web: Flesh out static config exports.

2025-04-10 17:16:18 +02:00
1010 changed files with 21493 additions and 89926 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.2
+current_version = 2025.2.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -21,8 +21,6 @@ optional_value = final
 [bumpversion:file:package.json]
 [bumpversion:file:package-lock.json]
 [bumpversion:file:docker-compose.yml]
 [bumpversion:file:schema.yml]
@ -33,4 +31,6 @@ optional_value = final
 [bumpversion:file:internal/constants/constants.go]
 [bumpversion:file:web/src/common/constants.ts]
 [bumpversion:file:lifecycle/aws/template.yaml]
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -36,7 +36,7 @@ runs:
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
-      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
+      uses: ScribeMD/docker-cache@0.5.0
      with:
        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -23,13 +23,7 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
-      - "/web/packages/sfe"
+      - "/web/sfe"
      - "/web/packages/core"
      - "/web/packages/esbuild-plugin-live-reload"
      - "/packages/prettier-config"
      - "/packages/tsconfig"
      - "/packages/docusaurus-config"
      - "/packages/eslint-config"
    schedule:
      interval: daily
      time: "04:00"
@ -74,9 +68,6 @@ updates:
      wdio:
        patterns:
          - "@wdio/*"
      goauthentik:
        patterns:
          - "@goauthentik/*"
  - package-ecosystem: npm
    directory: "/website"
    schedule:
@ -97,9 +88,6 @@ updates:
          - "swc-*"
          - "lightningcss*"
          - "@rspack/binding*"
      goauthentik:
        patterns:
          - "@goauthentik/*"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
@ -130,15 +118,3 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
  - package-ecosystem: docker-compose
    directories:
      # - /scripts # Maybe
      - /tests/e2e
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "core:"
    labels:
      - dependencies
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -30,6 +30,7 @@ jobs:
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
          cache: "poetry"
      - name: Generate API Client
        run: make gen-client-py
      - name: Publish package
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -53,7 +53,6 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -62,7 +62,6 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@ -71,18 +70,22 @@ jobs:
      - name: checkout stable
        run: |
          # Copy current, latest config to local
          # Temporarly comment the .github backup while migrating to uv
          cp authentik/lib/default.yml local.env.yml
-          cp -R .github ..
+          # cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          rm -rf .github/ scripts/
+          # rm -rf .github/ scripts/
-          mv ../.github ../scripts .
+          # mv ../.github ../scripts .
          rm -rf scripts/
          mv ../scripts .
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
        continue-on-error: true
      - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
@ -117,7 +120,6 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@ -202,7 +204,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@ -210,7 +212,6 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v7
        with:
          version: latest
          args: --timeout 5000s --verbose
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -37,7 +37,6 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/image-compress.yml
+++ b/.github/workflows/image-compress.yml
@ -53,7 +53,6 @@ jobs:
          body: ${{ steps.compress.outputs.markdown }}
          delete-branch: true
          signoff: true
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        with:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -1,47 +0,0 @@
 name: authentik-packages-npm-publish
 on:
  push:
    branches: [main]
    paths:
      - packages/docusaurus-config/**
      - packages/eslint-config/**
      - packages/prettier-config/**
      - packages/tsconfig/**
      - web/packages/esbuild-plugin-live-reload/**
  workflow_dispatch:
 jobs:
  publish:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        package:
          - packages/docusaurus-config
          - packages/eslint-config
          - packages/prettier-config
          - packages/tsconfig
          - web/packages/esbuild-plugin-live-reload
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - uses: actions/setup-node@v4
        with:
          node-version-file: ${{ matrix.package }}/package.json
          registry-url: "https://registry.npmjs.org"
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
            ${{ matrix.package }}/package.json
      - name: Publish package
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ${{ matrix.package }}
        run: |
          npm ci
          npm run build
          npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -52,6 +52,3 @@ jobs:
          body: "core, web: update translations"
          delete-branch: true
          signoff: true
          labels: dependencies
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@ -15,7 +15,6 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
      - uses: actions/checkout@v4
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
@ -26,13 +25,23 @@ jobs:
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
+          title=$(curl -q -L \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} | jq -r .title)
          echo "title=${title}" >> "$GITHUB_OUTPUT"
      - name: Rename
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
+          curl -L \
            -X PATCH \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.gitignore
+++ b/.gitignore
@ -11,10 +11,6 @@ local_settings.py
 db.sqlite3
 media
 # Node
 node_modules
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
--- a/.prettierignore
+++ b/.prettierignore
@ -1,47 +0,0 @@
 # Prettier Ignorefile
 ## Static Files
 **/LICENSE
 authentik/stages/**/*
 ## Build asset directories
 coverage
 dist
 out
 .docusaurus
 website/docs/developer-docs/api/**/*
 ## Environment
 *.env
 ## Secrets
 *.secrets
 ## Yarn
 .yarn/**/*
 ## Node
 node_modules
 coverage
 ## Configs
 *.log
 *.yaml
 *.yml
 # Templates
 # TODO: Rename affected files to *.template.* or similar.
 *.html
 *.mdx
 *.md
 ## Import order matters
 poly.ts
 src/locale-codes.ts
 src/locales/
 # Storybook
 storybook-static/
 .storybook/css-import-maps*
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -16,7 +16,7 @@
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
@ -30,5 +30,7 @@
        }
    ],
    "go.testFlags": ["-count=1"],
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
+    "github-actions.workflows.pinned.workflows": [
        ".github/workflows/ci-main.yml"
    ]
 }
--- a/2
+++ b/2
@ -23,8 +23,6 @@ docker-compose.yml              @goauthentik/infrastructure
 Makefile                        @goauthentik/infrastructure
 .editorconfig                   @goauthentik/infrastructure
 CODEOWNERS                      @goauthentik/infrastructure
 # Web packages
 packages/                       @goauthentik/frontend
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
--- a/14
+++ b/14
@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
 ENV NODE_ENV=production
@ -20,7 +20,7 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@ -40,8 +40,7 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
-RUN npm run build && \
+RUN npm run build
    npm run build:sfe
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
@ -86,17 +85,18 @@ FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
 ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.8 AS uv
+FROM ghcr.io/astral-sh/uv:0.6.14 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.12.9-slim-bookworm-fips AS python-base
 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
--- a/51
+++ b/51
@ -1,7 +1,6 @@
 .PHONY: gen dev-reset all clean test web website
-SHELL := /usr/bin/env bash
+.SHELLFLAGS += ${SHELLFLAGS} -e
 .SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
@ -9,9 +8,9 @@ NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
-GEN_API_TS = gen-ts-api
+GEN_API_TS = "gen-ts-api"
-GEN_API_PY = gen-py-api
+GEN_API_PY = "gen-py-api"
-GEN_API_GO = gen-go-api
+GEN_API_GO = "gen-go-api"
 pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
@ -118,19 +117,14 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	npx prettier --write diff.md
 gen-clean-ts:  ## Remove generated API client for Typescript
-	rm -rf ${PWD}/${GEN_API_TS}/
+	rm -rf ./${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+	rm -rf ./web/node_modules/@goauthentik/api/
 gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/
 ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
 	make -C ${PWD}/${GEN_API_GO} clean
 else
 	rm -rf ${PWD}/${GEN_API_GO}
 endif
 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
+	rm -rf ./${GEN_API_PY}/
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
@ -147,8 +141,8 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 	mkdir -p web/node_modules/@goauthentik/api
-	cd ${PWD}/${GEN_API_TS} && npm i
+	cd ./${GEN_API_TS} && npm i
-	\cp -rf ${PWD}/${GEN_API_TS}/* web/node_modules/@goauthentik/api
+	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
@ -162,17 +156,24 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 	pip install ./${GEN_API_PY}
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
+	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
-else
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
-	cd ${PWD}/${GEN_API_GO} && git pull
+	cp schema.yml ./${GEN_API_GO}/
-endif
+	docker run \
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
+		--rm -v ${PWD}/${GEN_API_GO}:/local \
-	make -C ${PWD}/${GEN_API_GO} build
+		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/ \
 		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 gen-dev-config:  ## Generate a local development config file
 	uv run scripts/generate_config.py
@ -243,7 +244,7 @@ docker:  ## Build a docker image of the current source tree
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 test-docker:
-	BUILD=true ${PWD}/scripts/test_docker.sh
+	BUILD=true ./scripts/test_docker.sh
 #########################
 ## CI
--- a/README.md
+++ b/README.md
@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)
 ## Adoption and Contributions
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 | Version   | Supported |
 | --------- | --------- |
-| 2025.4.x  | ✅        |
+| 2024.12.x | ✅        |
-| 2025.6.x  | ✅        |
+| 2025.2.x  | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2025.6.2"
+__version__ = "2025.2.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -1,12 +1,9 @@
 """API Authentication"""
 from hmac import compare_digest
 from pathlib import Path
 from tempfile import gettempdir
 from typing import Any
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@ -14,17 +11,11 @@ from rest_framework.request import Request
 from structlog.stdlib import get_logger
 from authentik.core.middleware import CTX_AUTH_VIA
-from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 LOGGER = get_logger()
 _tmp = Path(gettempdir())
 try:
    with open(_tmp / "authentik-core-ipc.key") as _f:
        ipc_key = _f.read()
 except OSError:
    ipc_key = None
 def validate_auth(header: bytes) -> str | None:
@ -82,11 +73,6 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
    if user:
        CTX_AUTH_VIA.set("secret_key")
        return user
    # then try to auth via secret key (for embedded outpost/etc)
    user = token_ipc(auth_credentials)
    if user:
        CTX_AUTH_VIA.set("ipc")
        return user
    raise AuthenticationFailed("Token invalid/expired")
@ -104,43 +90,6 @@ def token_secret_key(value: str) -> User | None:
    return outpost.user
 class IPCUser(AnonymousUser):
    """'Virtual' user for IPC communication between authentik core and the authentik router"""
    username = "authentik:system"
    is_active = True
    is_superuser = True
    @property
    def type(self):
        return UserTypes.INTERNAL_SERVICE_ACCOUNT
    def has_perm(self, perm, obj=None):
        return True
    def has_perms(self, perm_list, obj=None):
        return True
    def has_module_perms(self, module):
        return True
    @property
    def is_anonymous(self):
        return False
    @property
    def is_authenticated(self):
        return True
 def token_ipc(value: str) -> User | None:
    """Check if the token is the secret key
    and return the service account for the managed outpost"""
    if not ipc_key or not compare_digest(value, ipc_key):
        return None
    return IPCUser()
 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
    return component
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer
+from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.blueprints.models import BlueprintInstance
@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.rbac.decorators import permission_required
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -164,7 +164,9 @@ class BlueprintEntry:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))
-    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
+    def get_permissions(
        self, blueprint: "Blueprint"
    ) -> Generator[BlueprintEntryPermission, None, None]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -36,7 +36,6 @@ from authentik.core.models import (
    GroupSourceConnection,
    PropertyMapping,
    Provider,
    Session,
    Source,
    User,
    UserSourceConnection,
@ -109,7 +108,6 @@ def excluded_models() -> list[type[Model]]:
        Policy,
        PolicyBindingModel,
        # Classes that have other dependencies
        Session,
        AuthenticatedSession,
        # Classes which are only internally managed
        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -59,7 +59,6 @@ class BrandSerializer(ModelSerializer):
            "flow_device_code",
            "default_application",
            "web_certificate",
            "client_certificates",
            "attributes",
        ]
        extra_kwargs = {
@ -121,7 +120,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "domain",
        "branding_title",
        "web_certificate__name",
        "client_certificates__name",
    ]
    filterset_fields = [
        "brand_uuid",
@ -138,7 +136,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "flow_user_settings",
        "flow_device_code",
        "web_certificate",
        "client_certificates",
    ]
    ordering = ["domain"]
--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@ -16,7 +16,7 @@ def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    if not path.exists():
        return
    css = path.read_text()
-    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
+    Brand.objects.using(db_alias).update(branding_custom_css=css)
 class Migration(migrations.Migration):
--- a/authentik/brands/migrations/0010_brand_client_certificates_and_more.py
+++ b/authentik/brands/migrations/0010_brand_client_certificates_and_more.py
@ -1,37 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-19 15:09
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_brands", "0009_brand_branding_default_flow_background"),
        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
    ]
    operations = [
        migrations.AddField(
            model_name="brand",
            name="client_certificates",
            field=models.ManyToManyField(
                blank=True,
                default=None,
                help_text="Certificates used for client authentication.",
                to="authentik_crypto.certificatekeypair",
            ),
        ),
        migrations.AlterField(
            model_name="brand",
            name="web_certificate",
            field=models.ForeignKey(
                default=None,
                help_text="Web Certificate used by the authentik Core webserver.",
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                related_name="+",
                to="authentik_crypto.certificatekeypair",
            ),
        ),
    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -73,13 +73,6 @@ class Brand(SerializerModel):
        default=None,
        on_delete=models.SET_DEFAULT,
        help_text=_("Web Certificate used by the authentik Core webserver."),
        related_name="+",
    )
    client_certificates = models.ManyToManyField(
        CertificateKeyPair,
        default=None,
        blank=True,
        help_text=_("Certificates used for client authentication."),
    )
    attributes = models.JSONField(default=dict, blank=True)
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -148,14 +148,3 @@ class TestBrands(APITestCase):
                "default_locale": "",
            },
        )
    def test_custom_css(self):
        """Test custom_css"""
        brand = create_test_brand()
        brand.branding_custom_css = """* {
            font-family: "Foo bar";
        }"""
        brand.save()
        res = self.client.get(reverse("authentik_core:if-user"))
        self.assertEqual(res.status_code, 200)
        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,12 +5,10 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from django.utils.html import _json_script_escapes
+from sentry_sdk import get_current_span
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
 from authentik.brands.models import Brand
 from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant
 _q_default = Q(default=True)
@ -34,14 +32,13 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
-    # similarly to `json_script` we escape everything HTML-related, however django
+    trace = ""
-    # only directly exposes this as a function that also wraps it in a <script> tag
+    span = get_current_span()
-    # which we dont want for CSS
+    if span:
-    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
+        trace = span.to_traceparent()
    return {
        "brand": brand,
        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
-        "html_meta": {**get_http_meta()},
+        "sentry_trace": trace,
        "version": get_full_version(),
    }
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -5,7 +5,6 @@ from typing import TypedDict
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.serializers import CharField, DateTimeField, IPAddressField
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
@ -55,11 +54,6 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
    """AuthenticatedSession Serializer"""
    expires = DateTimeField(source="session.expires", read_only=True)
    last_ip = IPAddressField(source="session.last_ip", read_only=True)
    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
    last_used = DateTimeField(source="session.last_used", read_only=True)
    current = SerializerMethodField()
    user_agent = SerializerMethodField()
    geo_ip = SerializerMethodField()
@ -68,19 +62,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
    def get_current(self, instance: AuthenticatedSession) -> bool:
        """Check if session is currently active session"""
        request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session.session_key
+        return request._request.session.session_key == instance.session_key
    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
        """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.session.last_user_agent)
+        return user_agent_parser.Parse(instance.last_user_agent)
    def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
        """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
    def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
        """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
    class Meta:
        model = AuthenticatedSession
@ -96,7 +90,6 @@ class AuthenticatedSessionSerializer(ModelSerializer):
            "last_used",
            "expires",
        ]
        extra_args = {"uuid": {"read_only": True}}
 class AuthenticatedSessionViewSet(
@ -108,10 +101,9 @@ class AuthenticatedSessionViewSet(
 ):
    """AuthenticatedSession Viewset"""
-    lookup_field = "uuid"
+    queryset = AuthenticatedSession.objects.all()
    queryset = AuthenticatedSession.objects.select_related("session").all()
    serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    search_fields = ["user__username", "last_ip", "last_user_agent"]
-    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
    owner_field = "user"
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -99,17 +99,18 @@ class GroupSerializer(ModelSerializer):
            if superuser
            else "authentik_core.disable_group_superuser"
        )
-        if self.instance or superuser:
+        has_perm = user.has_perm(perm)
-            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
+        if self.instance and not has_perm:
-            if not has_perm:
+            has_perm = user.has_perm(perm, self.instance)
-                raise ValidationError(
+        if not has_perm:
-                    _(
+            raise ValidationError(
-                        (
+                _(
-                            "User does not have permission to set "
+                    (
-                            "superuser status to {superuser_status}."
+                        "User does not have permission to set "
-                        ).format_map({"superuser_status": superuser})
+                        "superuser status to {superuser_status}."
-                    )
+                    ).format_map({"superuser_status": superuser})
                )
            )
        return superuser
    class Meta:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,11 +1,14 @@
 """User API Views"""
 from datetime import timedelta
 from importlib import import_module
 from json import loads
 from typing import Any
 from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.base import SessionBase
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -69,8 +72,8 @@ from authentik.core.middleware import (
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
    AuthenticatedSession,
    Group,
    Session,
    Token,
    TokenIntents,
    User,
@ -84,12 +87,12 @@ from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.flow import pickle_flow_token_for_email
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
 LOGGER = get_logger()
 SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore
 class UserGroupSerializer(ModelSerializer):
@ -452,7 +455,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)
-    def _create_recovery_link(self, for_email=False) -> tuple[str, Token]:
+    def _create_recovery_link(self) -> tuple[str, Token]:
        """Create a recovery link (when the current brand has a recovery flow set),
        that can either be shown to an admin or sent to the user directly"""
        brand: Brand = self.request._request.brand
@ -474,16 +477,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            raise ValidationError(
                {"non_field_errors": "Recovery flow not applicable to user"}
            ) from None
        _plan = FlowToken.pickle(plan)
        if for_email:
            _plan = pickle_flow_token_for_email(plan)
        token, __ = FlowToken.objects.update_or_create(
            identifier=f"{user.uid}-password-reset",
            defaults={
                "user": user,
                "flow": flow,
-                "_plan": _plan,
+                "_plan": FlowToken.pickle(plan),
                "revoke_on_execution": not for_email,
            },
        )
        querystring = urlencode({QS_KEY_TOKEN: token.key})
@ -653,7 +652,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if for_user.email == "":
            LOGGER.debug("User doesn't have an email address")
            raise ValidationError({"non_field_errors": "User does not have an email address set."})
-        link, token = self._create_recovery_link(for_email=True)
+        link, token = self._create_recovery_link()
        # Lookup the email stage to assure the current user can access it
        stages = get_objects_for_user(
            request.user, "authentik_stages_email.view_emailstage"
@ -777,6 +776,10 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        response = super().partial_update(request, *args, **kwargs)
        instance: User = self.get_object()
        if not instance.is_active:
-            Session.objects.filter(authenticatedsession__user=instance).delete()
+            sessions = AuthenticatedSession.objects.filter(user=instance)
            session_ids = sessions.values_list("session_key", flat=True)
            for session in session_ids:
                SessionStore(session).delete()
            sessions.delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -20,8 +20,6 @@ from rest_framework.serializers import (
    raise_errors_on_nested_writes,
 )
 from authentik.rbac.permissions import assign_initial_permissions
 def is_dict(value: Any):
    """Ensure a value is a dictionary, useful for JSONFields"""
@ -31,14 +29,6 @@ def is_dict(value: Any):
 class ModelSerializer(BaseModelSerializer):
    def create(self, validated_data):
        instance = super().create(validated_data)
        request = self.context.get("request")
        if request and hasattr(request, "user") and not request.user.is_anonymous:
            assign_initial_permissions(request.user, instance)
        return instance
    def update(self, instance: Model, validated_data):
        raise_errors_on_nested_writes("update", self, validated_data)
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -24,15 +24,6 @@ class InbuiltBackend(ModelBackend):
        self.set_method("password", request)
        return user
    async def aauthenticate(
        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
    ) -> User | None:
        user = await super().aauthenticate(request, username=username, password=password, **kwargs)
        if not user:
            return None
        self.set_method("password", request)
        return user
    def set_method(self, method: str, request: HttpRequest | None, **kwargs):
        """Set method data on current flow, if possbiel"""
        if not request:
--- a/authentik/core/management/commands/clearsessions.py
+++ b/authentik/core/management/commands/clearsessions.py
@ -1,15 +0,0 @@
 """Change user type"""
 from importlib import import_module
 from django.conf import settings
 from authentik.tenants.management import TenantCommand
 class Command(TenantCommand):
    """Delete all sessions"""
    def handle_per_tenant(self, **options):
        engine = import_module(settings.SESSION_ENGINE)
        engine.SessionStore.clear_expired()
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@ -2,7 +2,6 @@
 from django.apps import apps
 from django.contrib.auth.management import create_permissions
 from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user
@ -17,10 +16,6 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
                # See https://code.djangoproject.com/ticket/28417
                # Remove potential lingering old permissions
                call_command("remove_stale_contenttypes", "--no-input")
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -2,14 +2,9 @@
 from collections.abc import Callable
 from contextvars import ContextVar
 from functools import partial
 from uuid import uuid4
 from django.contrib.auth.models import AnonymousUser
 from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -25,40 +20,6 @@ CTX_HOST = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "host", default=None)
 CTX_AUTH_VIA = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)
 def get_user(request):
    if not hasattr(request, "_cached_user"):
        user = None
        if (authenticated_session := request.session.get("authenticatedsession", None)) is not None:
            user = authenticated_session.user
        request._cached_user = user or AnonymousUser()
    return request._cached_user
 async def aget_user(request):
    if not hasattr(request, "_cached_user"):
        user = None
        if (
            authenticated_session := await request.session.aget("authenticatedsession", None)
        ) is not None:
            user = authenticated_session.user
        request._cached_user = user or AnonymousUser()
    return request._cached_user
 class AuthenticationMiddleware(MiddlewareMixin):
    def process_request(self, request):
        if not hasattr(request, "session"):
            raise ImproperlyConfigured(
                "The Django authentication middleware requires session "
                "middleware to be installed. Edit your MIDDLEWARE setting to "
                "insert "
                "'authentik.root.middleware.SessionMiddleware' before "
                "'authentik.core.middleware.AuthenticationMiddleware'."
            )
        request.user = SimpleLazyObject(lambda: get_user(request))
        request.auser = partial(aget_user, request)
 class ImpersonateMiddleware:
    """Middleware to impersonate users"""
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -1,242 +0,0 @@
 # Generated by Django 5.0.11 on 2025-01-27 12:58
 import uuid
 import pickle  # nosec
 from django.core import signing
 from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
 from django.db import migrations, models
 import django.db.models.deletion
 from django.conf import settings
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.utils.timezone import now, timedelta
 from authentik.lib.migrations import progress_bar
 from authentik.root.middleware import ClientIPMiddleware
 SESSION_CACHE_ALIAS = "default"
 class PickleSerializer:
    """
    Simple wrapper around pickle to be used in signing.dumps()/loads() and
    cache backends.
    """
    def __init__(self, protocol=None):
        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
    def dumps(self, obj):
        """Pickle data to be stored in redis"""
        return pickle.dumps(obj, self.protocol)
    def loads(self, data):
        """Unpickle data to be loaded from redis"""
        try:
            return pickle.loads(data)  # nosec
        except Exception:
            return {}
 def _migrate_session(
    apps,
    db_alias,
    session_key,
    session_data,
    expires,
 ):
    Session = apps.get_model("authentik_core", "Session")
    OldAuthenticatedSession = apps.get_model("authentik_core", "OldAuthenticatedSession")
    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
    old_auth_session = (
        OldAuthenticatedSession.objects.using(db_alias).filter(session_key=session_key).first()
    )
    args = {
        "session_key": session_key,
        "expires": expires,
        "last_ip": ClientIPMiddleware.default_ip,
        "last_user_agent": "",
        "session_data": {},
    }
    for k, v in session_data.items():
        if k == "authentik/stages/user_login/last_ip":
            args["last_ip"] = v
        elif k in ["last_user_agent", "last_used"]:
            args[k] = v
        elif args in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY]:
            pass
        else:
            args["session_data"][k] = v
    if old_auth_session:
        args["last_user_agent"] = old_auth_session.last_user_agent
        args["last_used"] = old_auth_session.last_used
    args["session_data"] = pickle.dumps(args["session_data"])
    session = Session.objects.using(db_alias).create(**args)
    if old_auth_session:
        AuthenticatedSession.objects.using(db_alias).create(
            session=session,
            user=old_auth_session.user,
            uuid=old_auth_session.uuid,
        )
 def migrate_redis_sessions(apps, schema_editor):
    from django.core.cache import caches
    db_alias = schema_editor.connection.alias
    cache = caches[SESSION_CACHE_ALIAS]
    # Not a redis cache, skipping
    if not hasattr(cache, "keys"):
        return
    print("\nMigrating Redis sessions to database, this might take a couple of minutes...")
    for key, session_data in progress_bar(cache.get_many(cache.keys(f"{KEY_PREFIX}*")).items()):
        _migrate_session(
            apps=apps,
            db_alias=db_alias,
            session_key=key.removeprefix(KEY_PREFIX),
            session_data=session_data,
            expires=now() + timedelta(seconds=cache.ttl(key)),
        )
 def migrate_database_sessions(apps, schema_editor):
    DjangoSession = apps.get_model("sessions", "Session")
    db_alias = schema_editor.connection.alias
    print("\nMigration database sessions, this might take a couple of minutes...")
    for django_session in progress_bar(DjangoSession.objects.using(db_alias).all()):
        session_data = signing.loads(
            django_session.session_data,
            salt="django.contrib.sessions.SessionStore",
            serializer=PickleSerializer,
        )
        _migrate_session(
            apps=apps,
            db_alias=db_alias,
            session_key=django_session.session_key,
            session_data=session_data,
            expires=django_session.expire_date,
        )
 class Migration(migrations.Migration):
    dependencies = [
        ("sessions", "0001_initial"),
        ("authentik_core", "0045_rename_new_identifier_usersourceconnection_identifier_and_more"),
        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
    ]
    operations = [
        # Rename AuthenticatedSession to OldAuthenticatedSession
        migrations.RenameModel(
            old_name="AuthenticatedSession",
            new_name="OldAuthenticatedSession",
        ),
        migrations.RenameIndex(
            model_name="oldauthenticatedsession",
            new_name="authentik_c_expires_cf4f72_idx",
            old_name="authentik_c_expires_08251d_idx",
        ),
        migrations.RenameIndex(
            model_name="oldauthenticatedsession",
            new_name="authentik_c_expirin_c1f17f_idx",
            old_name="authentik_c_expirin_9cd839_idx",
        ),
        migrations.RenameIndex(
            model_name="oldauthenticatedsession",
            new_name="authentik_c_expirin_e04f5d_idx",
            old_name="authentik_c_expirin_195a84_idx",
        ),
        migrations.RenameIndex(
            model_name="oldauthenticatedsession",
            new_name="authentik_c_session_a44819_idx",
            old_name="authentik_c_session_d0f005_idx",
        ),
        migrations.RunSQL(
            sql="ALTER INDEX authentik_core_authenticatedsession_user_id_5055b6cf RENAME TO authentik_core_oldauthenticatedsession_user_id_5055b6cf",
            reverse_sql="ALTER INDEX authentik_core_oldauthenticatedsession_user_id_5055b6cf RENAME TO authentik_core_authenticatedsession_user_id_5055b6cf",
        ),
        # Create new Session and AuthenticatedSession models
        migrations.CreateModel(
            name="Session",
            fields=[
                (
                    "session_key",
                    models.CharField(
                        max_length=40, primary_key=True, serialize=False, verbose_name="session key"
                    ),
                ),
                ("expires", models.DateTimeField(default=None, null=True)),
                ("expiring", models.BooleanField(default=True)),
                ("session_data", models.BinaryField(verbose_name="session data")),
                ("last_ip", models.GenericIPAddressField()),
                ("last_user_agent", models.TextField(blank=True)),
                ("last_used", models.DateTimeField(auto_now=True)),
            ],
            options={
                "default_permissions": [],
                "verbose_name": "Session",
                "verbose_name_plural": "Sessions",
            },
        ),
        migrations.AddIndex(
            model_name="session",
            index=models.Index(fields=["expires"], name="authentik_c_expires_d2f607_idx"),
        ),
        migrations.AddIndex(
            model_name="session",
            index=models.Index(fields=["expiring"], name="authentik_c_expirin_7c2cfb_idx"),
        ),
        migrations.AddIndex(
            model_name="session",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_c_expirin_1ab2e4_idx"
            ),
        ),
        migrations.AddIndex(
            model_name="session",
            index=models.Index(
                fields=["expires", "session_key"], name="authentik_c_expires_c49143_idx"
            ),
        ),
        migrations.CreateModel(
            name="AuthenticatedSession",
            fields=[
                (
                    "session",
                    models.OneToOneField(
                        on_delete=django.db.models.deletion.CASCADE,
                        primary_key=True,
                        serialize=False,
                        to="authentik_core.session",
                    ),
                ),
                ("uuid", models.UUIDField(default=uuid.uuid4, unique=True)),
                (
                    "user",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
                    ),
                ),
            ],
            options={
                "verbose_name": "Authenticated Session",
                "verbose_name_plural": "Authenticated Sessions",
            },
        ),
        migrations.RunPython(
            code=migrate_redis_sessions,
            reverse_code=migrations.RunPython.noop,
        ),
        migrations.RunPython(
            code=migrate_database_sessions,
            reverse_code=migrations.RunPython.noop,
        ),
    ]
--- a/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
+++ b/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
@ -1,18 +0,0 @@
 # Generated by Django 5.0.11 on 2025-01-27 13:02
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0046_session_and_more"),
        ("authentik_providers_rac", "0007_migrate_session"),
        ("authentik_providers_oauth2", "0028_migrate_session"),
    ]
    operations = [
        migrations.DeleteModel(
            name="OldAuthenticatedSession",
        ),
    ]
--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -1,103 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-14 11:15
 from django.apps.registry import Apps, apps as global_apps
 from django.db import migrations
 from django.contrib.contenttypes.management import create_contenttypes
 from django.contrib.auth.management import create_permissions
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def migrate_authenticated_session_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    """Migrate permissions from OldAuthenticatedSession to AuthenticatedSession"""
    db_alias = schema_editor.connection.alias
    # `apps` here is just an instance of `django.db.migrations.state.AppConfigStub`, we need the
    # real config for creating permissions and content types
    authentik_core_config = global_apps.get_app_config("authentik_core")
    # These are only ran by django after all migrations, but we need them right now.
    # `global_apps` is needed,
    create_permissions(authentik_core_config, using=db_alias, verbosity=1)
    create_contenttypes(authentik_core_config, using=db_alias, verbosity=1)
    # But from now on, this is just a regular migration, so use `apps`
    Permission = apps.get_model("auth", "Permission")
    ContentType = apps.get_model("contenttypes", "ContentType")
    try:
        old_ct = ContentType.objects.using(db_alias).get(
            app_label="authentik_core", model="oldauthenticatedsession"
        )
        new_ct = ContentType.objects.using(db_alias).get(
            app_label="authentik_core", model="authenticatedsession"
        )
    except ContentType.DoesNotExist:
        # This should exist at this point, but if not, let's cut our losses
        return
    # Get all permissions for the old content type
    old_perms = Permission.objects.using(db_alias).filter(content_type=old_ct)
    # Create equivalent permissions for the new content type
    for old_perm in old_perms:
        new_perm = (
            Permission.objects.using(db_alias)
            .filter(
                content_type=new_ct,
                codename=old_perm.codename,
            )
            .first()
        )
        if not new_perm:
            # This should exist at this point, but if not, let's cut our losses
            continue
        # Global user permissions
        User = apps.get_model("authentik_core", "User")
        User.user_permissions.through.objects.using(db_alias).filter(
            permission=old_perm
        ).all().update(permission=new_perm)
        # Global role permissions
        DjangoGroup = apps.get_model("auth", "Group")
        DjangoGroup.permissions.through.objects.using(db_alias).filter(
            permission=old_perm
        ).all().update(permission=new_perm)
        # Object user permissions
        UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
        UserObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
            permission=new_perm, content_type=new_ct
        )
        # Object role permissions
        GroupObjectPermission = apps.get_model("guardian", "GroupObjectPermission")
        GroupObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
            permission=new_perm, content_type=new_ct
        )
 def remove_old_authenticated_session_content_type(
    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
 ):
    db_alias = schema_editor.connection.alias
    ContentType = apps.get_model("contenttypes", "ContentType")
    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0047_delete_oldauthenticatedsession"),
    ]
    operations = [
        migrations.RunPython(
            code=migrate_authenticated_session_permissions,
            reverse_code=migrations.RunPython.noop,
        ),
        migrations.RunPython(
            code=remove_old_authenticated_session_content_type,
            reverse_code=migrations.RunPython.noop,
        ),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -1,7 +1,6 @@
 """authentik core models"""
 from datetime import datetime
 from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@ -10,7 +9,6 @@ from deepmerge import always_merger
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.contrib.sessions.base_session import AbstractBaseSession
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
@ -648,30 +646,19 @@ class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""
    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    EMAIL_LINK = (
+    EMAIL_LINK = "email_link", _(
-        "email_link",
+        "Link to a user with identical email address. Can have security implications "
-        _(
+        "when a source doesn't validate email addresses."
            "Link to a user with identical email address. Can have security implications "
            "when a source doesn't validate email addresses."
        ),
    )
-    EMAIL_DENY = (
+    EMAIL_DENY = "email_deny", _(
-        "email_deny",
+        "Use the user's email address, but deny enrollment when the email address already exists."
        _(
            "Use the user's email address, but deny enrollment when the email address already "
            "exists."
        ),
    )
-    USERNAME_LINK = (
+    USERNAME_LINK = "username_link", _(
-        "username_link",
+        "Link to a user with identical username. Can have security implications "
-        _(
+        "when a username is used with another source."
            "Link to a user with identical username. Can have security implications "
            "when a username is used with another source."
        ),
    )
-    USERNAME_DENY = (
+    USERNAME_DENY = "username_deny", _(
-        "username_deny",
+        "Use the user's username, but deny enrollment when the username already exists."
        _("Use the user's username, but deny enrollment when the username already exists."),
    )
@ -679,16 +666,12 @@ class SourceGroupMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning groups"""
    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    NAME_LINK = (
+    NAME_LINK = "name_link", _(
-        "name_link",
+        "Link to a group with identical name. Can have security implications "
-        _(
+        "when a group name is used with another source."
            "Link to a group with identical name. Can have security implications "
            "when a group name is used with another source."
        ),
    )
-    NAME_DENY = (
+    NAME_DENY = "name_deny", _(
-        "name_deny",
+        "Use the group name, but deny enrollment when the name already exists."
        _("Use the group name, but deny enrollment when the name already exists."),
    )
@ -747,7 +730,8 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        choices=SourceGroupMatchingModes.choices,
        default=SourceGroupMatchingModes.IDENTIFIER,
        help_text=_(
-            "How the source determines if an existing group should be used or a new group created."
+            "How the source determines if an existing group should be used or "
            "a new group created."
        ),
    )
@ -1028,75 +1012,45 @@ class PropertyMapping(SerializerModel, ManagedModel):
        verbose_name_plural = _("Property Mappings")
-class Session(ExpiringModel, AbstractBaseSession):
+class AuthenticatedSession(ExpiringModel):
-    """User session with extra fields for fast access"""
+    """Additional session class for authenticated users. Augments the standard django session
    to achieve the following:
        - Make it queryable by user
        - Have a direct connection to user objects
        - Allow users to view their own sessions and terminate them
        - Save structured and well-defined information.
    """
-    # Remove upstream field because we're using our own ExpiringModel
+    uuid = models.UUIDField(default=uuid4, primary_key=True)
    expire_date = None
    session_data = models.BinaryField(_("session data"))
-    # Keep in sync with Session.Keys
+    session_key = models.CharField(max_length=40)
-    last_ip = models.GenericIPAddressField()
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
    last_ip = models.TextField()
    last_user_agent = models.TextField(blank=True)
    last_used = models.DateTimeField(auto_now=True)
    class Meta:
        verbose_name = _("Session")
        verbose_name_plural = _("Sessions")
        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["expires", "session_key"]),
        ]
        default_permissions = []
    def __str__(self):
        return self.session_key
    class Keys(StrEnum):
        """
        Keys to be set with the session interface for the fields above to be updated.
        If a field is added here that needs to be initialized when the session is initialized,
        it must also be reflected in authentik.root.middleware.SessionMiddleware.process_request
        and in authentik.core.sessions.SessionStore.__init__
        """
        LAST_IP = "last_ip"
        LAST_USER_AGENT = "last_user_agent"
        LAST_USED = "last_used"
    @classmethod
    def get_session_store_class(cls):
        from authentik.core.sessions import SessionStore
        return SessionStore
    def get_decoded(self):
        raise NotImplementedError
 class AuthenticatedSession(SerializerModel):
    session = models.OneToOneField(Session, on_delete=models.CASCADE, primary_key=True)
    # We use the session as primary key, but we need the API to be able to reference
    # this object uniquely without exposing the session key
    uuid = models.UUIDField(default=uuid4, unique=True)
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["session_key"]),
        ]
    def __str__(self) -> str:
-        return f"Authenticated Session {str(self.pk)[:10]}"
+        return f"Authenticated Session {self.session_key[:10]}"
    @staticmethod
    def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
        """Create a new session from a http request"""
-        if not hasattr(request, "session") or not request.session.exists(
+        from authentik.root.middleware import ClientIPMiddleware
-            request.session.session_key
+
-        ):
+        if not hasattr(request, "session") or not request.session.session_key:
            return None
        return AuthenticatedSession(
-            session=Session.objects.filter(session_key=request.session.session_key).first(),
+            session_key=request.session.session_key,
            user=user,
            last_ip=ClientIPMiddleware.get_client_ip(request),
            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
            expires=request.session.get_expiry_date(),
        )
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@ -1,168 +0,0 @@
 """authentik sessions engine"""
 import pickle  # nosec
 from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
 from django.contrib.sessions.backends.db import SessionStore as SessionBase
 from django.core.exceptions import SuspiciousOperation
 from django.utils import timezone
 from django.utils.functional import cached_property
 from structlog.stdlib import get_logger
 from authentik.root.middleware import ClientIPMiddleware
 LOGGER = get_logger()
 class SessionStore(SessionBase):
    def __init__(self, session_key=None, last_ip=None, last_user_agent=""):
        super().__init__(session_key)
        self._create_kwargs = {
            "last_ip": last_ip or ClientIPMiddleware.default_ip,
            "last_user_agent": last_user_agent,
        }
    @classmethod
    def get_model_class(cls):
        from authentik.core.models import Session
        return Session
    @cached_property
    def model_fields(self):
        return [k.value for k in self.model.Keys]
    def _get_session_from_db(self):
        try:
            return (
                self.model.objects.select_related(
                    "authenticatedsession",
                    "authenticatedsession__user",
                )
                .prefetch_related(
                    "authenticatedsession__user__groups",
                    "authenticatedsession__user__user_permissions",
                )
                .get(
                    session_key=self.session_key,
                    expires__gt=timezone.now(),
                )
            )
        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
            if isinstance(exc, SuspiciousOperation):
                LOGGER.warning(str(exc))
            self._session_key = None
    async def _aget_session_from_db(self):
        try:
            return (
                await self.model.objects.select_related(
                    "authenticatedsession",
                    "authenticatedsession__user",
                )
                .prefetch_related(
                    "authenticatedsession__user__groups",
                    "authenticatedsession__user__user_permissions",
                )
                .aget(
                    session_key=self.session_key,
                    expires__gt=timezone.now(),
                )
            )
        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
            if isinstance(exc, SuspiciousOperation):
                LOGGER.warning(str(exc))
            self._session_key = None
    def encode(self, session_dict):
        return pickle.dumps(session_dict, protocol=pickle.HIGHEST_PROTOCOL)
    def decode(self, session_data):
        try:
            return pickle.loads(session_data)  # nosec
        except pickle.PickleError:
            # ValueError, unpickling exceptions. If any of these happen, just return an empty
            # dictionary (an empty session)
            pass
        return {}
    def load(self):
        s = self._get_session_from_db()
        if s:
            return {
                "authenticatedsession": getattr(s, "authenticatedsession", None),
                **{k: getattr(s, k) for k in self.model_fields},
                **self.decode(s.session_data),
            }
        else:
            return {}
    async def aload(self):
        s = await self._aget_session_from_db()
        if s:
            return {
                "authenticatedsession": getattr(s, "authenticatedsession", None),
                **{k: getattr(s, k) for k in self.model_fields},
                **self.decode(s.session_data),
            }
        else:
            return {}
    def create_model_instance(self, data):
        args = {
            "session_key": self._get_or_create_session_key(),
            "expires": self.get_expiry_date(),
            "session_data": {},
            **self._create_kwargs,
        }
        for k, v in data.items():
            # Don't save:
            # - unused auth data
            # - related models
            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
                pass
            elif k in self.model_fields:
                args[k] = v
            else:
                args["session_data"][k] = v
        args["session_data"] = self.encode(args["session_data"])
        return self.model(**args)
    async def acreate_model_instance(self, data):
        args = {
            "session_key": await self._aget_or_create_session_key(),
            "expires": await self.aget_expiry_date(),
            "session_data": {},
            **self._create_kwargs,
        }
        for k, v in data.items():
            # Don't save:
            # - unused auth data
            # - related models
            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
                pass
            elif k in self.model_fields:
                args[k] = v
            else:
                args["session_data"][k] = v
        args["session_data"] = self.encode(args["session_data"])
        return self.model(**args)
    @classmethod
    def clear_expired(cls):
        cls.get_model_class().objects.filter(expires__lt=timezone.now()).delete()
    @classmethod
    async def aclear_expired(cls):
        await cls.get_model_class().objects.filter(expires__lt=timezone.now()).adelete()
    def cycle_key(self):
        data = self._session
        key = self.session_key
        self.create()
        self._session_cache = data
        if key:
            self.delete(key)
        if (authenticated_session := data.get("authenticatedsession")) is not None:
            authenticated_session.session_id = self.session_key
            authenticated_session.save(force_insert=True)
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,10 +1,14 @@
 """authentik core signals"""
-from django.contrib.auth.signals import user_logged_in
+from importlib import import_module
 from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.contrib.sessions.backends.base import SessionBase
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
-from django.db.models.signals import post_delete, post_save, pre_save
+from django.db.models.signals import post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
@ -14,7 +18,6 @@ from authentik.core.models import (
    AuthenticatedSession,
    BackchannelProvider,
    ExpiringModel,
    Session,
    User,
    default_token_duration,
 )
@ -25,6 +28,7 @@ password_changed = Signal()
 login_failed = Signal()
 LOGGER = get_logger()
 SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore
@receiver(post_save, sender=Application)
@ -49,10 +53,18 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
        session.save()
-@receiver(post_delete, sender=AuthenticatedSession)
+@receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
    """Delete AuthenticatedSession if it exists"""
    if not request.session or not request.session.session_key:
        return
    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
@receiver(pre_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
-    Session.objects.filter(session_key=instance.pk).delete()
+    SessionStore(instance.session_key).delete()
@receiver(pre_save)
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -2,16 +2,22 @@
 from datetime import datetime, timedelta
 from django.conf import ImproperlyConfigured
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.contrib.sessions.backends.db import SessionStore as DBSessionStore
 from django.core.cache import cache
 from django.utils.timezone import now
 from structlog.stdlib import get_logger
 from authentik.core.models import (
    USER_ATTRIBUTE_EXPIRES,
    USER_ATTRIBUTE_GENERATED,
    AuthenticatedSession,
    ExpiringModel,
    User,
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
@ -32,6 +38,40 @@ def clean_expired_models(self: SystemTask):
            obj.expire_action()
        LOGGER.debug("Expired models", model=cls, amount=amount)
        messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
    # Special case
    amount = 0
    for session in AuthenticatedSession.objects.all():
        match CONFIG.get("session_storage", "cache"):
            case "cache":
                cache_key = f"{KEY_PREFIX}{session.session_key}"
                value = None
                try:
                    value = cache.get(cache_key)
                except Exception as exc:
                    LOGGER.debug("Failed to get session from cache", exc=exc)
                if not value:
                    session.delete()
                    amount += 1
            case "db":
                if not (
                    DBSessionStore.get_model_class()
                    .objects.filter(session_key=session.session_key, expire_date__gt=now())
                    .exists()
                ):
                    session.delete()
                    amount += 1
            case _:
                # Should never happen, as we check for other values in authentik/root/settings.py
                raise ImproperlyConfigured(
                    "Invalid session_storage setting, allowed values are db and cache"
                )
    if CONFIG.get("session_storage", "cache") == "db":
        DBSessionStore.clear_expired()
    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
    self.set_status(TaskStatus.SUCCESSFUL, *messages)
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,14 +16,12 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand_css }}</style>
+        <style>{{ brand.branding_custom_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
-        {% for key, value in html_meta.items %}
+        <meta name="sentry-trace" content="{{ sentry_trace }}" />
        <meta name="{{key}}" content="{{ value }}" />
        {% endfor %}
    </head>
    <body>
        {% block body %}
--- a/authentik/core/tests/test_api_utils.py
+++ b/authentik/core/tests/test_api_utils.py
@ -1,17 +1,9 @@
 """Test API Utils"""
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import (
    HyperlinkedModelSerializer,
 )
 from rest_framework.serializers import (
    ModelSerializer as BaseModelSerializer,
 )
 from rest_framework.test import APITestCase
 from authentik.core.api.utils import ModelSerializer as CustomModelSerializer
 from authentik.core.api.utils import is_dict
 from authentik.lib.utils.reflection import all_subclasses
 class TestAPIUtils(APITestCase):
@ -22,14 +14,3 @@ class TestAPIUtils(APITestCase):
        self.assertIsNone(is_dict({}))
        with self.assertRaises(ValidationError):
            is_dict("foo")
    def test_all_serializers_descend_from_custom(self):
        """Test that every serializer we define descends from our own ModelSerializer"""
        # Weirdly, there's only one serializer in `rest_framework` which descends from
        # ModelSerializer: HyperlinkedModelSerializer
        expected = {CustomModelSerializer, HyperlinkedModelSerializer}
        actual = set(all_subclasses(BaseModelSerializer)) - set(
            all_subclasses(CustomModelSerializer)
        )
        self.assertEqual(expected, actual)
--- a/authentik/core/tests/test_authenticated_sessions_api.py
+++ b/authentik/core/tests/test_authenticated_sessions_api.py
@ -5,7 +5,7 @@ from json import loads
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
-from authentik.core.models import AuthenticatedSession, Session, User
+from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
@ -30,18 +30,3 @@ class TestAuthenticatedSessionsAPI(APITestCase):
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["pagination"]["count"], 1)
    def test_delete(self):
        """Test deletion"""
        self.client.force_login(self.user)
        self.assertEqual(AuthenticatedSession.objects.all().count(), 1)
        self.assertEqual(Session.objects.all().count(), 1)
        response = self.client.delete(
            reverse(
                "authentik_api:authenticatedsession-detail",
                kwargs={"uuid": AuthenticatedSession.objects.first().uuid},
            )
        )
        self.assertEqual(response.status_code, 204)
        self.assertEqual(AuthenticatedSession.objects.all().count(), 0)
        self.assertEqual(Session.objects.all().count(), 0)
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -124,16 +124,6 @@ class TestGroupsAPI(APITestCase):
            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )
    def test_superuser_no_perm_no_superuser(self):
        """Test creating a group without permission and without superuser flag"""
        assign_perm("authentik_core.add_group", self.login_user)
        self.client.force_login(self.login_user)
        res = self.client.post(
            reverse("authentik_api:group-list"),
            data={"name": generate_id(), "is_superuser": False},
        )
        self.assertEqual(res.status_code, 201)
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
--- a/authentik/core/tests/test_tasks.py
+++ b/authentik/core/tests/test_tasks.py
@ -13,10 +13,7 @@ from authentik.core.models import (
    TokenIntents,
    User,
 )
-from authentik.core.tasks import (
+from authentik.core.tasks import clean_expired_models, clean_temporary_users
    clean_expired_models,
    clean_temporary_users,
 )
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -3,6 +3,8 @@
 from datetime import datetime
 from json import loads
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
@ -10,7 +12,6 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    AuthenticatedSession,
    Session,
    Token,
    User,
    UserTypes,
@ -380,15 +381,12 @@ class TestUsersAPI(APITestCase):
        """Ensure sessions are deleted when a user is deactivated"""
        user = create_test_admin_user()
        session_id = generate_id()
        session = Session.objects.create(
            session_key=session_id,
            last_ip="255.255.255.255",
            last_user_agent="",
        )
        AuthenticatedSession.objects.create(
            session=session,
            user=user,
            session_key=session_id,
            last_ip="",
        )
        cache.set(KEY_PREFIX + session_id, "foo")
        self.client.force_login(self.admin)
        response = self.client.patch(
@ -399,7 +397,5 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)
-        self.assertFalse(Session.objects.filter(session_key=session_id).exists())
+        self.assertIsNone(cache.get(KEY_PREFIX + session_id))
-        self.assertFalse(
+        self.assertFalse(AuthenticatedSession.objects.filter(session_key=session_id).exists())
            AuthenticatedSession.objects.filter(session__session_key=session_id).exists()
        )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -1,5 +1,7 @@
 """authentik URL Configuration"""
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
@ -27,7 +29,7 @@ from authentik.core.views.interface import (
    RootRedirectView,
 )
 from authentik.flows.views.interface import FlowInterfaceView
-from authentik.root.asgi_middleware import AuthMiddlewareStack
+from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@ -97,7 +99,9 @@ api_urlpatterns = [
 websocket_urlpatterns = [
    path(
        "ws/client/",
-        ChannelsLoggingMiddleware(AuthMiddlewareStack(MessageConsumer.as_asgi())),
+        ChannelsLoggingMiddleware(
            CookieMiddleware(SessionMiddleware(AuthMiddleware(MessageConsumer.as_asgi())))
        ),
    ),
 ]
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -30,7 +30,6 @@ from structlog.stdlib import get_logger
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import UserTypes
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
@ -273,12 +272,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def view_certificate(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs certificate and log access"""
        certificate: CertificateKeyPair = self.get_object()
-        if request.user.type != UserTypes.INTERNAL_SERVICE_ACCOUNT:
+        Event.new(  # noqa # nosec
-            Event.new(  # noqa # nosec
+            EventAction.SECRET_VIEW,
-                EventAction.SECRET_VIEW,
+            secret=certificate,
-                secret=certificate,
+            type="certificate",
-                type="certificate",
+        ).from_http(request)
            ).from_http(request)
        if "download" in request.query_params:
            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
            response = HttpResponse(
@ -304,12 +302,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def view_private_key(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs private key and log access"""
        certificate: CertificateKeyPair = self.get_object()
-        if request.user.type != UserTypes.INTERNAL_SERVICE_ACCOUNT:
+        Event.new(  # noqa # nosec
-            Event.new(  # noqa # nosec
+            EventAction.SECRET_VIEW,
-                EventAction.SECRET_VIEW,
+            secret=certificate,
-                secret=certificate,
+            type="private_key",
-                type="private_key",
+        ).from_http(request)
            ).from_http(request)
        if "download" in request.query_params:
            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
            response = HttpResponse(certificate.key_data, content_type="application/x-pem-file")
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -132,14 +132,13 @@ class LicenseKey:
        """Get a summarized version of all (not expired) licenses"""
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in License.objects.all():
-            if lic.is_valid:
+            total.internal_users += lic.internal_users
-                total.internal_users += lic.internal_users
+            total.external_users += lic.external_users
                total.external_users += lic.external_users
                total.license_flags.extend(lic.status.license_flags)
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            total.exp = max(total.exp, exp_ts)
            total.license_flags.extend(lic.status.license_flags)
        return total
    @staticmethod
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -39,10 +39,6 @@ class License(SerializerModel):
    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()
    @property
    def is_valid(self) -> bool:
        return self.expiry >= now()
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.api import LicenseSerializer
--- a/authentik/enterprise/policies/unique_password/api.py
+++ b/authentik/enterprise/policies/unique_password/api.py
@ -1,27 +0,0 @@
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.policies.unique_password.models import UniquePasswordPolicy
 from authentik.policies.api.policies import PolicySerializer
 class UniquePasswordPolicySerializer(EnterpriseRequiredMixin, PolicySerializer):
    """Password Uniqueness Policy Serializer"""
    class Meta:
        model = UniquePasswordPolicy
        fields = PolicySerializer.Meta.fields + [
            "password_field",
            "num_historical_passwords",
        ]
 class UniquePasswordPolicyViewSet(UsedByMixin, ModelViewSet):
    """Password Uniqueness Policy Viewset"""
    queryset = UniquePasswordPolicy.objects.all()
    serializer_class = UniquePasswordPolicySerializer
    filterset_fields = "__all__"
    ordering = ["name"]
    search_fields = ["name"]
--- a/authentik/enterprise/policies/unique_password/apps.py
+++ b/authentik/enterprise/policies/unique_password/apps.py
@ -1,10 +0,0 @@
 """authentik Unique Password policy app config"""
 from authentik.enterprise.apps import EnterpriseConfig
 class AuthentikEnterprisePoliciesUniquePasswordConfig(EnterpriseConfig):
    name = "authentik.enterprise.policies.unique_password"
    label = "authentik_policies_unique_password"
    verbose_name = "authentik Enterprise.Policies.Unique Password"
    default = True
--- a/authentik/enterprise/policies/unique_password/migrations/0001_initial.py
+++ b/authentik/enterprise/policies/unique_password/migrations/0001_initial.py
@ -1,81 +0,0 @@
 # Generated by Django 5.0.13 on 2025-03-26 23:02
 import django.db.models.deletion
 from django.conf import settings
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
    operations = [
        migrations.CreateModel(
            name="UniquePasswordPolicy",
            fields=[
                (
                    "policy_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_policies.policy",
                    ),
                ),
                (
                    "password_field",
                    models.TextField(
                        default="password",
                        help_text="Field key to check, field keys defined in Prompt stages are available.",
                    ),
                ),
                (
                    "num_historical_passwords",
                    models.PositiveIntegerField(
                        default=1, help_text="Number of passwords to check against."
                    ),
                ),
            ],
            options={
                "verbose_name": "Password Uniqueness Policy",
                "verbose_name_plural": "Password Uniqueness Policies",
                "indexes": [
                    models.Index(fields=["policy_ptr_id"], name="authentik_p_policy__f559aa_idx")
                ],
            },
            bases=("authentik_policies.policy",),
        ),
        migrations.CreateModel(
            name="UserPasswordHistory",
            fields=[
                (
                    "id",
                    models.AutoField(
                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
                    ),
                ),
                ("old_password", models.CharField(max_length=128)),
                ("created_at", models.DateTimeField(auto_now_add=True)),
                ("hibp_prefix_sha1", models.CharField(max_length=5)),
                ("hibp_pw_hash", models.TextField()),
                (
                    "user",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        related_name="old_passwords",
                        to=settings.AUTH_USER_MODEL,
                    ),
                ),
            ],
            options={
                "verbose_name": "User Password History",
            },
        ),
    ]
--- a/authentik/enterprise/policies/unique_password/migrations/init.py
+++ b/authentik/enterprise/policies/unique_password/migrations/init.py
--- a/authentik/enterprise/policies/unique_password/models.py
+++ b/authentik/enterprise/policies/unique_password/models.py
@ -1,151 +0,0 @@
 from hashlib import sha1
 from django.contrib.auth.hashers import identify_hasher, make_password
 from django.db import models
 from django.utils.translation import gettext as _
 from rest_framework.serializers import BaseSerializer
 from structlog.stdlib import get_logger
 from authentik.core.models import User
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 LOGGER = get_logger()
 class UniquePasswordPolicy(Policy):
    """This policy prevents users from reusing old passwords."""
    password_field = models.TextField(
        default="password",
        help_text=_("Field key to check, field keys defined in Prompt stages are available."),
    )
    # Limit on the number of previous passwords the policy evaluates
    # Also controls number of old passwords the system stores.
    num_historical_passwords = models.PositiveIntegerField(
        default=1,
        help_text=_("Number of passwords to check against."),
    )
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.policies.unique_password.api import UniquePasswordPolicySerializer
        return UniquePasswordPolicySerializer
    @property
    def component(self) -> str:
        return "ak-policy-password-uniqueness-form"
    def passes(self, request: PolicyRequest) -> PolicyResult:
        from authentik.enterprise.policies.unique_password.models import UserPasswordHistory
        password = request.context.get(PLAN_CONTEXT_PROMPT, {}).get(
            self.password_field, request.context.get(self.password_field)
        )
        if not password:
            LOGGER.warning(
                "Password field not found in request when checking UniquePasswordPolicy",
                field=self.password_field,
                fields=request.context.keys(),
            )
            return PolicyResult(False, _("Password not set in context"))
        password = str(password)
        if not self.num_historical_passwords:
            # Policy not configured to check against any passwords
            return PolicyResult(True)
        num_to_check = self.num_historical_passwords
        password_history = UserPasswordHistory.objects.filter(user=request.user).order_by(
            "-created_at"
        )[:num_to_check]
        if not password_history:
            return PolicyResult(True)
        for record in password_history:
            if not record.old_password:
                continue
            if self._passwords_match(new_password=password, old_password=record.old_password):
                # Return on first match. Authentik does not consider timing attacks
                # on old passwords to be an attack surface.
                return PolicyResult(
                    False,
                    _("This password has been used previously. Please choose a different one."),
                )
        return PolicyResult(True)
    def _passwords_match(self, *, new_password: str, old_password: str) -> bool:
        try:
            hasher = identify_hasher(old_password)
        except ValueError:
            LOGGER.warning(
                "Skipping password; could not load hash algorithm",
            )
            return False
        return hasher.verify(new_password, old_password)
    @classmethod
    def is_in_use(cls):
        """Check if any UniquePasswordPolicy is in use, either through policy bindings
        or direct attachment to a PromptStage.
        Returns:
            bool: True if any policy is in use, False otherwise
        """
        from authentik.policies.models import PolicyBinding
        # Check if any policy is in use through bindings
        if PolicyBinding.in_use.for_policy(cls).exists():
            return True
        # Check if any policy is attached to a PromptStage
        if cls.objects.filter(promptstage__isnull=False).exists():
            return True
        return False
    class Meta(Policy.PolicyMeta):
        verbose_name = _("Password Uniqueness Policy")
        verbose_name_plural = _("Password Uniqueness Policies")
 class UserPasswordHistory(models.Model):
    user = models.ForeignKey(User, on_delete=models.CASCADE, related_name="old_passwords")
    # Mimic's column type of AbstractBaseUser.password
    old_password = models.CharField(max_length=128)
    created_at = models.DateTimeField(auto_now_add=True)
    hibp_prefix_sha1 = models.CharField(max_length=5)
    hibp_pw_hash = models.TextField()
    class Meta:
        verbose_name = _("User Password History")
    def __str__(self) -> str:
        timestamp = f"{self.created_at:%Y/%m/%d %X}" if self.created_at else "N/A"
        return f"Previous Password (user: {self.user_id}, recorded: {timestamp})"
    @classmethod
    def create_for_user(cls, user: User, password: str):
        # To check users' passwords against Have I been Pwned, we need the first 5 chars
        # of the password hashed with SHA1 without a salt...
        pw_hash_sha1 = sha1(password.encode("utf-8")).hexdigest()  # nosec
        # ...however that'll give us a list of hashes from HIBP, and to compare that we still
        # need a full unsalted SHA1 of the password. We don't want to save that directly in
        # the database, so we hash that SHA1 again with a modern hashing alg,
        # and then when we check users' passwords against HIBP we can use `check_password`
        # which will take care of this.
        hibp_hash_hash = make_password(pw_hash_sha1)
        return cls.objects.create(
            user=user,
            old_password=password,
            hibp_prefix_sha1=pw_hash_sha1[:5],
            hibp_pw_hash=hibp_hash_hash,
        )
--- a/authentik/enterprise/policies/unique_password/settings.py
+++ b/authentik/enterprise/policies/unique_password/settings.py
@ -1,20 +0,0 @@
 """Unique Password Policy settings"""
 from celery.schedules import crontab
 from authentik.lib.utils.time import fqdn_rand
 CELERY_BEAT_SCHEDULE = {
    "policies_unique_password_trim_history": {
        "task": "authentik.enterprise.policies.unique_password.tasks.trim_password_histories",
        "schedule": crontab(minute=fqdn_rand("policies_unique_password_trim"), hour="*/12"),
        "options": {"queue": "authentik_scheduled"},
    },
    "policies_unique_password_check_purge": {
        "task": (
            "authentik.enterprise.policies.unique_password.tasks.check_and_purge_password_history"
        ),
        "schedule": crontab(minute=fqdn_rand("policies_unique_password_purge"), hour="*/24"),
        "options": {"queue": "authentik_scheduled"},
    },
 }
--- a/authentik/enterprise/policies/unique_password/signals.py
+++ b/authentik/enterprise/policies/unique_password/signals.py
@ -1,23 +0,0 @@
 """authentik policy signals"""
 from django.dispatch import receiver
 from authentik.core.models import User
 from authentik.core.signals import password_changed
 from authentik.enterprise.policies.unique_password.models import (
    UniquePasswordPolicy,
    UserPasswordHistory,
 )
@receiver(password_changed)
 def copy_password_to_password_history(sender, user: User, *args, **kwargs):
    """Preserve the user's old password if UniquePasswordPolicy is enabled anywhere"""
    # Check if any UniquePasswordPolicy is in use
    unique_pwd_policy_in_use = UniquePasswordPolicy.is_in_use()
    if unique_pwd_policy_in_use:
        """NOTE: Because we run this in a signal after saving the user,
        we are not atomically guaranteed to save password history.
        """
        UserPasswordHistory.create_for_user(user, user.password)
--- a/authentik/enterprise/policies/unique_password/tasks.py
+++ b/authentik/enterprise/policies/unique_password/tasks.py
@ -1,66 +0,0 @@
 from django.db.models.aggregates import Count
 from structlog import get_logger
 from authentik.enterprise.policies.unique_password.models import (
    UniquePasswordPolicy,
    UserPasswordHistory,
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
@CELERY_APP.task(bind=True, base=SystemTask)
@prefill_task
 def check_and_purge_password_history(self: SystemTask):
    """Check if any UniquePasswordPolicy exists, and if not, purge the password history table.
    This is run on a schedule instead of being triggered by policy binding deletion.
    """
    if not UniquePasswordPolicy.objects.exists():
        UserPasswordHistory.objects.all().delete()
        LOGGER.debug("Purged UserPasswordHistory table as no policies are in use")
        self.set_status(TaskStatus.SUCCESSFUL, "Successfully purged UserPasswordHistory")
        return
    self.set_status(
        TaskStatus.SUCCESSFUL, "Not purging password histories, a unique password policy exists"
    )
@CELERY_APP.task(bind=True, base=SystemTask)
 def trim_password_histories(self: SystemTask):
    """Removes rows from UserPasswordHistory older than
    the `n` most recent entries.
    The `n` is defined by the largest configured value for all bound
    UniquePasswordPolicy policies.
    """
    # No policy, we'll let the cleanup above do its thing
    if not UniquePasswordPolicy.objects.exists():
        return
    num_rows_to_preserve = 0
    for policy in UniquePasswordPolicy.objects.all():
        num_rows_to_preserve = max(num_rows_to_preserve, policy.num_historical_passwords)
    all_pks_to_keep = []
    # Get all users who have password history entries
    users_with_history = (
        UserPasswordHistory.objects.values("user")
        .annotate(count=Count("user"))
        .filter(count__gt=0)
        .values_list("user", flat=True)
    )
    for user_pk in users_with_history:
        entries = UserPasswordHistory.objects.filter(user__pk=user_pk)
        pks_to_keep = entries.order_by("-created_at")[:num_rows_to_preserve].values_list(
            "pk", flat=True
        )
        all_pks_to_keep.extend(pks_to_keep)
    num_deleted, _ = UserPasswordHistory.objects.exclude(pk__in=all_pks_to_keep).delete()
    LOGGER.debug("Deleted stale password history records", count=num_deleted)
    self.set_status(TaskStatus.SUCCESSFUL, f"Delete {num_deleted} stale password history records")
--- a/authentik/enterprise/policies/unique_password/tests/test_flows.py
+++ b/authentik/enterprise/policies/unique_password/tests/test_flows.py
@ -1,108 +0,0 @@
 """Unique Password Policy flow tests"""
 from django.contrib.auth.hashers import make_password
 from django.urls.base import reverse
 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.enterprise.policies.unique_password.models import (
    UniquePasswordPolicy,
    UserPasswordHistory,
 )
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.tests import FlowTestCase
 from authentik.lib.generators import generate_id
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 class TestUniquePasswordPolicyFlow(FlowTestCase):
    """Test Unique Password Policy in a flow"""
    REUSED_PASSWORD = "hunter1"  # nosec B105
    def setUp(self) -> None:
        self.user = create_test_user()
        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        password_prompt = Prompt.objects.create(
            name=generate_id(),
            field_key="password",
            label="PASSWORD_LABEL",
            type=FieldTypes.PASSWORD,
            required=True,
            placeholder="PASSWORD_PLACEHOLDER",
        )
        self.policy = UniquePasswordPolicy.objects.create(
            name="password_must_unique",
            password_field=password_prompt.field_key,
            num_historical_passwords=1,
        )
        stage = PromptStage.objects.create(name="prompt-stage")
        stage.validation_policies.set([self.policy])
        stage.fields.set(
            [
                password_prompt,
            ]
        )
        FlowStageBinding.objects.create(target=self.flow, stage=stage, order=2)
        # Seed the user's password history
        UserPasswordHistory.create_for_user(self.user, make_password(self.REUSED_PASSWORD))
    def test_prompt_data(self):
        """Test policy attached to a prompt stage"""
        # Test the policy directly
        from authentik.policies.types import PolicyRequest
        from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
        # Create a policy request with the reused password
        request = PolicyRequest(user=self.user)
        request.context[PLAN_CONTEXT_PROMPT] = {"password": self.REUSED_PASSWORD}
        # Test the policy directly
        result = self.policy.passes(request)
        # Verify that the policy fails (returns False) with the expected error message
        self.assertFalse(result.passing, "Policy should fail for reused password")
        self.assertEqual(
            result.messages[0],
            "This password has been used previously. Please choose a different one.",
            "Incorrect error message",
        )
        # API-based testing approach:
        self.client.force_login(self.user)
        # Send a POST request to the flow executor with the reused password
        response = self.client.post(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            {"password": self.REUSED_PASSWORD},
        )
        self.assertStageResponse(
            response,
            self.flow,
            component="ak-stage-prompt",
            fields=[
                {
                    "choices": None,
                    "field_key": "password",
                    "label": "PASSWORD_LABEL",
                    "order": 0,
                    "placeholder": "PASSWORD_PLACEHOLDER",
                    "initial_value": "",
                    "required": True,
                    "type": "password",
                    "sub_text": "",
                }
            ],
            response_errors={
                "non_field_errors": [
                    {
                        "code": "invalid",
                        "string": "This password has been used previously. "
                        "Please choose a different one.",
                    }
                ]
            },
        )
--- a/authentik/enterprise/policies/unique_password/tests/test_policy.py
+++ b/authentik/enterprise/policies/unique_password/tests/test_policy.py
@ -1,77 +0,0 @@
 """Unique Password Policy tests"""
 from django.contrib.auth.hashers import make_password
 from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from authentik.core.models import User
 from authentik.enterprise.policies.unique_password.models import (
    UniquePasswordPolicy,
    UserPasswordHistory,
 )
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 class TestUniquePasswordPolicy(TestCase):
    """Test Password Uniqueness Policy"""
    def setUp(self) -> None:
        self.policy = UniquePasswordPolicy.objects.create(
            name="test_unique_password", num_historical_passwords=1
        )
        self.user = User.objects.create(username="test-user")
    def test_invalid(self):
        """Test without password present in request"""
        request = PolicyRequest(get_anonymous_user())
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages[0], "Password not set in context")
    def test_passes_no_previous_passwords(self):
        request = PolicyRequest(get_anonymous_user())
        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter2"}}
        result: PolicyResult = self.policy.passes(request)
        self.assertTrue(result.passing)
    def test_passes_passwords_are_different(self):
        # Seed database with an old password
        UserPasswordHistory.create_for_user(self.user, make_password("hunter1"))
        request = PolicyRequest(self.user)
        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter2"}}
        result: PolicyResult = self.policy.passes(request)
        self.assertTrue(result.passing)
    def test_passes_multiple_old_passwords(self):
        # Seed with multiple old passwords
        UserPasswordHistory.objects.bulk_create(
            [
                UserPasswordHistory(user=self.user, old_password=make_password("hunter1")),
                UserPasswordHistory(user=self.user, old_password=make_password("hunter2")),
            ]
        )
        request = PolicyRequest(self.user)
        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter3"}}
        result: PolicyResult = self.policy.passes(request)
        self.assertTrue(result.passing)
    def test_fails_password_matches_old_password(self):
        # Seed database with an old password
        UserPasswordHistory.create_for_user(self.user, make_password("hunter1"))
        request = PolicyRequest(self.user)
        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter1"}}
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
    def test_fails_if_identical_password_with_different_hash_algos(self):
        UserPasswordHistory.create_for_user(
            self.user, make_password("hunter2", "somesalt", "scrypt")
        )
        request = PolicyRequest(self.user)
        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter2"}}
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
--- a/authentik/enterprise/policies/unique_password/tests/test_stages.py
+++ b/authentik/enterprise/policies/unique_password/tests/test_stages.py
@ -1,90 +0,0 @@
 from django.urls import reverse
 from authentik.core.models import Group, Source, User
 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.enterprise.policies.unique_password.models import (
    UniquePasswordPolicy,
    UserPasswordHistory,
 )
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_key
 from authentik.policies.models import PolicyBinding, PolicyBindingModel
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.models import UserWriteStage
 class TestUserWriteStage(FlowTestCase):
    """Write tests"""
    def setUp(self):
        super().setUp()
        self.flow = create_test_flow()
        self.group = Group.objects.create(name="test-group")
        self.other_group = Group.objects.create(name="other-group")
        self.stage: UserWriteStage = UserWriteStage.objects.create(
            name="write", create_users_as_inactive=True, create_users_group=self.group
        )
        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
        self.source = Source.objects.create(name="fake_source")
    def test_save_password_history_if_policy_binding_enforced(self):
        """Test user's new password is recorded when ANY enabled UniquePasswordPolicy exists"""
        unique_password_policy = UniquePasswordPolicy.objects.create(num_historical_passwords=5)
        pbm = PolicyBindingModel.objects.create()
        PolicyBinding.objects.create(
            target=pbm, policy=unique_password_policy, order=0, enabled=True
        )
        test_user = create_test_user()
        # Store original password for verification
        original_password = test_user.password
        # We're changing our own password
        self.client.force_login(test_user)
        new_password = generate_key()
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
        plan.context[PLAN_CONTEXT_PENDING_USER] = test_user
        plan.context[PLAN_CONTEXT_PROMPT] = {
            "username": test_user.username,
            "password": new_password,
        }
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
        # Password history should be recorded
        user_password_history_qs = UserPasswordHistory.objects.filter(user=test_user)
        self.assertTrue(user_password_history_qs.exists(), "Password history should be recorded")
        self.assertEqual(len(user_password_history_qs), 1, "expected 1 recorded password")
        # Create a password history entry manually to simulate the signal behavior
        # This is what would happen if the signal worked correctly
        UserPasswordHistory.objects.create(user=test_user, old_password=original_password)
        user_password_history_qs = UserPasswordHistory.objects.filter(user=test_user)
        self.assertTrue(user_password_history_qs.exists(), "Password history should be recorded")
        self.assertEqual(len(user_password_history_qs), 2, "expected 2 recorded password")
        # Execute the flow by sending a POST request to the flow executor endpoint
        response = self.client.post(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
        )
        # Verify that the request was successful
        self.assertEqual(response.status_code, 200)
        user_qs = User.objects.filter(username=plan.context[PLAN_CONTEXT_PROMPT]["username"])
        self.assertTrue(user_qs.exists())
        # Verify the password history entry exists
        user_password_history_qs = UserPasswordHistory.objects.filter(user=test_user)
        self.assertTrue(user_password_history_qs.exists(), "Password history should be recorded")
        self.assertEqual(len(user_password_history_qs), 3, "expected 3 recorded password")
        # Verify that one of the entries contains the original password
        self.assertTrue(
            any(entry.old_password == original_password for entry in user_password_history_qs),
            "original password should be in password history table",
        )
--- a/authentik/enterprise/policies/unique_password/tests/test_tasks.py
+++ b/authentik/enterprise/policies/unique_password/tests/test_tasks.py
@ -1,178 +0,0 @@
 from datetime import datetime, timedelta
 from django.test import TestCase
 from authentik.core.tests.utils import create_test_user
 from authentik.enterprise.policies.unique_password.models import (
    UniquePasswordPolicy,
    UserPasswordHistory,
 )
 from authentik.enterprise.policies.unique_password.tasks import (
    check_and_purge_password_history,
    trim_password_histories,
 )
 from authentik.policies.models import PolicyBinding, PolicyBindingModel
 class TestUniquePasswordPolicyModel(TestCase):
    """Test the UniquePasswordPolicy model methods"""
    def test_is_in_use_with_binding(self):
        """Test is_in_use returns True when a policy binding exists"""
        # Create a UniquePasswordPolicy and a PolicyBinding for it
        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=5)
        pbm = PolicyBindingModel.objects.create()
        PolicyBinding.objects.create(target=pbm, policy=policy, order=0, enabled=True)
        # Verify is_in_use returns True
        self.assertTrue(UniquePasswordPolicy.is_in_use())
    def test_is_in_use_with_promptstage(self):
        """Test is_in_use returns True when attached to a PromptStage"""
        from authentik.stages.prompt.models import PromptStage
        # Create a UniquePasswordPolicy and attach it to a PromptStage
        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=5)
        prompt_stage = PromptStage.objects.create(
            name="Test Prompt Stage",
        )
        # Use the set() method for many-to-many relationships
        prompt_stage.validation_policies.set([policy])
        # Verify is_in_use returns True
        self.assertTrue(UniquePasswordPolicy.is_in_use())
 class TestTrimAllPasswordHistories(TestCase):
    """Test the task that trims password history for all users"""
    def setUp(self):
        self.user1 = create_test_user("test-user1")
        self.user2 = create_test_user("test-user2")
        self.pbm = PolicyBindingModel.objects.create()
        # Create a policy with a limit of 1 password
        self.policy = UniquePasswordPolicy.objects.create(num_historical_passwords=1)
        PolicyBinding.objects.create(
            target=self.pbm,
            policy=self.policy,
            enabled=True,
            order=0,
        )
 class TestCheckAndPurgePasswordHistory(TestCase):
    """Test the scheduled task that checks if any policy is in use and purges if not"""
    def setUp(self):
        self.user = create_test_user("test-user")
        self.pbm = PolicyBindingModel.objects.create()
    def test_purge_when_no_policy_in_use(self):
        """Test that the task purges the table when no policy is in use"""
        # Create some password history entries
        UserPasswordHistory.create_for_user(self.user, "hunter2")
        # Verify we have entries
        self.assertTrue(UserPasswordHistory.objects.exists())
        # Run the task - should purge since no policy is in use
        check_and_purge_password_history()
        # Verify the table is empty
        self.assertFalse(UserPasswordHistory.objects.exists())
    def test_no_purge_when_policy_in_use(self):
        """Test that the task doesn't purge when a policy is in use"""
        # Create a policy and binding
        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=5)
        PolicyBinding.objects.create(
            target=self.pbm,
            policy=policy,
            enabled=True,
            order=0,
        )
        # Create some password history entries
        UserPasswordHistory.create_for_user(self.user, "hunter2")
        # Verify we have entries
        self.assertTrue(UserPasswordHistory.objects.exists())
        # Run the task - should NOT purge since a policy is in use
        check_and_purge_password_history()
        # Verify the entries still exist
        self.assertTrue(UserPasswordHistory.objects.exists())
 class TestTrimPasswordHistory(TestCase):
    """Test password history cleanup task"""
    def setUp(self):
        self.user = create_test_user("test-user")
        self.pbm = PolicyBindingModel.objects.create()
    def test_trim_password_history_ok(self):
        """Test passwords over the define limit are deleted"""
        _now = datetime.now()
        UserPasswordHistory.objects.bulk_create(
            [
                UserPasswordHistory(
                    user=self.user,
                    old_password="hunter1",  # nosec B106
                    created_at=_now - timedelta(days=3),
                ),
                UserPasswordHistory(
                    user=self.user,
                    old_password="hunter2",  # nosec B106
                    created_at=_now - timedelta(days=2),
                ),
                UserPasswordHistory(
                    user=self.user,
                    old_password="hunter3",  # nosec B106
                    created_at=_now,
                ),
            ]
        )
        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=1)
        PolicyBinding.objects.create(
            target=self.pbm,
            policy=policy,
            enabled=True,
            order=0,
        )
        trim_password_histories.delay()
        user_pwd_history_qs = UserPasswordHistory.objects.filter(user=self.user)
        self.assertEqual(len(user_pwd_history_qs), 1)
    def test_trim_password_history_policy_diabled_no_op(self):
        """Test no passwords removed if policy binding is disabled"""
        # Insert a record to ensure it's not deleted after executing task
        UserPasswordHistory.create_for_user(self.user, "hunter2")
        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=1)
        PolicyBinding.objects.create(
            target=self.pbm,
            policy=policy,
            enabled=False,
            order=0,
        )
        trim_password_histories.delay()
        self.assertTrue(UserPasswordHistory.objects.filter(user=self.user).exists())
    def test_trim_password_history_fewer_records_than_maximum_is_no_op(self):
        """Test no passwords deleted if fewer passwords exist than limit"""
        UserPasswordHistory.create_for_user(self.user, "hunter2")
        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=2)
        PolicyBinding.objects.create(
            target=self.pbm,
            policy=policy,
            enabled=True,
            order=0,
        )
        trim_password_histories.delay()
        self.assertTrue(UserPasswordHistory.objects.filter(user=self.user).exists())
--- a/authentik/enterprise/policies/unique_password/urls.py
+++ b/authentik/enterprise/policies/unique_password/urls.py
@ -1,7 +0,0 @@
 """API URLs"""
 from authentik.enterprise.policies.unique_password.api import UniquePasswordPolicyViewSet
 api_urlpatterns = [
    ("policies/unique_password", UniquePasswordPolicyViewSet),
 ]
--- a/authentik/enterprise/providers/google_workspace/clients/groups.py
+++ b/authentik/enterprise/providers/google_workspace/clients/groups.py
@ -25,7 +25,7 @@ class GoogleWorkspaceGroupClient(
    """Google client for groups"""
    connection_type = GoogleWorkspaceProviderGroup
-    connection_attr = "googleworkspaceprovidergroup_set"
+    connection_type_query = "group"
    can_discover = True
    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
--- a/authentik/enterprise/providers/google_workspace/clients/users.py
+++ b/authentik/enterprise/providers/google_workspace/clients/users.py
@ -20,7 +20,7 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
    """Sync authentik users into google workspace"""
    connection_type = GoogleWorkspaceProviderUser
-    connection_attr = "googleworkspaceprovideruser_set"
+    connection_type_query = "user"
    can_discover = True
    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
--- a/authentik/enterprise/providers/google_workspace/models.py
+++ b/authentik/enterprise/providers/google_workspace/models.py
@ -132,11 +132,7 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
        if type == User:
            # Get queryset of all users with consistent ordering
            # according to the provider's settings
-            base = (
+            base = User.objects.all().exclude_anonymous()
                User.objects.prefetch_related("googleworkspaceprovideruser_set")
                .all()
                .exclude_anonymous()
            )
            if self.exclude_users_service_account:
                base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                    type=UserTypes.INTERNAL_SERVICE_ACCOUNT
@ -146,11 +142,7 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
            return base.order_by("pk")
        if type == Group:
            # Get queryset of all groups with consistent ordering
-            return (
+            return Group.objects.all().order_by("pk")
                Group.objects.prefetch_related("googleworkspaceprovidergroup_set")
                .all()
                .order_by("pk")
            )
        raise ValueError(f"Invalid type {type}")
    def google_credentials(self):
--- a/authentik/enterprise/providers/microsoft_entra/clients/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/groups.py
@ -29,7 +29,7 @@ class MicrosoftEntraGroupClient(
    """Microsoft client for groups"""
    connection_type = MicrosoftEntraProviderGroup
-    connection_attr = "microsoftentraprovidergroup_set"
+    connection_type_query = "group"
    can_discover = True
    def __init__(self, provider: MicrosoftEntraProvider) -> None:
--- a/authentik/enterprise/providers/microsoft_entra/clients/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/users.py
@ -24,7 +24,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
    """Sync authentik users into microsoft entra"""
    connection_type = MicrosoftEntraProviderUser
-    connection_attr = "microsoftentraprovideruser_set"
+    connection_type_query = "user"
    can_discover = True
    def __init__(self, provider: MicrosoftEntraProvider) -> None:
--- a/authentik/enterprise/providers/microsoft_entra/models.py
+++ b/authentik/enterprise/providers/microsoft_entra/models.py
@ -121,11 +121,7 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
        if type == User:
            # Get queryset of all users with consistent ordering
            # according to the provider's settings
-            base = (
+            base = User.objects.all().exclude_anonymous()
                User.objects.prefetch_related("microsoftentraprovideruser_set")
                .all()
                .exclude_anonymous()
            )
            if self.exclude_users_service_account:
                base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                    type=UserTypes.INTERNAL_SERVICE_ACCOUNT
@ -135,11 +131,7 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
            return base.order_by("pk")
        if type == Group:
            # Get queryset of all groups with consistent ordering
-            return (
+            return Group.objects.all().order_by("pk")
                Group.objects.prefetch_related("microsoftentraprovidergroup_set")
                .all()
                .order_by("pk")
            )
        raise ValueError(f"Invalid type {type}")
    def microsoft_credentials(self):
--- a/authentik/enterprise/providers/ssf/signals.py
+++ b/authentik/enterprise/providers/ssf/signals.py
@ -102,7 +102,7 @@ def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSessi
            "format": "complex",
            "session": {
                "format": "opaque",
-                "id": sha256(instance.session.session_key.encode("ascii")).hexdigest(),
+                "id": sha256(instance.session_key.encode("ascii")).hexdigest(),
            },
            "user": {
                "format": "email",
--- a/authentik/enterprise/providers/ssf/views/stream.py
+++ b/authentik/enterprise/providers/ssf/views/stream.py
@ -4,9 +4,10 @@ from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from structlog.stdlib import get_logger
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.providers.ssf.models import (
    DeliveryMethods,
    EventTypes,
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -14,12 +14,10 @@ CELERY_BEAT_SCHEDULE = {
 TENANT_APPS = [
    "authentik.enterprise.audit",
    "authentik.enterprise.policies.unique_password",
    "authentik.enterprise.providers.google_workspace",
    "authentik.enterprise.providers.microsoft_entra",
    "authentik.enterprise.providers.ssf",
    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.mtls",
    "authentik.enterprise.stages.source",
 ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@ -2,11 +2,11 @@
 from rest_framework import mixins
 from rest_framework.permissions import IsAdminUser
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    AuthenticatorEndpointGDTCStage,
--- a/authentik/enterprise/stages/mtls/init.py
+++ b/authentik/enterprise/stages/mtls/init.py
--- a/authentik/enterprise/stages/mtls/api.py
+++ b/authentik/enterprise/stages/mtls/api.py
@ -1,31 +0,0 @@
 """Mutual TLS Stage API Views"""
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.mtls.models import MutualTLSStage
 from authentik.flows.api.stages import StageSerializer
 class MutualTLSStageSerializer(EnterpriseRequiredMixin, StageSerializer):
    """MutualTLSStage Serializer"""
    class Meta:
        model = MutualTLSStage
        fields = StageSerializer.Meta.fields + [
            "mode",
            "certificate_authorities",
            "cert_attribute",
            "user_attribute",
        ]
 class MutualTLSStageViewSet(UsedByMixin, ModelViewSet):
    """MutualTLSStage Viewset"""
    queryset = MutualTLSStage.objects.all()
    serializer_class = MutualTLSStageSerializer
    filterset_fields = "__all__"
    ordering = ["name"]
    search_fields = ["name"]
--- a/authentik/enterprise/stages/mtls/apps.py
+++ b/authentik/enterprise/stages/mtls/apps.py
@ -1,12 +0,0 @@
 """authentik stage app config"""
 from authentik.enterprise.apps import EnterpriseConfig
 class AuthentikEnterpriseStageMTLSConfig(EnterpriseConfig):
    """authentik MTLS stage config"""
    name = "authentik.enterprise.stages.mtls"
    label = "authentik_stages_mtls"
    verbose_name = "authentik Enterprise.Stages.MTLS"
    default = True
--- a/authentik/enterprise/stages/mtls/migrations/0001_initial.py
+++ b/authentik/enterprise/stages/mtls/migrations/0001_initial.py
@ -1,68 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-19 18:29
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
        ("authentik_flows", "0027_auto_20231028_1424"),
    ]
    operations = [
        migrations.CreateModel(
            name="MutualTLSStage",
            fields=[
                (
                    "stage_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_flows.stage",
                    ),
                ),
                (
                    "mode",
                    models.TextField(choices=[("optional", "Optional"), ("required", "Required")]),
                ),
                (
                    "cert_attribute",
                    models.TextField(
                        choices=[
                            ("subject", "Subject"),
                            ("common_name", "Common Name"),
                            ("email", "Email"),
                        ]
                    ),
                ),
                (
                    "user_attribute",
                    models.TextField(choices=[("username", "Username"), ("email", "Email")]),
                ),
                (
                    "certificate_authorities",
                    models.ManyToManyField(
                        blank=True,
                        default=None,
                        help_text="Configure certificate authorities to validate the certificate against. This option has a higher priority than the `client_certificate` option on `Brand`.",
                        to="authentik_crypto.certificatekeypair",
                    ),
                ),
            ],
            options={
                "verbose_name": "Mutual TLS Stage",
                "verbose_name_plural": "Mutual TLS Stages",
                "permissions": [
                    ("pass_outpost_certificate", "Permissions to pass Certificates for outposts.")
                ],
            },
            bases=("authentik_flows.stage",),
        ),
    ]
--- a/authentik/enterprise/stages/mtls/migrations/init.py
+++ b/authentik/enterprise/stages/mtls/migrations/init.py
--- a/authentik/enterprise/stages/mtls/models.py
+++ b/authentik/enterprise/stages/mtls/models.py
@ -1,71 +0,0 @@
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Stage
 from authentik.flows.stage import StageView
 class TLSMode(models.TextChoices):
    """Modes the TLS Stage can operate in"""
    OPTIONAL = "optional"
    REQUIRED = "required"
 class CertAttributes(models.TextChoices):
    """Certificate attribute used for user matching"""
    SUBJECT = "subject"
    COMMON_NAME = "common_name"
    EMAIL = "email"
 class UserAttributes(models.TextChoices):
    """User attribute for user matching"""
    USERNAME = "username"
    EMAIL = "email"
 class MutualTLSStage(Stage):
    """Authenticate/enroll users using a client-certificate."""
    mode = models.TextField(choices=TLSMode.choices)
    certificate_authorities = models.ManyToManyField(
        CertificateKeyPair,
        default=None,
        blank=True,
        help_text=_(
            "Configure certificate authorities to validate the certificate against. "
            "This option has a higher priority than the `client_certificate` option on `Brand`."
        ),
    )
    cert_attribute = models.TextField(choices=CertAttributes.choices)
    user_attribute = models.TextField(choices=UserAttributes.choices)
    @property
    def view(self) -> type[StageView]:
        from authentik.enterprise.stages.mtls.stage import MTLSStageView
        return MTLSStageView
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.enterprise.stages.mtls.api import MutualTLSStageSerializer
        return MutualTLSStageSerializer
    @property
    def component(self) -> str:
        return "ak-stage-mtls-form"
    class Meta:
        verbose_name = _("Mutual TLS Stage")
        verbose_name_plural = _("Mutual TLS Stages")
        permissions = [
            ("pass_outpost_certificate", _("Permissions to pass Certificates for outposts.")),
        ]
--- a/authentik/enterprise/stages/mtls/stage.py
+++ b/authentik/enterprise/stages/mtls/stage.py
@ -1,230 +0,0 @@
 from binascii import hexlify
 from urllib.parse import unquote_plus
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.primitives import hashes
 from cryptography.x509 import (
    Certificate,
    NameOID,
    ObjectIdentifier,
    UnsupportedGeneralNameType,
    load_pem_x509_certificate,
 )
 from cryptography.x509.verification import PolicyBuilder, Store, VerificationError
 from django.utils.translation import gettext_lazy as _
 from authentik.brands.models import Brand
 from authentik.core.models import User
 from authentik.crypto.models import CertificateKeyPair
 from authentik.enterprise.stages.mtls.models import (
    CertAttributes,
    MutualTLSStage,
    TLSMode,
    UserAttributes,
 )
 from authentik.flows.challenge import AccessDeniedChallenge
 from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 # All of these headers must only be accepted from "trusted" reverse proxies
 # See internal/web/proxy.go:39
 HEADER_PROXY_FORWARDED = "X-Forwarded-Client-Cert"
 HEADER_NGINX_FORWARDED = "SSL-Client-Cert"
 HEADER_TRAEFIK_FORWARDED = "X-Forwarded-TLS-Client-Cert"
 HEADER_OUTPOST_FORWARDED = "X-Authentik-Outpost-Certificate"
 PLAN_CONTEXT_CERTIFICATE = "certificate"
 class MTLSStageView(ChallengeStageView):
    def __parse_single_cert(self, raw: str | None) -> list[Certificate]:
        """Helper to parse a single certificate"""
        if not raw:
            return []
        try:
            cert = load_pem_x509_certificate(unquote_plus(raw).encode())
            return [cert]
        except ValueError as exc:
            self.logger.info("Failed to parse certificate", exc=exc)
            return []
    def _parse_cert_xfcc(self) -> list[Certificate]:
        """Parse certificates in the format given to us in
        the format of the authentik router/envoy"""
        xfcc_raw = self.request.headers.get(HEADER_PROXY_FORWARDED)
        if not xfcc_raw:
            return []
        certs = []
        for r_cert in xfcc_raw.split(","):
            el = r_cert.split(";")
            raw_cert = {k.split("=")[0]: k.split("=")[1] for k in el}
            if "Cert" not in raw_cert:
                continue
            certs.extend(self.__parse_single_cert(raw_cert["Cert"]))
        return certs
    def _parse_cert_nginx(self) -> list[Certificate]:
        """Parse certificates in the format nginx-ingress gives to us"""
        sslcc_raw = self.request.headers.get(HEADER_NGINX_FORWARDED)
        return self.__parse_single_cert(sslcc_raw)
    def _parse_cert_traefik(self) -> list[Certificate]:
        """Parse certificates in the format traefik gives to us"""
        ftcc_raw = self.request.headers.get(HEADER_TRAEFIK_FORWARDED)
        return self.__parse_single_cert(ftcc_raw)
    def _parse_cert_outpost(self) -> list[Certificate]:
        """Parse certificates in the format outposts give to us. Also authenticates
        the outpost to ensure it has the permission to do so"""
        user = ClientIPMiddleware.get_outpost_user(self.request)
        if not user:
            return []
        if not user.has_perm(
            "pass_outpost_certificate", self.executor.current_stage
        ) and not user.has_perm("authentik_stages_mtls.pass_outpost_certificate"):
            return []
        outpost_raw = self.request.headers.get(HEADER_OUTPOST_FORWARDED)
        return self.__parse_single_cert(outpost_raw)
    def get_authorities(self) -> list[CertificateKeyPair] | None:
        # We can't access `certificate_authorities` on `self.executor.current_stage`, as that would
        # load the certificate into the directly referenced foreign key, which we have to pickle
        # as part of the flow plan, and cryptography certs can't be pickled
        stage: MutualTLSStage = (
            MutualTLSStage.objects.filter(pk=self.executor.current_stage.pk)
            .prefetch_related("certificate_authorities")
            .first()
        )
        if stage.certificate_authorities.exists():
            return stage.certificate_authorities.order_by("name")
        brand: Brand = self.request.brand
        if brand.client_certificates.exists():
            return brand.client_certificates.order_by("name")
        return None
    def validate_cert(self, authorities: list[CertificateKeyPair], certs: list[Certificate]):
        authorities_cert = [x.certificate for x in authorities]
        for _cert in certs:
            try:
                PolicyBuilder().store(Store(authorities_cert)).build_client_verifier().verify(
                    _cert, []
                )
                return _cert
            except (
                InvalidSignature,
                TypeError,
                ValueError,
                VerificationError,
                UnsupportedGeneralNameType,
            ) as exc:
                self.logger.warning("Discarding invalid certificate", cert=_cert, exc=exc)
                continue
        return None
    def check_if_user(self, cert: Certificate):
        stage: MutualTLSStage = self.executor.current_stage
        cert_attr = None
        user_attr = None
        match stage.cert_attribute:
            case CertAttributes.SUBJECT:
                cert_attr = cert.subject.rfc4514_string()
            case CertAttributes.COMMON_NAME:
                cert_attr = self.get_cert_attribute(cert, NameOID.COMMON_NAME)
            case CertAttributes.EMAIL:
                cert_attr = self.get_cert_attribute(cert, NameOID.EMAIL_ADDRESS)
        match stage.user_attribute:
            case UserAttributes.USERNAME:
                user_attr = "username"
            case UserAttributes.EMAIL:
                user_attr = "email"
        if not user_attr or not cert_attr:
            return None
        return User.objects.filter(**{user_attr: cert_attr}).first()
    def _cert_to_dict(self, cert: Certificate) -> dict:
        """Represent a certificate in a dictionary, as certificate objects cannot be pickled"""
        return {
            "serial_number": str(cert.serial_number),
            "subject": cert.subject.rfc4514_string(),
            "issuer": cert.issuer.rfc4514_string(),
            "fingerprint_sha256": hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8"),
            "fingerprint_sha1": hexlify(cert.fingerprint(hashes.SHA1()), ":").decode(  # nosec
                "utf-8"
            ),
        }
    def auth_user(self, user: User, cert: Certificate):
        self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
        self.executor.plan.context.setdefault(PLAN_CONTEXT_METHOD, "mtls")
        self.executor.plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
        self.executor.plan.context[PLAN_CONTEXT_METHOD_ARGS].update(
            {"certificate": self._cert_to_dict(cert)}
        )
    def enroll_prepare_user(self, cert: Certificate):
        self.executor.plan.context.setdefault(PLAN_CONTEXT_PROMPT, {})
        self.executor.plan.context[PLAN_CONTEXT_PROMPT].update(
            {
                "email": self.get_cert_attribute(cert, NameOID.EMAIL_ADDRESS),
                "name": self.get_cert_attribute(cert, NameOID.COMMON_NAME),
            }
        )
        self.executor.plan.context[PLAN_CONTEXT_CERTIFICATE] = self._cert_to_dict(cert)
    def get_cert_attribute(self, cert: Certificate, oid: ObjectIdentifier) -> str | None:
        attr = cert.subject.get_attributes_for_oid(oid)
        if len(attr) < 1:
            return None
        return str(attr[0].value)
    def dispatch(self, request, *args, **kwargs):
        stage: MutualTLSStage = self.executor.current_stage
        certs = [
            *self._parse_cert_xfcc(),
            *self._parse_cert_nginx(),
            *self._parse_cert_traefik(),
            *self._parse_cert_outpost(),
        ]
        authorities = self.get_authorities()
        if not authorities:
            self.logger.warning("No Certificate authority found")
            if stage.mode == TLSMode.OPTIONAL:
                return self.executor.stage_ok()
            if stage.mode == TLSMode.REQUIRED:
                return super().dispatch(request, *args, **kwargs)
        cert = self.validate_cert(authorities, certs)
        if not cert and stage.mode == TLSMode.REQUIRED:
            self.logger.warning("Client certificate required but no certificates given")
            return super().dispatch(
                request,
                *args,
                error_message=_("Certificate required but no certificate was given."),
                **kwargs,
            )
        if not cert and stage.mode == TLSMode.OPTIONAL:
            self.logger.info("No certificate given, continuing")
            return self.executor.stage_ok()
        existing_user = self.check_if_user(cert)
        if self.executor.flow.designation == FlowDesignation.ENROLLMENT:
            self.enroll_prepare_user(cert)
        elif existing_user:
            self.auth_user(existing_user, cert)
        else:
            return super().dispatch(
                request, *args, error_message=_("No user found for certificate."), **kwargs
            )
        return self.executor.stage_ok()
    def get_challenge(self, *args, error_message: str | None = None, **kwargs):
        return AccessDeniedChallenge(
            data={
                "component": "ak-stage-access-denied",
                "error_message": str(error_message or "Unknown error"),
            }
        )
--- a/authentik/enterprise/stages/mtls/tests/init.py
+++ b/authentik/enterprise/stages/mtls/tests/init.py
--- a/authentik/enterprise/stages/mtls/tests/fixtures/ca.pem
+++ b/authentik/enterprise/stages/mtls/tests/fixtures/ca.pem
@ -1,31 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIFXDCCA0SgAwIBAgIUBmV7zREyC1SPr72/75/L9zpwV18wDQYJKoZIhvcNAQEL
 BQAwRjEaMBgGA1UEAwwRYXV0aGVudGlrIFRlc3QgQ0ExEjAQBgNVBAoMCWF1dGhl
 bnRpazEUMBIGA1UECwwLU2VsZi1zaWduZWQwHhcNMjUwNDI3MTgzMDUwWhcNMzUw
 MzA3MTgzMDUwWjBGMRowGAYDVQQDDBFhdXRoZW50aWsgVGVzdCBDQTESMBAGA1UE
 CgwJYXV0aGVudGlrMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCAiIwDQYJKoZIhvcN
 AQEBBQADggIPADCCAgoCggIBAMc0NxZj7j1mPu0aRToo8oMPdC3T99xgxnqdr18x
 LV4pWyi/YLghgZHqNQY2xNP6JIlSeUZD6KFUYT2sPL4Av/zSg5zO8bl+/lf7ckje
 O1/Bt5A8xtL0CpmpMDGiI6ibdDElaywM6AohisbxrV29pygSKGq2wugF/urqGtE+
 5z4y5Kt6qMdKkd0iXT+WagbQTIUlykFKgB0+qqTLzDl01lVDa/DoLl8Hqp45mVx2
 pqrGsSa3TCErLIv9hUlZklF7A8UV4ZB4JL20UKcP8dKzQClviNie17tpsUpOuy3A
 SQ6+guWTHTLJNCSdLn1xIqc5q+f5wd2dIDf8zXCTHj+Xp0bJE3Vgaq5R31K9+b+1
 2dDWz1KcNJaLEnw2+b0O8M64wTMLxhqOv7QfLUr6Pmg1ZymghjLcZ6bnU9e31Vza
 hlPKhxjqYQUC4Kq+oaYF6qdUeJy+dsYf0iDv5tTC+eReZDWIjxTPrNpwA773ZwT7
 WVmL7ULGpuP2g9rNvFBcZiN+i6d7CUoN+jd/iRdo79lrI0dfXiyy4bYgW/2HeZfF
 HaOsc1xsoqnJdWbWkX/ooyaCjAfm07kS3HiOzz4q3QW4wgGrwV8lEraLPxYYeOQu
 YcGMOM8NfnVkjc8gmyXUxedCje5Vz/Tu5fKrQEInnCmXxVsWbwr/LzEjMKAM/ivY
 0TXxAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0G
 A1UdDgQWBBTa+Ns6QzqlNvnTGszkouQQtZnVJDANBgkqhkiG9w0BAQsFAAOCAgEA
 NpJEDMXjuEIzSzafkxSshvjnt5sMYmzmvjNoRlkxgN2YcWvPoxbalGAYzcpyggT2
 6xZY8R4tvB1oNTCArqwf860kkofUoJCr88D/pU3Cv4JhjCWs4pmXTsvSqlBSlJbo
 +jPBZwbn6it/6jcit6Be3rW2PtHe8tASd9Lf8/2r1ZvupXwPzcR84R4Z10ve2lqV
 xxcWlMmBh51CaYI0b1/WTe9Ua+wgkCVkxbf9zNcDQXjxw2ICWK+nR/4ld4nmqVm2
 C7nhvXwU8FAHl7ZgR2Z3PLrwPuhd+kd6NXQqNkS9A+n+1vSRLbRjmV8pwIPpdPEq
 nslUAGJJBHDUBArxC3gOJSB+WtmaCfzDu2gepMf9Ng1H2ZhwSF/FH3v3fsJqZkzz
 NBstT9KuNGQRYiCmAPJaoVAc9BoLa+BFML1govtWtpdmbFk8PZEcuUsP7iAZqFF1
 uuldPyZ8huGpQSR6Oq2bILRHowfGY0npTZAyxg0Vs8UMy1HTwNOp9OuRtArMZmsJ
 jFIx1QzRf9S1i6bYpOzOudoXj4ARkS1KmVExGjJFcIT0xlFSSERie2fEKSeEYOyG
 G+PA2qRt/F51FGOMm1ZscjPXqk2kt3C4BFbz6Vvxsq7D3lmhvFLn4jVA8+OidsM0
 YUrVMtWET/RkjEIbADbgRXxNUNo+jtQZDU9C1IiAdfk=
 -----END CERTIFICATE-----
--- a/authentik/enterprise/stages/mtls/tests/fixtures/cert_client.pem
+++ b/authentik/enterprise/stages/mtls/tests/fixtures/cert_client.pem
@ -1,31 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIFWTCCA0GgAwIBAgIUDEnKCSmIXG/akySGes7bhOGrN/8wDQYJKoZIhvcNAQEL
 BQAwRjEaMBgGA1UEAwwRYXV0aGVudGlrIFRlc3QgQ0ExEjAQBgNVBAoMCWF1dGhl
 bnRpazEUMBIGA1UECwwLU2VsZi1zaWduZWQwHhcNMjUwNTE5MTIzODQ2WhcNMjYw
 NTE1MTIzODQ2WjARMQ8wDQYDVQQDDAZjbGllbnQwggIiMA0GCSqGSIb3DQEBAQUA
 A4ICDwAwggIKAoICAQCkPkS1V6l0gj0ulxMznkxkgrw4p9Tjd8teSsGZt02A2Eo6
 7D8FbJ7pp3d5fYW/TWuEKVBLWTID6rijW5EGcdgTM5Jxf/QR+aZTEK6umQxUd4yO
 mOtp+xVS3KlcsSej2dFpeE5h5VkZizHpvh5xkoAP8W5VtQLOVF0hIeumHnJmaeLj
 +mhK9PBFpO7k9SFrYYhd/uLrYbIdANihbIO2Q74rNEJHewhFNM7oNSjjEWzRd/7S
 qNdQij9JGrVG7u8YJJscEQHqyHMYFVCEMjxmsge5BO6Vx5OWmUE3wXPzb5TbyTS4
 +yg88g9rYTUXrzz+poCyKpaur45qBsdw35lJ8nq69VJj2xJLGQDwoTgGSXRuPciC
 3OilQI+Ma+j8qQGJxJ8WJxISlf1cuhp+V4ZUd1lawlM5hAXyXmHRlH4pun4y+g7O
 O34+fE3pK25JjVCicMT/rC2A/sb95j/fHTzzJpbB70U0I50maTcIsOkyw6aiF//E
 0ShTDz14x22SCMolUc6hxTDZvBB6yrcJHd7d9CCnFH2Sgo13QrtNJ/atXgm13HGh
 wBzRwK38XUGl/J4pJaxAupTVCPriStUM3m0EYHNelRRUE91pbyeGT0rvOuv00uLw
 Rj7K7hJZR8avTKWmKrVBVpq+gSojGW1DwBS0NiDNkZs0d/IjB1wkzczEgdZjXwID
 AQABo3QwcjAfBgNVHSMEGDAWgBTa+Ns6QzqlNvnTGszkouQQtZnVJDAdBgNVHSUE
 FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEQYDVR0RBAowCIIGY2xpZW50MB0GA1Ud
 DgQWBBT1xg5sXkypRBwvCxBuyfoanaiZ5jANBgkqhkiG9w0BAQsFAAOCAgEAvUAz
 YwIjxY/0KHZDU8owdILVqKChzfLcy9OHNPyEI3TSOI8X6gNtBO+HE6r8aWGcC9vw
 zzeIsNQ3UEjvRWi2r+vUVbiPTbFdZboNDSZv6ZmGHxwd85VsjXRGoXV6koCT/9zi
 9/lCM1DwqwYSwBphMJdRVFRUMluSYk1oHflGeA18xgGuts4eFivJwhabGm1AdVVQ
 /CYvqCuTxd/DCzWZBdyxYpDru64i/kyeJCt1pThKEFDWmpumFdBI4CxJ0OhxVSGp
 dOXzK+Y6ULepxCvi6/OpSog52jQ6PnNd1ghiYtq7yO1T4GQz65M1vtHHVvQ3gfBE
 AuKYQp6io7ypitRx+LpjsBQenyP4FFGfrq7pm90nLluOBOArfSdF0N+CP2wo/YFV
 9BGf89OtvRi3BXCm2NXkE/Sc4We26tY8x7xNLOmNs8YOT0O3r/EQ690W9GIwRMx0
 m0r/RXWn5V3o4Jib9r8eH9NzaDstD8g9dECcGfM4fHoM/DAGFaRrNcjMsS1APP3L
 jp7+BfBSXtrz9V6rVJ3CBLXlLK0AuSm7bqd1MJsGA9uMLpsVZIUA+KawcmPGdPU+
 NxdpBCtzyurQSUyaTLtVqSeP35gMAwaNzUDph8Uh+vHz+kRwgXS19OQvTaud5LJu
 nQe4JNS+u5e2VDEBWUxt8NTpu6eShDN0iIEHtxA=
 -----END CERTIFICATE-----
--- a/authentik/enterprise/stages/mtls/tests/test_stage.py
+++ b/authentik/enterprise/stages/mtls/tests/test_stage.py
@ -1,228 +0,0 @@
 from unittest.mock import MagicMock, patch
 from urllib.parse import quote_plus
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from authentik.core.models import User
 from authentik.core.tests.utils import (
    create_test_brand,
    create_test_cert,
    create_test_flow,
    create_test_user,
 )
 from authentik.crypto.models import CertificateKeyPair
 from authentik.enterprise.stages.mtls.models import (
    CertAttributes,
    MutualTLSStage,
    TLSMode,
    UserAttributes,
 )
 from authentik.enterprise.stages.mtls.stage import PLAN_CONTEXT_CERTIFICATE
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.tests import FlowTestCase
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 class MTLSStageTests(FlowTestCase):
    def setUp(self):
        super().setUp()
        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        self.ca = CertificateKeyPair.objects.create(
            name=generate_id(),
            certificate_data=load_fixture("fixtures/ca.pem"),
        )
        self.stage = MutualTLSStage.objects.create(
            name=generate_id(),
            mode=TLSMode.REQUIRED,
            cert_attribute=CertAttributes.COMMON_NAME,
            user_attribute=UserAttributes.USERNAME,
        )
        self.stage.certificate_authorities.add(self.ca)
        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=0)
        self.client_cert = load_fixture("fixtures/cert_client.pem")
        # User matching the certificate
        User.objects.filter(username="client").delete()
        self.cert_user = create_test_user(username="client")
    def test_parse_xfcc(self):
        """Test authentik Proxy/Envoy's XFCC format"""
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-Client-Cert": f"Cert={quote_plus(self.client_cert)}"},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_nginx(self):
        """Test nginx's format"""
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"SSL-Client-Cert": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_traefik(self):
        """Test traefik's format"""
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_outpost_object(self):
        """Test outposts's format"""
        outpost = Outpost.objects.create(name=generate_id(), type=OutpostType.PROXY)
        assign_perm("pass_outpost_certificate", outpost.user, self.stage)
        with patch(
            "authentik.root.middleware.ClientIPMiddleware.get_outpost_user",
            MagicMock(return_value=outpost.user),
        ):
            with self.assertFlowFinishes() as plan:
                res = self.client.get(
                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                    headers={"X-Authentik-Outpost-Certificate": quote_plus(self.client_cert)},
                )
                self.assertEqual(res.status_code, 200)
                self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
            self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_outpost_global(self):
        """Test outposts's format"""
        outpost = Outpost.objects.create(name=generate_id(), type=OutpostType.PROXY)
        assign_perm("authentik_stages_mtls.pass_outpost_certificate", outpost.user)
        with patch(
            "authentik.root.middleware.ClientIPMiddleware.get_outpost_user",
            MagicMock(return_value=outpost.user),
        ):
            with self.assertFlowFinishes() as plan:
                res = self.client.get(
                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                    headers={"X-Authentik-Outpost-Certificate": quote_plus(self.client_cert)},
                )
                self.assertEqual(res.status_code, 200)
                self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
            self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_outpost_no_perm(self):
        """Test outposts's format"""
        outpost = Outpost.objects.create(name=generate_id(), type=OutpostType.PROXY)
        with patch(
            "authentik.root.middleware.ClientIPMiddleware.get_outpost_user",
            MagicMock(return_value=outpost.user),
        ):
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Authentik-Outpost-Certificate": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
    def test_invalid_cert(self):
        """Test invalid certificate"""
        cert = create_test_cert()
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-TLS-Client-Cert": quote_plus(cert.certificate_data)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
        self.assertNotIn(PLAN_CONTEXT_PENDING_USER, plan().context)
    def test_auth_no_user(self):
        """Test auth with no user"""
        User.objects.filter(username="client").delete()
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
        )
        self.assertEqual(res.status_code, 200)
        self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
    def test_brand_ca(self):
        """Test using a CA from the brand"""
        self.stage.certificate_authorities.clear()
        brand = create_test_brand()
        brand.client_certificates.add(self.ca)
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_no_ca_optional(self):
        """Test using no CA Set"""
        self.stage.mode = TLSMode.OPTIONAL
        self.stage.certificate_authorities.clear()
        self.stage.save()
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
        )
        self.assertEqual(res.status_code, 200)
        self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
    def test_no_ca_required(self):
        """Test using no CA Set"""
        self.stage.certificate_authorities.clear()
        self.stage.save()
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
        )
        self.assertEqual(res.status_code, 200)
        self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
    def test_no_cert_optional(self):
        """Test using no cert Set"""
        self.stage.mode = TLSMode.OPTIONAL
        self.stage.save()
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
        )
        self.assertEqual(res.status_code, 200)
        self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
    def test_enroll(self):
        """Test Enrollment flow"""
        self.flow.designation = FlowDesignation.ENROLLMENT
        self.flow.save()
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PROMPT], {"email": None, "name": "client"})
        self.assertEqual(
            plan().context[PLAN_CONTEXT_CERTIFICATE],
            {
                "fingerprint_sha1": "52:39:ca:1e:3a:1f:78:3a:9f:26:3b:c2:84:99:48:68:99:99:81:8a",
                "fingerprint_sha256": (
                    "c1:07:8b:7c:e9:02:57:87:1e:92:e5:81:83:21:bc:92:c7:47:65:e3:97:fb:05:97:6f:36:9e:b5:31:77:98:b7"
                ),
                "issuer": "OU=Self-signed,O=authentik,CN=authentik Test CA",
                "serial_number": "70153443448884702681996102271549704759327537151",
                "subject": "CN=client",
            },
        )
--- a/authentik/enterprise/stages/mtls/urls.py
+++ b/authentik/enterprise/stages/mtls/urls.py
@ -1,5 +0,0 @@
 """API URLs"""
 from authentik.enterprise.stages.mtls.api import MutualTLSStageViewSet
 api_urlpatterns = [("stages/mtls", MutualTLSStageViewSet)]
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@ -8,7 +8,6 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError
 from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
    THRESHOLD_READ_ONLY_WEEKS,
@ -72,9 +71,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_valid_multiple(self):
        """Check license verification"""
-        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic = License.objects.create(key=generate_id())
        self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic2 = License.objects.create(key=generate_id())
        self.assertTrue(lic2.status.status().is_valid)
        total = LicenseKey.get_total()
        self.assertEqual(total.internal_users, 200)
@ -233,9 +232,7 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_expiry_expired(self):
        """Check license verification"""
-        User.objects.all().delete()
+        License.objects.create(key=generate_id())
        License.objects.all().delete()
        License.objects.create(key=generate_id(), expiry=expiry_expired)
        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)
    @patch(
--- a/authentik/events/logs.py
+++ b/authentik/events/logs.py
@ -57,7 +57,7 @@ class LogEventSerializer(PassiveSerializer):
@contextmanager
-def capture_logs(log_default_output=True) -> Generator[list[LogEvent]]:
+def capture_logs(log_default_output=True) -> Generator[list[LogEvent], None, None]:
    """Capture log entries created"""
    logs = []
    cap = LogCapture()
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -59,7 +59,7 @@ def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | Non
        session = request_or_session.session
    if isinstance(request_or_session, AuthenticatedSession):
        SessionStore = _session_engine.SessionStore
-        session = SessionStore(request_or_session.session.session_key)
+        session = SessionStore(request_or_session.session_key)
    return session.get(SESSION_LOGIN_EVENT, None)
--- a/authentik/flows/migrations/0028_flowtoken_revoke_on_execution.py
+++ b/authentik/flows/migrations/0028_flowtoken_revoke_on_execution.py
@ -1,18 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-27 12:52
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0027_auto_20231028_1424"),
    ]
    operations = [
        migrations.AddField(
            model_name="flowtoken",
            name="revoke_on_execution",
            field=models.BooleanField(default=True),
        ),
    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -303,10 +303,9 @@ class FlowToken(Token):
    flow = models.ForeignKey(Flow, on_delete=models.CASCADE)
    _plan = models.TextField()
    revoke_on_execution = models.BooleanField(default=True)
    @staticmethod
-    def pickle(plan: "FlowPlan") -> str:
+    def pickle(plan) -> str:
        """Pickle into string"""
        data = dumps(plan)
        return b64encode(data).decode()
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -99,10 +99,9 @@ class ChallengeStageView(StageView):
            self.logger.debug("Got StageInvalidException", exc=exc)
            return self.executor.stage_invalid()
        if not challenge.is_valid():
-            self.logger.error(
+            self.logger.warning(
                "f(ch): Invalid challenge",
                errors=challenge.errors,
                challenge=challenge.data,
            )
        return HttpChallengeResponse(challenge)
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -15,7 +15,6 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
        <link rel="prefetch" href="{{ flow_background_url }}" />
        {% include "base/header_js.html" %}
        <style>
          html,
@ -23,7 +22,7 @@
            height: 100%;
          }
          body {
-            background-image: url("{{ flow_background_url }}");
+            background-image: url("{{ flow.background_url }}");
            background-repeat: no-repeat;
            background-size: cover;
          }
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -5,9 +5,9 @@
 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow_background_url }}" />
+<link rel="prefetch" href="{{ flow.background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
-<script>ShadyDOM = { force: true };</script>
+<script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
 {% include "base/header_js.html" %}
 <script>
@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow_background_url }}");
+    --ak-flow-background: url("{{ flow.background_url }}");
 }
 </style>
 {% endblock %}
--- a/Show More
+++ b/Show More
`@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)`

	`## Adoption and Contributions`	`## Adoption and Contributions`

	`Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).`	`Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).`