web/admin: Fix layout centering. Adjust theming.

2025-04-22 20:11:33 +02:00
132 changed files with 6543 additions and 12728 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.4.1
+current_version = 2025.2.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -70,18 +70,22 @@ jobs:
      - name: checkout stable
        run: |
          # Copy current, latest config to local
          # Temporarly comment the .github backup while migrating to uv
          cp authentik/lib/default.yml local.env.yml
-          cp -R .github ..
+          # cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          rm -rf .github/ scripts/
+          # rm -rf .github/ scripts/
-          mv ../.github ../scripts .
+          # mv ../.github ../scripts .
          rm -rf scripts/
          mv ../scripts .
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
        continue-on-error: true
      - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -3,10 +3,10 @@ on:
  push:
    branches: [main]
    paths:
-      - packages/docusaurus-config/**
+      - packages/docusaurus-config
-      - packages/eslint-config/**
+      - packages/eslint-config
-      - packages/prettier-config/**
+      - packages/prettier-config
-      - packages/tsconfig/**
+      - packages/tsconfig
  workflow_dispatch:
 jobs:
  publish:
--- a/3
+++ b/3
@ -40,8 +40,7 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
-RUN npm run build && \
+RUN npm run build
    npm run build:sfe
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 | Version   | Supported |
 | --------- | --------- |
 | 2024.12.x | ✅        |
 | 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2025.4.1"
+__version__ = "2025.2.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@ -16,7 +16,7 @@ def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    if not path.exists():
        return
    css = path.read_text()
-    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
+    Brand.objects.using(db_alias).update(branding_custom_css=css)
 class Migration(migrations.Migration):
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -99,17 +99,18 @@ class GroupSerializer(ModelSerializer):
            if superuser
            else "authentik_core.disable_group_superuser"
        )
-        if self.instance or superuser:
+        has_perm = user.has_perm(perm)
-            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
+        if self.instance and not has_perm:
-            if not has_perm:
+            has_perm = user.has_perm(perm, self.instance)
-                raise ValidationError(
+        if not has_perm:
-                    _(
+            raise ValidationError(
-                        (
+                _(
-                            "User does not have permission to set "
+                    (
-                            "superuser status to {superuser_status}."
+                        "User does not have permission to set "
-                        ).format_map({"superuser_status": superuser})
+                        "superuser status to {superuser_status}."
-                    )
+                    ).format_map({"superuser_status": superuser})
                )
            )
        return superuser
    class Meta:
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@ -2,7 +2,6 @@
 from django.apps import apps
 from django.contrib.auth.management import create_permissions
 from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user
@ -17,10 +16,6 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
                # See https://code.djangoproject.com/ticket/28417
                # Remove potential lingering old permissions
                call_command("remove_stale_contenttypes", "--no-input")
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -31,10 +31,7 @@ class PickleSerializer:
    def loads(self, data):
        """Unpickle data to be loaded from redis"""
-        try:
+        return pickle.loads(data)  # nosec
            return pickle.loads(data)  # nosec
        except Exception:
            return {}
 def _migrate_session(
--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -1,27 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-14 11:15
 from django.apps.registry import Apps
 from django.db import migrations
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def remove_old_authenticated_session_content_type(
    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
 ):
    db_alias = schema_editor.connection.alias
    ContentType = apps.get_model("contenttypes", "ContentType")
    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0047_delete_oldauthenticatedsession"),
    ]
    operations = [
        migrations.RunPython(
            code=remove_old_authenticated_session_content_type,
        ),
    ]
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -124,16 +124,6 @@ class TestGroupsAPI(APITestCase):
            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )
    def test_superuser_no_perm_no_superuser(self):
        """Test creating a group without permission and without superuser flag"""
        assign_perm("authentik_core.add_group", self.login_user)
        self.client.force_login(self.login_user)
        res = self.client.post(
            reverse("authentik_api:group-list"),
            data={"name": generate_id(), "is_superuser": False},
        )
        self.assertEqual(res.status_code, 201)
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -132,14 +132,13 @@ class LicenseKey:
        """Get a summarized version of all (not expired) licenses"""
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in License.objects.all():
-            if lic.is_valid:
+            total.internal_users += lic.internal_users
-                total.internal_users += lic.internal_users
+            total.external_users += lic.external_users
                total.external_users += lic.external_users
                total.license_flags.extend(lic.status.license_flags)
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            total.exp = max(total.exp, exp_ts)
            total.license_flags.extend(lic.status.license_flags)
        return total
    @staticmethod
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -39,10 +39,6 @@ class License(SerializerModel):
    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()
    @property
    def is_valid(self) -> bool:
        return self.expiry >= now()
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.api import LicenseSerializer
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@ -8,7 +8,6 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError
 from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
    THRESHOLD_READ_ONLY_WEEKS,
@ -72,9 +71,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_valid_multiple(self):
        """Check license verification"""
-        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic = License.objects.create(key=generate_id())
        self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic2 = License.objects.create(key=generate_id())
        self.assertTrue(lic2.status.status().is_valid)
        total = LicenseKey.get_total()
        self.assertEqual(total.internal_users, 200)
@ -233,9 +232,7 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_expiry_expired(self):
        """Check license verification"""
-        User.objects.all().delete()
+        License.objects.create(key=generate_id())
        License.objects.all().delete()
        License.objects.create(key=generate_id(), expiry=expiry_expired)
        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)
    @patch(
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -15,7 +15,6 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
        <link rel="prefetch" href="{{ flow_background_url }}" />
        {% include "base/header_js.html" %}
        <style>
          html,
@ -23,7 +22,7 @@
            height: 100%;
          }
          body {
-            background-image: url("{{ flow_background_url }}");
+            background-image: url("{{ flow.background_url }}");
            background-repeat: no-repeat;
            background-size: cover;
          }
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -5,7 +5,7 @@
 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow_background_url }}" />
+<link rel="prefetch" href="{{ flow.background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow_background_url }}");
+    --ak-flow-background: url("{{ flow.background_url }}");
 }
 </style>
 {% endblock %}
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -13,9 +13,7 @@ class FlowInterfaceView(InterfaceView):
    """Flow interface"""
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        kwargs["flow"] = flow
        kwargs["flow_background_url"] = flow.background_url(self.request)
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -363,9 +363,6 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
        if not pool_options:
            pool_options = True
    # FIXME: Temporarily force pool to be deactivated.
    # See https://github.com/goauthentik/authentik/issues/14320
    pool_options = False
    db = {
        "default": {
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -494,88 +494,86 @@ class TestConfig(TestCase):
            },
        )
-    # FIXME: Temporarily force pool to be deactivated.
+    def test_db_pool(self):
-    # See https://github.com/goauthentik/authentik/issues/14320
+        """Test DB Config with pool"""
-    # def test_db_pool(self):
+        config = ConfigLoader()
-    #     """Test DB Config with pool"""
+        config.set("postgresql.host", "foo")
-    #     config = ConfigLoader()
+        config.set("postgresql.name", "foo")
-    #     config.set("postgresql.host", "foo")
+        config.set("postgresql.user", "foo")
-    #     config.set("postgresql.name", "foo")
+        config.set("postgresql.password", "foo")
-    #     config.set("postgresql.user", "foo")
+        config.set("postgresql.port", "foo")
-    #     config.set("postgresql.password", "foo")
+        config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.port", "foo")
+        config.set("postgresql.use_pool", True)
-    #     config.set("postgresql.test.name", "foo")
+        conf = django_db_config(config)
-    #     config.set("postgresql.use_pool", True)
+        self.assertEqual(
-    #     conf = django_db_config(config)
+            conf,
-    #     self.assertEqual(
+            {
-    #         conf,
+                "default": {
-    #         {
+                    "ENGINE": "authentik.root.db",
-    #             "default": {
+                    "HOST": "foo",
-    #                 "ENGINE": "authentik.root.db",
+                    "NAME": "foo",
-    #                 "HOST": "foo",
+                    "OPTIONS": {
-    #                 "NAME": "foo",
+                        "pool": True,
-    #                 "OPTIONS": {
+                        "sslcert": None,
-    #                     "pool": True,
+                        "sslkey": None,
-    #                     "sslcert": None,
+                        "sslmode": None,
-    #                     "sslkey": None,
+                        "sslrootcert": None,
-    #                     "sslmode": None,
+                    },
-    #                     "sslrootcert": None,
+                    "PASSWORD": "foo",
-    #                 },
+                    "PORT": "foo",
-    #                 "PASSWORD": "foo",
+                    "TEST": {"NAME": "foo"},
-    #                 "PORT": "foo",
+                    "USER": "foo",
-    #                 "TEST": {"NAME": "foo"},
+                    "CONN_MAX_AGE": 0,
-    #                 "USER": "foo",
+                    "CONN_HEALTH_CHECKS": False,
-    #                 "CONN_MAX_AGE": 0,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
-    #                 "CONN_HEALTH_CHECKS": False,
+                }
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+            },
-    #             }
+        )
    #         },
    #     )
-    # def test_db_pool_options(self):
+    def test_db_pool_options(self):
-    #     """Test DB Config with pool"""
+        """Test DB Config with pool"""
-    #     config = ConfigLoader()
+        config = ConfigLoader()
-    #     config.set("postgresql.host", "foo")
+        config.set("postgresql.host", "foo")
-    #     config.set("postgresql.name", "foo")
+        config.set("postgresql.name", "foo")
-    #     config.set("postgresql.user", "foo")
+        config.set("postgresql.user", "foo")
-    #     config.set("postgresql.password", "foo")
+        config.set("postgresql.password", "foo")
-    #     config.set("postgresql.port", "foo")
+        config.set("postgresql.port", "foo")
-    #     config.set("postgresql.test.name", "foo")
+        config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.use_pool", True)
+        config.set("postgresql.use_pool", True)
-    #     config.set(
+        config.set(
-    #         "postgresql.pool_options",
+            "postgresql.pool_options",
-    #         base64.b64encode(
+            base64.b64encode(
-    #             dumps(
+                dumps(
-    #                 {
+                    {
-    #                     "max_size": 15,
+                        "max_size": 15,
-    #                 }
+                    }
-    #             ).encode()
+                ).encode()
-    #         ).decode(),
+            ).decode(),
-    #     )
+        )
-    #     conf = django_db_config(config)
+        conf = django_db_config(config)
-    #     self.assertEqual(
+        self.assertEqual(
-    #         conf,
+            conf,
-    #         {
+            {
-    #             "default": {
+                "default": {
-    #                 "ENGINE": "authentik.root.db",
+                    "ENGINE": "authentik.root.db",
-    #                 "HOST": "foo",
+                    "HOST": "foo",
-    #                 "NAME": "foo",
+                    "NAME": "foo",
-    #                 "OPTIONS": {
+                    "OPTIONS": {
-    #                     "pool": {
+                        "pool": {
-    #                         "max_size": 15,
+                            "max_size": 15,
-    #                     },
+                        },
-    #                     "sslcert": None,
+                        "sslcert": None,
-    #                     "sslkey": None,
+                        "sslkey": None,
-    #                     "sslmode": None,
+                        "sslmode": None,
-    #                     "sslrootcert": None,
+                        "sslrootcert": None,
-    #                 },
+                    },
-    #                 "PASSWORD": "foo",
+                    "PASSWORD": "foo",
-    #                 "PORT": "foo",
+                    "PORT": "foo",
-    #                 "TEST": {"NAME": "foo"},
+                    "TEST": {"NAME": "foo"},
-    #                 "USER": "foo",
+                    "USER": "foo",
-    #                 "CONN_MAX_AGE": 0,
+                    "CONN_MAX_AGE": 0,
-    #                 "CONN_HEALTH_CHECKS": False,
+                    "CONN_HEALTH_CHECKS": False,
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
-    #             }
+                }
-    #         },
+            },
-    #     )
+        )
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -74,8 +74,6 @@ class OutpostConfig:
    kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
    kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
    kubernetes_ingress_class_name: str | None = field(default=None)
    kubernetes_httproute_annotations: dict[str, str] = field(default_factory=dict)
    kubernetes_httproute_parent_refs: list[dict[str, str]] = field(default_factory=list)
    kubernetes_service_type: str = field(default="ClusterIP")
    kubernetes_disabled_components: list[str] = field(default_factory=list)
    kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
--- a/authentik/providers/proxy/controllers/k8s/httproute.py
+++ b/authentik/providers/proxy/controllers/k8s/httproute.py
@ -1,234 +0,0 @@
 from dataclasses import asdict, dataclass, field
 from typing import TYPE_CHECKING
 from urllib.parse import urlparse
 from dacite.core import from_dict
 from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi, V1ObjectMeta
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
 if TYPE_CHECKING:
    from authentik.outposts.controllers.kubernetes import KubernetesController
@dataclass(slots=True)
 class RouteBackendRef:
    name: str
    port: int
@dataclass(slots=True)
 class RouteSpecParentRefs:
    name: str
    sectionName: str | None = None
    port: int | None = None
    namespace: str | None = None
    kind: str = "Gateway"
    group: str = "gateway.networking.k8s.io"
@dataclass(slots=True)
 class HTTPRouteSpecRuleMatchPath:
    type: str
    value: str
@dataclass(slots=True)
 class HTTPRouteSpecRuleMatchHeader:
    name: str
    value: str
    type: str = "Exact"
@dataclass(slots=True)
 class HTTPRouteSpecRuleMatch:
    path: HTTPRouteSpecRuleMatchPath
    headers: list[HTTPRouteSpecRuleMatchHeader]
@dataclass(slots=True)
 class HTTPRouteSpecRule:
    backendRefs: list[RouteBackendRef]
    matches: list[HTTPRouteSpecRuleMatch]
@dataclass(slots=True)
 class HTTPRouteSpec:
    parentRefs: list[RouteSpecParentRefs]
    hostnames: list[str]
    rules: list[HTTPRouteSpecRule]
@dataclass(slots=True)
 class HTTPRouteMetadata:
    name: str
    namespace: str
    annotations: dict = field(default_factory=dict)
    labels: dict = field(default_factory=dict)
@dataclass(slots=True)
 class HTTPRoute:
    apiVersion: str
    kind: str
    metadata: HTTPRouteMetadata
    spec: HTTPRouteSpec
 class HTTPRouteReconciler(KubernetesObjectReconciler):
    """Kubernetes Gateway API HTTPRoute Reconciler"""
    def __init__(self, controller: "KubernetesController") -> None:
        super().__init__(controller)
        self.api_ex = ApiextensionsV1Api(controller.client)
        self.api = CustomObjectsApi(controller.client)
        self.crd_group = "gateway.networking.k8s.io"
        self.crd_version = "v1"
        self.crd_plural = "httproutes"
    @staticmethod
    def reconciler_name() -> str:
        return "httproute"
    @property
    def noop(self) -> bool:
        if not self.crd_exists():
            self.logger.debug("CRD doesn't exist")
            return True
        if not self.controller.outpost.config.kubernetes_httproute_parent_refs:
            self.logger.debug("HTTPRoute parentRefs not set.")
            return True
        return False
    def crd_exists(self) -> bool:
        """Check if the Gateway API resources exists"""
        return bool(
            len(
                self.api_ex.list_custom_resource_definition(
                    field_selector=f"metadata.name={self.crd_plural}.{self.crd_group}"
                ).items
            )
        )
    def reconcile(self, current: HTTPRoute, reference: HTTPRoute):
        super().reconcile(current, reference)
        if current.metadata.annotations != reference.metadata.annotations:
            raise NeedsUpdate()
        if current.spec.parentRefs != reference.spec.parentRefs:
            raise NeedsUpdate()
        if current.spec.hostnames != reference.spec.hostnames:
            raise NeedsUpdate()
        if current.spec.rules != reference.spec.rules:
            raise NeedsUpdate()
    def get_object_meta(self, **kwargs) -> V1ObjectMeta:
        return super().get_object_meta(
            **kwargs,
        )
    def get_reference_object(self) -> HTTPRoute:
        hostnames = []
        rules = []
        for proxy_provider in ProxyProvider.objects.filter(outpost__in=[self.controller.outpost]):
            proxy_provider: ProxyProvider
            external_host_name = urlparse(proxy_provider.external_host)
            if proxy_provider.mode in [ProxyMode.FORWARD_SINGLE, ProxyMode.FORWARD_DOMAIN]:
                rule = HTTPRouteSpecRule(
                    backendRefs=[RouteBackendRef(name=self.name, port=9000)],
                    matches=[
                        HTTPRouteSpecRuleMatch(
                            headers=[
                                HTTPRouteSpecRuleMatchHeader(
                                    name="Host",
                                    value=external_host_name.hostname,
                                )
                            ],
                            path=HTTPRouteSpecRuleMatchPath(
                                type="PathPrefix", value="/outpost.goauthentik.io"
                            ),
                        )
                    ],
                )
            else:
                rule = HTTPRouteSpecRule(
                    backendRefs=[RouteBackendRef(name=self.name, port=9000)],
                    matches=[
                        HTTPRouteSpecRuleMatch(
                            headers=[
                                HTTPRouteSpecRuleMatchHeader(
                                    name="Host",
                                    value=external_host_name.hostname,
                                )
                            ],
                            path=HTTPRouteSpecRuleMatchPath(type="PathPrefix", value="/"),
                        )
                    ],
                )
            hostnames.append(external_host_name.hostname)
            rules.append(rule)
        return HTTPRoute(
            apiVersion=f"{self.crd_group}/{self.crd_version}",
            kind="HTTPRoute",
            metadata=HTTPRouteMetadata(
                name=self.name,
                namespace=self.namespace,
                annotations=self.controller.outpost.config.kubernetes_httproute_annotations,
                labels=self.get_object_meta().labels,
            ),
            spec=HTTPRouteSpec(
                parentRefs=[
                    from_dict(RouteSpecParentRefs, spec)
                    for spec in self.controller.outpost.config.kubernetes_httproute_parent_refs
                ],
                hostnames=hostnames,
                rules=rules,
            ),
        )
    def create(self, reference: HTTPRoute):
        return self.api.create_namespaced_custom_object(
            group=self.crd_group,
            version=self.crd_version,
            plural=self.crd_plural,
            namespace=self.namespace,
            body=asdict(reference),
            field_manager=FIELD_MANAGER,
        )
    def delete(self, reference: HTTPRoute):
        return self.api.delete_namespaced_custom_object(
            group=self.crd_group,
            version=self.crd_version,
            plural=self.crd_plural,
            namespace=self.namespace,
            name=self.name,
        )
    def retrieve(self) -> HTTPRoute:
        return from_dict(
            HTTPRoute,
            self.api.get_namespaced_custom_object(
                group=self.crd_group,
                version=self.crd_version,
                plural=self.crd_plural,
                namespace=self.namespace,
                name=self.name,
            ),
        )
    def update(self, current: HTTPRoute, reference: HTTPRoute):
        return self.api.patch_namespaced_custom_object(
            group=self.crd_group,
            version=self.crd_version,
            plural=self.crd_plural,
            namespace=self.namespace,
            name=self.name,
            body=asdict(reference),
            field_manager=FIELD_MANAGER,
        )
--- a/authentik/providers/proxy/controllers/kubernetes.py
+++ b/authentik/providers/proxy/controllers/kubernetes.py
@ -3,7 +3,6 @@
 from authentik.outposts.controllers.base import DeploymentPort
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost
 from authentik.providers.proxy.controllers.k8s.httproute import HTTPRouteReconciler
 from authentik.providers.proxy.controllers.k8s.ingress import IngressReconciler
 from authentik.providers.proxy.controllers.k8s.traefik import TraefikMiddlewareReconciler
@ -19,10 +18,8 @@ class ProxyKubernetesController(KubernetesController):
            DeploymentPort(9443, "https", "tcp"),
        ]
        self.reconcilers[IngressReconciler.reconciler_name()] = IngressReconciler
        self.reconcilers[HTTPRouteReconciler.reconciler_name()] = HTTPRouteReconciler
        self.reconcilers[TraefikMiddlewareReconciler.reconciler_name()] = (
            TraefikMiddlewareReconciler
        )
        self.reconcile_order.append(IngressReconciler.reconciler_name())
        self.reconcile_order.append(HTTPRouteReconciler.reconciler_name())
        self.reconcile_order.append(TraefikMiddlewareReconciler.reconciler_name())
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -99,7 +99,6 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    filterset_class = PermissionFilter
    permission_classes = [IsAuthenticated]
    search_fields = [
        "name",
        "codename",
        "content_type__model",
        "content_type__app_label",
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.4.1 Blueprint schema",
+    "title": "authentik 2025.2.4 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025024.9
+	goauthentik.io/api/v3 v3.2025024.8
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.29.0
 	golang.org/x/sync v0.13.0
--- a/go.sum
+++ b/go.sum
@ -290,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025024.9 h1:i3tbkyotE32ZpJ729BsPWTuLQUdtZ54Li4aP1amZzsM=
+goauthentik.io/api/v3 v3.2025024.8 h1:2mG4CqGSsmZq2CtRehxpDjsER43U/JQSoTOn5VC1ui4=
-goauthentik.io/api/v3 v3.2025024.9/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025024.8/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2025.4.1"
+const VERSION = "2025.2.4"
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@ -56,7 +56,6 @@ EXPOSE 3389 6636 9300
 USER 1000
-ENV TMPDIR=/dev/shm/ \
+ENV GOFIPS=1
    GOFIPS=1
 ENTRYPOINT ["/ldap"]
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -62,8 +62,7 @@ function prepare_debug {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
-    source "${VENV_PATH}/bin/activate"
+    VIRTUAL_ENV=/ak-root/.venv uv sync --frozen
    uv sync --active --frozen
    touch /unittest.xml
    chown authentik:authentik /unittest.xml
 }
@ -97,7 +96,6 @@ elif [[ "$1" == "test-all" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
    run_authentik healthcheck $(cat $MODE_FILE)
 elif [[ "$1" == "dump_config" ]]; then
    shift
    exec python -m authentik.lib.config $@
 elif [[ "$1" == "debug" ]]; then
    exec sleep infinity
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1012.0",
+                "aws-cdk": "^2.1010.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1012.0",
+            "version": "2.1010.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1012.0.tgz",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1010.0.tgz",
-            "integrity": "sha512-C6jSWkqP0hkY2Cs300VJHjspmTXDTMfB813kwZvRbd/OsKBfTBJBbYU16VoLAp1LVEOnQMf8otSlaSgzVF0X9A==",
+            "integrity": "sha512-kYNzBXVUZoRrTuYxRRA2Loz/Uvay0MqHobg8KPZaWylIbw/meUDgtoATRNt+stOdJ9PHODTjWmlDKI+2/KoF+w==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1012.0",
+        "aws-cdk": "^2.1010.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.4.1
+    Default: 2025.2.4
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/lifecycle/system_migrations/tenant_to_brand.py
+++ b/lifecycle/system_migrations/tenant_to_brand.py
@ -3,7 +3,7 @@ from lifecycle.migrate import BaseMigration
 SQL_STATEMENT = """
 BEGIN TRANSACTION;
-ALTER TABLE IF EXISTS authentik_tenants_tenant RENAME TO authentik_brands_brand;
+ALTER TABLE authentik_tenants_tenant RENAME TO authentik_brands_brand;
 UPDATE django_migrations SET app = replace(app, 'authentik_tenants', 'authentik_brands');
 UPDATE django_content_type SET app_label = replace(app_label, 'authentik_tenants', 'authentik_brands');
 COMMIT;
--- a/locale/de/LC_MESSAGES/django.mo
+++ b/locale/de/LC_MESSAGES/django.mo
--- a/locale/de/LC_MESSAGES/django.po
+++ b/locale/de/LC_MESSAGES/django.po
@ -8,6 +8,7 @@
 # Jens L. <jens@goauthentik.io>, 2022
 # Lars Lehmann <lars@lars-lehmann.net>, 2023
 # Johannes —/—, 2023
 # Dominic Wagner <mail@dominic-wagner.de>, 2023
 # fde4f289d99ed356ff5cfdb762dc44aa_a8a971d, 2023
 # Christian Foellmann <foellmann@foe-services.de>, 2023
 # kidhab, 2023
@ -29,18 +30,17 @@
 # Alexander Möbius, 2025
 # Jonas, 2025
 # Niklas Kroese, 2025
 # datenschmutz, 2025
 # 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2025
-# Dominic Wagner <mail@dominic-wagner.de>, 2025
+# datenschmutz, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Dominic Wagner <mail@dominic-wagner.de>, 2025\n"
+"Last-Translator: datenschmutz, 2025\n"
 "Language-Team: German (https://app.transifex.com/authentik/teams/119923/de/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -214,7 +214,6 @@ msgid "User's display name."
 msgstr "Anzeigename"
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "Benutzer"
@ -403,18 +402,6 @@ msgstr "Eigenschaft"
 msgid "Property Mappings"
 msgstr "Eigenschaften"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr "Sitzung"
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr "Sitzungen"
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Authentifizierte Sitzung"
@ -524,38 +511,6 @@ msgstr "Lizenzverwendung"
 msgid "License Usage Records"
 msgstr "Lizenzverwendung Aufzeichnungen"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Zu prüfender Feldschlüssel, die in den Aufforderungsstufen definierten "
 "Feldschlüssel sind verfügbar."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Passwort nicht im Kontext festgelegt"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Enterprise ist erforderlich, um auf diese Funktion zuzugreifen."
@ -1348,6 +1303,12 @@ msgstr "Richtlinien Cache Metriken anzeigen"
 msgid "Clear Policy's cache metrics"
 msgstr "Richtlinien Cache Metriken löschen"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Zu prüfender Feldschlüssel, die in den Aufforderungsstufen definierten "
 "Feldschlüssel sind verfügbar."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Wie häufig der Passwort-Hash auf haveibeenpwned vertreten sein darf"
@ -1359,6 +1320,10 @@ msgstr ""
 "Die Richtlinie wird verweigert, wenn die zxcvbn-Bewertung gleich oder "
 "kleiner diesem Wert ist."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Passwort nicht im Kontext festgelegt"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Ungültiges Passwort."
@ -1400,6 +1365,20 @@ msgstr "Reputationswert"
 msgid "Reputation Scores"
 msgstr "Reputationswert"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Erlaubnis verweigert"
@ -2229,10 +2208,6 @@ msgstr "Rolle"
 msgid "Roles"
 msgstr "Rollen"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Systemberechtigung"
@ -2503,22 +2478,6 @@ msgstr "LDAP Quelle Eigenschafts-Zuordnung"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP Quelle Eigenschafts-Zuordnungen"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr ""
@ -2528,14 +2487,6 @@ msgstr ""
 msgid "No token received."
 msgstr "Kein Token empfangen."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Token-URL anfordern"
@ -2577,12 +2528,6 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr "zusätzliche Scopes"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Outh Quelle"
@ -3489,12 +3434,6 @@ msgstr ""
 "Wenn aktiviert, wird die Phase auch dann erfolgreich abgeschlossen und "
 "fortgesetzt, wenn falsche Benutzerdaten eingegeben wurden."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optionaler Registrierungs-Flow, der unten auf der Seite verlinkt ist."
@ -3887,14 +3826,6 @@ msgstr ""
 "Die Ereignisse werden nach dieser Dauer gelöscht (Format: "
 "Wochen=3;Tage=2;Stunden=3,Sekunden=2)."
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-22 13:40+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -1255,6 +1255,20 @@ msgstr ""
 msgid "Reputation Scores"
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr ""
--- a/locale/es/LC_MESSAGES/django.mo
+++ b/locale/es/LC_MESSAGES/django.mo
--- a/locale/es/LC_MESSAGES/django.po
+++ b/locale/es/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
@ -190,7 +190,6 @@ msgid "User's display name."
 msgstr "Nombre para mostrar del usuario."
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "Usuario"
@ -379,18 +378,6 @@ msgstr "Asignación de Propiedades"
 msgid "Property Mappings"
 msgstr "Asignaciones de Propiedades"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr "Sesión"
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr "Sesiones"
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sesión autenticada"
@ -498,38 +485,6 @@ msgstr "Uso de Licencias"
 msgid "License Usage Records"
 msgstr "Registro de Uso de Licencias"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Clave de campo a verificar, las claves de campo definidas en las etapas de "
 "Solicitud están disponibles."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "La contraseña no se ha establecido en contexto"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Se requiere de Enterprise para acceder esta característica."
@ -1313,6 +1268,12 @@ msgstr "Ver las métricas de caché de la Política"
 msgid "Clear Policy's cache metrics"
 msgstr "Borrar las métricas de caché de la Política"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Clave de campo a verificar, las claves de campo definidas en las etapas de "
 "Solicitud están disponibles."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1326,6 +1287,10 @@ msgstr ""
 "Si la puntuación zxcvbn es igual o menor que este valor, la política "
 "fallará."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "La contraseña no se ha establecido en contexto"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Contraseña inválida."
@ -1367,6 +1332,20 @@ msgstr "Puntuación de Reputacion"
 msgid "Reputation Scores"
 msgstr "Puntuaciones de Reputacion"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permiso denegado"
@ -2196,10 +2175,6 @@ msgstr "Rol"
 msgid "Roles"
 msgstr "Roles"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Permiso de sistema"
@ -2468,22 +2443,6 @@ msgstr "Asignación de Propiedades de Fuente de LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Asignaciones de Propiedades de Fuente de LDAP"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "La contraseña no coincide con la complejidad de Active Directory."
@ -2492,14 +2451,6 @@ msgstr "La contraseña no coincide con la complejidad de Active Directory."
 msgid "No token received."
 msgstr "No se recibió ningún token."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Solicitar URL de token"
@ -2540,12 +2491,6 @@ msgstr "URL utilizada por authentik para obtener información del usuario."
 msgid "Additional Scopes"
 msgstr "Alcances Adicionales"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Fuente de OAuth"
@ -3462,12 +3407,6 @@ msgstr ""
 "Cuando está habilitado, la etapa tendrá éxito y continuará incluso cuando se"
 " ingrese información de usuario incorrecta."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@ -3855,14 +3794,6 @@ msgstr ""
 "Los Eventos serán eliminados después de este periodo. (Formato: "
 "weeks=3;days=2;hours=3,seconds=2)."
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/fi/LC_MESSAGES/django.mo
+++ b/locale/fi/LC_MESSAGES/django.mo
--- a/locale/fi/LC_MESSAGES/django.po
+++ b/locale/fi/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Ville Ranki, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/authentik/teams/119923/fi/)\n"
@ -186,7 +186,6 @@ msgid "User's display name."
 msgstr "Käyttäjän näytettävä nimi"
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "Käyttäjä"
@ -372,18 +371,6 @@ msgstr "Ominaisuuskytkentä"
 msgid "Property Mappings"
 msgstr "Ominaisuuskytkennät"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr "Istunto"
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr ""
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Autentikoitu istunto"
@ -491,38 +478,6 @@ msgstr "Lisenssin käyttö"
 msgid "License Usage Records"
 msgstr "Lisenssin käyttötiedot"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Kentän avain, joka tarkistetaan. Kysymysvaiheissa määritellyt kenttien "
 "avaimet ovat käytettävissä."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Salasanaa ei ole asetettu kontekstissa"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Tämän ominaisuuden käyttöön tarvitaan Enterprise-versiota."
@ -1296,6 +1251,12 @@ msgstr "Näytä käytäntövälimuistitilastot"
 msgid "Clear Policy's cache metrics"
 msgstr "Tyhjennä käytäntövälimuistitilastot"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Kentän avain, joka tarkistetaan. Kysymysvaiheissa määritellyt kenttien "
 "avaimet ovat käytettävissä."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1308,6 +1269,10 @@ msgstr ""
 "Jos zxcvbn-pistemäärä on tämä arvo tai pienempi, käytännön suorittaminen "
 "epäonnistuu."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Salasanaa ei ole asetettu kontekstissa"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Virheellinen salasana."
@ -1349,6 +1314,20 @@ msgstr "Mainepistemäärä"
 msgid "Reputation Scores"
 msgstr "Mainepistemäärät"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Käyttö evätty"
@ -2176,10 +2155,6 @@ msgstr "Rooli"
 msgid "Roles"
 msgstr "Roolit"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Järjestelmän käyttöoikeus"
@ -2445,22 +2420,6 @@ msgstr "LDAP-lähteen ominaisuuskytkentä"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP-lähteen ominaisuuskytkennät"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Salasana ei vastaa Active Directoryn monimutkaisuusmääritystä."
@ -2469,14 +2428,6 @@ msgstr "Salasana ei vastaa Active Directoryn monimutkaisuusmääritystä."
 msgid "No token received."
 msgstr "Tunnistetta ei saatu."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Pyyntötunnisteen URL"
@ -2517,12 +2468,6 @@ msgstr "URL, jota authentik käyttää käyttäjätiedon hakemiseksi."
 msgid "Additional Scopes"
 msgstr "Lisäkäyttöalueet"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth-lähde"
@ -3432,12 +3377,6 @@ msgstr ""
 "Kun tämä on käytössä, vaihe onnistuu ja suoritus jatkuu, vaikka olisi "
 "syötetty virheelliset käyttäjätiedot."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@ -3815,14 +3754,6 @@ msgstr ""
 "Tapahtumat poistetaan tämän ajan jälkeen. (Muoto: "
 "weeks=3;days=2;hours=3;seconds=2)."
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/fr/LC_MESSAGES/django.mo
+++ b/locale/fr/LC_MESSAGES/django.mo
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@ -9,8 +9,8 @@
 # Kyllian Delaye-Maillot, 2023
 # Manuel Viens, 2023
 # Mordecai, 2023
 # Tina, 2024
 # Charles Leclerc, 2025
 # Tina, 2025
 # nerdinator <florian.dupret@gmail.com>, 2025
 # Marc Schmitt, 2025
 # 
@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-17 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@ -502,38 +502,6 @@ msgstr "Utilisation de la licence"
 msgid "License Usage Records"
 msgstr "Registre d'utilisation de la licence"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Clé de champ à vérifier ; les clés de champ définies dans les étapes de "
 "d'invite sont disponibles."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr "Nombre de mots de passe à vérifier."
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Mot de passe non défini dans le contexte"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr "Ce mot de passe a déjà été utilisé. Veuillez en choisir un autre."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr "Politique d'unicité des mots de passe"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr "Politiques d'unicité des mots de passe"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr "Historique des mots de passe utilisateur"
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Entreprise est requis pour accéder à cette fonctionnalité."
@ -1328,6 +1296,12 @@ msgstr "Voir les métriques de cache de la politique"
 msgid "Clear Policy's cache metrics"
 msgstr "Nettoyer les métriques de cache de la politique"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Clé de champ à vérifier ; les clés de champ définies dans les étapes de "
 "d'invite sont disponibles."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1341,6 +1315,10 @@ msgstr ""
 "Si le score zxcvbn est égal ou inférieur à cette valeur, la politique "
 "échouera."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Mot de passe non défini dans le contexte"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Mot de passe invalide."
@ -1382,6 +1360,22 @@ msgstr "Score de Réputation"
 msgid "Reputation Scores"
 msgstr "Scores de Réputation"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr "En attente de l'authentification..."
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 "Vous êtes déjà en cours d'authentification dans un autre onglet. Cette page "
 "se rafraîchira lorsque l'authentification sera terminée."
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr "S'authentifier dans cet onglet"
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permission refusée"
@ -3491,15 +3485,6 @@ msgstr ""
 "Lorsqu'activé, l'étape réussira et continuera même lorsque les informations "
 "utilisateurs entrées sont invalides."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 "Afficher à l'utilisateur l'option \"Se souvenir de moi sur cet appareil\", "
 "afin de permettre aux utilisateurs réguliers de passer directement à la "
 "saisie de leur mot de passe."
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Flux d'inscription facultatif, qui sera accessible en bas de page."
--- a/locale/it/LC_MESSAGES/django.po
+++ b/locale/it/LC_MESSAGES/django.po
@ -12,17 +12,17 @@
 # tmassimi, 2024
 # Marc Schmitt, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
 # Matteo Piccina <altermatte@gmail.com>, 2025
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Matteo Piccina <altermatte@gmail.com>, 2025\n"
+"Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -194,7 +194,6 @@ msgid "User's display name."
 msgstr "Nome visualizzato dell'utente."
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "Utente"
@ -381,18 +380,6 @@ msgstr "Mappatura della proprietà"
 msgid "Property Mappings"
 msgstr "Mappatura delle proprietà"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr "Sessione"
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr "Sessioni"
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sessione Autenticata"
@ -500,38 +487,6 @@ msgstr "Utilizzo della licenza"
 msgid "License Usage Records"
 msgstr "Registri sull'utilizzo della licenza"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Chiave di campo da verificare, sono disponibili le chiavi di campo definite "
 "nelle fasi Richiesta."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Password non impostata nel contesto"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Versione Enterprise richiesta per accedere a questa funzione"
@ -1319,6 +1274,12 @@ msgstr "Visualizza le metriche della cache della Policy"
 msgid "Clear Policy's cache metrics"
 msgstr "Cancellare le metriche della cache della Policy"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Chiave di campo da verificare, sono disponibili le chiavi di campo definite "
 "nelle fasi Richiesta."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1331,6 +1292,10 @@ msgstr ""
 "Se il punteggio zxcvbn è inferiore o uguale a questo valore, il criterio non"
 " verrà soddisfatto."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Password non impostata nel contesto"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Password invalida."
@ -1372,6 +1337,22 @@ msgstr "Punteggio di reputazione"
 msgid "Reputation Scores"
 msgstr "Punteggi di reputazione"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr "In attesa di autenticazione..."
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 "Ti stai già autenticando in un'altra scheda. Questa pagina si aggiornerà una"
 " volta completata l'autenticazione."
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr "Autenticati in questa scheda"
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permesso negato"
@ -2201,10 +2182,6 @@ msgstr "Ruolo"
 msgid "Roles"
 msgstr "Ruoli"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Autorizzazione di sistema"
@ -2475,22 +2452,6 @@ msgstr "Mappatura delle proprietà sorgente LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mappature delle proprietà della sorgente LDAP"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "La password non soddisfa la complessità Active Directory."
@ -2499,14 +2460,6 @@ msgstr "La password non soddisfa la complessità Active Directory."
 msgid "No token received."
 msgstr "Nessun token ricevuto."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL di Richiesta Token"
@ -2547,12 +2500,6 @@ msgstr "URL utilizzato da authentik per ottenere le informazioni dell'utente."
 msgid "Additional Scopes"
 msgstr "Ambiti aggiuntivi"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Sorgente OAuth"
@ -3479,12 +3426,6 @@ msgstr ""
 "Quando abilitato, la fase avrà successo e continuerà anche quando vengono "
 "inserite informazioni utente errate."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Flusso di iscrizione opzionale, che è collegato in fondo alla pagina."
@ -3871,14 +3812,6 @@ msgstr ""
 "Gli eventi saranno cancellati dopo questa durata. (Formato: "
 "weeks=3;days=2;hours=3,seconds=2)."
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/ko/LC_MESSAGES/django.po
+++ b/locale/ko/LC_MESSAGES/django.po
@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-03-31 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: NavyStack, 2023\n"
 "Language-Team: Korean (https://app.transifex.com/authentik/teams/119923/ko/)\n"
@ -176,7 +176,6 @@ msgid "User's display name."
 msgstr "사용자의 표시 이름"
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "사용자"
@ -345,18 +344,6 @@ msgstr "속성 매핑"
 msgid "Property Mappings"
 msgstr "속성 매핑"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr ""
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr ""
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "인증된 세션"
@ -460,36 +447,6 @@ msgstr "라이선스 사용"
 msgid "License Usage Records"
 msgstr "라이선스 사용 기록"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "확인하려는 필드 키, 프롬프트 스테이지에서 정의된 필드 키를 사용할 수 있습니다."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "비밀번호가 컨텍스트에 설정되지 않음"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr ""
@ -1225,6 +1182,10 @@ msgstr "정책의 캐시 메트릭 보기"
 msgid "Clear Policy's cache metrics"
 msgstr "정책의 캐시 메트릭 삭제"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "확인하려는 필드 키, 프롬프트 스테이지에서 정의된 필드 키를 사용할 수 있습니다."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "비밀번호 해시가 허용되는 해시 횟수"
@ -1234,6 +1195,10 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "만약 zxcvbn 점수가 이 값과 같거나 이 값보다 작다면, 정책이 실패합니다."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "비밀번호가 컨텍스트에 설정되지 않음"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1275,6 +1240,20 @@ msgstr "평판 점수"
 msgid "Reputation Scores"
 msgstr "평판 점수"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "권한 거부됨"
@ -2034,10 +2013,6 @@ msgstr "역할"
 msgid "Roles"
 msgstr "역할"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "시스템 권한"
@ -2256,13 +2231,6 @@ msgid ""
 "enabled on a single LDAP source."
 msgstr "사용자가 비밀번호를 변경하면 LDAP로 다시 동기화합니다. 이 기능은 단일의 LDAP 소스에서만 활성화할 수 있습니다."
 #: authentik/sources/ldap/models.py
 msgid ""
 "Lookup group membership based on a user attribute instead of a group "
 "attribute. This allows nested group resolution on systems like FreeIPA and "
 "Active Directory"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP 소스"
@ -2279,22 +2247,6 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "비밀번호가 Active Directory 복잡도와 일치하지 않습니다."
@ -2303,14 +2255,6 @@ msgstr "비밀번호가 Active Directory 복잡도와 일치하지 않습니다.
 msgid "No token received."
 msgstr "수신된 토큰이 없습니다."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "토큰 요청 URL"
@ -2349,12 +2293,6 @@ msgstr "사용자 정보를 가져오기 위해 authentik에서 사용하는 URL
 msgid "Additional Scopes"
 msgstr "추가 스코프"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth 소스"
@ -3211,12 +3149,6 @@ msgid ""
 "info is entered."
 msgstr "활성화되면 잘못된 사용자 정보가 입력되더라도 단계가 성공하고 계속됩니다."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "페이지 하단에 링크된,  선택적 등록 플로우를 참조하세요."
@ -3568,14 +3500,6 @@ msgid ""
 "weeks=3;days=2;hours=3,seconds=2)."
 msgstr "이 기간이 지나면 이벤트가 삭제됩니다. (서식: hours=-1;minutes=-2;seconds=-3)"
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/pl/LC_MESSAGES/django.po
+++ b/locale/pl/LC_MESSAGES/django.po
@ -7,18 +7,18 @@
 # Bartosz Karpiński, 2023
 # Michał Jastrzębski, 2024
 # Tomci 12 <drizztes@gmail.com>, 2024
 # Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2024
 # Marc Schmitt, 2025
 # Jens L. <jens@goauthentik.io>, 2025
 # Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
+"Last-Translator: Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2025\n"
 "Language-Team: Polish (https://app.transifex.com/authentik/teams/119923/pl/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -189,7 +189,6 @@ msgid "User's display name."
 msgstr "Wyświetlana nazwa użytkownika."
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "Użytkownik"
@ -372,18 +371,6 @@ msgstr "Mapowanie właściwości"
 msgid "Property Mappings"
 msgstr "Mapowanie właściwości"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr "Sesja"
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr "Sesje"
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sesja uwierzytelniona"
@ -492,38 +479,6 @@ msgstr "Wykorzystanie licencji"
 msgid "License Usage Records"
 msgstr "Rejestr wykorzystania licencji"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Klucz pola do sprawdzenia, dostępne są klucze pola zdefiniowane w etapach "
 "monitu."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Hasło nie jest ustawione w kontekście"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Wymagane jest konto Enterprise, aby uzyskać dostęp do tej funkcji."
@ -1302,6 +1257,12 @@ msgstr "Wyświetl metryki pamięci podręcznej Zasady"
 msgid "Clear Policy's cache metrics"
 msgstr "Wyczyść metryki pamięci podręcznej Zasady"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Klucz pola do sprawdzenia, dostępne są klucze pola zdefiniowane w etapach "
 "monitu."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Ile razy skrót hasła może być na haveibeenpwned"
@ -1313,6 +1274,10 @@ msgstr ""
 "Jeśli wynik zxcvbn jest równy lub mniejszy od tej wartości, zasada zakończy "
 "się niepowodzeniem."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Hasło nie jest ustawione w kontekście"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1354,6 +1319,20 @@ msgstr "Punkty reputacji"
 msgid "Reputation Scores"
 msgstr "Punkty reputacji"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr "Oczekiwanie na uwierzytelnienie..."
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Odmowa uprawnień"
@ -2162,10 +2141,6 @@ msgstr "Rola"
 msgid "Roles"
 msgstr "Role"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Uprawnienie systemowe"
@ -2415,22 +2390,6 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Hasło nie pasuje do złożoności usługi Active Directory."
@ -2439,14 +2398,6 @@ msgstr "Hasło nie pasuje do złożoności usługi Active Directory."
 msgid "No token received."
 msgstr "Nie otrzymano tokena."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL żądania tokena"
@ -2489,12 +2440,6 @@ msgstr "URL używany przez authentik do uzyskania informacji o użytkowniku."
 msgid "Additional Scopes"
 msgstr "Dodatkowe zakresy"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Źródło OAuth"
@ -3399,12 +3344,6 @@ msgstr ""
 "Po włączeniu tej opcji etap zakończy się powodzeniem i będzie kontynuowany "
 "nawet po wprowadzeniu nieprawidłowych danych użytkownika."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@ -3788,14 +3727,6 @@ msgstr ""
 "Zdarzenia zostaną usunięte po upływie tego czasu. (Format: "
 "weeks=3;days=2;hours=3,seconds=2)."
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr "Opcja ta konfiguruje łącza stopki na stronach wykonawców przepływu."
--- a/locale/pt_BR/LC_MESSAGES/django.po
+++ b/locale/pt_BR/LC_MESSAGES/django.po
@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Gil Poiares-Oliveira, 2025\n"
 "Language-Team: Portuguese (Brazil) (https://app.transifex.com/authentik/teams/119923/pt_BR/)\n"
@ -192,7 +192,6 @@ msgid "User's display name."
 msgstr "Nome de exibição do usuário."
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "Usuário"
@ -377,18 +376,6 @@ msgstr "Mapeamento de propriedades"
 msgid "Property Mappings"
 msgstr "Mapeamentos de propriedades"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr ""
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr ""
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sessão Autenticada"
@ -496,38 +483,6 @@ msgstr "Uso de licença"
 msgid "License Usage Records"
 msgstr "Registros de uso de licença"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Chave de campo para verificar, as chaves de campo definidas nos estágios de "
 "prompt estão disponíveis."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Senha não definida no contexto"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Entrerprise é necessário para acessar essa funcionalidade"
@ -1297,6 +1252,12 @@ msgstr ""
 msgid "Clear Policy's cache metrics"
 msgstr ""
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Chave de campo para verificar, as chaves de campo definidas nos estágios de "
 "prompt estão disponíveis."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Quantas vezes o hash da senha pode estar em haveibeenpwned"
@ -1307,6 +1268,10 @@ msgid ""
 msgstr ""
 "Se a pontuação zxcvbn for igual ou menor que esse valor, a política falhará."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Senha não definida no contexto"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1348,6 +1313,20 @@ msgstr "Pontuação de reputação"
 msgid "Reputation Scores"
 msgstr "Pontuações de reputação"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permissão negada"
@ -2162,10 +2141,6 @@ msgstr ""
 msgid "Roles"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Permissão do sistema"
@ -2412,22 +2387,6 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "A senha não corresponde à complexidade do Active Directory."
@ -2436,14 +2395,6 @@ msgstr "A senha não corresponde à complexidade do Active Directory."
 msgid "No token received."
 msgstr "Nenhum token recebido."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL do token de solicitação"
@ -2484,12 +2435,6 @@ msgstr "URL usado pelo authentik para obter informações do usuário."
 msgid "Additional Scopes"
 msgstr "Escopos Adicionais"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Fonte OAuth"
@ -3373,12 +3318,6 @@ msgid ""
 "info is entered."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optional enrollment flow, which is linked at the bottom of the page."
@ -3739,14 +3678,6 @@ msgstr ""
 "Os eventos serão excluídos após esta duração.(Formato: "
 "semanas=3;dias=2;horas=3,segundos=2)."
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/ru/LC_MESSAGES/django.po
+++ b/locale/ru/LC_MESSAGES/django.po
@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/authentik/teams/119923/ru/)\n"
@ -191,7 +191,6 @@ msgid "User's display name."
 msgstr "Отображаемое имя пользователя."
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "Пользователь"
@ -380,18 +379,6 @@ msgstr "Сопоставление свойств"
 msgid "Property Mappings"
 msgstr "Сопоставление свойств"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr ""
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr ""
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Аутентифицированная Сессия"
@ -500,37 +487,6 @@ msgstr "Использование лицензии"
 msgid "License Usage Records"
 msgstr "Записи использования лицензии"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Ключ поля для проверки, доступны ключи поля, определенные в этапах запроса."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Пароль не задан в контексте"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Для доступа к этой функции требуется Enterprise."
@ -1311,6 +1267,11 @@ msgstr "Просмотр показателей кэша политики"
 msgid "Clear Policy's cache metrics"
 msgstr "Очистка показателей кэша политики"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Ключ поля для проверки, доступны ключи поля, определенные в этапах запроса."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Как часто хэш пароля может быть представлен на haveibeenpwned"
@ -1322,6 +1283,10 @@ msgstr ""
 "Если показатель zxcvbn равен или меньше этого значения, политика будет "
 "провалена."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Пароль не задан в контексте"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Неправильный пароль"
@ -1363,6 +1328,20 @@ msgstr "Оценка репутации"
 msgid "Reputation Scores"
 msgstr "Оценка репутации"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Доступ запрещен"
@ -2185,10 +2164,6 @@ msgstr "Роль"
 msgid "Roles"
 msgstr "Роли"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Системное разрешение"
@ -2446,22 +2421,6 @@ msgstr "Сопоставление свойства LDAP источника"
 msgid "LDAP Source Property Mappings"
 msgstr "Сопоставление свойств LDAP источника"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Пароль не соответствует сложности Active Directory."
@ -2470,14 +2429,6 @@ msgstr "Пароль не соответствует сложности Active D
 msgid "No token received."
 msgstr "Токен не был получен."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL-адрес запроса токена"
@ -2520,12 +2471,6 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr "Дополнительные области"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Источник OAuth"
@ -3431,12 +3376,6 @@ msgstr ""
 "При включении этап будет завершаться успешно и продолжаться даже в случае "
 "ввода неправильной информации о пользователе."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@ -3828,14 +3767,6 @@ msgstr ""
 "По истечении этого времени события будут удалены. (Формат: недели=3; дни=2; "
 "часы=3, секунды=2)."
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/tr/LC_MESSAGES/django.mo
+++ b/locale/tr/LC_MESSAGES/django.mo
--- a/locale/tr/LC_MESSAGES/django.po
+++ b/locale/tr/LC_MESSAGES/django.po
@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-03-31 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Turkish (https://app.transifex.com/authentik/teams/119923/tr/)\n"
@ -187,7 +187,6 @@ msgid "User's display name."
 msgstr "Kullanıcının görünen adı."
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "Kullanıcı"
@ -373,18 +372,6 @@ msgstr "Özellik Eşleme"
 msgid "Property Mappings"
 msgstr "Özellik Eşlemeleri"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr "Oturum"
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr "Oturumlar"
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Kimliği Doğrulanmış Oturum"
@ -492,38 +479,6 @@ msgstr "Lisans Kullanımı"
 msgid "License Usage Records"
 msgstr "Lisans Kullanım Kayıtları"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Alan tuşu kontrol etmek için, İstem aşamalarında tanımlanan alan tuşları "
 "mevcuttur."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Parola bağlam içinde ayarlanmamış"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Bu özelliğe erişmek için Kurumsal Paket gereklidir."
@ -1298,6 +1253,12 @@ msgstr "İlke'nin önbellek ölçümlerini görüntüleme"
 msgid "Clear Policy's cache metrics"
 msgstr "İlke'nin önbellek ölçümlerini temizleyin"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
 "Alan tuşu kontrol etmek için, İstem aşamalarında tanımlanan alan tuşları "
 "mevcuttur."
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1310,6 +1271,10 @@ msgstr ""
 "Eğer zxcvbn puanı bu değere eşit veya daha az ise, politika başarısız "
 "olacaktır."
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "Parola bağlam içinde ayarlanmamış"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1351,6 +1316,20 @@ msgstr "İtibar Puanı"
 msgid "Reputation Scores"
 msgstr "İtibar Puanları"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "İzin reddedildi"
@ -2176,10 +2155,6 @@ msgstr "Rol"
 msgid "Roles"
 msgstr "Roller"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Sistem yetkisi"
@ -2423,13 +2398,6 @@ msgstr ""
 "Bir kullanıcı parolasını değiştirdiğinde, parolayı LDAP ile geri eşitleyin. "
 "Bu yalnızca tek bir LDAP kaynağında etkinleştirilebilir."
 #: authentik/sources/ldap/models.py
 msgid ""
 "Lookup group membership based on a user attribute instead of a group "
 "attribute. This allows nested group resolution on systems like FreeIPA and "
 "Active Directory"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP Kaynağı"
@ -2446,22 +2414,6 @@ msgstr "LDAP Kaynak Özellik Eşlemesi"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP Kaynak Özellik Eşlemeleri"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Parola Active Directory Karmaşıklığıyla eşleşmiyor."
@ -2470,14 +2422,6 @@ msgstr "Parola Active Directory Karmaşıklığıyla eşleşmiyor."
 msgid "No token received."
 msgstr "Jeton alınmadı."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Jeton URL'si İste"
@ -2518,12 +2462,6 @@ msgstr "Kullanıcı bilgilerini almak için authentik tarafından kullanılan UR
 msgid "Additional Scopes"
 msgstr "Ek Kapsamlar"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth Kaynağı"
@ -3422,12 +3360,6 @@ msgstr ""
 "Etkinleştirildiğinde, yanlış kullanıcı bilgisi girilse bile aşama başarılı "
 "olur ve devam eder."
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Sayfanın alt kısmında bağlanan isteğe bağlı kayıt akışı."
@ -3802,14 +3734,6 @@ msgstr ""
 "Olaylar bu süreden sonra silinecektir (Format: "
 "weeks=3;days=2;hours=3,seconds=2)."
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-18 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -461,36 +461,6 @@ msgstr "许可证使用情况"
 msgid "License Usage Records"
 msgstr "许可证使用情况记录"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr "检查指定数量的密码。"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr "此密码被使用过。请选择其他密码。"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr "密码唯一性策略"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr "密码唯一性策略"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr "用户密码历史记录"
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "访问此功能需要企业版。"
@ -1220,6 +1190,10 @@ msgstr "查看策略缓存指标"
 msgid "Clear Policy's cache metrics"
 msgstr "清除策略缓存指标"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密码哈希允许出现在 HaveIBeenPwned 中多少次"
@ -1229,6 +1203,10 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "无效密码。"
@ -1270,6 +1248,20 @@ msgstr "信誉分数"
 msgid "Reputation Scores"
 msgstr "信誉分数"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr "正在等待身份验证…"
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr "您正在另一个标签页中验证身份。身份验证完成后，此页面会刷新。"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr "在此标签页中验证身份"
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "权限被拒绝"
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-18 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -460,36 +460,6 @@ msgstr "许可证使用情况"
 msgid "License Usage Records"
 msgstr "许可证使用情况记录"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr "检查指定数量的密码。"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr "此密码被使用过。请选择其他密码。"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr "密码唯一性策略"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr "密码唯一性策略"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr "用户密码历史记录"
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "访问此功能需要企业版。"
@ -1219,6 +1189,10 @@ msgstr "查看策略缓存指标"
 msgid "Clear Policy's cache metrics"
 msgstr "清除策略缓存指标"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密码哈希允许出现在 HaveIBeenPwned 中多少次"
@ -1228,6 +1202,10 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "无效密码。"
@ -1269,6 +1247,20 @@ msgstr "信誉分数"
 msgid "Reputation Scores"
 msgstr "信誉分数"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr "正在等待身份验证…"
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr "您正在另一个标签页中验证身份。身份验证完成后，此页面会刷新。"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr "在此标签页中验证身份"
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "权限被拒绝"
--- a/locale/zh_TW/LC_MESSAGES/django.po
+++ b/locale/zh_TW/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: 刘松, 2025\n"
 "Language-Team: Chinese (Taiwan) (https://app.transifex.com/authentik/teams/119923/zh_TW/)\n"
@ -178,7 +178,6 @@ msgid "User's display name."
 msgstr "使用者的顯示名稱。"
 #: authentik/core/models.py authentik/providers/oauth2/models.py
 #: authentik/rbac/models.py
 msgid "User"
 msgstr "使用者"
@ -345,18 +344,6 @@ msgstr "屬性對應"
 msgid "Property Mappings"
 msgstr "屬性對應"
 #: authentik/core/models.py
 msgid "session data"
 msgstr ""
 #: authentik/core/models.py
 msgid "Session"
 msgstr "会话"
 #: authentik/core/models.py
 msgid "Sessions"
 msgstr "会话"
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "已認證會談"
@ -460,36 +447,6 @@ msgstr "授權使用情況"
 msgid "License Usage Records"
 msgstr "授權使用紀錄"
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要檢查的欄位鍵，在提示階段中有可用的已定義欄位鍵。"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "未在上下文中設定密碼"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
 msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
 msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "企業版才能存取此功能。"
@ -1219,6 +1176,10 @@ msgstr "檢視原則的快取指標"
 msgid "Clear Policy's cache metrics"
 msgstr "清除原則的快取指標"
 #: authentik/policies/password/models.py
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要檢查的欄位鍵，在提示階段中有可用的已定義欄位鍵。"
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密碼雜湊在 haveibeenpwned 上允許出現的次數"
@ -1228,6 +1189,10 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分數等於或小於此值，則該政策將失敗。"
 #: authentik/policies/password/models.py
 msgid "Password not set in context"
 msgstr "未在上下文中設定密碼"
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1269,6 +1234,20 @@ msgstr "信譽分數"
 msgid "Reputation Scores"
 msgstr "信譽分數"
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
 msgstr ""
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "權限不足。"
@ -2020,10 +1999,6 @@ msgstr "角色"
 msgid "Roles"
 msgstr "角色"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "系統權限"
@ -2265,22 +2240,6 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
 msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
 msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "密碼不符合 Active Directory 的複雜性要求。"
@ -2289,14 +2248,6 @@ msgstr "密碼不符合 Active Directory 的複雜性要求。"
 msgid "No token received."
 msgstr "未收到權杖。"
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "請求權杖的網址"
@ -2335,12 +2286,6 @@ msgstr "authentik 用來擷取使用者資訊的網址。"
 msgid "Additional Scopes"
 msgstr "附加範圍"
 #: authentik/sources/oauth/models.py
 msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth 來源"
@ -3192,12 +3137,6 @@ msgid ""
 "info is entered."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "可選的註冊流程，連結在頁面的底部。"
@ -3542,14 +3481,6 @@ msgid ""
 "weeks=3;days=2;hours=3,seconds=2)."
 msgstr "事件將在此期間後刪除。（格式：weeks=3;days=2;hours=3,seconds=2）"
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.4.1",
+    "version": "2025.2.4",
    "private": true
 }
--- a/packages/docusaurus-config/css/badges.css
+++ b/packages/docusaurus-config/css/badges.css
@ -18,7 +18,9 @@
 }
 .badge--support-community {
-    --ifm-badge-background-color: var(--ifm-color-secondary-contrast-foreground);
+    --ifm-badge-background-color: var(
        --ifm-color-secondary-contrast-foreground
    );
    --ifm-badge-border-color: var(--ifm-color-secondary-dark);
    --ifm-badge-color: var(--ifm-color-secondary-contrast-background);
 }
--- a/packages/docusaurus-config/css/fonts.css
+++ b/packages/docusaurus-config/css/fonts.css
@ -1,12 +1,12 @@
 :root {
    --ifm-font-family-base:
-        RedHatVF, system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell, Noto Sans,
+        RedHatVF, system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell,
-        sans-serif, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif,
+        Noto Sans, sans-serif, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial,
-        "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
+        sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
    --ifm-font-family-monospace:
-        RedHatMonoVF, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New",
+        RedHatMonoVF, SFMono-Regular, Menlo, Monaco, Consolas,
-        monospace;
+        "Liberation Mono", "Courier New", monospace;
    --ifm-heading-font-family: RedHatDisplayVF, var(--ifm-font-family-base);
--- a/packages/docusaurus-config/css/homepage.css
+++ b/packages/docusaurus-config/css/homepage.css
@ -7,7 +7,11 @@
 }
 .homepage_hero__subtitle p {
-    font-size: clamp(1.125rem, 0.9946rem + 0.6522vi, 1.5rem); /* Adjust font as page scales */
+    font-size: clamp(
        1.125rem,
        0.9946rem + 0.6522vi,
        1.5rem
    ); /* Adjust font as page scales */
    max-width: 28ch; /* Apply a maximum to keep everything in the box */
    text-wrap: balance; /* Prevent widows, orphans, and runts. Doesn't work in Safari */
 }
--- a/packages/docusaurus-config/css/menu.css
+++ b/packages/docusaurus-config/css/menu.css
@ -1,5 +1,5 @@
 :root {
-    --ifm-menu-link-padding-vertical: 0.5em;
+    --ifm-menu-link-padding-vertical: 1em;
 }
 .menu__list-item {
--- a/packages/docusaurus-config/css/navbar.css
+++ b/packages/docusaurus-config/css/navbar.css
@ -75,14 +75,17 @@
        --ifm-navbar-item-padding-horizontal: 1rem;
    }
-    .navbar {
+    .docs-wrapper .navbar {
        margin: 0;
        padding-inline-start: 0;
    }
    .navbar__brand {
        justify-content: center;
-        width: var(--doc-sidebar-width, 300px);
+    }
    .docs-wrapper .navbar__brand {
        width: var(--doc-sidebar-width);
        margin: 0;
    }
@ -119,8 +122,12 @@
        @media (min-width: 999px) {
            border-inline-start: 1px solid var(--ifm-hover-overlay);
-            margin-inline-start: calc(var(--ifm-navbar-item-padding-horizontal) / 2);
+            margin-inline-start: calc(
-            padding-inline-start: calc(var(--ifm-navbar-item-padding-horizontal) / 2);
+                var(--ifm-navbar-item-padding-horizontal) / 2
            );
            padding-inline-start: calc(
                var(--ifm-navbar-item-padding-horizontal) / 2
            );
        }
    }
@ -144,14 +151,19 @@
        hsl(236.84deg 34.55% 10.78%)
    );
    --docsearch-key-shadow:
-        inset 0 -2px 0 0 hsl(233.33deg 36% 24.51%), inset 0 0 1px 1px hsl(232.11deg 34.86% 57.25%),
+        inset 0 -2px 0 0 hsl(233.33deg 36% 24.51%),
        inset 0 0 1px 1px hsl(232.11deg 34.86% 57.25%),
        0 2px 2px 0 rgba(3, 4, 9, 0.3);
    --docsearch-key-pressed-shadow:
-        inset 0 -2px 0 0 #282d55, inset 0 0 1px 1px hsl(231.82deg 21.36% 40.39%),
+        inset 0 -2px 0 0 #282d55,
        inset 0 0 1px 1px hsl(231.82deg 21.36% 40.39%),
        0 1px 1px 0 hsl(230deg 50% 2.35% / 30.2%);
-    padding: var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal) !important;
+    padding: var(--ifm-navbar-item-padding-vertical)
-    padding-inline-end: calc(var(--ifm-navbar-item-padding-horizontal) * 1.25) !important;
+        var(--ifm-navbar-item-padding-horizontal) !important;
    padding-inline-end: calc(
        var(--ifm-navbar-item-padding-horizontal) * 1.25
    ) !important;
    .DocSearch-Button-Placeholder {
        font-family: var(--ifm-heading-font-family);
--- a/packages/docusaurus-config/css/root.css
+++ b/packages/docusaurus-config/css/root.css
@ -13,3 +13,7 @@
    --ifm-color-content: hsl(216 35% 3%);
 }
 body {
    overscroll-behavior-x: none;
 }
--- a/packages/docusaurus-config/lib/common.js
+++ b/packages/docusaurus-config/lib/common.js
@ -4,8 +4,8 @@
 * @import { Config as DocusaurusConfig } from "@docusaurus/types"
 * @import { UserThemeConfig } from "./theme.js"
 */
 import { deepmerge } from "deepmerge-ts";
 import { deepmerge } from "deepmerge-ts";
 import { createThemeConfig } from "./theme.js";
 //#region Types
--- a/packages/docusaurus-config/lib/theme.js
+++ b/packages/docusaurus-config/lib/theme.js
@ -4,6 +4,7 @@
 * @import { UserThemeConfig as UserThemeConfigCommon } from "@docusaurus/theme-common";
 * @import { UserThemeConfig as UserThemeConfigAlgolia } from "@docusaurus/theme-search-algolia";
 */
 import { deepmerge } from "deepmerge-ts";
 import { themes as prismThemes } from "prism-react-renderer";
--- a/packages/docusaurus-config/package-lock.json
+++ b/packages/docusaurus-config/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.5",
+    "version": "1.0.2",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/docusaurus-config",
-            "version": "1.0.5",
+            "version": "1.0.2",
            "license": "MIT",
            "dependencies": {
                "deepmerge-ts": "^7.1.5",
--- a/packages/docusaurus-config/package.json
+++ b/packages/docusaurus-config/package.json
@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.5",
+    "version": "1.0.4",
    "description": "authentik's Docusaurus config",
    "license": "MIT",
    "scripts": {
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@ -76,7 +76,6 @@ EXPOSE 9000 9300 9443
 USER 1000
-ENV TMPDIR=/dev/shm/ \
+ENV GOFIPS=1
    GOFIPS=1
 ENTRYPOINT ["/proxy"]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.4.1"
+version = "2025.2.4"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.12.*"
--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@ -56,7 +56,6 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/rac", "healthch
 USER 1000
-ENV TMPDIR=/dev/shm/ \
+ENV GOFIPS=1
    GOFIPS=1
 ENTRYPOINT ["/rac"]
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@ -56,7 +56,6 @@ EXPOSE 1812/udp 9300
 USER 1000
-ENV TMPDIR=/dev/shm/ \
+ENV GOFIPS=1
    GOFIPS=1
 ENTRYPOINT ["/radius"]
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.4.1
+  version: 2025.2.4
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/uv.lock
+++ b/uv.lock
@ -165,7 +165,7 @@ wheels = [
 [[package]]
 name = "authentik"
-version = "2025.4.1"
+version = "2025.2.4"
 source = { editable = "." }
 dependencies = [
    { name = "argon2-cffi" },
@ -1436,11 +1436,11 @@ wheels = [
 [[package]]
 name = "h11"
-version = "0.16.0"
+version = "0.14.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/01/ee/02a2c011bdab74c6fb3c75474d40b3052059d95df7e73351460c8588d963/h11-0.16.0.tar.gz", hash = "sha256:4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1", size = 101250 }
+sdist = { url = "https://files.pythonhosted.org/packages/f5/38/3af3d3633a34a3316095b39c8e8fb4853a28a536e55d347bd8d8e9a14b03/h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d", size = 100418 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/04/4b/29cac41a4d98d144bf5f6d33995617b185d14b22401f75ca86f384e87ff1/h11-0.16.0-py3-none-any.whl", hash = "sha256:63cf8bbe7522de3bf65932fda1d9c2772064ffb3dae62d55932da54b31cb6c86", size = 37515 },
+    { url = "https://files.pythonhosted.org/packages/95/04/ff642e65ad6b90db43e668d70ffb6736436c7ce41fcc549f4e9472234127/h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761", size = 58259 },
 ]
 [[package]]
@ -1467,15 +1467,15 @@ wheels = [
 [[package]]
 name = "httpcore"
-version = "1.0.9"
+version = "1.0.8"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
    { name = "h11" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/06/94/82699a10bca87a5556c9c59b5963f2d039dbd239f25bc2a63907a05a14cb/httpcore-1.0.9.tar.gz", hash = "sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8", size = 85484 }
+sdist = { url = "https://files.pythonhosted.org/packages/9f/45/ad3e1b4d448f22c0cff4f5692f5ed0666658578e358b8d58a19846048059/httpcore-1.0.8.tar.gz", hash = "sha256:86e94505ed24ea06514883fd44d2bc02d90e77e7979c8eb71b90f41d364a1bad", size = 85385 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7e/f5/f66802a942d491edb555dd61e3a9961140fd64c90bce1eafd741609d334d/httpcore-1.0.9-py3-none-any.whl", hash = "sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55", size = 78784 },
+    { url = "https://files.pythonhosted.org/packages/18/8d/f052b1e336bb2c1fc7ed1aaed898aa570c0b61a09707b108979d9fc6e308/httpcore-1.0.8-py3-none-any.whl", hash = "sha256:5254cf149bcb5f75e9d1b2b9f729ea4a4b883d1ad7379fc632b727cec23674be", size = 78732 },
 ]
 [[package]]
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@ -12,8 +12,8 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.2.4-1745519715",
+        "@goauthentik/api": "^2025.2.4-1745325566",
-        "@lit-labs/ssr": "3.2.2",
+        "@lit-labs/ssr": "^3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
--- a/web/packages/sfe/src/index.ts
+++ b/web/packages/sfe/src/index.ts
@ -47,16 +47,7 @@ class SimpleFlowExecutor {
        return `${ak().api.base}api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
    }
    loading() {
        this.container.innerHTML = `<div class="d-flex justify-content-center">
            <div class="spinner-border spinner-border-md" role="status">
                <span class="sr-only">Loading...</span>
            </div>
        </div>`;
    }
    start() {
        this.loading();
        $.ajax({
            type: "GET",
            url: this.apiURL,
--- a/web/src/admin/AdminInterface/AdminInterface.ts
+++ b/web/src/admin/AdminInterface/AdminInterface.ts
@ -4,6 +4,7 @@ import { ROUTES } from "@goauthentik/admin/Routes";
 import {
    EVENT_API_DRAWER_TOGGLE,
    EVENT_NOTIFICATION_DRAWER_TOGGLE,
    EVENT_SIDEBAR_TOGGLE,
 } from "@goauthentik/common/constants";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { me } from "@goauthentik/common/users";
@ -11,6 +12,8 @@ import { WebsocketClient } from "@goauthentik/common/ws";
 import { AuthenticatedInterface } from "@goauthentik/elements/Interface";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/banner/EnterpriseStatusBanner";
 import "@goauthentik/elements/banner/EnterpriseStatusBanner";
 import "@goauthentik/elements/banner/VersionBanner";
 import "@goauthentik/elements/banner/VersionBanner";
 import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/elements/messages/MessageContainer";
@ -40,6 +43,8 @@ if (process.env.NODE_ENV === "development") {
@customElement("ak-interface-admin")
 export class AdminInterface extends AuthenticatedInterface {
    //#region Properties
    @property({ type: Boolean })
    notificationDrawerOpen = getURLParam("notificationDrawerOpen", false);
@ -54,6 +59,17 @@ export class AdminInterface extends AuthenticatedInterface {
    @query("ak-about-modal")
    aboutModal?: AboutModal;
    @state()
    sidebarVisible = false;
    #toggleSidebar = () => {
        this.sidebarVisible = !this.sidebarVisible;
    };
    //#endregion
    //#region Styles
    static get styles(): CSSResult[] {
        return [
            PFBase,
@ -67,23 +83,30 @@ export class AdminInterface extends AuthenticatedInterface {
                    z-index: auto !important;
                    background-color: transparent;
                }
                .display-none {
                    display: none;
                }
                .pf-c-page {
                    background-color: var(--pf-c-page--BackgroundColor) !important;
                }
-                /* Global page background colour */
+
-                :host([theme="dark"]) .pf-c-page {
+                :host([theme="dark"]) {
-                    --pf-c-page--BackgroundColor: var(--ak-dark-background);
+                    /* Global page background colour */
                    .pf-c-page {
                        --pf-c-page--BackgroundColor: var(--ak-dark-background);
                    }
                }
-                ak-enterprise-status,
+
-                ak-version-banner {
+                ak-page-navbar {
                    grid-area: header;
                }
                ak-admin-sidebar {
                    grid-area: nav;
                }
                .pf-c-drawer__panel {
                    z-index: var(--pf-global--ZIndex--xl);
                }
@ -91,6 +114,10 @@ export class AdminInterface extends AuthenticatedInterface {
        ];
    }
    //#endregion
    //#region Lifecycle
    constructor() {
        super();
        this.ws = new WebsocketClient();
@ -123,12 +150,26 @@ export class AdminInterface extends AuthenticatedInterface {
        }
    }
    async connectedCallback(): Promise<void> {
        super.connectedCallback();
        window.addEventListener(EVENT_SIDEBAR_TOGGLE, this.#toggleSidebar);
    }
    disconnectedCallback(): void {
        super.disconnectedCallback();
        window.removeEventListener(EVENT_SIDEBAR_TOGGLE, this.#toggleSidebar);
    }
    render(): TemplateResult {
        const sidebarClasses = {
            "pf-m-light": this.activeTheme === UiThemeEnum.Light,
            "pf-m-expanded": !this.sidebarVisible,
            "pf-m-collapsed": this.sidebarVisible,
        };
        const drawerOpen = this.notificationDrawerOpen || this.apiDrawerOpen;
        const drawerClasses = {
            "pf-m-expanded": drawerOpen,
            "pf-m-collapsed": !drawerOpen,
@ -136,11 +177,16 @@ export class AdminInterface extends AuthenticatedInterface {
        return html` <ak-locale-context>
            <div class="pf-c-page">
-                <ak-enterprise-status interface="admin"></ak-enterprise-status>
+                <ak-page-navbar>
-                <ak-version-banner></ak-version-banner>
+                    <ak-version-banner></ak-version-banner>
                    <ak-enterprise-status interface="admin"></ak-enterprise-status>
                </ak-page-navbar>
                <ak-admin-sidebar
-                    class="pf-c-page__sidebar ${classMap(sidebarClasses)}"
+                    class="pf-c-page__sidebar
                     ${classMap(sidebarClasses)}"
                ></ak-admin-sidebar>
                <div class="pf-c-page__drawer">
                    <div class="pf-c-drawer ${classMap(drawerClasses)}">
                        <div class="pf-c-drawer__main">
--- a/web/src/admin/AdminInterface/AdminSidebar.ts
+++ b/web/src/admin/AdminInterface/AdminSidebar.ts
@ -1,4 +1,3 @@
 import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
 import { me } from "@goauthentik/common/users";
 import { AKElement } from "@goauthentik/elements/Base";
 import {
@ -31,16 +30,9 @@ export class AkAdminSidebar extends WithCapabilitiesConfig(WithVersion(AKElement
        me().then((user: SessionUser) => {
            this.impersonation = user.original ? user.user.username : null;
        });
        this.toggleOpen = this.toggleOpen.bind(this);
        this.checkWidth = this.checkWidth.bind(this);
    }
    // This has to be a bound method so the event listener can be removed on disconnection as
    // needed.
    toggleOpen() {
        this.open = !this.open;
    }
    checkWidth() {
        // This works just fine, but it assumes that the `--ak-sidebar--minimum-auto-width` is in
        // REMs. If that changes, this code will have to be adjusted as well.
@ -52,7 +44,7 @@ export class AkAdminSidebar extends WithCapabilitiesConfig(WithVersion(AKElement
    connectedCallback() {
        super.connectedCallback();
-        window.addEventListener(EVENT_SIDEBAR_TOGGLE, this.toggleOpen);
+
        window.addEventListener("resize", this.checkWidth);
        // After connecting to the DOM, we can now perform this check to see if the sidebar should
        // be open by default.
@ -63,7 +55,6 @@ export class AkAdminSidebar extends WithCapabilitiesConfig(WithVersion(AKElement
    // connection, and removing them before disconnection.
    disconnectedCallback() {
        window.removeEventListener(EVENT_SIDEBAR_TOGGLE, this.toggleOpen);
        window.removeEventListener("resize", this.checkWidth);
        super.disconnectedCallback();
    }
@ -71,8 +62,9 @@ export class AkAdminSidebar extends WithCapabilitiesConfig(WithVersion(AKElement
    render() {
        return html`
            <ak-sidebar
-                class="pf-c-page__sidebar ${this.open ? "pf-m-expanded" : "pf-m-collapsed"} ${this
+                class="pf-c-page__sidebar
-                    .activeTheme === UiThemeEnum.Light
+                ${this.open ? "pf-m-expanded" : "pf-m-collapsed"} ${this.activeTheme ===
                UiThemeEnum.Light
                    ? "pf-m-light"
                    : ""}"
            >
@ -81,19 +73,6 @@ export class AkAdminSidebar extends WithCapabilitiesConfig(WithVersion(AKElement
        `;
    }
    updated() {
        // This is permissible as`:host.classList` is not one of the properties Lit uses as a
        // scheduling trigger. This sort of shenanigans can trigger an loop, in that it will trigger
        // a browser reflow, which may trigger some other styling the application is monitoring,
        // triggering a re-render which triggers a browser reflow, ad infinitum. But we've been
        // living with that since jQuery, and it's both well-known and fortunately rare.
        // eslint-disable-next-line wc/no-self-class
        this.classList.remove("pf-m-expanded", "pf-m-collapsed");
        // eslint-disable-next-line wc/no-self-class
        this.classList.add(this.open ? "pf-m-expanded" : "pf-m-collapsed");
    }
    renderSidebarItems(): TemplateResult {
        // The second attribute type is of string[] to help with the 'activeWhen' control, which was
        // commonplace and singular enough to merit its own handler.
--- a/web/src/admin/admin-overview/AdminOverviewPage.ts
+++ b/web/src/admin/admin-overview/AdminOverviewPage.ts
@ -94,10 +94,13 @@ export class AdminOverviewPage extends AdminOverviewBase {
    }
    render(): TemplateResult {
-        const name = this.user?.user.name ?? this.user?.user.username;
+        const username = this.user?.user.name || this.user?.user.username;
-        return html`<ak-page-header description=${msg("General system status")} ?hasIcon=${false}>
+        return html` <ak-page-header
-                <span slot="header"> ${msg(str`Welcome, ${name || ""}.`)} </span>
+                header=${msg(str`Welcome, ${username || ""}.`)}
                description=${msg("General system status")}
                ?hasIcon=${false}
            >
            </ak-page-header>
            <section class="pf-c-page__main-section">
                <div class="pf-l-grid pf-m-gutter">
--- a/web/src/admin/admin-settings/AdminSettingsPage.ts
+++ b/web/src/admin/admin-settings/AdminSettingsPage.ts
@ -83,13 +83,10 @@ export class AdminSettingsPage extends AKElement {
    }
    render() {
-        if (!this.settings) {
+        if (!this.settings) return nothing;
-            return nothing;
+
        }
        return html`
-            <ak-page-header icon="fa fa-cog" header="" description="">
+            <ak-page-header icon="fa fa-cog" header="${msg("System settings")}"> </ak-page-header>
                <span slot="header"> ${msg("System settings")} </span>
            </ak-page-header>
            <section class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter">
                <div class="pf-c-card">
                    <div class="pf-c-card__body">
--- a/web/src/admin/rbac/RoleObjectPermissionForm.ts
+++ b/web/src/admin/rbac/RoleObjectPermissionForm.ts
@ -89,24 +89,19 @@ export class RoleObjectPermissionForm extends ModelForm<RoleAssignData, number>
                >
                </ak-search-select>
            </ak-form-element-horizontal>
-            ${this.modelPermissions?.results
+            ${this.modelPermissions?.results.map((perm) => {
-                .filter((perm) => {
+                return html` <ak-form-element-horizontal name="permissions.${perm.codename}">
-                    const [_app, model] = this.model?.split(".") || "";
+                    <label class="pf-c-switch">
-                    return perm.codename !== `add_${model}`;
+                        <input class="pf-c-switch__input" type="checkbox" />
-                })
+                        <span class="pf-c-switch__toggle">
-                .map((perm) => {
+                            <span class="pf-c-switch__toggle-icon">
-                    return html` <ak-form-element-horizontal name="permissions.${perm.codename}">
+                                <i class="fas fa-check" aria-hidden="true"></i>
                        <label class="pf-c-switch">
                            <input class="pf-c-switch__input" type="checkbox" />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
                                    <i class="fas fa-check" aria-hidden="true"></i>
                                </span>
                            </span>
-                            <span class="pf-c-switch__label">${perm.name}</span>
+                        </span>
-                        </label>
+                        <span class="pf-c-switch__label">${perm.name}</span>
-                    </ak-form-element-horizontal>`;
+                    </label>
-                })}
+                </ak-form-element-horizontal>`;
            })}
        </form>`;
    }
 }
--- a/web/src/admin/rbac/RoleObjectPermissionTable.ts
+++ b/web/src/admin/rbac/RoleObjectPermissionTable.ts
@ -45,7 +45,7 @@ export class RoleAssignedObjectPermissionTable extends Table<RoleAssignedObjectP
            ordering: "codename",
        });
        modelPermissions.results = modelPermissions.results.filter((value) => {
-            return value.codename !== `add_${this.model?.split(".")[1]}`;
+            return !value.codename.startsWith("add_");
        });
        this.modelPermissions = modelPermissions;
        return perms;
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2025.4.1";
+export const VERSION = "2025.2.4";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
--- a/web/src/common/styles/authentik.css
+++ b/web/src/common/styles/authentik.css
@ -17,6 +17,13 @@
    /* Minimum width after which the sidebar becomes automatic */
    --ak-sidebar--minimum-auto-width: 80rem;
    /**
     * The height of the navbar and branded sidebar.
     * @todo This shouldn't be necessary. The sidebar can instead use a grid layout
     * ensuring they share the same height.
     */
    --ak-navbar--height: 7rem;
 }
@supports selector(::-webkit-scrollbar) {
--- a/web/src/components/ak-nav-buttons.ts
+++ b/web/src/components/ak-nav-buttons.ts
@ -67,6 +67,12 @@ export class NavigationButtons extends AKElement {
                :host([theme="light"]) .pf-c-page__header-tools-group .pf-c-button {
                    color: var(--ak-global--Color--100) !important;
                }
                @media (max-width: 768px) {
                    .pf-c-avatar {
                        display: none;
                    }
                }
            `,
        ];
    }
@ -156,9 +162,7 @@ export class NavigationButtons extends AKElement {
    }
    renderImpersonation() {
-        if (!this.me?.original) {
+        if (!this.me?.original) return nothing;
            return nothing;
        }
        const onClick = async () => {
            await new CoreApi(DEFAULT_CONFIG).coreUsersImpersonateEndRetrieve();
@ -175,6 +179,14 @@ export class NavigationButtons extends AKElement {
            </div>`;
    }
    renderAvatar() {
        return html`<img
            class="pf-c-avatar"
            src=${ifDefined(this.me?.user.avatar)}
            alt="${msg("Avatar image")}"
        />`;
    }
    get userDisplayName() {
        return match<UserDisplay | undefined, string | undefined>(this.uiConfig?.navbar.userDisplay)
            .with(UserDisplay.username, () => this.me?.user.username)
@ -212,11 +224,7 @@ export class NavigationButtons extends AKElement {
                      </div>
                  </div>`
                : nothing}
-            <img
+            ${this.renderAvatar()}
                class="pf-c-avatar"
                src=${ifDefined(this.me?.user.avatar)}
                alt="${msg("Avatar image")}"
            />
        </div>`;
    }
 }
--- a/web/src/elements/PageHeader.ts
+++ b/web/src/elements/PageHeader.ts
@ -10,15 +10,18 @@ import { me } from "@goauthentik/common/users";
 import "@goauthentik/components/ak-nav-buttons";
 import { AKElement } from "@goauthentik/elements/Base";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";
 import { themeImage } from "@goauthentik/elements/utils/images";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 import { msg } from "@lit/localize";
-import { CSSResult, TemplateResult, css, html, nothing } from "lit";
+import { CSSResult, LitElement, TemplateResult, css, html, nothing } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import PFAvatar from "@patternfly/patternfly/components/Avatar/avatar.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFContent from "@patternfly/patternfly/components/Content/content.css";
 import PFDrawer from "@patternfly/patternfly/components/Drawer/drawer.css";
 import PFDropdown from "@patternfly/patternfly/components/Dropdown/dropdown.css";
 import PFNotificationBadge from "@patternfly/patternfly/components/NotificationBadge/notification-badge.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
@ -26,34 +29,52 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
 import { SessionUser } from "@goauthentik/api";
-@customElement("ak-page-header")
+//#region Page Navbar
 export class PageHeader extends WithBrandConfig(AKElement) {
    @property()
    icon?: string;
-    @property({ type: Boolean })
+export interface PageNavbarDetails {
-    iconImage = false;
+    header?: string;
    @property()
    header = "";
    @property()
    description?: string;
    icon?: string;
    iconImage?: boolean;
 }
-    @property({ type: Boolean })
+/**
-    hasIcon = true;
+ * A global navbar component at the top of the page.
 *
 * Internally, this component listens for the `ak-page-header` event, which is
 * dispatched by the `ak-page-header` component.
 */
@customElement("ak-page-navbar")
 export class AKPageNavbar extends WithBrandConfig(AKElement) implements PageNavbarDetails {
    //#region Static Properties
-    @state()
+    private static elementRef: AKPageNavbar | null = null;
    me?: SessionUser;
-    @state()
+    static readonly setNavbarDetails = (detail: Partial<PageNavbarDetails>): void => {
-    uiConfig!: UIConfig;
+        const { elementRef } = AKPageNavbar;
        if (!elementRef) {
            console.debug(
                `ak-page-header: Could not find ak-page-navbar, skipping event dispatch.`,
            );
            return;
        }
        const { header, description, icon, iconImage } = detail;
        elementRef.header = header;
        elementRef.description = description;
        elementRef.icon = icon;
        elementRef.iconImage = iconImage || false;
        elementRef.hasIcon = !!icon;
    };
    static get styles(): CSSResult[] {
        return [
            PFBase,
            PFButton,
            PFPage,
            PFDrawer,
            PFNotificationBadge,
            PFContent,
            PFAvatar,
@ -63,55 +84,212 @@ export class PageHeader extends WithBrandConfig(AKElement) {
                    position: sticky;
                    top: 0;
                    z-index: var(--pf-global--ZIndex--lg);
                    --pf-c-page__header-tools--MarginRight: 0;
                    --ak-brand-logo-height: var(--pf-global--FontSize--4xl, 2.25rem);
                    --ak-brand-background-color: var(
                        --pf-c-page__sidebar--m-light--BackgroundColor
                    );
                }
-                .bar {
+
                :host([theme="dark"]) {
                    --ak-brand-background-color: var(--pf-c-page__sidebar--BackgroundColor);
                    --pf-c-page__sidebar--BackgroundColor: var(--ak-dark-background-light);
                    color: var(--ak-dark-foreground);
                }
                navbar {
                    border-bottom: var(--pf-global--BorderWidth--sm);
                    border-bottom-style: solid;
                    border-bottom-color: var(--pf-global--BorderColor--100);
                    background-color: var(--pf-c-page--BackgroundColor);
                    display: flex;
                    flex-direction: row;
-                    min-height: 114px;
+                    min-height: 6rem;
-                    max-height: 114px;
+
-                    background-color: var(--pf-c-page--BackgroundColor);
+                    display: grid;
                    row-gap: var(--pf-global--spacer--sm);
                    column-gap: var(--pf-global--spacer--sm);
                    grid-template-columns: [brand] auto [toggle] auto [primary] 1fr [secondary] auto;
                    grid-template-rows: auto auto;
                    grid-template-areas:
                        "brand toggle primary secondary"
                        "brand toggle description secondary";
                    @media (max-width: 768px) {
                        row-gap: var(--pf-global--spacer--xs);
                        align-items: center;
                        grid-template-areas:
                            "toggle primary secondary"
                            "toggle description description";
                        justify-content: space-between;
                        width: 100%;
                    }
                }
-                .pf-c-page__main-section.pf-m-light {
+
-                    background-color: transparent;
+                .items {
                    display: block;
                    &.primary {
                        grid-column: primary;
                        grid-row: primary / description;
                        align-content: center;
                        padding-block: var(--pf-global--spacer--md);
                        @media (min-width: 426px) {
                            &.block-sibling {
                                padding-block-end: 0;
                                grid-row: primary;
                            }
                        }
                        @media (max-width: 768px) {
                            padding-block: var(--pf-global--spacer--sm);
                        }
                        .accent-icon {
                            height: 1em;
                            width: 1em;
                            @media (max-width: 768px) {
                                display: none;
                            }
                        }
                    }
                    &.page-description {
                        grid-area: description;
                        padding-block-end: var(--pf-global--spacer--md);
                        @media (max-width: 425px) {
                            display: none;
                        }
                        @media (min-width: 769px) {
                            text-wrap: balance;
                        }
                    }
                    &.secondary {
                        grid-area: secondary;
                        flex: 0 0 auto;
                        justify-self: end;
                        padding-block: var(--pf-global--spacer--sm);
                        padding-inline-end: var(--pf-global--spacer--sm);
                        @media (min-width: 769px) {
                            align-content: center;
                            padding-block: var(--pf-global--spacer--md);
                            padding-inline-end: var(--pf-global--spacer--xl);
                        }
                    }
                }
-                .pf-c-page__main-section {
+
-                    flex-grow: 1;
+                .brand {
-                    flex-shrink: 1;
+                    grid-area: brand;
                    background-color: var(--ak-brand-background-color);
                    height: 100%;
                    width: var(--pf-c-page__sidebar--Width);
                    align-items: center;
                    padding-inline: var(--pf-global--spacer--sm);
                    display: flex;
                    flex-direction: column;
                    justify-content: center;
                    &.pf-m-collapsed {
                        display: none;
                    }
                    @media (max-width: 1279px) {
                        display: none;
                    }
                }
-                img.pf-icon {
+
-                    max-height: 24px;
+                .sidebar-trigger {
                    grid-area: toggle;
                    height: 100%;
                }
                .logo {
                    flex: 0 0 auto;
                    height: var(--ak-brand-logo-height);
                    & img {
                        height: 100%;
                    }
                }
                .sidebar-trigger,
                .notification-trigger {
-                    font-size: 24px;
+                    font-size: 1.5rem;
                }
                .notification-trigger.has-notifications {
                    color: var(--pf-global--active-color--100);
                }
                .page-title {
                    display: flex;
                    gap: var(--pf-global--spacer--xs);
                }
                h1 {
                    display: flex;
                    flex-direction: row;
                    align-items: center !important;
                }
                .pf-c-page__header-tools {
                    flex-shrink: 0;
                }
                .pf-c-page__header-tools-group {
                    height: 100%;
                }
                :host([theme="dark"]) .pf-c-page__header-tools {
                    color: var(--ak-dark-foreground) !important;
                }
            `,
        ];
    }
    //#endregion
    //#region Properties
    @property({ type: String })
    icon?: string;
    @property({ type: Boolean })
    iconImage = false;
    @property({ type: String })
    header?: string;
    @property({ type: String })
    description?: string;
    @property({ type: Boolean })
    hasIcon = true;
    @property({ type: Boolean })
    open = true;
    @state()
    me?: SessionUser;
    @state()
    uiConfig!: UIConfig;
    //#endregion
    //#endregion
    //#region Methods
    #toggleSidebar() {
        this.open = !this.open;
        this.dispatchEvent(
            new CustomEvent(EVENT_SIDEBAR_TOGGLE, {
                bubbles: true,
                composed: true,
            }),
        );
    }
    //#region Constructor
    constructor() {
        super();
        window.addEventListener(EVENT_WS_MESSAGE, () => {
@ -119,13 +297,23 @@ export class PageHeader extends WithBrandConfig(AKElement) {
        });
    }
-    async firstUpdated() {
+    connectedCallback(): void {
        super.connectedCallback();
        AKPageNavbar.elementRef = this;
    }
    disconnectedCallback(): void {
        super.disconnectedCallback();
        AKPageNavbar.elementRef = null;
    }
    public async firstUpdated() {
        this.me = await me();
        this.uiConfig = await uiConfig();
        this.uiConfig.navbar.userDisplay = UserDisplay.none;
    }
-    setTitle(header?: string) {
+    #setTitle(header?: string) {
        const currentIf = currentInterface();
        let title = this.brand?.brandingTitle || TITLE_DEFAULT;
        if (currentIf === "admin") {
@ -141,65 +329,146 @@ export class PageHeader extends WithBrandConfig(AKElement) {
    willUpdate() {
        // Always update title, even if there's no header value set,
        // as in that case we still need to return to the generic title
-        this.setTitle(this.header);
+        this.#setTitle(this.header);
    }
    //#region Render
    renderIcon() {
        if (this.icon) {
            if (this.iconImage && !this.icon.startsWith("fa://")) {
-                return html`<img class="pf-icon" src="${this.icon}" alt="page icon" />`;
+                return html`<img class="accent-icon pf-icon" src="${this.icon}" alt="page icon" />`;
            }
            const icon = this.icon.replaceAll("fa://", "fa ");
-            return html`<i class=${icon}></i>`;
+
            return html`<i class="accent-icon ${icon}"></i>`;
        }
        return nothing;
    }
    render(): TemplateResult {
-        return html`<div class="bar">
+        return html`<navbar aria-label="Main" class="navbar">
-            <button
+                <aside class="brand ${this.open ? "" : "pf-m-collapsed"}">
-                class="sidebar-trigger pf-c-button pf-m-plain"
+                    <a href="#/">
-                @click=${() => {
+                        <div class="logo">
-                    this.dispatchEvent(
+                            <img
-                        new CustomEvent(EVENT_SIDEBAR_TOGGLE, {
+                                src=${themeImage(
-                            bubbles: true,
+                                    this.brand?.brandingLogo ?? DefaultBrand.brandingLogo,
-                            composed: true,
+                                )}
-                        }),
+                                alt="${msg("authentik Logo")}"
-                    );
+                                loading="lazy"
-                }}
+                            />
-            >
+                        </div>
-                <i class="fas fa-bars"></i>
+                    </a>
-            </button>
+                </aside>
-            <section class="pf-c-page__main-section pf-m-light">
+                <button
-                <div class="pf-c-content">
+                    class="sidebar-trigger pf-c-button pf-m-plain"
-                    <h1>
+                    @click=${this.#toggleSidebar}
                    aria-label=${msg("Toggle sidebar")}
                    aria-expanded=${this.open ? "true" : "false"}
                >
                    <i class="fas fa-bars"></i>
                </button>
                <section
                    class="items primary pf-c-content ${this.description ? "block-sibling" : ""}"
                >
                    <h1 class="page-title">
                        ${this.hasIcon
-                            ? html`<slot name="icon">${this.renderIcon()}</slot>&nbsp;`
+                            ? html`<slot name="icon">${this.renderIcon()}</slot>`
                            : nothing}
-                        <slot name="header">${this.header}</slot>
+                        ${this.header}
                    </h1>
-                    ${this.description ? html`<p>${this.description}</p>` : html``}
+                </section>
-                </div>
+                ${this.description
-            </section>
+                    ? html`<section class="items page-description pf-c-content">
-            <div class="pf-c-page__header-tools">
+                          <p>${this.description}</p>
-                <div class="pf-c-page__header-tools-group">
+                      </section>`
-                    <ak-nav-buttons .uiConfig=${this.uiConfig} .me=${this.me}>
+                    : nothing}
-                        <a
+
-                            class="pf-c-button pf-m-secondary pf-m-small pf-u-display-none pf-u-display-block-on-md"
+                <section class="items secondary">
-                            href="${globalAK().api.base}if/user/"
+                    <div class="pf-c-page__header-tools-group">
-                            slot="extra"
+                        <ak-nav-buttons .uiConfig=${this.uiConfig} .me=${this.me}>
-                        >
+                            <a
-                            ${msg("User interface")}
+                                class="pf-c-button pf-m-secondary pf-m-small pf-u-display-none pf-u-display-block-on-md"
-                        </a>
+                                href="${globalAK().api.base}if/user/"
-                    </ak-nav-buttons>
+                                slot="extra"
-                </div>
+                            >
-            </div>
+                                ${msg("User interface")}
-        </div>`;
+                            </a>
                        </ak-nav-buttons>
                    </div>
                </section>
            </navbar>
            <slot></slot>`;
    }
    //#endregion
 }
 //#endregion
 //#region Page Header
 /**
 * A page header component, used to display the page title and description.
 *
 * Internally, this component dispatches the `ak-page-header` event, which is
 * listened to by the `ak-page-navbar` component.
 *
 * @singleton
 */
@customElement("ak-page-header")
 export class AKPageHeader extends LitElement implements PageNavbarDetails {
    @property({ type: String })
    header?: string;
    @property({ type: String })
    description?: string;
    @property({ type: String })
    icon?: string;
    @property({ type: Boolean })
    iconImage = false;
    static get styles(): CSSResult[] {
        return [
            css`
                :host {
                    display: none;
                }
            `,
        ];
    }
    connectedCallback(): void {
        super.connectedCallback();
        AKPageNavbar.setNavbarDetails({
            header: this.header,
            description: this.description,
            icon: this.icon,
            iconImage: this.iconImage,
        });
    }
    updated(): void {
        AKPageNavbar.setNavbarDetails({
            header: this.header,
            description: this.description,
            icon: this.icon,
            iconImage: this.iconImage,
        });
    }
 }
 //#endregion
 declare global {
    interface HTMLElementTagNameMap {
-        "ak-page-header": PageHeader;
+        "ak-page-header": AKPageHeader;
        "ak-page-navbar": AKPageNavbar;
    }
 }
--- a/web/src/elements/charts/Chart.ts
+++ b/web/src/elements/charts/Chart.ts
@ -85,6 +85,7 @@ export abstract class AKChart<T> extends AKElement {
                .container {
                    height: 100%;
                    width: 100%;
                    aspect-ratio: 1 / 1;
                    display: flex;
                    justify-content: center;
--- a/web/src/elements/sidebar/Sidebar.ts
+++ b/web/src/elements/sidebar/Sidebar.ts
@ -35,10 +35,7 @@ export class Sidebar extends AKElement {
                .pf-c-nav__section + .pf-c-nav__section {
                    --pf-c-nav__section--section--MarginTop: var(--pf-global--spacer--sm);
                }
-                .pf-c-nav__list .sidebar-brand {
+
                    max-height: 82px;
                    margin-bottom: -0.5rem;
                }
                nav {
                    display: flex;
                    flex-direction: column;
@ -70,7 +67,6 @@ export class Sidebar extends AKElement {
            class="pf-c-nav ${this.activeTheme === UiThemeEnum.Light ? "pf-m-light" : ""}"
            aria-label=${msg("Global")}
        >
            <ak-sidebar-brand></ak-sidebar-brand>
            <ul class="pf-c-nav__list">
                <slot></slot>
            </ul>
--- a/web/src/elements/sidebar/SidebarBrand.ts
+++ b/web/src/elements/sidebar/SidebarBrand.ts
@ -1,4 +1,3 @@
 import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
 import { AKElement } from "@goauthentik/elements/Base";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import { themeImage } from "@goauthentik/elements/utils/images";
@ -42,22 +41,16 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
                    display: flex;
                    flex-direction: row;
                    align-items: center;
-                    height: 114px;
+                    height: var(--ak-navbar-height);
                    min-height: 114px;
                    border-bottom: var(--pf-global--BorderWidth--sm);
                    border-bottom-style: solid;
                    border-bottom-color: var(--pf-global--BorderColor--100);
                }
                .pf-c-brand img {
                    padding: 0 0.5rem;
                    height: 42px;
                }
                button.pf-c-button.sidebar-trigger {
                    background-color: transparent;
                    border-radius: 0px;
                    height: 100%;
                    color: var(--ak-dark-foreground);
                }
            `,
        ];
    }
@ -70,32 +63,15 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
    }
    render(): TemplateResult {
-        return html` ${window.innerWidth <= MIN_WIDTH
+        return html` <a href="#/" class="pf-c-page__header-brand-link">
-                ? html`
+            <div class="pf-c-brand ak-brand">
-                      <button
+                <img
-                          class="sidebar-trigger pf-c-button"
+                    src=${themeImage(this.brand?.brandingLogo ?? DefaultBrand.brandingLogo)}
-                          @click=${() => {
+                    alt="${msg("authentik Logo")}"
-                              this.dispatchEvent(
+                    loading="lazy"
-                                  new CustomEvent(EVENT_SIDEBAR_TOGGLE, {
+                />
-                                      bubbles: true,
+            </div>
-                                      composed: true,
+        </a>`;
                                  }),
                              );
                          }}
                      >
                          <i class="fas fa-bars"></i>
                      </button>
                  `
                : html``}
            <a href="#/" class="pf-c-page__header-brand-link">
                <div class="pf-c-brand ak-brand">
                    <img
                        src=${themeImage(this.brand?.brandingLogo ?? DefaultBrand.brandingLogo)}
                        alt="${msg("authentik Logo")}"
                        loading="lazy"
                    />
                </div>
            </a>`;
    }
 }
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -1091,7 +1091,7 @@
      </trans-unit>
      <trans-unit id="sd62cfc27ad4aa33b">
        <source>Based on the User's Email</source>
-        <target>Basierend auf der E-Mail-Adresse des Benutzers</target>
+        <target>Basierend auf der E-Mail Adresse des Benutzers</target>
      </trans-unit>
      <trans-unit id="s55eb75bedf96be0f">
@ -2361,7 +2361,6 @@
      </trans-unit>
      <trans-unit id="s9307f3dbb07a73b5">
        <source>Only fail the policy, don't invalidate user's password</source>
        <target>Nur die Richtlinie fehlschlagen lassen, das Passwort des Benutzers nicht ungültig machen.</target>
      </trans-unit>
      <trans-unit id="scea1f16238093e35">
@ -2810,7 +2809,6 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sfbc59ff17a73503d">
        <source>User path</source>
        <target>Nutzerpfad</target>
      </trans-unit>
      <trans-unit id="sd18170637295bace">
@ -2880,7 +2878,6 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s995535e7af30d754">
        <source>Use the user's email address, but deny enrollment when the email address already exists</source>
        <target>Verwende die E-Mail-Adresse des Benutzers, aber verweigere die Registrierung, wenn die E-Mail-Adresse bereits existiert.</target>
      </trans-unit>
      <trans-unit id="s542ecb4130f6cea5">
@ -2889,7 +2886,6 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s2a1debf34e5aeba4">
        <source>Use the user's username, but deny enrollment when the username already exists</source>
        <target>Verwende den Anmeldenamen des Benutzers, aber verweigere die Registrierung von der Anmeldename bereits existiert.</target>
      </trans-unit>
      <trans-unit id="s81ce0d54727f42d2">
@ -3744,9 +3740,6 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s14401ff4a0cba208">
        <source>Failed to update <x id="0" equiv-text="${this.objectLabel}"/>: <x id="1" equiv-text="${pluckErrorDetail(parsedError)}"/></source>
        <target>Aktualisieren von 
        <x id="0" equiv-text="${this.objectLabel}"/>fehlgeschlagen: 
        <x id="1" equiv-text="${e.toString()}"/></target>
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
@ -4958,7 +4951,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="se50a08ab71bb96ed">
        <source>When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown.</source>
-        <target>Sofern eine gültige E-Mail-Adresse oder Benutzername angegeben wurde und diese Option aktiviert ist, wird das Profilbild und der Benutzername des Benutzers angezeigt. Ansonsten wird der vom Benutzer eingegebene Text angezeigt.</target>
+        <target>Sofern eine gültige E-Mailadresse oder Benutzername angegeben wurde und diese Option aktiviert ist, wird das Profilbild und der Benutzername des Benutzers angezeigt. Ansonsten wird der vom Benutzer eingegebene Text angezeigt.</target>
      </trans-unit>
      <trans-unit id="s0295ce5d6f635d75">
@ -6252,7 +6245,7 @@ Bindings to groups/users are checked against the user of the event.</source>
      </trans-unit>
      <trans-unit id="s670ad066cc0e50a3">
        <source>Login to continue to <x id="0" equiv-text="${this.challenge.applicationPre}"/>.</source>
-        <target>Anmelden, um mit <x id="0" equiv-text="${this.challenge.applicationPre}"/>  fortzufahren.</target>
+        <target>Anmelden um mit <x id="0" equiv-text="${this.challenge.applicationPre}"/>  fortzufahren.</target>
      </trans-unit>
      <trans-unit id="scf5ce91bfba10a61">
@ -7458,7 +7451,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s28b99b59541f54ca">
  <source>Connection failed after <x id="0" equiv-text="${this.connectionAttempt}"/> attempts.</source>
  <target>Verbindung nach <x id="0" equiv-text="${this.connectionAttempt}"/> Versuch(en) fehlgeschlagen.</target>
 </trans-unit>
 <trans-unit id="s7c7d956418e1c8c8">
  <source>Re-connecting in <x id="0" equiv-text="${Math.max(1, delay / 1000)}"/> second(s).</source>
@ -7580,11 +7572,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s456d88f3679190fd">
  <source>Allow users to change email</source>
-  <target>Benutzer können E-Mail-Adresse ändern</target>
+  <target>Benutzer können E-Mail ändern</target>
 </trans-unit>
 <trans-unit id="s5fc6c14d106f40d3">
  <source>Enable the ability for users to change their email.</source>
-  <target>Benutzer haben die Möglichkeit, ihre E-Mail-Adresse zu ändern.</target>
+  <target>Benutzer haben die Möglichkeit, ihre E-Mail zu ändern.</target>
 </trans-unit>
 <trans-unit id="s628e414bb2367057">
  <source>Allow users to change username</source>
@ -7809,7 +7801,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8cc0075913c67566">
  <source>Enter the email associated with your account, and we'll send you a link to reset your password.</source>
-  <target>Gib die E-Mail-Adresse deines Accounts ein und du erhältst einen Link zum zurücksetzen des Passworts.</target>
+  <target>Gib die Email deines Accounts ein und du erhältst einen Link zum zurücksetzen des Passworts.</target>
 </trans-unit>
 <trans-unit id="s06bfe45ffef2cf60">
  <source>Stage name: <x id="0" equiv-text="${this.challenge.name}"/></source>
@ -7893,7 +7885,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sc1673c93148583ba">
  <source>Request failed. Please try again later.</source>
  <target>Anfrage fehlgeschlagen. Bitte versuchen Sie es später erneut.</target>
 </trans-unit>
 <trans-unit id="s85be1f5e7a0fa3b1">
  <source>Available Roles</source>
@ -8286,6 +8277,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s354405ae02cb262d">
  <source>Last seen: <x id="0" equiv-text="${formatElapsedTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</source>
  <target>Zuletzt gesehen: <x id="0" equiv-text="${getRelativeTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</target>
 </trans-unit>
 <trans-unit id="s5aebe06e3ddf6ca9">
  <source>Sign assertions</source>
@ -8857,11 +8849,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s61ffea061fae0af4">
  <source>No notifications found.</source>
  <target>Keine Benachrichtigungen gefunden.</target>
 </trans-unit>
 <trans-unit id="scf8d5cdc8b434982">
  <source>You don't have any notifications currently.</source>
  <target>Sie haben zur Zeit keine Benachrichtigungen.</target>
 </trans-unit>
 <trans-unit id="s358e08de4fbebf51">
  <source>Version <x id="0" equiv-text="${this.version?.versionCurrent || &quot;&quot;}"/></source>
--- a/web/xliff/fi.xlf
+++ b/web/xliff/fi.xlf
@ -9602,81 +9602,6 @@ Liitokset käyttäjiin/ryhmiin tarkistetaan tapahtuman käyttäjästä.</target>
 </trans-unit>
 <trans-unit id="s17359123e1f24504">
  <source>Field which contains DNs of groups the user is a member of. This field is used to lookup groups from users, e.g. 'memberOf'. To lookup nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'.</source>
 </trans-unit>
 <trans-unit id="s891cd64acabf23bf">
  <source>Initial Permissions</source>
 </trans-unit>
 <trans-unit id="sedb57bf4b42a8e40">
  <source>Unknown Initial Permissions mode</source>
 </trans-unit>
 <trans-unit id="s6ea6a64acb45dfdf">
  <source>Successfully updated initial permissions.</source>
 </trans-unit>
 <trans-unit id="sfddf7896ab5938b6">
  <source>Successfully created initial permissions.</source>
 </trans-unit>
 <trans-unit id="s5c5f240cbb6d0bae">
  <source>When a user with the selected Role creates an object, the Initial Permissions will be applied to that object.</source>
 </trans-unit>
 <trans-unit id="sbf27294eef56ac81">
  <source>The Initial Permissions can either be placed on the User creating the object, or the Role selected in the previous field.</source>
 </trans-unit>
 <trans-unit id="s93f04537efda1b24">
  <source>Available Permissions</source>
 </trans-unit>
 <trans-unit id="s297bc57f9e494470">
  <source>Selected Permissions</source>
 </trans-unit>
 <trans-unit id="s0ea71d53764d781c">
  <source>Permissions to grant when a new object is created.</source>
 </trans-unit>
 <trans-unit id="s06fc21a40f5d7de1">
  <source>Set initial permissions for newly created objects.</source>
 </trans-unit>
 <trans-unit id="sc7104a4d0fc35c7c">
  <source>Update Initial Permissions</source>
 </trans-unit>
 <trans-unit id="s83fa005829a65be9">
  <source>Create Initial Permissions</source>
 </trans-unit>
 <trans-unit id="se37ac6cf9c72f21a">
  <source>Reputation: lower limit</source>
 </trans-unit>
 <trans-unit id="sa634ffa797037aac">
  <source>Reputation cannot decrease lower than this value. Zero or negative.</source>
 </trans-unit>
 <trans-unit id="s862986ce8e70edd7">
  <source>Reputation: upper limit</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
  <source>Reputation cannot increase higher than this value. Zero or positive.</source>
 </trans-unit>
 <trans-unit id="s4d5cb134999b50df">
  <source>HTTP Basic Auth</source>
 </trans-unit>
 <trans-unit id="s6927635d1c339cfc">
  <source>Include the client ID and secret as request parameters</source>
 </trans-unit>
 <trans-unit id="s4fca384c634e1a92">
  <source>Authorization code authentication method</source>
 </trans-unit>
 <trans-unit id="sdc02c276ed429008">
  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
 <trans-unit id="s844baf19a6c4a9b4">
  <source>Enable &quot;Remember me on this device&quot;</source>
 </trans-unit>
 <trans-unit id="sfa72bca733f40692">
  <source>When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.</source>
 </trans-unit>
 <trans-unit id="s1c336c2d6cef77b3">
  <source>Remember me on this device</source>
 </trans-unit>
 <trans-unit id="s86cf007b861152ca">
  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
  <source>Number of previous passwords to check</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -9788,23 +9788,18 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s844baf19a6c4a9b4">
  <source>Enable "Remember me on this device"</source>
  <target>Activer "Se souvenir de moi sur cet appareil"</target>
 </trans-unit>
 <trans-unit id="sfa72bca733f40692">
  <source>When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.</source>
  <target>Si cette option est activée, l'utilisateur peut enregistrer son nom d'utilisateur dans un cookie, ce qui lui permet de passer directement à la saisie de son mot de passe.</target>
 </trans-unit>
 <trans-unit id="s1c336c2d6cef77b3">
  <source>Remember me on this device</source>
  <target>Se souvenir de moi sur cet appareil</target>
 </trans-unit>
 <trans-unit id="s86cf007b861152ca">
  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
  <target>Vérifiez que le nouveau mot de passe de l'utilisateur est différent de ses mots de passe précédents. Le nombre d'anciens mots de passe à vérifier est configurable.</target>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
  <source>Number of previous passwords to check</source>
  <target>Nombre d'anciens mots de passe à vérifier</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@ -9700,7 +9700,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
  <target>Ricerca tramite attributo utente</target>
 </trans-unit>
 <trans-unit id="s17359123e1f24504">
  <source>Field which contains DNs of groups the user is a member of. This field is used to lookup groups from users, e.g. 'memberOf'. To lookup nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'.</source>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -8620,6 +8620,7 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="s354405ae02cb262d">
  <source>Last seen: <x id="0" equiv-text="${formatElapsedTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</source>
  <target>Son görülme: <x id="0" equiv-text="${getRelativeTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</target>
 </trans-unit>
 <trans-unit id="s5aebe06e3ddf6ca9">
  <source>Sign assertions</source>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -9801,11 +9801,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s86cf007b861152ca">
  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
  <target>确保用户的密码与之前使用的不同。可以配置检查多少个历史密码。</target>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
  <source>Number of previous passwords to check</source>
  <target>检查历史密码数量</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_CN.xlf
+++ b/web/xliff/zh_CN.xlf
@ -9798,14 +9798,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s1c336c2d6cef77b3">
  <source>Remember me on this device</source>
  <target>在此设备上记住我</target>
 </trans-unit>
 <trans-unit id="s86cf007b861152ca">
  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
  <target>确保用户的密码与之前使用的不同。可以配置检查多少个历史密码。</target>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
  <source>Number of previous passwords to check</source>
  <target>检查历史密码数量</target>
 </trans-unit>
    </body>
  </file>
--- a/website/docs/add-secure-apps/flows-stages/flow/examples/default_flows.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/examples/default_flows.md
@ -4,7 +4,7 @@ title: Default flows
 When you create a new provider, you can select certain default flows that will be used with the provider and its associated application. For example, you can [create a custom flow](../index.md#create-a-custom-flow) that override the defaults configured on the brand.
-If no default flow is selected when the provider is created, to determine which flow should be used authentik will first check if there is a default flow configured in the active [**Brand**](../../../../sys-mgmt/brands.md). If no default is configured there, authentik will go through all flows with the matching designation, sorted by `slug` and evaluate policies bound directly to the flows, and the first flow whose policies allow access will be picked.
+If no default flow is selected when the provider is created, to determine which flow should be used authentik will first check if there is a default flow configured in the active [**Brand**](../../../../customize/brands.md). If no default is configured there, authentik will go through all flows with the matching designation, sorted by `slug` and evaluate policies bound directly to the flows, and the first flow whose policies allow access will be picked.
 import DefaultFlowList from "../../flow/flow_list/\_defaultflowlist.mdx";
--- a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
@ -42,7 +42,7 @@ By default, the captcha test keys are used. You can get a proper key [here](http
 ## Recovery with email verification
-Flow: right-click [here](/blueprints/example/flows-recovery-email-verification.yaml) and save the file.
+Flow: right-click [here](https://version-2024-12.goauthentik.io/assets/files/flows-recovery-email-verification-408d6afeff2fbf276bf43a949e332ef6.yaml) and save the file.
 Recovery flow, the user is sent an email after they've identified themselves. After they click on the link in the email, they are prompted for a new password and immediately logged on.
--- a/website/docs/add-secure-apps/flows-stages/flow/executors/user-settings.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/executors/user-settings.md
@ -6,4 +6,4 @@ The user interface (/if/user/) uses a specialized flow executor to allow individ
 Because the stages in a flow can change during its execution, be aware that configuring this executor to use any stage type other than Prompt or User Write will automatically trigger a redirect to the standard executor.
-An admin can customize which fields can be changed by the user by updating the default-user-settings-flow, or copying it to create a new flow with a Prompt Stage and a User Write Stage. Different variants of your flow can be applied to different [Brands](../../../../sys-mgmt/brands.md) on the same authentik instance.
+An admin can customize which fields can be changed by the user by updating the default-user-settings-flow, or copying it to create a new flow with a Prompt Stage and a User Write Stage. Different variants of your flow can be applied to different [Brands](../../../../customize/brands.md) on the same authentik instance.
--- a/website/docs/add-secure-apps/flows-stages/flow/index.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/index.md
@ -46,7 +46,7 @@ To create a flow, follow these steps:
 After creating the flow, you can then [bind specific stages](../stages/index.md#bind-a-stage-to-a-flow) to the flow and [bind policies](../../../customize/policies/working_with_policies.md) to the flow to further customize the user's log in and authentication process.
-To determine which flow should be used, authentik will first check which default authentication flow is configured in the active [**Brand**](../../../sys-mgmt/brands.md). If no default is configured there, the policies in all flows with the matching designation are checked, and the first flow with matching policies sorted by `slug` will be used.
+To determine which flow should be used, authentik will first check which default authentication flow is configured in the active [**Brand**](../../../customize/brands.md). If no default is configured there, the policies in all flows with the matching designation are checked, and the first flow with matching policies sorted by `slug` will be used.
 ## Flow configuration options
--- a/Show More
+++ b/Show More
`@ -6,4 +6,4 @@ The user interface (/if/user/) uses a specialized flow executor to allow individ`

	`Because the stages in a flow can change during its execution, be aware that configuring this executor to use any stage type other than Prompt or User Write will automatically trigger a redirect to the standard executor.`	`Because the stages in a flow can change during its execution, be aware that configuring this executor to use any stage type other than Prompt or User Write will automatically trigger a redirect to the standard executor.`

	`An admin can customize which fields can be changed by the user by updating the default-user-settings-flow, or copying it to create a new flow with a Prompt Stage and a User Write Stage. Different variants of your flow can be applied to different [Brands](../../../../sys-mgmt/brands.md) on the same authentik instance.`	`An admin can customize which fields can be changed by the user by updating the default-user-settings-flow, or copying it to create a new flow with a Prompt Stage and a User Write Stage. Different variants of your flow can be applied to different [Brands](../../../../customize/brands.md) on the same authentik instance.`