.kwargs
-        kwargs.update({"flow_slug": flow.slug})
-        return reverse_with_qs(
-            "authentik_core:if-flow", self.request.session[SESSION_KEY_GET], kwargs=kwargs
-        )
-
-    def get_challenge(self, *args, **kwargs) -> Challenge:
-        """Get the redirect target. Prioritize `redirect_stage_target` if present."""
-
-        current_stage: RedirectStage = self.executor.current_stage
-        target: str | Flow = ""
-
-        target_url_override = self.executor.plan.context.get(PLAN_CONTEXT_REDIRECT_STAGE_TARGET, "")
-        if target_url_override:
-            target = self.parse_target(target_url_override)
-        # `target` is falsy if the override was to a Flow but that Flow doesn't exist.
-        if not target:
-            if current_stage.mode == RedirectMode.STATIC:
-                target = current_stage.target_static
-            if current_stage.mode == RedirectMode.FLOW:
-                target = current_stage.target_flow
-
-        if isinstance(target, str):
-            redirect_to = target
-        else:
-            redirect_to = self.switch_flow_with_context(
-                target, keep_context=current_stage.keep_context
-            )
-
-        if not redirect_to:
-            raise InvalidStageError(
-                "No target found for Redirect stage. The stage's target_flow may have been deleted."
-            )
-
-        return RedirectChallenge(
-            data={
-                "component": "xak-flow-redirect",
-                "to": redirect_to,
-            }
-        )
--- a/authentik/stages/redirect/tests.py
+++ b/authentik/stages/redirect/tests.py
@ -1,191 +0,0 @@
-"""Test Redirect stage"""
-
-from urllib.parse import urlencode
-
-from django.urls.base import reverse
-from rest_framework.exceptions import ValidationError
-
-from authentik.core.tests.utils import create_test_flow
-from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation, FlowStageBinding
-from authentik.flows.tests import FlowTestCase
-from authentik.lib.generators import generate_id
-from authentik.policies.expression.models import ExpressionPolicy
-from authentik.policies.models import PolicyBinding
-from authentik.stages.dummy.models import DummyStage
-from authentik.stages.redirect.api import RedirectStageSerializer
-from authentik.stages.redirect.models import RedirectMode, RedirectStage
-
-URL = "https://url.test/"
-URL_OVERRIDE = "https://urloverride.test/"
-
-
-class TestRedirectStage(FlowTestCase):
-    """Test Redirect stage API"""
-
-    def setUp(self):
-        super().setUp()
-        self.target_flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-        self.dummy_stage = DummyStage.objects.create(name="dummy")
-        FlowStageBinding.objects.create(target=self.target_flow, stage=self.dummy_stage, order=0)
-        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-        self.stage = RedirectStage.objects.create(
-            name="redirect",
-            keep_context=True,
-            mode=RedirectMode.STATIC,
-            target_static=URL,
-            target_flow=self.target_flow,
-        )
-        self.binding = FlowStageBinding.objects.create(
-            target=self.flow,
-            stage=self.stage,
-            order=0,
-        )
-
-    def test_static(self):
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertStageRedirects(response, URL)
-
-    def test_flow(self):
-        self.stage.mode = RedirectMode.FLOW
-        self.stage.save()
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertStageRedirects(
-            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
-        )
-
-    def test_flow_query(self):
-        self.stage.mode = RedirectMode.FLOW
-        self.stage.save()
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-            + "?"
-            + urlencode({"query": urlencode({"test": "foo"})})
-        )
-
-        self.assertStageRedirects(
-            response,
-            reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
-            + "?"
-            + urlencode({"test": "foo"}),
-        )
-
-    def test_override_static(self):
-        policy = ExpressionPolicy.objects.create(
-            name=generate_id(),
-            expression=f"context['flow_plan'].context['redirect_stage_target'] = "
-            f"'{URL_OVERRIDE}'; return True",
-        )
-        PolicyBinding.objects.create(policy=policy, target=self.binding, order=0)
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertStageRedirects(response, URL_OVERRIDE)
-
-    def test_override_flow(self):
-        target_flow_override = create_test_flow(FlowDesignation.AUTHENTICATION)
-        dummy_stage_override = DummyStage.objects.create(name="dummy_override")
-        FlowStageBinding.objects.create(
-            target=target_flow_override, stage=dummy_stage_override, order=0
-        )
-        policy = ExpressionPolicy.objects.create(
-            name=generate_id(),
-            expression=f"context['flow_plan'].context['redirect_stage_target'] = "
-            f"'ak-flow://{target_flow_override.slug}'; return True",
-        )
-        PolicyBinding.objects.create(policy=policy, target=self.binding, order=0)
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertStageRedirects(
-            response,
-            reverse("authentik_core:if-flow", kwargs={"flow_slug": target_flow_override.slug}),
-        )
-
-    def test_override_nonexistant_flow(self):
-        policy = ExpressionPolicy.objects.create(
-            name=generate_id(),
-            expression="context['flow_plan'].context['redirect_stage_target'] = "
-            "'ak-flow://nonexistent'; return True",
-        )
-        PolicyBinding.objects.create(policy=policy, target=self.binding, order=0)
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertStageRedirects(response, URL)
-
-    def test_target_flow_requires_redirect(self):
-        self.target_flow.authentication = FlowAuthenticationRequirement.REQUIRE_REDIRECT
-        self.target_flow.save()
-        self.stage.mode = RedirectMode.FLOW
-        self.stage.save()
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertStageRedirects(
-            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
-        )
-
-    def test_target_flow_non_applicable(self):
-        self.target_flow.authentication = FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
-        self.target_flow.save()
-        self.stage.mode = RedirectMode.FLOW
-        self.stage.save()
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertStageResponse(response, component="ak-stage-access-denied")
-
-    def test_serializer(self):
-        with self.assertRaises(ValidationError):
-            RedirectStageSerializer(
-                data={
-                    "name": generate_id(20),
-                    "mode": RedirectMode.STATIC,
-                }
-            ).is_valid(raise_exception=True)
-
-        self.assertTrue(
-            RedirectStageSerializer(
-                data={
-                    "name": generate_id(20),
-                    "mode": RedirectMode.STATIC,
-                    "target_static": URL,
-                }
-            ).is_valid(raise_exception=True)
-        )
-
-        with self.assertRaises(ValidationError):
-            RedirectStageSerializer(
-                data={
-                    "name": generate_id(20),
-                    "mode": RedirectMode.FLOW,
-                }
-            ).is_valid(raise_exception=True)
-
-        self.assertTrue(
-            RedirectStageSerializer(
-                data={
-                    "name": generate_id(20),
-                    "mode": RedirectMode.FLOW,
-                    "target_flow": create_test_flow().flow_uuid,
-                }
-            ).is_valid(raise_exception=True)
-        )
--- a/authentik/stages/redirect/urls.py
+++ b/authentik/stages/redirect/urls.py
@ -1,5 +0,0 @@
-"""API URLs"""
-
-from authentik.stages.redirect.api import RedirectStageViewSet
-
-api_urlpatterns = [("stages/redirect", RedirectStageViewSet)]
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.12.5 Blueprint schema",
+    "title": "authentik 2024.10.5 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -2801,46 +2801,6 @@
                            }
                        }
                    },
-                    {
-                        "type": "object",
-                        "required": [
-                            "model",
-                            "identifiers"
-                        ],
-                        "properties": {
-                            "model": {
-                                "const": "authentik_stages_redirect.redirectstage"
-                            },
-                            "id": {
-                                "type": "string"
-                            },
-                            "state": {
-                                "type": "string",
-                                "enum": [
-                                    "absent",
-                                    "present",
-                                    "created",
-                                    "must_created"
-                                ],
-                                "default": "present"
-                            },
-                            "conditions": {
-                                "type": "array",
-                                "items": {
-                                    "type": "boolean"
-                                }
-                            },
-                            "permissions": {
-                                "$ref": "#/$defs/model_authentik_stages_redirect.redirectstage_permissions"
-                            },
-                            "attrs": {
-                                "$ref": "#/$defs/model_authentik_stages_redirect.redirectstage"
-                            },
-                            "identifiers": {
-                                "$ref": "#/$defs/model_authentik_stages_redirect.redirectstage"
-                            }
-                        }
-                    },
                    {
                        "type": "object",
                        "required": [
@ -3201,46 +3161,6 @@
                            }
                        }
                    },
-                    {
-                        "type": "object",
-                        "required": [
-                            "model",
-                            "identifiers"
-                        ],
-                        "properties": {
-                            "model": {
-                                "const": "authentik_core.applicationentitlement"
-                            },
-                            "id": {
-                                "type": "string"
-                            },
-                            "state": {
-                                "type": "string",
-                                "enum": [
-                                    "absent",
-                                    "present",
-                                    "created",
-                                    "must_created"
-                                ],
-                                "default": "present"
-                            },
-                            "conditions": {
-                                "type": "array",
-                                "items": {
-                                    "type": "boolean"
-                                }
-                            },
-                            "permissions": {
-                                "$ref": "#/$defs/model_authentik_core.applicationentitlement_permissions"
-                            },
-                            "attrs": {
-                                "$ref": "#/$defs/model_authentik_core.applicationentitlement"
-                            },
-                            "identifiers": {
-                                "$ref": "#/$defs/model_authentik_core.applicationentitlement"
-                            }
-                        }
-                    },
                    {
                        "type": "object",
                        "required": [
@ -4103,7 +4023,6 @@
                        "require_authenticated",
                        "require_unauthenticated",
                        "require_superuser",
-                        "require_redirect",
                        "require_outpost"
                    ],
                    "title": "Authentication",
@ -4574,7 +4493,6 @@
                        "authentik.stages.invitation",
                        "authentik.stages.password",
                        "authentik.stages.prompt",
-                        "authentik.stages.redirect",
                        "authentik.stages.user_delete",
                        "authentik.stages.user_login",
                        "authentik.stages.user_logout",
@ -4670,7 +4588,6 @@
                        "authentik_stages_password.passwordstage",
                        "authentik_stages_prompt.prompt",
                        "authentik_stages_prompt.promptstage",
-                        "authentik_stages_redirect.redirectstage",
                        "authentik_stages_user_delete.userdeletestage",
                        "authentik_stages_user_login.userloginstage",
                        "authentik_stages_user_logout.userlogoutstage",
@ -4680,7 +4597,6 @@
                        "authentik_core.group",
                        "authentik_core.user",
                        "authentik_core.application",
-                        "authentik_core.applicationentitlement",
                        "authentik_core.token",
                        "authentik_enterprise.license",
                        "authentik_providers_google_workspace.googleworkspaceprovider",
@ -6410,7 +6326,6 @@
                            "authentik_brands.delete_brand",
                            "authentik_brands.view_brand",
                            "authentik_core.add_application",
-                            "authentik_core.add_applicationentitlement",
                            "authentik_core.add_authenticatedsession",
                            "authentik_core.add_group",
                            "authentik_core.add_groupsourceconnection",
@ -6423,7 +6338,6 @@
                            "authentik_core.add_usersourceconnection",
                            "authentik_core.assign_user_permissions",
                            "authentik_core.change_application",
-                            "authentik_core.change_applicationentitlement",
                            "authentik_core.change_authenticatedsession",
                            "authentik_core.change_group",
                            "authentik_core.change_groupsourceconnection",
@ -6434,7 +6348,6 @@
                            "authentik_core.change_user",
                            "authentik_core.change_usersourceconnection",
                            "authentik_core.delete_application",
-                            "authentik_core.delete_applicationentitlement",
                            "authentik_core.delete_authenticatedsession",
                            "authentik_core.delete_group",
                            "authentik_core.delete_groupsourceconnection",
@ -6450,7 +6363,6 @@
                            "authentik_core.reset_user_password",
                            "authentik_core.unassign_user_permissions",
                            "authentik_core.view_application",
-                            "authentik_core.view_applicationentitlement",
                            "authentik_core.view_authenticatedsession",
                            "authentik_core.view_group",
                            "authentik_core.view_groupsourceconnection",
@ -6901,10 +6813,6 @@
                            "authentik_stages_prompt.delete_promptstage",
                            "authentik_stages_prompt.view_prompt",
                            "authentik_stages_prompt.view_promptstage",
-                            "authentik_stages_redirect.add_redirectstage",
-                            "authentik_stages_redirect.change_redirectstage",
-                            "authentik_stages_redirect.delete_redirectstage",
-                            "authentik_stages_redirect.view_redirectstage",
                            "authentik_stages_source.add_sourcestage",
                            "authentik_stages_source.change_sourcestage",
                            "authentik_stages_source.delete_sourcestage",
@ -7068,16 +6976,6 @@
                    "title": "Krb5 conf",
                    "description": "Custom krb5.conf to use. Uses the system one by default"
                },
-                "kadmin_type": {
-                    "type": "string",
-                    "enum": [
-                        "MIT",
-                        "Heimdal",
-                        "other"
-                    ],
-                    "title": "Kadmin type",
-                    "description": "KAdmin server type"
-                },
                "sync_users": {
                    "type": "boolean",
                    "title": "Sync users",
@ -7215,10 +7113,6 @@
                    "type": "integer",
                    "title": "User"
                },
-                "source": {
-                    "type": "integer",
-                    "title": "Source"
-                },
                "identifier": {
                    "type": "string",
                    "minLength": 1,
@ -7261,20 +7155,6 @@
        "model_authentik_sources_kerberos.groupkerberossourceconnection": {
            "type": "object",
            "properties": {
-                "group": {
-                    "type": "string",
-                    "format": "uuid",
-                    "title": "Group"
-                },
-                "source": {
-                    "type": "integer",
-                    "title": "Source"
-                },
-                "identifier": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Identifier"
-                },
                "icon": {
                    "type": "string",
                    "minLength": 1,
@ -7818,14 +7698,6 @@
        "model_authentik_sources_oauth.useroauthsourceconnection": {
            "type": "object",
            "properties": {
-                "user": {
-                    "type": "integer",
-                    "title": "User"
-                },
-                "source": {
-                    "type": "integer",
-                    "title": "Source"
-                },
                "identifier": {
                    "type": "string",
                    "maxLength": 255,
@ -7876,20 +7748,6 @@
        "model_authentik_sources_oauth.groupoauthsourceconnection": {
            "type": "object",
            "properties": {
-                "group": {
-                    "type": "string",
-                    "format": "uuid",
-                    "title": "Group"
-                },
-                "source": {
-                    "type": "integer",
-                    "title": "Source"
-                },
-                "identifier": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Identifier"
-                },
                "icon": {
                    "type": "string",
                    "minLength": 1,
@ -8123,14 +7981,6 @@
        "model_authentik_sources_plex.userplexsourceconnection": {
            "type": "object",
            "properties": {
-                "user": {
-                    "type": "integer",
-                    "title": "User"
-                },
-                "source": {
-                    "type": "integer",
-                    "title": "Source"
-                },
                "identifier": {
                    "type": "string",
                    "minLength": 1,
@ -8178,20 +8028,6 @@
        "model_authentik_sources_plex.groupplexsourceconnection": {
            "type": "object",
            "properties": {
-                "group": {
-                    "type": "string",
-                    "format": "uuid",
-                    "title": "Group"
-                },
-                "source": {
-                    "type": "integer",
-                    "title": "Source"
-                },
-                "identifier": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Identifier"
-                },
                "icon": {
                    "type": "string",
                    "minLength": 1,
@ -8502,14 +8338,6 @@
        "model_authentik_sources_saml.usersamlsourceconnection": {
            "type": "object",
            "properties": {
-                "user": {
-                    "type": "integer",
-                    "title": "User"
-                },
-                "source": {
-                    "type": "integer",
-                    "title": "Source"
-                },
                "identifier": {
                    "type": "string",
                    "minLength": 1,
@ -8552,20 +8380,6 @@
        "model_authentik_sources_saml.groupsamlsourceconnection": {
            "type": "object",
            "properties": {
-                "group": {
-                    "type": "string",
-                    "format": "uuid",
-                    "title": "Group"
-                },
-                "source": {
-                    "type": "integer",
-                    "title": "Source"
-                },
-                "identifier": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Identifier"
-                },
                "icon": {
                    "type": "string",
                    "minLength": 1,
@ -11661,146 +11475,6 @@
                }
            }
        },
-        "model_authentik_stages_redirect.redirectstage": {
-            "type": "object",
-            "properties": {
-                "name": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Name"
-                },
-                "flow_set": {
-                    "type": "array",
-                    "items": {
-                        "type": "object",
-                        "properties": {
-                            "name": {
-                                "type": "string",
-                                "minLength": 1,
-                                "title": "Name"
-                            },
-                            "slug": {
-                                "type": "string",
-                                "maxLength": 50,
-                                "minLength": 1,
-                                "pattern": "^[-a-zA-Z0-9_]+$",
-                                "title": "Slug",
-                                "description": "Visible in the URL."
-                            },
-                            "title": {
-                                "type": "string",
-                                "minLength": 1,
-                                "title": "Title",
-                                "description": "Shown as the Title in Flow pages."
-                            },
-                            "designation": {
-                                "type": "string",
-                                "enum": [
-                                    "authentication",
-                                    "authorization",
-                                    "invalidation",
-                                    "enrollment",
-                                    "unenrollment",
-                                    "recovery",
-                                    "stage_configuration"
-                                ],
-                                "title": "Designation",
-                                "description": "Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
-                            },
-                            "policy_engine_mode": {
-                                "type": "string",
-                                "enum": [
-                                    "all",
-                                    "any"
-                                ],
-                                "title": "Policy engine mode"
-                            },
-                            "compatibility_mode": {
-                                "type": "boolean",
-                                "title": "Compatibility mode",
-                                "description": "Enable compatibility mode, increases compatibility with password managers on mobile devices."
-                            },
-                            "layout": {
-                                "type": "string",
-                                "enum": [
-                                    "stacked",
-                                    "content_left",
-                                    "content_right",
-                                    "sidebar_left",
-                                    "sidebar_right"
-                                ],
-                                "title": "Layout"
-                            },
-                            "denied_action": {
-                                "type": "string",
-                                "enum": [
-                                    "message_continue",
-                                    "message",
-                                    "continue"
-                                ],
-                                "title": "Denied action",
-                                "description": "Configure what should happen when a flow denies access to a user."
-                            }
-                        },
-                        "required": [
-                            "name",
-                            "slug",
-                            "title",
-                            "designation"
-                        ]
-                    },
-                    "title": "Flow set"
-                },
-                "keep_context": {
-                    "type": "boolean",
-                    "title": "Keep context"
-                },
-                "mode": {
-                    "type": "string",
-                    "enum": [
-                        "static",
-                        "flow"
-                    ],
-                    "title": "Mode"
-                },
-                "target_static": {
-                    "type": "string",
-                    "title": "Target static"
-                },
-                "target_flow": {
-                    "type": "string",
-                    "format": "uuid",
-                    "title": "Target flow"
-                }
-            },
-            "required": []
-        },
-        "model_authentik_stages_redirect.redirectstage_permissions": {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": [
-                    "permission"
-                ],
-                "properties": {
-                    "permission": {
-                        "type": "string",
-                        "enum": [
-                            "add_redirectstage",
-                            "change_redirectstage",
-                            "delete_redirectstage",
-                            "view_redirectstage"
-                        ]
-                    },
-                    "user": {
-                        "type": "integer"
-                    },
-                    "role": {
-                        "type": "string"
-                    }
-                }
-            }
-        },
        "model_authentik_stages_user_delete.userdeletestage": {
            "type": "object",
            "properties": {
@ -12659,7 +12333,6 @@
                            "authentik_brands.delete_brand",
                            "authentik_brands.view_brand",
                            "authentik_core.add_application",
-                            "authentik_core.add_applicationentitlement",
                            "authentik_core.add_authenticatedsession",
                            "authentik_core.add_group",
                            "authentik_core.add_groupsourceconnection",
@ -12672,7 +12345,6 @@
                            "authentik_core.add_usersourceconnection",
                            "authentik_core.assign_user_permissions",
                            "authentik_core.change_application",
-                            "authentik_core.change_applicationentitlement",
                            "authentik_core.change_authenticatedsession",
                            "authentik_core.change_group",
                            "authentik_core.change_groupsourceconnection",
@ -12683,7 +12355,6 @@
                            "authentik_core.change_user",
                            "authentik_core.change_usersourceconnection",
                            "authentik_core.delete_application",
-                            "authentik_core.delete_applicationentitlement",
                            "authentik_core.delete_authenticatedsession",
                            "authentik_core.delete_group",
                            "authentik_core.delete_groupsourceconnection",
@ -12699,7 +12370,6 @@
                            "authentik_core.reset_user_password",
                            "authentik_core.unassign_user_permissions",
                            "authentik_core.view_application",
-                            "authentik_core.view_applicationentitlement",
                            "authentik_core.view_authenticatedsession",
                            "authentik_core.view_group",
                            "authentik_core.view_groupsourceconnection",
@ -13150,10 +12820,6 @@
                            "authentik_stages_prompt.delete_promptstage",
                            "authentik_stages_prompt.view_prompt",
                            "authentik_stages_prompt.view_promptstage",
-                            "authentik_stages_redirect.add_redirectstage",
-                            "authentik_stages_redirect.change_redirectstage",
-                            "authentik_stages_redirect.delete_redirectstage",
-                            "authentik_stages_redirect.view_redirectstage",
                            "authentik_stages_source.add_sourcestage",
                            "authentik_stages_source.change_sourcestage",
                            "authentik_stages_source.delete_sourcestage",
@ -13312,52 +12978,6 @@
                }
            }
        },
-        "model_authentik_core.applicationentitlement": {
-            "type": "object",
-            "properties": {
-                "name": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Name"
-                },
-                "app": {
-                    "type": "integer",
-                    "title": "App"
-                },
-                "attributes": {
-                    "type": "object",
-                    "additionalProperties": true,
-                    "title": "Attributes"
-                }
-            },
-            "required": []
-        },
-        "model_authentik_core.applicationentitlement_permissions": {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": [
-                    "permission"
-                ],
-                "properties": {
-                    "permission": {
-                        "type": "string",
-                        "enum": [
-                            "add_applicationentitlement",
-                            "change_applicationentitlement",
-                            "delete_applicationentitlement",
-                            "view_applicationentitlement"
-                        ]
-                    },
-                    "user": {
-                        "type": "integer"
-                    },
-                    "role": {
-                        "type": "string"
-                    }
-                }
-            }
-        },
        "model_authentik_core.token": {
            "type": "object",
            "properties": {
--- a/blueprints/system/providers-oauth2.yaml
+++ b/blueprints/system/providers-oauth2.yaml
@ -42,21 +42,9 @@ entries:
            "given_name": request.user.name,
            "preferred_username": request.user.username,
            "nickname": request.user.username,
+            # groups is not part of the official userinfo schema, but is a quasi-standard
            "groups": [group.name for group in request.user.ak_groups.all()],
        }
-  - identifiers:
-      managed: goauthentik.io/providers/oauth2/scope-entitlements
-    model: authentik_providers_oauth2.scopemapping
-    attrs:
-      name: "authentik default OAuth Mapping: Application Entitlements"
-      scope_name: entitlements
-      description: "Application entitlements"
-      expression: |
-        entitlements = [entitlement.name for entitlement in request.user.app_entitlements(provider.application)]
-        return {
-            "entitlements": entitlements,
-            "roles": entitlements,
-        }
  - identifiers:
      managed: goauthentik.io/providers/oauth2/scope-offline_access
    model: authentik_providers_oauth2.scopemapping
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
    restart: unless-stopped
    command: server
    environment:
@ -54,7 +54,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -9,7 +9,7 @@ require (
 	github.com/coreos/go-oidc/v3 v3.11.0
 	github.com/getsentry/sentry-go v0.30.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
-	github.com/go-ldap/ldap/v3 v3.4.9
+	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/go-openapi/runtime v0.28.0
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/uuid v1.6.0
@ -29,7 +29,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024105.3
+	goauthentik.io/api/v3 v3.2024105.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.24.0
 	golang.org/x/sync v0.10.0
@ -45,7 +45,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
 	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
@ -76,9 +76,9 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -71,8 +71,8 @@ github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBd
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/getsentry/sentry-go v0.30.0 h1:lWUwDnY7sKHaVIoZ9wYqRHJ5iEmoc0pqcRqFkosKzBo=
 github.com/getsentry/sentry-go v0.30.0/go.mod h1:WU9B9/1/sHDqeV8T+3VwwbjeR5MSXs/6aqG3mqZrezA=
-github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
-github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
+github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@ -86,8 +86,8 @@ github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
 github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
 github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
-github.com/go-ldap/ldap/v3 v3.4.9 h1:KxX9eO44/MpqPXVVMPJDB+k/35GEePHE/Jfvl7oRMUo=
-github.com/go-ldap/ldap/v3 v3.4.9/go.mod h1:+CE/4PPOOdEPGTi2B7qXKQOq+pNBvXZtlBNcVZY0AWI=
+github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
+github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024105.3 h1:Vl1vwPkCtA8hChsxwO3NUI8nupFC7r93jUHvqM+kYVw=
-goauthentik.io/api/v3 v3.2024105.3/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024105.1 h1:PxOlStLdM+L80ciVJUWZRhf2VQrDVnNMcv+exeQ/qUA=
+goauthentik.io/api/v3 v3.2024105.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -309,12 +309,10 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -349,9 +347,6 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -383,11 +378,10 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -406,9 +400,6 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -444,20 +435,16 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -466,11 +453,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -516,8 +501,6 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2024.12.5"
+const VERSION = "2024.10.5"
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"maps"
 	"net/http"
 	"net/url"
 	"strconv"
@ -17,22 +16,11 @@ import (
 	"goauthentik.io/internal/constants"
 )

-func (ac *APIController) getWebsocketURL(akURL url.URL, outpostUUID string, query url.Values) *url.URL {
-	wsUrl := &url.URL{}
-	wsUrl.Scheme = strings.ReplaceAll(akURL.Scheme, "http", "ws")
-	wsUrl.Host = akURL.Host
-	_p, _ := url.JoinPath(akURL.Path, "ws/outpost/", outpostUUID, "/")
-	wsUrl.Path = _p
-	v := url.Values{}
-	maps.Insert(v, maps.All(akURL.Query()))
-	maps.Insert(v, maps.All(query))
-	wsUrl.RawQuery = v.Encode()
-	return wsUrl
-}
-
 func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
+	pathTemplate := "%s://%s%sws/outpost/%s/?%s"
 	query := akURL.Query()
 	query.Set("instance_uuid", ac.instanceUUID.String())
+	scheme := strings.ReplaceAll(akURL.Scheme, "http", "ws")

 	authHeader := fmt.Sprintf("Bearer %s", ac.token)

@ -49,9 +37,7 @@ func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 		},
 	}

-	wsu := ac.getWebsocketURL(akURL, outpostUUID, query).String()
-	ac.logger.WithField("url", wsu).Debug("connecting to websocket")
-	ws, _, err := dialer.Dial(wsu, header)
+	ws, _, err := dialer.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, akURL.Path, outpostUUID, akURL.Query().Encode()), header)
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to connect websocket")
 		return err
--- a/internal/outpost/ak/api_ws_test.go
+++ b/internal/outpost/ak/api_ws_test.go
@ -1,42 +0,0 @@
-package ak
-
-import (
-	"net/url"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func URLMustParse(u string) *url.URL {
-	ur, err := url.Parse(u)
-	if err != nil {
-		panic(err)
-	}
-	return ur
-}
-
-func TestWebsocketURL(t *testing.T) {
-	u := URLMustParse("http://localhost:9000?foo=bar")
-	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
-	ac := &APIController{}
-	nu := ac.getWebsocketURL(*u, uuid, url.Values{})
-	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?foo=bar", nu.String())
-}
-
-func TestWebsocketURL_Query(t *testing.T) {
-	u := URLMustParse("http://localhost:9000?foo=bar")
-	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
-	ac := &APIController{}
-	v := url.Values{}
-	v.Set("bar", "baz")
-	nu := ac.getWebsocketURL(*u, uuid, v)
-	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?bar=baz&foo=bar", nu.String())
-}
-
-func TestWebsocketURL_Subpath(t *testing.T) {
-	u := URLMustParse("http://localhost:9000/foo/bar/")
-	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
-	ac := &APIController{}
-	nu := ac.getWebsocketURL(*u, uuid, url.Values{})
-	assert.Equal(t, "ws://localhost:9000/foo/bar/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/", nu.String())
-}
--- a/internal/outpost/proxyv2/application/claims.go
+++ b/internal/outpost/proxyv2/application/claims.go
@ -14,7 +14,6 @@ type Claims struct {
 	Name              string       `json:"name"`
 	PreferredUsername string       `json:"preferred_username"`
 	Groups            []string     `json:"groups"`
-	Entitlements      []string     `json:"entitlements"`
 	Sid               string       `json:"sid"`
 	Proxy             *ProxyClaims `json:"ak_proxy"`

--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@ -41,7 +41,6 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	// https://goauthentik.io/docs/providers/proxy/proxy
 	headers.Set("X-authentik-username", c.PreferredUsername)
 	headers.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
-	headers.Set("X-authentik-entitlements", strings.Join(c.Entitlements, "|"))
 	headers.Set("X-authentik-email", c.Email)
 	headers.Set("X-authentik-name", c.Name)
 	headers.Set("X-authentik-uid", c.Sub)
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -1,5 +1,4 @@
-#!/usr/bin/env -S bash
-set -e -o pipefail
+#!/usr/bin/env -S bash -e
 MODE_FILE="${TMPDIR}/authentik-mode"

 function log {
@ -88,6 +87,7 @@ elif [[ "$1" == "bash" ]]; then
 elif [[ "$1" == "test-all" ]]; then
    prepare_debug
    chmod 777 /root
+    pip install --force-reinstall /wheels/*
    check_if_root "python -m manage test authentik"
 elif [[ "$1" == "healthcheck" ]]; then
    run_authentik healthcheck $(cat $MODE_FILE)
--- a/Show More
+++ b/Show More