web: Update test types, config.

web: Prepare NPM Workspaces.
web: Use consistent TSConfig.
2025-05-23 13:23:05 +02:00 · 2025-05-23 13:20:45 +02:00 · 2025-05-23 13:20:45 +02:00 · 2025-05-23 13:20:44 +02:00 · 2025-05-23 13:20:44 +02:00 · 2025-05-23 13:14:22 +02:00
407 changed files with 47186 additions and 75789 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.2
+current_version = 2025.4.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -21,8 +21,6 @@ optional_value = final

 [bumpversion:file:package.json]

-[bumpversion:file:package-lock.json]
-
 [bumpversion:file:docker-compose.yml]

 [bumpversion:file:schema.yml]
@ -33,4 +31,6 @@ optional_value = final

 [bumpversion:file:internal/constants/constants.go]

+[bumpversion:file:web/src/common/constants.ts]
+
 [bumpversion:file:lifecycle/aws/template.yaml]
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -28,15 +28,15 @@ runs:
    - name: Setup node
      uses: actions/setup-node@v4
      with:
-        node-version-file: web/package.json
+        node-version-file: package.json
        cache: "npm"
-        cache-dependency-path: web/package-lock.json
+        cache-dependency-path: package-lock.json
    - name: Setup go
      uses: actions/setup-go@v5
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
-      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
+      uses: ScribeMD/docker-cache@0.5.0
      with:
        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
@ -44,7 +44,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        cd web && npm ci
+        npm ci
    - name: Generate config
      shell: uv run python {0}
      run: |
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -20,8 +20,11 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          registry-url: "https://registry.npmjs.org"
+      - name: Prepare Dependencies
+        run: |
+          npm ci
      - name: Generate API Client
        run: make gen-client-ts
      - name: Publish package
@ -32,15 +35,13 @@ jobs:
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
-        working-directory: web
        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
+          export VERSION=`node -e 'console.log(require("./gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION -w @goauthentik/web
      - name: Upgrade /web/packages/sfe
-        working-directory: web/packages/sfe
        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
+          export VERSION=`node -e 'console.log(require("./gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION -w @goauthentik/web-sfe
      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -62,7 +62,6 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
-          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@ -117,7 +116,6 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
-          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@ -195,23 +193,22 @@ jobs:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Setup e2e env (chrome, etc)
+      - name: Setup E2E environment (Chrome, etc)
        run: |
          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
      - id: cache-web
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
-      - name: prepare web ui
+          key: ${{ runner.os }}-web-${{ hashFiles('package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+      - name: Prepare Web UI
        if: steps.cache-web.outputs.cache-hit != 'true'
-        working-directory: web
        run: |
          npm ci
-          make -C .. gen-client-ts
-          npm run build
-          npm run build:sfe
-      - name: run e2e
+          make gen-client-ts
+          npm run build -w @goauthentik/web
+          npm run build -w @goauthentik/web-sfe
+      - name: Run E2E
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
          uv run coverage xml
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -26,7 +26,7 @@ jobs:
          mkdir -p web/dist
          mkdir -p website/help
          touch web/dist/test website/help/test
-      - name: Generate API
+      - name: Generate Golang API Client
        run: make gen-client-go
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v8
@ -43,7 +43,7 @@ jobs:
          go-version-file: "go.mod"
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
+      - name: Generate Golang API Client
        run: make gen-client-go
      - name: Go unittests
        run: |
@ -99,7 +99,7 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate API
+      - name: Generate Golang API Client
        run: make gen-client-go
      - name: Build Docker Image
        id: push
@ -145,16 +145,17 @@ jobs:
          go-version-file: "go.mod"
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - name: Generate API
+          cache-dependency-path: package-lock.json
+      - name: Generate Golang API Client
        run: make gen-client-go
-      - name: Build web
-        working-directory: web/
+      - name: Prepare Dependencies
        run: |
          npm ci
-          npm run build-proxy
+      - name: Run ESBuild
+        run: |
+          npm run build-proxy -w @goauthentik/web
      - name: Build outpost
        run: |
          set -x
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -19,47 +19,45 @@ jobs:
      matrix:
        command:
          - lint
-          - lint:lockfile
-          - tsc
          - prettier-check
        project:
          - web
        include:
-          - command: tsc
-            project: web
          - command: lit-analyse
            project: web
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version-file: ${{ matrix.project }}/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: ${{ matrix.project }}/package-lock.json
-      - working-directory: ${{ matrix.project }}/
+          cache-dependency-path: package-lock.json
+      - name: Prepare Dependencies
        run: |
          npm ci
-      - name: Generate API
+      - name: Generate TypeScript API
        run: make gen-client-ts
-      - name: Lint
-        working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+      - name: Lint Project
+        run: |
+          npm run build-locales -w @goauthentik/web
+          npm run lint:types
+      - name: Lint Web
+        run: npm run ${{ matrix.command }} -w @goauthentik/web
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
+          cache-dependency-path: package-lock.json
+      - name: Prepare Dependencies
        run: npm ci
-      - name: Generate API
+      - name: Generate TypeScript API
        run: make gen-client-ts
      - name: build
-        working-directory: web/
-        run: npm run build
+        run: npm run build -w @goauthentik/web
  ci-web-mark:
    if: always()
    needs:
@ -78,13 +76,12 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
+          cache-dependency-path: package-lock.json
+      - name: Prepare Dependencies
        run: npm ci
-      - name: Generate API
+      - name: Generate TypeScript API
        run: make gen-client-ts
      - name: test
-        working-directory: web/
-        run: npm run test || exit 0
+        run: npm run test -w @goauthentik/web || exit 0
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -14,53 +14,44 @@ on:
 jobs:
  lint:
    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
    steps:
      - uses: actions/checkout@v4
-      - working-directory: website/
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+          cache-dependency-path: package-lock.json
+      - name: Prepare Dependencies
        run: npm ci
      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: npm run prettier-check -w @goauthentik/docs
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version-file: website/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
+          cache-dependency-path: package-lock.json
+      - name: Prepare Dependencies
        run: npm ci
      - name: test
-        working-directory: website/
-        run: npm test
+        run: npm test -w @goauthentik/docs
  build:
    runs-on: ubuntu-latest
-    name: ${{ matrix.job }}
-    strategy:
-      fail-fast: false
-      matrix:
-        job:
-          - build
    steps:
      - uses: actions/checkout@v4
+
      - uses: actions/setup-node@v4
        with:
-          node-version-file: website/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
+          cache-dependency-path: package-lock.json
+      - name: Prepare Dependencies
        run: npm ci
-      - name: build
-        working-directory: website/
-        run: npm run ${{ matrix.job }}
+      - name: Run Docusaurus
+        run: npm run build -w @goauthentik/docs
  ci-website-mark:
    if: always()
    needs:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -7,7 +7,7 @@ on:
      - packages/eslint-config/**
      - packages/prettier-config/**
      - packages/tsconfig/**
-      - web/packages/esbuild-plugin-live-reload/**
+      - packages/web/esbuild-plugin-live-reload/**
  workflow_dispatch:
 jobs:
  publish:
@ -21,7 +21,7 @@ jobs:
          - packages/eslint-config
          - packages/prettier-config
          - packages/tsconfig
-          - web/packages/esbuild-plugin-live-reload
+          - packages/web/esbuild-plugin-live-reload
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -106,14 +106,14 @@ jobs:
          go-version-file: "go.mod"
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - name: Build web
-        working-directory: web/
+          cache-dependency-path: package-lock.json
+      - name: Prepare Dependencies
+        run: npm ci
+      - name: Run ESBuild (Proxy)
        run: |
-          npm ci
-          npm run build-proxy
+          npm run build-proxy -w @goauthentik/web
      - name: Build outpost
        run: |
          set -x
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -32,15 +32,25 @@ jobs:
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+          cache-dependency-path: package-lock.json
+      - name: Prepare Dependencies
+        run: npm ci
+      - name: Generate TypeScript API
        run: make gen-client-ts
-      - name: run extract
+      - name: Run extract
        run: |
          uv run make i18n-extract
-      - name: run compile
+      - name: Run UV compile
        run: |
          uv run ak compilemessages
-          make web-check-compile
+      - name: Lint Project
+        run: |
+          npm run build-locales -w @goauthentik/web
+          npm run lint:types
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
--- a/.prettierignore
+++ b/.prettierignore
@ -36,12 +36,19 @@ coverage
 *.mdx
 *.md

-## Import order matters
-poly.ts
-src/locale-codes.ts
-src/locales/
-
 # Storybook
 storybook-static/
 .storybook/css-import-maps*

+# JSON Schemas
+schemas/**/*.json
+blueprints/**/*.json
+authentik/**/*.json
+lifecycle/**/*.json
+
+# Locales
+web/src/locale-codes.ts
+web/src/locales/
+
+# Wireit's cache
+.wireit
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -17,6 +17,6 @@
        "ms-python.vscode-pylance",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
    ]
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -4,12 +4,7 @@
        {
            "label": "authentik/core: make",
            "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "lint-fix",
-                "lint"
-            ],
+            "args": ["run", "make", "lint-fix", "lint"],
            "presentation": {
                "panel": "new"
            },
@ -18,11 +13,7 @@
        {
            "label": "authentik/core: run",
            "command": "uv",
-            "args": [
-                "run",
-                "ak",
-                "server"
-            ],
+            "args": ["run", "ak", "server"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -32,17 +23,13 @@
        {
            "label": "authentik/web: make",
            "command": "make",
-            "args": [
-                "web"
-            ],
+            "args": ["web"],
            "group": "build"
        },
        {
            "label": "authentik/web: watch",
            "command": "make",
-            "args": [
-                "web-watch"
-            ],
+            "args": ["web-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -52,26 +39,19 @@
        {
            "label": "authentik: install",
            "command": "make",
-            "args": [
-                "install",
-                "-j4"
-            ],
+            "args": ["install", "-j4"],
            "group": "build"
        },
        {
            "label": "authentik/website: make",
            "command": "make",
-            "args": [
-                "website"
-            ],
+            "args": ["website"],
            "group": "build"
        },
        {
            "label": "authentik/website: watch",
            "command": "make",
-            "args": [
-                "website-watch"
-            ],
+            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -81,11 +61,7 @@
        {
            "label": "authentik/api: generate",
            "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "gen"
-            ],
+            "args": ["run", "make", "gen"],
            "group": "build"
        }
    ]
--- a/82
+++ b/82
@ -1,49 +1,41 @@
 # syntax=docker/dockerfile:1

-# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS website-builder
-
-ENV NODE_ENV=production
-
-WORKDIR /work/website
-
-RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
-    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
-
-COPY ./website /work/website/
-COPY ./blueprints /work/blueprints/
-COPY ./schema.yml /work/
-COPY ./SECURITY.md /work/
-
-RUN npm run build-bundled
-
-# Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS web-builder
+# Stage 1: Build Node packages
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-packages

 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
-ENV NODE_ENV=production

-WORKDIR /work/web
-
-RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
-    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
-    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
+WORKDIR /work

+COPY ./SECURITY.md /work
+COPY ./schema.yml /work
+COPY ./docker-compose.yml /work
+COPY ./blueprints /work/blueprints/
 COPY ./package.json /work
+COPY ./package-lock.json /work
+COPY ./tsconfig.json /work
+COPY ./packages/ /work/packages/
 COPY ./web /work/web/
 COPY ./website /work/website/
-COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
+COPY ./gen-ts-api /work/gen-ts-api/

-RUN npm run build && \
-    npm run build:sfe
+RUN --mount=type=cache,id=npm-node,sharing=shared,target=/root/.npm \
+    npm ci

-# Stage 3: Build go proxy
+RUN cd ./gen-ts-api && npm link
+
+RUN npm link @goauthentik/api -w @goauthentik/web
+
+ENV NODE_ENV=production
+
+RUN npm run build -w @goauthentik/web
+RUN npm run build -w @goauthentik/web-sfe
+
+RUN npm run build:api -w @goauthentik/docs
+RUN npm run build:docusaurus -w @goauthentik/docs
+
+# Stage 2: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder

 ARG TARGETOS
@ -68,8 +60,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=node-packages /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=node-packages /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@ -80,7 +72,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server

-# Stage 4: MaxMind GeoIP
+# Stage 3: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@ -93,9 +85,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    mkdir -p /usr/share/GeoIP && \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.8 AS uv
-# Stage 6: Base python image
+# Stage 4: Download uv
+FROM ghcr.io/astral-sh/uv:0.7.6 AS uv
+# Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
@ -109,7 +101,7 @@ WORKDIR /ak-root/

 COPY --from=uv /uv /uvx /bin/

-# Stage 7: Python dependencies
+# Stage 6: Python dependencies
 FROM python-base AS python-deps

 ARG TARGETARCH
@ -144,7 +136,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev

-# Stage 8: Run
+# Stage 7: Run
 FROM python-base AS final-image

 ARG VERSION
@ -187,9 +179,9 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=web-builder /work/web/dist/ /web/dist/
-COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=node-packages /work/web/dist/ /web/dist/
+COPY --from=node-packages /work/web/authentik/ /web/authentik/
+COPY --from=node-packages /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip

 USER 1000
--- a/44
+++ b/44
@ -1,6 +1,6 @@
 .PHONY: gen dev-reset all clean test web website

-SHELL := /usr/bin/env bash
+SHELL := /bin/bash
 .SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
 PWD = $(shell pwd)
 UID = $(shell id -u)
@ -73,7 +73,7 @@ core-i18n-extract:
 		--ignore website \
 		-l en

-install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`
+install: npm-install core-install  ## Install all requires dependencies for `web`, `website` and `core`

 dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
@ -146,9 +146,8 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-	mkdir -p web/node_modules/@goauthentik/api
-	cd ${PWD}/${GEN_API_TS} && npm i
-	\cp -rf ${PWD}/${GEN_API_TS}/* web/node_modules/@goauthentik/api
+	cd ./${GEN_API_TS} && npm link
+	npm link @goauthentik/api -w @goauthentik/web

 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
@ -183,38 +182,34 @@ gen: gen-build gen-client-ts
 ## Web
 #########################

-web-build: web-install  ## Build the Authentik UI
-	cd web && npm run build
+web-build: npm-install  ## Build the Authentik UI
+	npm run build -w @goauthentik/web

 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it

-web-install:  ## Install the necessary libraries to build the Authentik UI
-	cd web && npm ci
+npm-install:  ## Install the necessary libraries to build the Authentik UI
+	npm ci

 web-test: ## Run tests for the Authentik UI
-	cd web && npm run test
+	npm run test -w @goauthentik/web

 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	rm -rf web/dist/
-	mkdir web/dist/
-	touch web/dist/.gitkeep
-	cd web && npm run watch
+	npm run watch -w @goauthentik/web

 web-storybook-watch:  ## Build and run the storybook documentation server
-	cd web && npm run storybook
+	npm run storybook -w @goauthentik/web

 web-lint-fix:
-	cd web && npm run prettier
+	npm run prettier -w @goauthentik/web

 web-lint:
-	cd web && npm run lint
-	cd web && npm run lit-analyse
+	npm run lint -w @goauthentik/web

 web-check-compile:
-	cd web && npm run tsc
+	npm run lint:types

 web-i18n-extract:
-	cd web && npm run extract-locales
+	npm run extract-locales -w @goauthentik/web

 #########################
 ## Website
@ -222,17 +217,14 @@ web-i18n-extract:

 website: website-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it

-website-install:
-	cd website && npm ci
-
 website-lint-fix: lint-codespell
-	cd website && npm run prettier
+	npm run prettier --prefix website

 website-build:
-	cd website && npm run build
+	npm run build --prefix website

 website-watch:  ## Build and watch the documentation website, updating automatically
-	cd website && npm run watch
+	npm run watch --prefix website

 #########################
 ## Docker
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
+| 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
-| 2025.6.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.6.2"
+__version__ = "2025.4.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -148,14 +148,3 @@ class TestBrands(APITestCase):
                "default_locale": "",
            },
        )
-
-    def test_custom_css(self):
-        """Test custom_css"""
-        brand = create_test_brand()
-        brand.branding_custom_css = """* {
-            font-family: "Foo bar";
-        }"""
-        brand.save()
-        res = self.client.get(reverse("authentik_core:if-user"))
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,8 +5,6 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from django.utils.html import _json_script_escapes
-from django.utils.safestring import mark_safe

 from authentik import get_full_version
 from authentik.brands.models import Brand
@ -34,13 +32,8 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
-    # similarly to `json_script` we escape everything HTML-related, however django
-    # only directly exposes this as a function that also wraps it in a <script> tag
-    # which we dont want for CSS
-    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
    return {
        "brand": brand,
-        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
        "html_meta": {**get_http_meta()},
        "version": get_full_version(),
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -84,7 +84,6 @@ from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
-from authentik.stages.email.flow import pickle_flow_token_for_email
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -452,7 +451,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)

-    def _create_recovery_link(self, for_email=False) -> tuple[str, Token]:
+    def _create_recovery_link(self) -> tuple[str, Token]:
        """Create a recovery link (when the current brand has a recovery flow set),
        that can either be shown to an admin or sent to the user directly"""
        brand: Brand = self.request._request.brand
@ -474,16 +473,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            raise ValidationError(
                {"non_field_errors": "Recovery flow not applicable to user"}
            ) from None
-        _plan = FlowToken.pickle(plan)
-        if for_email:
-            _plan = pickle_flow_token_for_email(plan)
        token, __ = FlowToken.objects.update_or_create(
            identifier=f"{user.uid}-password-reset",
            defaults={
                "user": user,
                "flow": flow,
-                "_plan": _plan,
-                "revoke_on_execution": not for_email,
+                "_plan": FlowToken.pickle(plan),
            },
        )
        querystring = urlencode({QS_KEY_TOKEN: token.key})
@ -653,7 +648,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if for_user.email == "":
            LOGGER.debug("User doesn't have an email address")
            raise ValidationError({"non_field_errors": "User does not have an email address set."})
-        link, token = self._create_recovery_link(for_email=True)
+        link, token = self._create_recovery_link()
        # Lookup the email stage to assure the current user can access it
        stages = get_objects_for_user(
            request.user, "authentik_stages_email.view_emailstage"
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -79,7 +79,6 @@ def _migrate_session(
        AuthenticatedSession.objects.using(db_alias).create(
            session=session,
            user=old_auth_session.user,
-            uuid=old_auth_session.uuid,
        )


--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -1,81 +1,10 @@
 # Generated by Django 5.1.9 on 2025-05-14 11:15

-from django.apps.registry import Apps, apps as global_apps
+from django.apps.registry import Apps
 from django.db import migrations
-from django.contrib.contenttypes.management import create_contenttypes
-from django.contrib.auth.management import create_permissions
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor


-def migrate_authenticated_session_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    """Migrate permissions from OldAuthenticatedSession to AuthenticatedSession"""
-    db_alias = schema_editor.connection.alias
-
-    # `apps` here is just an instance of `django.db.migrations.state.AppConfigStub`, we need the
-    # real config for creating permissions and content types
-    authentik_core_config = global_apps.get_app_config("authentik_core")
-    # These are only ran by django after all migrations, but we need them right now.
-    # `global_apps` is needed,
-    create_permissions(authentik_core_config, using=db_alias, verbosity=1)
-    create_contenttypes(authentik_core_config, using=db_alias, verbosity=1)
-
-    # But from now on, this is just a regular migration, so use `apps`
-    Permission = apps.get_model("auth", "Permission")
-    ContentType = apps.get_model("contenttypes", "ContentType")
-
-    try:
-        old_ct = ContentType.objects.using(db_alias).get(
-            app_label="authentik_core", model="oldauthenticatedsession"
-        )
-        new_ct = ContentType.objects.using(db_alias).get(
-            app_label="authentik_core", model="authenticatedsession"
-        )
-    except ContentType.DoesNotExist:
-        # This should exist at this point, but if not, let's cut our losses
-        return
-
-    # Get all permissions for the old content type
-    old_perms = Permission.objects.using(db_alias).filter(content_type=old_ct)
-
-    # Create equivalent permissions for the new content type
-    for old_perm in old_perms:
-        new_perm = (
-            Permission.objects.using(db_alias)
-            .filter(
-                content_type=new_ct,
-                codename=old_perm.codename,
-            )
-            .first()
-        )
-        if not new_perm:
-            # This should exist at this point, but if not, let's cut our losses
-            continue
-
-        # Global user permissions
-        User = apps.get_model("authentik_core", "User")
-        User.user_permissions.through.objects.using(db_alias).filter(
-            permission=old_perm
-        ).all().update(permission=new_perm)
-
-        # Global role permissions
-        DjangoGroup = apps.get_model("auth", "Group")
-        DjangoGroup.permissions.through.objects.using(db_alias).filter(
-            permission=old_perm
-        ).all().update(permission=new_perm)
-
-        # Object user permissions
-        UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
-        UserObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
-            permission=new_perm, content_type=new_ct
-        )
-
-        # Object role permissions
-        GroupObjectPermission = apps.get_model("guardian", "GroupObjectPermission")
-        GroupObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
-            permission=new_perm, content_type=new_ct
-        )
-
-
 def remove_old_authenticated_session_content_type(
    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
 ):
@ -92,12 +21,7 @@ class Migration(migrations.Migration):
    ]

    operations = [
-        migrations.RunPython(
-            code=migrate_authenticated_session_permissions,
-            reverse_code=migrations.RunPython.noop,
-        ),
        migrations.RunPython(
            code=remove_old_authenticated_session_content_type,
-            reverse_code=migrations.RunPython.noop,
        ),
    ]
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,7 +16,7 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand_css }}</style>
+        <style>{{ brand.branding_custom_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
--- a/authentik/flows/migrations/0028_flowtoken_revoke_on_execution.py
+++ b/authentik/flows/migrations/0028_flowtoken_revoke_on_execution.py
@ -1,18 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-27 12:52
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_flows", "0027_auto_20231028_1424"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="flowtoken",
-            name="revoke_on_execution",
-            field=models.BooleanField(default=True),
-        ),
-    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -303,10 +303,9 @@ class FlowToken(Token):

    flow = models.ForeignKey(Flow, on_delete=models.CASCADE)
    _plan = models.TextField()
-    revoke_on_execution = models.BooleanField(default=True)

    @staticmethod
-    def pickle(plan: "FlowPlan") -> str:
+    def pickle(plan) -> str:
        """Pickle into string"""
        data = dumps(plan)
        return b64encode(data).decode()
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -99,10 +99,9 @@ class ChallengeStageView(StageView):
            self.logger.debug("Got StageInvalidException", exc=exc)
            return self.executor.stage_invalid()
        if not challenge.is_valid():
-            self.logger.error(
+            self.logger.warning(
                "f(ch): Invalid challenge",
                errors=challenge.errors,
-                challenge=challenge.data,
            )
        return HttpChallengeResponse(challenge)

--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -146,8 +146,7 @@ class FlowExecutorView(APIView):
        except (AttributeError, EOFError, ImportError, IndexError) as exc:
            LOGGER.warning("f(exec): Failed to restore token plan", exc=exc)
        finally:
-            if token.revoke_on_execution:
-                token.delete()
+            token.delete()
        if not isinstance(plan, FlowPlan):
            return None
        plan.context[PLAN_CONTEXT_IS_RESTORED] = token
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -81,6 +81,7 @@ debugger: false

 log_level: info

+session_storage: cache
 sessions:
  unauthenticated_age: days=1

--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@ -1,7 +1,6 @@
 from collections.abc import Callable
 from dataclasses import asdict

-from celery import group
 from celery.exceptions import Retry
 from celery.result import allow_join_result
 from django.core.paginator import Paginator
@ -83,41 +82,21 @@ class SyncTasks:
                self.logger.debug("Failed to acquire sync lock, skipping", provider=provider.name)
                return
            try:
-                messages.append(_("Syncing users"))
-                user_results = (
-                    group(
-                        [
-                            sync_objects.signature(
-                                args=(class_to_path(User), page, provider_pk),
-                                time_limit=PAGE_TIMEOUT,
-                                soft_time_limit=PAGE_TIMEOUT,
-                            )
-                            for page in users_paginator.page_range
-                        ]
-                    )
-                    .apply_async()
-                    .get()
-                )
-                for result in user_results:
-                    for msg in result:
+                for page in users_paginator.page_range:
+                    messages.append(_("Syncing page {page} of users".format(page=page)))
+                    for msg in sync_objects.apply_async(
+                        args=(class_to_path(User), page, provider_pk),
+                        time_limit=PAGE_TIMEOUT,
+                        soft_time_limit=PAGE_TIMEOUT,
+                    ).get():
                        messages.append(LogEvent(**msg))
-                messages.append(_("Syncing groups"))
-                group_results = (
-                    group(
-                        [
-                            sync_objects.signature(
-                                args=(class_to_path(Group), page, provider_pk),
-                                time_limit=PAGE_TIMEOUT,
-                                soft_time_limit=PAGE_TIMEOUT,
-                            )
-                            for page in groups_paginator.page_range
-                        ]
-                    )
-                    .apply_async()
-                    .get()
-                )
-                for result in group_results:
-                    for msg in result:
+                for page in groups_paginator.page_range:
+                    messages.append(_("Syncing page {page} of groups".format(page=page)))
+                    for msg in sync_objects.apply_async(
+                        args=(class_to_path(Group), page, provider_pk),
+                        time_limit=PAGE_TIMEOUT,
+                        soft_time_limit=PAGE_TIMEOUT,
+                    ).get():
                        messages.append(LogEvent(**msg))
            except TransientSyncException as exc:
                self.logger.warning("transient sync exception", exc=exc)
@ -130,7 +109,7 @@ class SyncTasks:
    def sync_objects(
        self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
    ):
-        _object_type: type[Model] = path_to_class(object_type)
+        _object_type = path_to_class(object_type)
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
            provider_pk=provider_pk,
@ -153,19 +132,6 @@ class SyncTasks:
            self.logger.debug("starting discover")
            client.discover()
        self.logger.debug("starting sync for page", page=page)
-        messages.append(
-            asdict(
-                LogEvent(
-                    _(
-                        "Syncing page {page} of {object_type}".format(
-                            page=page, object_type=_object_type._meta.verbose_name_plural
-                        )
-                    ),
-                    log_level="info",
-                    logger=f"{provider._meta.verbose_name}@{object_type}",
-                )
-            )
-        )
        for obj in paginator.page(page).object_list:
            obj: Model
            try:
--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@ -1,9 +1,11 @@
 """Websocket tests"""

 from dataclasses import asdict
+from unittest.mock import patch

 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
+from django.contrib.contenttypes.models import ContentType
 from django.test import TransactionTestCase

 from authentik import __version__
@ -14,6 +16,12 @@ from authentik.providers.proxy.models import ProxyProvider
 from authentik.root import websocket


+def patched__get_ct_cached(app_label, codename):
+    """Caches `ContentType` instances like its `QuerySet` does."""
+    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
+
+
+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestOutpostWS(TransactionTestCase):
    """Websocket tests"""

--- a/authentik/providers/rac/models.py
+++ b/authentik/providers/rac/models.py
@ -166,6 +166,7 @@ class ConnectionToken(ExpiringModel):
        always_merger.merge(settings, default_settings)
        always_merger.merge(settings, self.endpoint.provider.settings)
        always_merger.merge(settings, self.endpoint.settings)
+        always_merger.merge(settings, self.settings)

        def mapping_evaluator(mappings: QuerySet):
            for mapping in mappings:
@ -190,7 +191,6 @@ class ConnectionToken(ExpiringModel):
        mapping_evaluator(
            RACPropertyMapping.objects.filter(endpoint__in=[self.endpoint]).order_by("name")
        )
-        always_merger.merge(settings, self.settings)

        settings["drive-path"] = f"/tmp/connection/{self.token}"  # nosec
        settings["create-drive-path"] = "true"
--- a/authentik/providers/rac/tests/test_models.py
+++ b/authentik/providers/rac/tests/test_models.py
@ -90,6 +90,23 @@ class TestModels(TransactionTestCase):
                "resize-method": "display-update",
            },
        )
+        # Set settings in token
+        token.settings = {
+            "level": "token",
+        }
+        token.save()
+        self.assertEqual(
+            token.get_settings(),
+            {
+                "hostname": self.endpoint.host.split(":")[0],
+                "port": "1324",
+                "client-name": f"authentik - {self.user}",
+                "drive-path": path,
+                "create-drive-path": "true",
+                "level": "token",
+                "resize-method": "display-update",
+            },
+        )
        # Set settings in property mapping (provider)
        mapping = RACPropertyMapping.objects.create(
            name=generate_id(),
@ -134,22 +151,3 @@ class TestModels(TransactionTestCase):
                "resize-method": "display-update",
            },
        )
-        # Set settings in token
-        token.settings = {
-            "level": "token",
-        }
-        token.save()
-        self.assertEqual(
-            token.get_settings(),
-            {
-                "hostname": self.endpoint.host.split(":")[0],
-                "port": "1324",
-                "client-name": f"authentik - {self.user}",
-                "drive-path": path,
-                "create-drive-path": "true",
-                "foo": "true",
-                "bar": "6",
-                "resize-method": "display-update",
-                "level": "token",
-            },
-        )
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -20,9 +20,6 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-PLAN_CONNECTION_SETTINGS = "connection_settings"


 class RACStartView(PolicyAccessView):
@ -112,15 +109,10 @@ class RACFinalStage(RedirectStage):
        return super().dispatch(request, *args, **kwargs)

    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
-        settings = self.executor.plan.context.get(PLAN_CONNECTION_SETTINGS)
-        if not settings:
-            settings = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {}).get(
-                PLAN_CONNECTION_SETTINGS
-            )
        token = ConnectionToken.objects.create(
            provider=self.provider,
            endpoint=self.endpoint,
-            settings=settings or {},
+            settings=self.executor.plan.context.get("connection_settings", {}),
            session=self.request.session["authenticatedsession"],
            expires=now() + timedelta_from_string(self.provider.connection_expiry),
            expiring=True,
--- a/authentik/providers/scim/clients/groups.py
+++ b/authentik/providers/scim/clients/groups.py
@ -47,16 +47,15 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):

    def to_schema(self, obj: Group, connection: SCIMProviderGroup) -> SCIMGroupSchema:
        """Convert authentik user into SCIM"""
-        raw_scim_group = super().to_schema(obj, connection)
+        raw_scim_group = super().to_schema(
+            obj,
+            connection,
+            schemas=(SCIM_GROUP_SCHEMA,),
+        )
        try:
            scim_group = SCIMGroupSchema.model_validate(delete_none_values(raw_scim_group))
        except ValidationError as exc:
            raise StopSync(exc, obj) from exc
-        if SCIM_GROUP_SCHEMA not in scim_group.schemas:
-            scim_group.schemas.insert(0, SCIM_GROUP_SCHEMA)
-        # As this might be unset, we need to tell pydantic it's set so ensure the schemas
-        # are included, even if its just the defaults
-        scim_group.schemas = list(scim_group.schemas)
        if not scim_group.externalId:
            scim_group.externalId = str(obj.pk)

--- a/authentik/providers/scim/clients/users.py
+++ b/authentik/providers/scim/clients/users.py
@ -31,16 +31,15 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):

    def to_schema(self, obj: User, connection: SCIMProviderUser) -> SCIMUserSchema:
        """Convert authentik user into SCIM"""
-        raw_scim_user = super().to_schema(obj, connection)
+        raw_scim_user = super().to_schema(
+            obj,
+            connection,
+            schemas=(SCIM_USER_SCHEMA,),
+        )
        try:
            scim_user = SCIMUserSchema.model_validate(delete_none_values(raw_scim_user))
        except ValidationError as exc:
            raise StopSync(exc, obj) from exc
-        if SCIM_USER_SCHEMA not in scim_user.schemas:
-            scim_user.schemas.insert(0, SCIM_USER_SCHEMA)
-        # As this might be unset, we need to tell pydantic it's set so ensure the schemas
-        # are included, even if its just the defaults
-        scim_user.schemas = list(scim_user.schemas)
        if not scim_user.externalId:
            scim_user.externalId = str(obj.uid)
        return scim_user
--- a/authentik/providers/scim/tests/test_user.py
+++ b/authentik/providers/scim/tests/test_user.py
@ -91,57 +91,6 @@ class SCIMUserTests(TestCase):
            },
        )

-    @Mocker()
-    def test_user_create_custom_schema(self, mock: Mocker):
-        """Test user creation with custom schema"""
-        schema = SCIMMapping.objects.create(
-            name="custom_schema",
-            expression="""return {"schemas": ["foo"]}""",
-        )
-        self.provider.property_mappings.add(schema)
-        scim_id = generate_id()
-        mock.get(
-            "https://localhost/ServiceProviderConfig",
-            json={},
-        )
-        mock.post(
-            "https://localhost/Users",
-            json={
-                "id": scim_id,
-            },
-        )
-        uid = generate_id()
-        user = User.objects.create(
-            username=uid,
-            name=f"{uid} {uid}",
-            email=f"{uid}@goauthentik.io",
-        )
-        self.assertEqual(mock.call_count, 2)
-        self.assertEqual(mock.request_history[0].method, "GET")
-        self.assertEqual(mock.request_history[1].method, "POST")
-        self.assertJSONEqual(
-            mock.request_history[1].body,
-            {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "foo"],
-                "active": True,
-                "emails": [
-                    {
-                        "primary": True,
-                        "type": "other",
-                        "value": f"{uid}@goauthentik.io",
-                    }
-                ],
-                "externalId": user.uid,
-                "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
-                    "givenName": uid,
-                },
-                "displayName": f"{uid} {uid}",
-                "userName": uid,
-            },
-        )
-
    @Mocker()
    def test_user_create_different_provider_same_id(self, mock: Mocker):
        """Test user creation with multiple providers that happen
@ -435,7 +384,7 @@ class SCIMUserTests(TestCase):
                self.assertIn(request.method, SAFE_METHODS)
        task = SystemTask.objects.filter(uid=slugify(self.provider.name)).first()
        self.assertIsNotNone(task)
-        drop_msg = task.messages[3]
+        drop_msg = task.messages[2]
        self.assertEqual(drop_msg["event"], "Dropping mutating request due to dry run")
        self.assertIsNotNone(drop_msg["attributes"]["url"])
        self.assertIsNotNone(drop_msg["attributes"]["body"])
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -424,7 +424,7 @@ else:
        "BACKEND": "authentik.root.storages.FileStorage",
        "OPTIONS": {
            "location": Path(CONFIG.get("storage.media.file.path")),
-            "base_url": CONFIG.get("web.path", "/") + "media/",
+            "base_url": "/media/",
        },
    }
    # Compatibility for apps not supporting top-level STORAGES
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@ -3,44 +3,25 @@
 import os
 from argparse import ArgumentParser
 from unittest import TestCase
-from unittest.mock import patch

 import pytest
 from django.conf import settings
-from django.contrib.contenttypes.models import ContentType
 from django.test.runner import DiscoverRunner
-from structlog.stdlib import get_logger

 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
+from tests.e2e.utils import get_docker_tag

 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None


-def get_docker_tag() -> str:
-    """Get docker-tag based off of CI variables"""
-    env_pr_branch = "GITHUB_HEAD_REF"
-    default_branch = "GITHUB_REF"
-    branch_name = os.environ.get(default_branch, "main")
-    if os.environ.get(env_pr_branch, "") != "":
-        branch_name = os.environ[env_pr_branch]
-    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
-    return f"gh-{branch_name}"
-
-
-def patched__get_ct_cached(app_label, codename):
-    """Caches `ContentType` instances like its `QuerySet` does."""
-    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
-
-
 class PytestTestRunner(DiscoverRunner):  # pragma: no cover
    """Runs pytest to discover and run tests."""

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
-        self.logger = get_logger().bind(runner="pytest")

        self.args = []
        if self.failfast:
@ -50,8 +31,6 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover

        if kwargs.get("randomly_seed", None):
            self.args.append(f"--randomly-seed={kwargs['randomly_seed']}")
-        if kwargs.get("no_capture", False):
-            self.args.append("--capture=no")

        settings.TEST = True
        settings.CELERY["task_always_eager"] = True
@ -85,11 +64,6 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
            "Default behaviour: use random.Random().getrandbits(32), so the seed is"
            "different on each run.",
        )
-        parser.add_argument(
-            "--no-capture",
-            action="store_true",
-            help="Disable any capturing of stdout/stderr during tests.",
-        )

    def run_tests(self, test_labels, extra_tests=None, **kwargs):
        """Run pytest and return the exitcode.
@ -132,10 +106,4 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
                    f"path instead."
                )

-        self.logger.info("Running tests", test_files=self.args)
-        with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
-            try:
-                return pytest.main(self.args)
-            except Exception as e:
-                self.logger.error("Error running tests", error=str(e), test_files=self.args)
-                return 1
+        return pytest.main(self.args)
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -103,7 +103,6 @@ class LDAPSourceSerializer(SourceSerializer):
            "user_object_filter",
            "group_object_filter",
            "group_membership_field",
-            "user_membership_attribute",
            "object_uniqueness_field",
            "password_login_update_internal_password",
            "sync_users",
@ -112,7 +111,6 @@ class LDAPSourceSerializer(SourceSerializer):
            "sync_parent_group",
            "connectivity",
            "lookup_groups_from_user",
-            "delete_not_found_objects",
        ]
        extra_kwargs = {"bind_password": {"write_only": True}}

@ -140,7 +138,6 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
        "user_object_filter",
        "group_object_filter",
        "group_membership_field",
-        "user_membership_attribute",
        "object_uniqueness_field",
        "password_login_update_internal_password",
        "sync_users",
@ -150,7 +147,6 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
        "user_property_mappings",
        "group_property_mappings",
        "lookup_groups_from_user",
-        "delete_not_found_objects",
    ]
    search_fields = ["name", "slug"]
    ordering = ["name"]
--- a/authentik/sources/ldap/migrations/0009_groupldapsourceconnection_validated_by_and_more.py
+++ b/authentik/sources/ldap/migrations/0009_groupldapsourceconnection_validated_by_and_more.py
@ -1,48 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-28 08:15
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0048_delete_oldauthenticatedsession_content_type"),
-        ("authentik_sources_ldap", "0008_groupldapsourceconnection_userldapsourceconnection"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="groupldapsourceconnection",
-            name="validated_by",
-            field=models.UUIDField(
-                blank=True,
-                help_text="Unique ID used while checking if this object still exists in the directory.",
-                null=True,
-            ),
-        ),
-        migrations.AddField(
-            model_name="ldapsource",
-            name="delete_not_found_objects",
-            field=models.BooleanField(
-                default=False,
-                help_text="Delete authentik users and groups which were previously supplied by this source, but are now missing from it.",
-            ),
-        ),
-        migrations.AddField(
-            model_name="userldapsourceconnection",
-            name="validated_by",
-            field=models.UUIDField(
-                blank=True,
-                help_text="Unique ID used while checking if this object still exists in the directory.",
-                null=True,
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="groupldapsourceconnection",
-            index=models.Index(fields=["validated_by"], name="authentik_s_validat_b70447_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="userldapsourceconnection",
-            index=models.Index(fields=["validated_by"], name="authentik_s_validat_ff2ebc_idx"),
-        ),
-    ]
--- a/authentik/sources/ldap/migrations/0010_ldapsource_user_membership_attribute.py
+++ b/authentik/sources/ldap/migrations/0010_ldapsource_user_membership_attribute.py
@ -1,32 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-29 11:22
-
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def set_user_membership_attribute(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    LDAPSource = apps.get_model("authentik_sources_ldap", "LDAPSource")
-    db_alias = schema_editor.connection.alias
-
-    LDAPSource.objects.using(db_alias).filter(group_membership_field="memberUid").all().update(
-        user_membership_attribute="ldap_uniq"
-    )
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_sources_ldap", "0009_groupldapsourceconnection_validated_by_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="ldapsource",
-            name="user_membership_attribute",
-            field=models.TextField(
-                default="distinguishedName",
-                help_text="Attribute which matches the value of `group_membership_field`.",
-            ),
-        ),
-        migrations.RunPython(set_user_membership_attribute, migrations.RunPython.noop),
-    ]
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@ -100,10 +100,6 @@ class LDAPSource(Source):
        default="(objectClass=person)",
        help_text=_("Consider Objects matching this filter to be Users."),
    )
-    user_membership_attribute = models.TextField(
-        default=LDAP_DISTINGUISHED_NAME,
-        help_text=_("Attribute which matches the value of `group_membership_field`."),
-    )
    group_membership_field = models.TextField(
        default="member", help_text=_("Field which contains members of a group.")
    )
@ -141,14 +137,6 @@ class LDAPSource(Source):
        ),
    )

-    delete_not_found_objects = models.BooleanField(
-        default=False,
-        help_text=_(
-            "Delete authentik users and groups which were previously supplied by this source, "
-            "but are now missing from it."
-        ),
-    )
-
    @property
    def component(self) -> str:
        return "ak-source-ldap-form"
@ -333,12 +321,6 @@ class LDAPSourcePropertyMapping(PropertyMapping):


 class UserLDAPSourceConnection(UserSourceConnection):
-    validated_by = models.UUIDField(
-        null=True,
-        blank=True,
-        help_text=_("Unique ID used while checking if this object still exists in the directory."),
-    )
-
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.sources.ldap.api import (
@ -350,18 +332,9 @@ class UserLDAPSourceConnection(UserSourceConnection):
    class Meta:
        verbose_name = _("User LDAP Source Connection")
        verbose_name_plural = _("User LDAP Source Connections")
-        indexes = [
-            models.Index(fields=["validated_by"]),
-        ]


 class GroupLDAPSourceConnection(GroupSourceConnection):
-    validated_by = models.UUIDField(
-        null=True,
-        blank=True,
-        help_text=_("Unique ID used while checking if this object still exists in the directory."),
-    )
-
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.sources.ldap.api import (
@ -373,6 +346,3 @@ class GroupLDAPSourceConnection(GroupSourceConnection):
    class Meta:
        verbose_name = _("Group LDAP Source Connection")
        verbose_name_plural = _("Group LDAP Source Connections")
-        indexes = [
-            models.Index(fields=["validated_by"]),
-        ]
--- a/authentik/sources/ldap/sync/base.py
+++ b/authentik/sources/ldap/sync/base.py
@ -9,7 +9,7 @@ from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.sources.mapper import SourceMapper
 from authentik.lib.config import CONFIG
 from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.sources.ldap.models import LDAPSource, flatten
+from authentik.sources.ldap.models import LDAPSource


 class BaseLDAPSynchronizer:
@ -77,16 +77,6 @@ class BaseLDAPSynchronizer:
        """Get objects from LDAP, implemented in subclass"""
        raise NotImplementedError()

-    def get_attributes(self, object):
-        if "attributes" not in object:
-            return
-        return object.get("attributes", {})
-
-    def get_identifier(self, attributes: dict):
-        if not attributes.get(self._source.object_uniqueness_field):
-            return
-        return flatten(attributes[self._source.object_uniqueness_field])
-
    def search_paginator(  # noqa: PLR0913
        self,
        search_base,
--- a/authentik/sources/ldap/sync/forward_delete_groups.py
+++ b/authentik/sources/ldap/sync/forward_delete_groups.py
@ -1,61 +0,0 @@
-from collections.abc import Generator
-from itertools import batched
-from uuid import uuid4
-
-from ldap3 import SUBTREE
-
-from authentik.core.models import Group
-from authentik.sources.ldap.models import GroupLDAPSourceConnection
-from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
-from authentik.sources.ldap.sync.forward_delete_users import DELETE_CHUNK_SIZE, UPDATE_CHUNK_SIZE
-
-
-class GroupLDAPForwardDeletion(BaseLDAPSynchronizer):
-    """Delete LDAP Groups from authentik"""
-
-    @staticmethod
-    def name() -> str:
-        return "group_deletions"
-
-    def get_objects(self, **kwargs) -> Generator:
-        if not self._source.sync_groups or not self._source.delete_not_found_objects:
-            self.message("Group syncing is disabled for this Source")
-            return iter(())
-
-        uuid = uuid4()
-        groups = self._source.connection().extend.standard.paged_search(
-            search_base=self.base_dn_groups,
-            search_filter=self._source.group_object_filter,
-            search_scope=SUBTREE,
-            attributes=[self._source.object_uniqueness_field],
-            generator=True,
-            **kwargs,
-        )
-        for batch in batched(groups, UPDATE_CHUNK_SIZE, strict=False):
-            identifiers = []
-            for group in batch:
-                if not (attributes := self.get_attributes(group)):
-                    continue
-                if identifier := self.get_identifier(attributes):
-                    identifiers.append(identifier)
-            GroupLDAPSourceConnection.objects.filter(identifier__in=identifiers).update(
-                validated_by=uuid
-            )
-
-        return batched(
-            GroupLDAPSourceConnection.objects.filter(source=self._source)
-            .exclude(validated_by=uuid)
-            .values_list("group", flat=True)
-            .iterator(chunk_size=DELETE_CHUNK_SIZE),
-            DELETE_CHUNK_SIZE,
-            strict=False,
-        )
-
-    def sync(self, group_pks: tuple) -> int:
-        """Delete authentik groups"""
-        if not self._source.sync_groups or not self._source.delete_not_found_objects:
-            self.message("Group syncing is disabled for this Source")
-            return -1
-        self._logger.debug("Deleting groups", group_pks=group_pks)
-        _, deleted_per_type = Group.objects.filter(pk__in=group_pks).delete()
-        return deleted_per_type.get(Group._meta.label, 0)
--- a/authentik/sources/ldap/sync/forward_delete_users.py
+++ b/authentik/sources/ldap/sync/forward_delete_users.py
@ -1,63 +0,0 @@
-from collections.abc import Generator
-from itertools import batched
-from uuid import uuid4
-
-from ldap3 import SUBTREE
-
-from authentik.core.models import User
-from authentik.sources.ldap.models import UserLDAPSourceConnection
-from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
-
-UPDATE_CHUNK_SIZE = 10_000
-DELETE_CHUNK_SIZE = 50
-
-
-class UserLDAPForwardDeletion(BaseLDAPSynchronizer):
-    """Delete LDAP Users from authentik"""
-
-    @staticmethod
-    def name() -> str:
-        return "user_deletions"
-
-    def get_objects(self, **kwargs) -> Generator:
-        if not self._source.sync_users or not self._source.delete_not_found_objects:
-            self.message("User syncing is disabled for this Source")
-            return iter(())
-
-        uuid = uuid4()
-        users = self._source.connection().extend.standard.paged_search(
-            search_base=self.base_dn_users,
-            search_filter=self._source.user_object_filter,
-            search_scope=SUBTREE,
-            attributes=[self._source.object_uniqueness_field],
-            generator=True,
-            **kwargs,
-        )
-        for batch in batched(users, UPDATE_CHUNK_SIZE, strict=False):
-            identifiers = []
-            for user in batch:
-                if not (attributes := self.get_attributes(user)):
-                    continue
-                if identifier := self.get_identifier(attributes):
-                    identifiers.append(identifier)
-            UserLDAPSourceConnection.objects.filter(identifier__in=identifiers).update(
-                validated_by=uuid
-            )
-
-        return batched(
-            UserLDAPSourceConnection.objects.filter(source=self._source)
-            .exclude(validated_by=uuid)
-            .values_list("user", flat=True)
-            .iterator(chunk_size=DELETE_CHUNK_SIZE),
-            DELETE_CHUNK_SIZE,
-            strict=False,
-        )
-
-    def sync(self, user_pks: tuple) -> int:
-        """Delete authentik users"""
-        if not self._source.sync_users or not self._source.delete_not_found_objects:
-            self.message("User syncing is disabled for this Source")
-            return -1
-        self._logger.debug("Deleting users", user_pks=user_pks)
-        _, deleted_per_type = User.objects.filter(pk__in=user_pks).delete()
-        return deleted_per_type.get(User._meta.label, 0)
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -58,16 +58,18 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
            return -1
        group_count = 0
        for group in page_data:
-            if (attributes := self.get_attributes(group)) is None:
+            if "attributes" not in group:
                continue
+            attributes = group.get("attributes", {})
            group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
-            if not (uniq := self.get_identifier(attributes)):
+            if not attributes.get(self._source.object_uniqueness_field):
                self.message(
                    f"Uniqueness field not found/not set in attributes: '{group_dn}'",
                    attributes=attributes.keys(),
                    dn=group_dn,
                )
                continue
+            uniq = flatten(attributes[self._source.object_uniqueness_field])
            try:
                defaults = {
                    k: flatten(v)
--- a/authentik/sources/ldap/sync/membership.py
+++ b/authentik/sources/ldap/sync/membership.py
@ -63,19 +63,25 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
                    group_member_dn = group_member.get("dn", {})
                    members.append(group_member_dn)
            else:
-                if (attributes := self.get_attributes(group)) is None:
+                if "attributes" not in group:
                    continue
-                members = attributes.get(self._source.group_membership_field, [])
+                members = group.get("attributes", {}).get(self._source.group_membership_field, [])

            ak_group = self.get_group(group)
            if not ak_group:
                continue

+            membership_mapping_attribute = LDAP_DISTINGUISHED_NAME
+            if self._source.group_membership_field == "memberUid":
+                # If memberships are based on the posixGroup's 'memberUid'
+                # attribute we use the RDN instead of the FDN to lookup members.
+                membership_mapping_attribute = LDAP_UNIQUENESS
+
            users = User.objects.filter(
-                Q(**{f"attributes__{self._source.user_membership_attribute}__in": members})
+                Q(**{f"attributes__{membership_mapping_attribute}__in": members})
                | Q(
                    **{
-                        f"attributes__{self._source.user_membership_attribute}__isnull": True,
+                        f"attributes__{membership_mapping_attribute}__isnull": True,
                        "ak_groups__in": [ak_group],
                    }
                )
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@ -60,16 +60,18 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
            return -1
        user_count = 0
        for user in page_data:
-            if (attributes := self.get_attributes(user)) is None:
+            if "attributes" not in user:
                continue
+            attributes = user.get("attributes", {})
            user_dn = flatten(user.get("entryDN", user.get("dn")))
-            if not (uniq := self.get_identifier(attributes)):
+            if not attributes.get(self._source.object_uniqueness_field):
                self.message(
                    f"Uniqueness field not found/not set in attributes: '{user_dn}'",
                    attributes=attributes.keys(),
                    dn=user_dn,
                )
                continue
+            uniq = flatten(attributes[self._source.object_uniqueness_field])
            try:
                defaults = {
                    k: flatten(v)
--- a/authentik/sources/ldap/tasks.py
+++ b/authentik/sources/ldap/tasks.py
@ -17,8 +17,6 @@ from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.root.celery import CELERY_APP
 from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
-from authentik.sources.ldap.sync.forward_delete_groups import GroupLDAPForwardDeletion
-from authentik.sources.ldap.sync.forward_delete_users import UserLDAPForwardDeletion
 from authentik.sources.ldap.sync.groups import GroupLDAPSynchronizer
 from authentik.sources.ldap.sync.membership import MembershipLDAPSynchronizer
 from authentik.sources.ldap.sync.users import UserLDAPSynchronizer
@ -54,11 +52,11 @@ def ldap_connectivity_check(pk: str | None = None):


@CELERY_APP.task(
-    # We take the configured hours timeout time by 3.5 as we run user and
-    # group in parallel and then membership, then deletions, so 3x is to cover the serial tasks,
+    # We take the configured hours timeout time by 2.5 as we run user and
+    # group in parallel and then membership, so 2x is to cover the serial tasks,
    # and 0.5x on top of that to give some more leeway
-    soft_time_limit=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3.5,
-    task_time_limit=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3.5,
+    soft_time_limit=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 2.5,
+    task_time_limit=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 2.5,
 )
 def ldap_sync_single(source_pk: str):
    """Sync a single source"""
@ -81,25 +79,6 @@ def ldap_sync_single(source_pk: str):
            group(
                ldap_sync_paginator(source, MembershipLDAPSynchronizer),
            ),
-            # Finally, deletions. What we'd really like to do here is something like
-            # ```
-            # user_identifiers = <ldap query>
-            # User.objects.exclude(
-            #     usersourceconnection__identifier__in=user_uniqueness_identifiers,
-            # ).delete()
-            # ```
-            # This runs into performance issues in large installations. So instead we spread the
-            # work out into three steps:
-            # 1. Get every object from the LDAP source.
-            # 2. Mark every object as "safe" in the database. This is quick, but any error could
-            #    mean deleting users which should not be deleted, so we do it immediately, in
-            #    large chunks, and only queue the deletion step afterwards.
-            # 3. Delete every unmarked item. This is slow, so we spread it over many tasks in
-            #    small chunks.
-            group(
-                ldap_sync_paginator(source, UserLDAPForwardDeletion)
-                + ldap_sync_paginator(source, GroupLDAPForwardDeletion),
-            ),
        )
        task()

--- a/authentik/sources/ldap/tests/mock_slapd.py
+++ b/authentik/sources/ldap/tests/mock_slapd.py
@ -2,33 +2,6 @@

 from ldap3 import MOCK_SYNC, OFFLINE_SLAPD_2_4, Connection, Server

-# The mock modifies these in place, so we have to define them per string
-user_in_slapd_dn = "cn=user_in_slapd_cn,ou=users,dc=goauthentik,dc=io"
-user_in_slapd_cn = "user_in_slapd_cn"
-user_in_slapd_uid = "user_in_slapd_uid"
-user_in_slapd_object_class = "person"
-user_in_slapd = {
-    "dn": user_in_slapd_dn,
-    "attributes": {
-        "cn": user_in_slapd_cn,
-        "uid": user_in_slapd_uid,
-        "objectClass": user_in_slapd_object_class,
-    },
-}
-group_in_slapd_dn = "cn=user_in_slapd_cn,ou=groups,dc=goauthentik,dc=io"
-group_in_slapd_cn = "group_in_slapd_cn"
-group_in_slapd_uid = "group_in_slapd_uid"
-group_in_slapd_object_class = "groupOfNames"
-group_in_slapd = {
-    "dn": group_in_slapd_dn,
-    "attributes": {
-        "cn": group_in_slapd_cn,
-        "uid": group_in_slapd_uid,
-        "objectClass": group_in_slapd_object_class,
-        "member": [user_in_slapd["dn"]],
-    },
-}
-

 def mock_slapd_connection(password: str) -> Connection:
    """Create mock SLAPD connection"""
@ -123,14 +96,5 @@ def mock_slapd_connection(password: str) -> Connection:
            "objectClass": "posixAccount",
        },
    )
-    # Known user and group
-    connection.strategy.add_entry(
-        user_in_slapd["dn"],
-        user_in_slapd["attributes"],
-    )
-    connection.strategy.add_entry(
-        group_in_slapd["dn"],
-        group_in_slapd["attributes"],
-    )
    connection.bind()
    return connection
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
@ -13,26 +13,14 @@ from authentik.events.system_tasks import TaskStatus
 from authentik.lib.generators import generate_id, generate_key
 from authentik.lib.sync.outgoing.exceptions import StopSync
 from authentik.lib.utils.reflection import class_to_path
-from authentik.sources.ldap.models import (
-    GroupLDAPSourceConnection,
-    LDAPSource,
-    LDAPSourcePropertyMapping,
-    UserLDAPSourceConnection,
-)
-from authentik.sources.ldap.sync.forward_delete_users import DELETE_CHUNK_SIZE
+from authentik.sources.ldap.models import LDAPSource, LDAPSourcePropertyMapping
 from authentik.sources.ldap.sync.groups import GroupLDAPSynchronizer
 from authentik.sources.ldap.sync.membership import MembershipLDAPSynchronizer
 from authentik.sources.ldap.sync.users import UserLDAPSynchronizer
 from authentik.sources.ldap.tasks import ldap_sync, ldap_sync_all
 from authentik.sources.ldap.tests.mock_ad import mock_ad_connection
 from authentik.sources.ldap.tests.mock_freeipa import mock_freeipa_connection
-from authentik.sources.ldap.tests.mock_slapd import (
-    group_in_slapd_cn,
-    group_in_slapd_uid,
-    mock_slapd_connection,
-    user_in_slapd_cn,
-    user_in_slapd_uid,
-)
+from authentik.sources.ldap.tests.mock_slapd import mock_slapd_connection

 LDAP_PASSWORD = generate_key()

@ -269,56 +257,12 @@ class LDAPSyncTests(TestCase):
        self.source.group_membership_field = "memberUid"
        self.source.user_object_filter = "(objectClass=posixAccount)"
        self.source.group_object_filter = "(objectClass=posixGroup)"
-        self.source.user_membership_attribute = "uid"
        self.source.user_property_mappings.set(
-            [
-                *LDAPSourcePropertyMapping.objects.filter(
-                    Q(managed__startswith="goauthentik.io/sources/ldap/default")
-                    | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
-                ).all(),
-                LDAPSourcePropertyMapping.objects.create(
-                    name="name",
-                    expression='return {"attributes": {"uid": list_flatten(ldap.get("uid"))}}',
-                ),
-            ]
-        )
-        self.source.group_property_mappings.set(
            LDAPSourcePropertyMapping.objects.filter(
-                managed="goauthentik.io/sources/ldap/openldap-cn"
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
            )
        )
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            self.source.save()
-            user_sync = UserLDAPSynchronizer(self.source)
-            user_sync.sync_full()
-            group_sync = GroupLDAPSynchronizer(self.source)
-            group_sync.sync_full()
-            membership_sync = MembershipLDAPSynchronizer(self.source)
-            membership_sync.sync_full()
-            # Test if membership mapping based on memberUid works.
-            posix_group = Group.objects.filter(name="group-posix").first()
-            self.assertTrue(posix_group.users.filter(name="user-posix").exists())
-
-    def test_sync_groups_openldap_posix_group_nonstandard_membership_attribute(self):
-        """Test posix group sync"""
-        self.source.object_uniqueness_field = "cn"
-        self.source.group_membership_field = "memberUid"
-        self.source.user_object_filter = "(objectClass=posixAccount)"
-        self.source.group_object_filter = "(objectClass=posixGroup)"
-        self.source.user_membership_attribute = "cn"
-        self.source.user_property_mappings.set(
-            [
-                *LDAPSourcePropertyMapping.objects.filter(
-                    Q(managed__startswith="goauthentik.io/sources/ldap/default")
-                    | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
-                ).all(),
-                LDAPSourcePropertyMapping.objects.create(
-                    name="name",
-                    expression='return {"attributes": {"cn": list_flatten(ldap.get("cn"))}}',
-                ),
-            ]
-        )
        self.source.group_property_mappings.set(
            LDAPSourcePropertyMapping.objects.filter(
                managed="goauthentik.io/sources/ldap/openldap-cn"
@ -364,160 +308,3 @@ class LDAPSyncTests(TestCase):
        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
            ldap_sync_all.delay().get()
-
-    def test_user_deletion(self):
-        """Test user deletion"""
-        user = User.objects.create_user(username="not-in-the-source")
-        UserLDAPSourceConnection.objects.create(
-            user=user, source=self.source, identifier="not-in-the-source"
-        )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.delete_not_found_objects = True
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-        self.assertFalse(User.objects.filter(username="not-in-the-source").exists())
-
-    def test_user_deletion_still_in_source(self):
-        """Test that user is not deleted if it's still in the source"""
-        username = user_in_slapd_cn
-        identifier = user_in_slapd_uid
-        user = User.objects.create_user(username=username)
-        UserLDAPSourceConnection.objects.create(
-            user=user, source=self.source, identifier=identifier
-        )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.delete_not_found_objects = True
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-        self.assertTrue(User.objects.filter(username=username).exists())
-
-    def test_user_deletion_no_sync(self):
-        """Test that user is not deleted if sync_users is False"""
-        user = User.objects.create_user(username="not-in-the-source")
-        UserLDAPSourceConnection.objects.create(
-            user=user, source=self.source, identifier="not-in-the-source"
-        )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.delete_not_found_objects = True
-        self.source.sync_users = False
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-        self.assertTrue(User.objects.filter(username="not-in-the-source").exists())
-
-    def test_user_deletion_no_delete(self):
-        """Test that user is not deleted if delete_not_found_objects is False"""
-        user = User.objects.create_user(username="not-in-the-source")
-        UserLDAPSourceConnection.objects.create(
-            user=user, source=self.source, identifier="not-in-the-source"
-        )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-        self.assertTrue(User.objects.filter(username="not-in-the-source").exists())
-
-    def test_group_deletion(self):
-        """Test group deletion"""
-        group = Group.objects.create(name="not-in-the-source")
-        GroupLDAPSourceConnection.objects.create(
-            group=group, source=self.source, identifier="not-in-the-source"
-        )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.delete_not_found_objects = True
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-        self.assertFalse(Group.objects.filter(name="not-in-the-source").exists())
-
-    def test_group_deletion_still_in_source(self):
-        """Test that group is not deleted if it's still in the source"""
-        groupname = group_in_slapd_cn
-        identifier = group_in_slapd_uid
-        group = Group.objects.create(name=groupname)
-        GroupLDAPSourceConnection.objects.create(
-            group=group, source=self.source, identifier=identifier
-        )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.delete_not_found_objects = True
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-        self.assertTrue(Group.objects.filter(name=groupname).exists())
-
-    def test_group_deletion_no_sync(self):
-        """Test that group is not deleted if sync_groups is False"""
-        group = Group.objects.create(name="not-in-the-source")
-        GroupLDAPSourceConnection.objects.create(
-            group=group, source=self.source, identifier="not-in-the-source"
-        )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.delete_not_found_objects = True
-        self.source.sync_groups = False
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-        self.assertTrue(Group.objects.filter(name="not-in-the-source").exists())
-
-    def test_group_deletion_no_delete(self):
-        """Test that group is not deleted if delete_not_found_objects is False"""
-        group = Group.objects.create(name="not-in-the-source")
-        GroupLDAPSourceConnection.objects.create(
-            group=group, source=self.source, identifier="not-in-the-source"
-        )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-        self.assertTrue(Group.objects.filter(name="not-in-the-source").exists())
-
-    def test_batch_deletion(self):
-        """Test batch deletion"""
-        BATCH_SIZE = DELETE_CHUNK_SIZE + 1
-        for i in range(BATCH_SIZE):
-            user = User.objects.create_user(username=f"not-in-the-source-{i}")
-            group = Group.objects.create(name=f"not-in-the-source-{i}")
-            group.users.add(user)
-            UserLDAPSourceConnection.objects.create(
-                user=user, source=self.source, identifier=f"not-in-the-source-{i}-user"
-            )
-            GroupLDAPSourceConnection.objects.create(
-                group=group, source=self.source, identifier=f"not-in-the-source-{i}-group"
-            )
-        self.source.object_uniqueness_field = "uid"
-        self.source.group_object_filter = "(objectClass=groupOfNames)"
-        self.source.delete_not_found_objects = True
-        self.source.save()
-
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            ldap_sync_all.delay().get()
-
-        self.assertFalse(User.objects.filter(username__startswith="not-in-the-source").exists())
-        self.assertFalse(Group.objects.filter(name__startswith="not-in-the-source").exists())
--- a/authentik/sources/saml/views.py
+++ b/authentik/sources/saml/views.py
@ -9,7 +9,6 @@ from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404, redirect
 from django.utils.decorators import method_decorator
 from django.utils.http import urlencode
-from django.utils.translation import gettext as _
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
@ -129,9 +128,7 @@ class InitiateView(View):
        # otherwise we default to POST_AUTO, with direct redirect
        if source.binding_type == SAMLBindingTypes.POST:
            injected_stages.append(in_memory_stage(ConsentStageView))
-            plan_kwargs[PLAN_CONTEXT_CONSENT_HEADER] = _(
-                "Continue to {source_name}".format(source_name=source.name)
-            )
+            plan_kwargs[PLAN_CONTEXT_CONSENT_HEADER] = f"Continue to {source.name}"
        injected_stages.append(in_memory_stage(AutosubmitStageView))
        return self.handle_login_flow(
            source,
--- a/authentik/sources/scim/views/v2/groups.py
+++ b/authentik/sources/scim/views/v2/groups.py
@ -97,8 +97,7 @@ class GroupsView(SCIMObjectView):
                    self.logger.warning("Invalid group member", exc=exc)
                    continue
                query |= Q(uuid=member.value)
-            if query:
-                group.users.set(User.objects.filter(query))
+            group.users.set(User.objects.filter(query))
        if not connection:
            connection, _ = SCIMSourceGroup.objects.get_or_create(
                source=self.source,
--- a/authentik/stages/authenticator_validate/tests/test_webauthn.py
+++ b/authentik/stages/authenticator_validate/tests/test_webauthn.py
@ -151,7 +151,9 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            webauthn_user_verification=UserVerification.PREFERRED,
        )
        stage.webauthn_allowed_device_types.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
        )
        session = self.client.session
        plan = FlowPlan(flow_pk=flow.pk.hex)
@ -337,7 +339,9 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            device_classes=[DeviceClasses.WEBAUTHN],
        )
        stage.webauthn_allowed_device_types.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
        )
        session = self.client.session
        plan = FlowPlan(flow_pk=flow.pk.hex)
--- a/authentik/stages/authenticator_webauthn/mds/aaguid.json
+++ b/authentik/stages/authenticator_webauthn/mds/aaguid.json
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/authenticator_webauthn/tests.py
+++ b/authentik/stages/authenticator_webauthn/tests.py
@ -141,7 +141,9 @@ class TestAuthenticatorWebAuthnStage(FlowTestCase):
        """Test registration with restricted devices (fail)"""
        webauthn_mds_import.delay(force=True).get()
        self.stage.device_type_restrictions.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
        )

        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
--- a/authentik/stages/consent/stage.py
+++ b/authentik/stages/consent/stage.py
@ -4,8 +4,6 @@ from uuid import uuid4

 from django.http import HttpRequest, HttpResponse
 from django.utils.timezone import now
-from django.utils.translation import gettext as _
-from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField

 from authentik.core.api.utils import PassiveSerializer
@ -49,11 +47,6 @@ class ConsentChallengeResponse(ChallengeResponse):
    component = CharField(default="ak-stage-consent")
    token = CharField(required=True)

-    def validate_token(self, token: str):
-        if token != self.stage.executor.request.session[SESSION_KEY_CONSENT_TOKEN]:
-            raise ValidationError(_("Invalid consent token, re-showing prompt"))
-        return token
-

 class ConsentStageView(ChallengeStageView):
    """Simple consent checker."""
@ -127,6 +120,9 @@ class ConsentStageView(ChallengeStageView):
        return super().get(request, *args, **kwargs)

    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        if response.data["token"] != self.request.session[SESSION_KEY_CONSENT_TOKEN]:
+            self.logger.info("Invalid consent token, re-showing prompt")
+            return self.get(self.request)
        if self.should_always_prompt():
            return self.executor.stage_ok()
        current_stage: ConsentStage = self.executor.current_stage
--- a/authentik/stages/consent/tests.py
+++ b/authentik/stages/consent/tests.py
@ -17,7 +17,6 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.stages.consent.models import ConsentMode, ConsentStage, UserConsent
 from authentik.stages.consent.stage import (
-    PLAN_CONTEXT_CONSENT_HEADER,
    PLAN_CONTEXT_CONSENT_PERMISSIONS,
    SESSION_KEY_CONSENT_TOKEN,
 )
@ -34,40 +33,6 @@ class TestConsentStage(FlowTestCase):
            slug=generate_id(),
        )

-    def test_mismatched_token(self):
-        """Test incorrect token"""
-        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-        stage = ConsentStage.objects.create(name=generate_id(), mode=ConsentMode.ALWAYS_REQUIRE)
-        binding = FlowStageBinding.objects.create(target=flow, stage=stage, order=2)
-
-        plan = FlowPlan(flow_pk=flow.pk.hex, bindings=[binding], markers=[StageMarker()])
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        self.assertEqual(response.status_code, 200)
-
-        session = self.client.session
-        response = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-            {
-                "token": generate_id(),
-            },
-        )
-
-        self.assertEqual(response.status_code, 200)
-        self.assertStageResponse(
-            response,
-            flow,
-            component="ak-stage-consent",
-            response_errors={
-                "token": [{"string": "Invalid consent token, re-showing prompt", "code": "invalid"}]
-            },
-        )
-        self.assertFalse(UserConsent.objects.filter(user=self.user).exists())
-
    def test_always_required(self):
        """Test always required consent"""
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
@ -193,7 +158,6 @@ class TestConsentStage(FlowTestCase):
            context={
                PLAN_CONTEXT_APPLICATION: self.application,
                PLAN_CONTEXT_CONSENT_PERMISSIONS: [PermissionDict(id="foo", name="foo-desc")],
-                PLAN_CONTEXT_CONSENT_HEADER: "test header",
            },
        )
        session = self.client.session
--- a/authentik/stages/email/flow.py
+++ b/authentik/stages/email/flow.py
@ -1,38 +0,0 @@
-from base64 import b64encode
-from copy import deepcopy
-from pickle import dumps  # nosec
-
-from django.utils.translation import gettext as _
-
-from authentik.flows.models import FlowToken, in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, FlowPlan
-from authentik.stages.consent.stage import PLAN_CONTEXT_CONSENT_HEADER, ConsentStageView
-
-
-def pickle_flow_token_for_email(plan: FlowPlan):
-    """Insert a consent stage into the flow plan and pickle it for a FlowToken,
-    to be sent via Email. This is to prevent automated email scanners, which sometimes
-    open links in emails in a full browser from breaking the link."""
-    plan_copy = deepcopy(plan)
-    plan_copy.insert_stage(in_memory_stage(EmailTokenRevocationConsentStageView), index=0)
-    plan_copy.context[PLAN_CONTEXT_CONSENT_HEADER] = _("Continue to confirm this email address.")
-    data = dumps(plan_copy)
-    return b64encode(data).decode()
-
-
-class EmailTokenRevocationConsentStageView(ConsentStageView):
-
-    def get(self, request, *args, **kwargs):
-        token: FlowToken = self.executor.plan.context[PLAN_CONTEXT_IS_RESTORED]
-        try:
-            token.refresh_from_db()
-        except FlowToken.DoesNotExist:
-            return self.executor.stage_invalid(
-                _("Link was already used, please request a new link.")
-            )
-        return super().get(request, *args, **kwargs)
-
-    def challenge_valid(self, response):
-        token: FlowToken = self.executor.plan.context[PLAN_CONTEXT_IS_RESTORED]
-        token.delete()
-        return super().challenge_valid(response)
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@ -23,7 +23,6 @@ from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import QS_KEY_TOKEN, QS_QUERY
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.stages.email.flow import pickle_flow_token_for_email
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -87,8 +86,7 @@ class EmailStageView(ChallengeStageView):
                user=pending_user,
                identifier=identifier,
                flow=self.executor.flow,
-                _plan=pickle_flow_token_for_email(self.executor.plan),
-                revoke_on_execution=False,
+                _plan=FlowToken.pickle(self.executor.plan),
            )
        token = tokens.first()
        # Check if token is expired and rotate key if so
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@ -100,11 +100,9 @@ def send_mail(
        # Because we use the Message-ID as UID for the task, manually assign it
        message_object.extra_headers["Message-ID"] = message_id

-        # Add the logo if it is used in the email body (we can't add it in the
-        # previous message since MIMEImage can't be converted to json)
-        body = get_email_body(message_object)
-        if "cid:logo" in body:
-            message_object.attach(logo_data())
+        # Add the logo (we can't add it in the previous message since MIMEImage
+        # can't be converted to json)
+        message_object.attach(logo_data())

        if (
            message_object.to
--- a/authentik/stages/email/templates/email/base.html
+++ b/authentik/stages/email/templates/email/base.html
@ -96,7 +96,7 @@
                <table width="100%" style="background-color: #FFFFFF; border-spacing: 0; margin-top: 15px;">
                  <tr height="80">
                    <td align="center" style="padding: 20px 0;">
-                      <img src="{% block logo_url %}cid:logo{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
+                      <img src="{% block logo_url %}cid:logo.png{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
                    </td>
                  </tr>
                  {% block content %}
--- a/authentik/stages/email/tests/test_sending.py
+++ b/authentik/stages/email/tests/test_sending.py
@ -174,5 +174,5 @@ class TestEmailStageSending(FlowTestCase):
                response = self.client.post(url)
            response = self.client.post(url)
            self.assertEqual(response.status_code, 200)
-            self.assertGreaterEqual(len(mail.outbox), 1)
+            self.assertTrue(len(mail.outbox) >= 1)
            self.assertEqual(mail.outbox[0].subject, "authentik")
--- a/authentik/stages/email/tests/test_stage.py
+++ b/authentik/stages/email/tests/test_stage.py
@ -17,7 +17,6 @@ from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import QS_KEY_TOKEN, SESSION_KEY_PLAN, FlowExecutorView
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
-from authentik.stages.consent.stage import SESSION_KEY_CONSENT_TOKEN
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.stage import PLAN_CONTEXT_EMAIL_OVERRIDE, EmailStageView

@ -161,17 +160,6 @@ class TestEmailStage(FlowTestCase):
                    kwargs={"flow_slug": self.flow.slug},
                )
            )
-            self.assertStageResponse(response, self.flow, component="ak-stage-consent")
-            response = self.client.post(
-                reverse(
-                    "authentik_api:flow-executor",
-                    kwargs={"flow_slug": self.flow.slug},
-                ),
-                data={
-                    "token": self.client.session[SESSION_KEY_CONSENT_TOKEN],
-                },
-                follow=True,
-            )

            self.assertEqual(response.status_code, 200)
            self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
@ -194,7 +182,6 @@ class TestEmailStage(FlowTestCase):
        # Set flow token user to a different user
        token: FlowToken = FlowToken.objects.get(user=self.user)
        token.user = create_test_admin_user()
-        token.revoke_on_execution = True
        token.save()

        with patch("authentik.flows.views.executor.FlowExecutorView.cancel", MagicMock()):
--- a/authentik/stages/email/utils.py
+++ b/authentik/stages/email/utils.py
@ -19,8 +19,7 @@ def logo_data() -> MIMEImage:
        path = Path("web/dist/assets/icons/icon_left_brand.png")
    with open(path, "rb") as _logo_file:
        logo = MIMEImage(_logo_file.read())
-    logo.add_header("Content-ID", "<logo>")
-    logo.add_header("Content-Disposition", "inline", filename="logo.png")
+    logo.add_header("Content-ID", "logo.png")
    return logo


--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@ -11,7 +11,7 @@ from rest_framework.fields import BooleanField, CharField
 from authentik.core.models import Session, User
 from authentik.events.middleware import audit_ignore
 from authentik.flows.challenge import ChallengeResponse, WithUserInfoChallenge
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.root.middleware import ClientIPMiddleware
@ -108,6 +108,10 @@ class UserLoginStageView(ChallengeStageView):
            flow_slug=self.executor.flow.slug,
            session_duration=delta,
        )
+        # Only show success message if we don't have a source in the flow
+        # as sources show their own success messages
+        if not self.executor.plan.context.get(PLAN_CONTEXT_SOURCE, None):
+            messages.success(self.request, _("Successfully logged in!"))
        if self.executor.current_stage.terminate_other_sessions:
            Session.objects.filter(
                authenticatedsession__user=user,
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.6.2 Blueprint schema",
+    "title": "authentik 2025.4.1 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -8147,12 +8147,6 @@
                    "title": "Group membership field",
                    "description": "Field which contains members of a group."
                },
-                "user_membership_attribute": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "User membership attribute",
-                    "description": "Attribute which matches the value of `group_membership_field`."
-                },
                "object_uniqueness_field": {
                    "type": "string",
                    "minLength": 1,
@ -8186,11 +8180,6 @@
                    "type": "boolean",
                    "title": "Lookup groups from user",
                    "description": "Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory"
-                },
-                "delete_not_found_objects": {
-                    "type": "boolean",
-                    "title": "Delete not found objects",
-                    "description": "Delete authentik users and groups which were previously supplied by this source, but are now missing from it."
                }
            },
            "required": []
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
    restart: unless-stopped
    command: worker
    environment:
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@ -0,0 +1,10 @@
+import { createESLintPackageConfig } from "@goauthentik/eslint-config";
+
+// @ts-check
+
+/**
+ * ESLint configuration for authentik's monorepo.
+ */
+const ESLintConfig = createESLintPackageConfig();
+
+export default ESLintConfig;
--- a/go.mod
+++ b/go.mod
@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025041.4
+	goauthentik.io/api/v3 v3.2025041.2
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.14.0
--- a/go.sum
+++ b/go.sum
@ -290,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025041.4 h1:cGqzWYnUHrWDoaXWDpIL/kWnX9sFrIhkYDye0P0OEAo=
-goauthentik.io/api/v3 v3.2025041.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025041.2 h1:vFYYnhcDcxL95RczZwhzt3i4LptFXMvIRN+vgf8sQYg=
+goauthentik.io/api/v3 v3.2025041.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2025.6.2"
+const VERSION = "2025.4.1"
--- a/internal/outpost/ldap/bind/memory/memory.go
+++ b/internal/outpost/ldap/bind/memory/memory.go
@ -28,18 +28,16 @@ func NewSessionBinder(si server.LDAPServerInstance, oldBinder bind.Binder) *Sess
 		si:  si,
 		log: log.WithField("logger", "authentik.outpost.ldap.binder.session"),
 	}
-	if oldBinder != nil {
-		if oldSb, ok := oldBinder.(*SessionBinder); ok {
-			sb.DirectBinder = oldSb.DirectBinder
-			sb.sessions = oldSb.sessions
-			sb.log.Debug("re-initialised session binder")
-			return sb
-		}
+	if oldSb, ok := oldBinder.(*SessionBinder); ok {
+		sb.DirectBinder = oldSb.DirectBinder
+		sb.sessions = oldSb.sessions
+		sb.log.Debug("re-initialised session binder")
+	} else {
+		sb.sessions = ttlcache.New(ttlcache.WithDisableTouchOnHit[Credentials, ldap.LDAPResultCode]())
+		sb.DirectBinder = *direct.NewDirectBinder(si)
+		go sb.sessions.Start()
+		sb.log.Debug("initialised session binder")
 	}
-	sb.sessions = ttlcache.New(ttlcache.WithDisableTouchOnHit[Credentials, ldap.LDAPResultCode]())
-	sb.DirectBinder = *direct.NewDirectBinder(si)
-	go sb.sessions.Start()
-	sb.log.Debug("initialised session binder")
 	return sb
 }

--- a/internal/outpost/ldap/refresh.go
+++ b/internal/outpost/ldap/refresh.go
@ -16,7 +16,6 @@ import (
 	memorybind "goauthentik.io/internal/outpost/ldap/bind/memory"
 	"goauthentik.io/internal/outpost/ldap/constants"
 	"goauthentik.io/internal/outpost/ldap/flags"
-	"goauthentik.io/internal/outpost/ldap/search"
 	directsearch "goauthentik.io/internal/outpost/ldap/search/direct"
 	memorysearch "goauthentik.io/internal/outpost/ldap/search/memory"
 )
@ -86,11 +85,7 @@ func (ls *LDAPServer) Refresh() error {
 			providers[idx].certUUID = *kp
 		}
 		if *provider.SearchMode.Ptr() == api.LDAPAPIACCESSMODE_CACHED {
-			var oldSearcher search.Searcher
-			if existing != nil {
-				oldSearcher = existing.searcher
-			}
-			providers[idx].searcher = memorysearch.NewMemorySearcher(providers[idx], oldSearcher)
+			providers[idx].searcher = memorysearch.NewMemorySearcher(providers[idx])
 		} else if *provider.SearchMode.Ptr() == api.LDAPAPIACCESSMODE_DIRECT {
 			providers[idx].searcher = directsearch.NewDirectSearcher(providers[idx])
 		}
--- a/internal/outpost/ldap/search/memory/memory.go
+++ b/internal/outpost/ldap/search/memory/memory.go
@ -31,26 +31,13 @@ type MemorySearcher struct {
 	groups []api.Group
 }

-func NewMemorySearcher(si server.LDAPServerInstance, existing search.Searcher) *MemorySearcher {
+func NewMemorySearcher(si server.LDAPServerInstance) *MemorySearcher {
 	ms := &MemorySearcher{
 		si:  si,
 		log: log.WithField("logger", "authentik.outpost.ldap.searcher.memory"),
 		ds:  direct.NewDirectSearcher(si),
 	}
-	if existing != nil {
-		if ems, ok := existing.(*MemorySearcher); ok {
-			ems.si = si
-			ems.fetch()
-			ems.log.Debug("re-initialised memory searcher")
-			return ems
-		}
-	}
-	ms.fetch()
 	ms.log.Debug("initialised memory searcher")
-	return ms
-}
-
-func (ms *MemorySearcher) fetch() {
 	// Error is not handled here, we get an empty/truncated list and the error is logged
 	users, _ := ak.Paginator(ms.si.GetAPIClient().CoreApi.CoreUsersList(context.TODO()).IncludeGroups(true), ak.PaginatorOptions{
 		PageSize: 100,
@ -62,6 +49,7 @@ func (ms *MemorySearcher) fetch() {
 		Logger:   ms.log,
 	})
 	ms.groups = groups
+	return ms
 }

 func (ms *MemorySearcher) SearchBase(req *search.Request) (ldap.ServerSearchResult, error) {
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -5,7 +5,6 @@ import (
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/gob"
-	"encoding/hex"
 	"fmt"
 	"html/template"
 	"net/http"
@ -119,8 +118,8 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 	mux := mux.NewRouter()

 	// Save cookie name, based on hashed client ID
-	hs := sha256.Sum256([]byte(*p.ClientId))
-	bs := hex.EncodeToString(hs[:])
+	h := sha256.New()
+	bs := string(h.Sum([]byte(*p.ClientId)))
 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])

 	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
--- a/internal/outpost/proxyv2/application/claims.go
+++ b/internal/outpost/proxyv2/application/claims.go
@ -3,7 +3,6 @@ package application
 type ProxyClaims struct {
 	UserAttributes  map[string]interface{} `json:"user_attributes"`
 	BackendOverride string                 `json:"backend_override"`
-	HostHeader      string                 `json:"host_header"`
 	IsSuperuser     bool                   `json:"is_superuser"`
 }

--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@ -74,18 +74,13 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 		r.URL.Scheme = ou.Scheme
 		r.URL.Host = ou.Host
 		claims := a.getClaimsFromSession(r)
-		if claims != nil && claims.Proxy != nil {
-			if claims.Proxy.BackendOverride != "" {
-				u, err := url.Parse(claims.Proxy.BackendOverride)
-				if err != nil {
-					a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
-				} else {
-					r.URL.Scheme = u.Scheme
-					r.URL.Host = u.Host
-				}
-			}
-			if claims.Proxy.HostHeader != "" {
-				r.Host = claims.Proxy.HostHeader
+		if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
+			u, err := url.Parse(claims.Proxy.BackendOverride)
+			if err != nil {
+				a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
+			} else {
+				r.URL.Scheme = u.Scheme
+				r.URL.Host = u.Host
 			}
 		}
 		a.log.WithField("upstream_url", r.URL.String()).Trace("final upstream url")
--- a/internal/outpost/radius/handler.go
+++ b/internal/outpost/radius/handler.go
@ -2,7 +2,6 @@ package radius

 import (
 	"crypto/sha512"
-	"encoding/hex"
 	"time"

 	"github.com/getsentry/sentry-go"
@ -69,9 +68,7 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 		}
 	}
 	if pi == nil {
-		hs := sha512.Sum512([]byte(r.Secret))
-		bs := hex.EncodeToString(hs[:])
-		nr.Log().WithField("hashed_secret", bs).Warning("No provider found")
+		nr.Log().WithField("hashed_secret", string(sha512.New().Sum(r.Secret))).Warning("No provider found")
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
--- a/internal/web/static.go
+++ b/internal/web/static.go
@ -67,15 +67,11 @@ func (ws *WebServer) configureStatic() {

 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
-		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
-		indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/media/").Handler(pathStripper(
-			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
-				fsMedia.ServeHTTP(w, r)
-			}),
-			"media/",
-			config.Get().Web.Path,
-		))
+		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
+		indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+			fsMedia.ServeHTTP(w, r)
+		})
 	}

 	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/help/").Handler(pathStripper(
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.6.2
+    Default: 2025.4.1
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/locale/de/LC_MESSAGES/django.mo
+++ b/locale/de/LC_MESSAGES/django.mo
--- a/locale/de/LC_MESSAGES/django.po
+++ b/locale/de/LC_MESSAGES/django.po
@ -32,17 +32,15 @@
 # datenschmutz, 2025
 # 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2025
 # Dominic Wagner <mail@dominic-wagner.de>, 2025
-# Till-Frederik Riechard, 2025
-# Alexander Mnich, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Alexander Mnich, 2025\n"
+"Last-Translator: Dominic Wagner <mail@dominic-wagner.de>, 2025\n"
 "Language-Team: German (https://app.transifex.com/authentik/teams/119923/de/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -134,10 +132,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Vom Authentik-Core-Webserver verwendetes Zertifikat."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Marke"
@ -411,7 +405,7 @@ msgstr "Eigenschaften"

 #: authentik/core/models.py
 msgid "session data"
-msgstr "Sitzungsdaten"
+msgstr ""

 #: authentik/core/models.py
 msgid "Session"
@ -539,7 +533,7 @@ msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
-msgstr "Anzahl Passwörter, gegen die geprüft wird."
+msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
@ -549,20 +543,18 @@ msgstr "Passwort nicht im Kontext festgelegt"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
-"Dieses Passwort wurde in Vergangenheit bereits verwendet. Bitte nutzen Sie "
-"ein anderes."

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
-msgstr "Passwort-Einzigartigkeits-Richtlinie"
+msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
-msgstr "Passwort-Einzigartigkeits-Richtlinien"
+msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
-msgstr "Nutzer-Passwort-Historie"
+msgstr ""

 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@ -701,33 +693,6 @@ msgstr "Endgeräte"
 msgid "Verifying your browser..."
 msgstr "Verifiziere deinen Browser..."

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1023,7 +988,7 @@ msgstr ""

 #: authentik/flows/models.py
 msgid "Evaluate policies when the Stage is presented to the user."
-msgstr "Richtlinien auswerten, wenn die Phase dem Benutzer angezeigt wird."
+msgstr ""

 #: authentik/flows/models.py
 msgid ""
@ -1078,12 +1043,9 @@ msgid "Starting full provider sync"
 msgstr "Starte komplette Provider Synchronisation."

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
-msgstr ""
+#, python-brace-format
+msgid "Syncing page {page} of users"
+msgstr "Synchonisiere Benutzer Seite {page}"

 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -1631,11 +1593,11 @@ msgstr "ES256 (Asymmetrische Verschlüsselung)"

 #: authentik/providers/oauth2/models.py
 msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384 (Asymmetrische Verschlüsselung)"
+msgstr ""

 #: authentik/providers/oauth2/models.py
 msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES5122 (Asymmetrische Verschlüsselung)"
+msgstr ""

 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
@ -2221,11 +2183,11 @@ msgstr "Standard"

 #: authentik/providers/scim/models.py
 msgid "AWS"
-msgstr "AWS"
+msgstr ""

 #: authentik/providers/scim/models.py
 msgid "Slack"
-msgstr "Slack"
+msgstr ""

 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
@ -2237,7 +2199,7 @@ msgstr "Authentifizierungstoken"

 #: authentik/providers/scim/models.py
 msgid "SCIM Compatibility Mode"
-msgstr "SCIM Kompatibilitätsmodus"
+msgstr ""

 #: authentik/providers/scim/models.py
 msgid "Alter authentik behavior for vendor-specific SCIM implementations."
@ -2269,7 +2231,7 @@ msgstr "Rollen"

 #: authentik/rbac/models.py
 msgid "Initial Permissions"
-msgstr "Initiale Berechtigungen"
+msgstr ""

 #: authentik/rbac/models.py
 msgid "System permission"
@ -2525,12 +2487,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP Quelle"
@ -2548,25 +2504,20 @@ msgid "LDAP Source Property Mappings"
 msgstr "LDAP Quelle Eigenschafts-Zuordnungen"

 #: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
+msgid "User LDAP Source Connection"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid "User LDAP Source Connection"
-msgstr "Benutzer LDAP-Quellverbindung"
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
-msgstr "Benutzer LDAP-Quellverbindungen"
+msgstr ""

 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
-msgstr "LDAP Gruppen Quellverbindung"
+msgstr ""

 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
-msgstr "LDAP Gruppen Quellverbindungen"
+msgstr ""

 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
@ -2579,7 +2530,7 @@ msgstr "Kein Token empfangen."

 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
-msgstr "HTTP Basic Authentifizierung"
+msgstr ""

 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
@ -2945,11 +2896,6 @@ msgstr "SAML Gruppen Quellverbindung"
 msgid "Group SAML Source Connections"
 msgstr "SAML Gruppen Quellverbindungen"

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM Quelle"
@ -2984,7 +2930,7 @@ msgstr "Duo Geräte"

 #: authentik/stages/authenticator_email/models.py
 msgid "Email OTP"
-msgstr "E-Mail Einmalpasswort"
+msgstr ""

 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/email/models.py
@ -3017,11 +2963,11 @@ msgstr "Beim Rendern der E-Mail-Vorlage ist ein Fehler aufgetreten"

 #: authentik/stages/authenticator_email/models.py
 msgid "Email Device"
-msgstr "E-Mail Gerät"
+msgstr ""

 #: authentik/stages/authenticator_email/models.py
 msgid "Email Devices"
-msgstr "E-Mail Geräte"
+msgstr ""

 #: authentik/stages/authenticator_email/stage.py
 #: authentik/stages/authenticator_sms/stage.py
@ -3031,7 +2977,7 @@ msgstr "Code stimmt nicht überein"

 #: authentik/stages/authenticator_email/stage.py
 msgid "Invalid email"
-msgstr "Ungültige E-Mail"
+msgstr ""

 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #: authentik/stages/email/templates/email/password_reset.html
@ -3327,10 +3273,6 @@ msgstr "Zustimmung der Benutzer"
 msgid "User Consents"
 msgstr "Zustimmungen der Benutzer"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Verweigerungsstufe"
@ -3347,14 +3289,6 @@ msgstr "Dummy Stufe"
 msgid "Dummy Stages"
 msgstr "Dummy Stufen"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Passwort zurücksetzen"
@ -3956,11 +3890,10 @@ msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
-"Reputation kann nicht niedriger als dieser Wert sein. Null oder negativ."

 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
-msgstr "Reputation kann nicht höher als dieser Wert sein. Null oder positiv."
+msgstr ""

 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-02 00:12+0000\n"
+"POT-Creation-Date: 2025-05-20 00:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -961,11 +961,8 @@ msgid "Starting full provider sync"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
+#, python-brace-format
+msgid "Syncing page {page} of users"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
@ -2226,10 +2223,6 @@ msgstr ""
 msgid "Consider Objects matching this filter to be Users."
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid "Attribute which matches the value of `group_membership_field`."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr ""
@ -2259,12 +2252,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr ""
@ -2281,11 +2268,6 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@ -2657,11 +2639,6 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr ""
@ -3017,10 +2994,6 @@ msgstr ""
 msgid "User Consents"
 msgstr ""

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr ""
@ -3037,14 +3010,6 @@ msgstr ""
 msgid "Dummy Stages"
 msgstr ""

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr ""
@ -3497,6 +3462,10 @@ msgstr ""
 msgid "No Pending user to login."
 msgstr ""

+#: authentik/stages/user_login/stage.py
+msgid "Successfully logged in!"
+msgstr ""
+
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr ""
--- a/locale/es/LC_MESSAGES/django.mo
+++ b/locale/es/LC_MESSAGES/django.mo
--- a/locale/es/LC_MESSAGES/django.po
+++ b/locale/es/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
@ -109,10 +109,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Certificado Web usado por el servidor web Core de authentik"

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Marca"
@ -675,33 +671,6 @@ msgstr "Dispositivos de Punto de Conexión"
 msgid "Verifying your browser..."
 msgstr "Verificando tu navegador..."

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1040,12 +1009,9 @@ msgid "Starting full provider sync"
 msgstr "Iniciando sincronización completa de proveedor"

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
-msgstr ""
+#, python-brace-format
+msgid "Syncing page {page} of users"
+msgstr "Sincronizando página {page} de usuarios"

 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -2486,12 +2452,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Fuente de LDAP"
@ -2508,11 +2468,6 @@ msgstr "Asignación de Propiedades de Fuente de LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Asignaciones de Propiedades de Fuente de LDAP"

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@ -2904,11 +2859,6 @@ msgstr "Conexión de Fuente de SAML de Grupo"
 msgid "Group SAML Source Connections"
 msgstr "Conexiones de Fuente de SAML de Grupo"

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Fuente de SCIM"
@ -3295,10 +3245,6 @@ msgstr "Consentimiento del usuario"
 msgid "User Consents"
 msgstr "Consentimientos del usuario"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Etapa de denegación"
@ -3315,14 +3261,6 @@ msgstr "Escenario ficticio"
 msgid "Dummy Stages"
 msgstr "Etapas ficticias"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Restablecimiento de contraseña"
--- a/locale/fi/LC_MESSAGES/django.mo
+++ b/locale/fi/LC_MESSAGES/django.mo
--- a/locale/fi/LC_MESSAGES/django.po
+++ b/locale/fi/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Ville Ranki, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/authentik/teams/119923/fi/)\n"
@ -106,10 +106,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Web-sertifikaatti, jota authentik Core -verkkopalvelin käyttää."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Brändi"
@ -662,33 +658,6 @@ msgstr "Päätelaitteet"
 msgid "Verifying your browser..."
 msgstr "Selaintasi varmennetaan..."

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1027,12 +996,9 @@ msgid "Starting full provider sync"
 msgstr "Käynnistetään palveluntarjoajan täysi synkronisointi"

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
-msgstr ""
+#, python-brace-format
+msgid "Syncing page {page} of users"
+msgstr "Synkronoidaan käyttäjien sivua {page}"

 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -2463,12 +2429,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP-lähde"
@ -2485,11 +2445,6 @@ msgstr "LDAP-lähteen ominaisuuskytkentä"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP-lähteen ominaisuuskytkennät"

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@ -2882,11 +2837,6 @@ msgstr "Ryhmän SAML-lähteen yhteys"
 msgid "Group SAML Source Connections"
 msgstr "Ryhmän SAML-lähteen yhteydet"

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM-lähde"
@ -3266,10 +3216,6 @@ msgstr "Käyttäjän hyväksyntä"
 msgid "User Consents"
 msgstr "Käyttäjän hyväksynnät"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Kieltovaihe"
@ -3286,14 +3232,6 @@ msgstr "Valevaihe"
 msgid "Dummy Stages"
 msgstr "Valevaiheet"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Salasanan nollaus"
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-05-20 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@ -1056,12 +1056,9 @@ msgid "Starting full provider sync"
 msgstr "Démarrage d'une synchronisation complète du fournisseur"

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr "Synchronisation des utilisateurs"
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
-msgstr "Synchronisation des groupes"
+#, python-brace-format
+msgid "Syncing page {page} of users"
+msgstr "Synchronisation de la page {page} d'utilisateurs"

 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -2511,14 +2508,6 @@ msgstr ""
 "plutôt que sur un attribut de groupe. Cela permet la résolution des groupes "
 "imbriqués sur des systèmes tels que FreeIPA et Active Directory."

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-"Supprimer les utilisateurs et les groupes authentik qui étaient auparavant "
-"fournis par cette source, mais qui en sont maintenant absents."
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Source LDAP"
@ -2535,13 +2524,6 @@ msgstr "Mappage de propriété source LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mappages de propriété source LDAP"

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-"ID unique utilisé pour vérifier si cet objet existe toujours dans le "
-"répertoire."
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr "Connexion de l'utilisateur à la source LDAP"
@ -2936,11 +2918,6 @@ msgstr "Connexion du groupe à la source SAML"
 msgid "Group SAML Source Connections"
 msgstr "Connexions du groupe à la source SAML"

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr "Continuer vers {source_name}"
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Source SCIM"
@ -3331,10 +3308,6 @@ msgstr "Consentement Utilisateur"
 msgid "User Consents"
 msgstr "Consentements Utilisateur"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr "Jeton de consentement invalide, réaffichage de l'invite"
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Étape de Refus"
@ -3351,14 +3324,6 @@ msgstr "Étape factice"
 msgid "Dummy Stages"
 msgstr "Étapes factices"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr "Continuer pour confirmer cette adresse courriel."
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr "Ce lien a déjà été utilisé, veuillez en demander un nouveau."
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Réinitialiser le Mot de Passe"
--- a/locale/it/LC_MESSAGES/django.po
+++ b/locale/it/LC_MESSAGES/django.po
@ -20,7 +20,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
@ -114,10 +114,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Certificato Web utilizzato dal server Web authentik Core."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Brand"
@ -676,33 +672,6 @@ msgstr "Dispositivi di Accesso"
 msgid "Verifying your browser..."
 msgstr "Verifica del tuo browser..."

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1049,12 +1018,9 @@ msgid "Starting full provider sync"
 msgstr "Avvio della sincronizzazione completa del provider"

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
-msgstr ""
+#, python-brace-format
+msgid "Syncing page {page} of users"
+msgstr "Sincronizzando pagina {page} degli utenti"

 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -2497,12 +2463,6 @@ msgstr ""
 "attributo di gruppo. Questo consente la risoluzione di gruppi nidificati su "
 "sistemi come FreeIPA e Active Directory."

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Sorgente LDAP"
@ -2519,11 +2479,6 @@ msgstr "Mappatura delle proprietà sorgente LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mappature delle proprietà della sorgente LDAP"

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr "Connessione Sorgente LDAP Utente"
@ -2917,11 +2872,6 @@ msgstr "Connessione sorgente SAML di gruppo"
 msgid "Group SAML Source Connections"
 msgstr "Connessioni sorgente SAML di gruppo"

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Sorgente SCIM"
@ -3319,10 +3269,6 @@ msgstr "Consenso utente"
 msgid "User Consents"
 msgstr "Consensi utente"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Fase di negazione"
@ -3339,14 +3285,6 @@ msgstr "Fase fittizia"
 msgid "Dummy Stages"
 msgstr "Fasi fittizie"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Ripristino password"
--- a/locale/ko/LC_MESSAGES/django.po
+++ b/locale/ko/LC_MESSAGES/django.po
@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: NavyStack, 2023\n"
 "Language-Team: Korean (https://app.transifex.com/authentik/teams/119923/ko/)\n"
@ -99,10 +99,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Authentik Core 웹서버에서 사용하는 웹 인증서."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr ""
@ -629,33 +625,6 @@ msgstr ""
 msgid "Verifying your browser..."
 msgstr ""

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -977,11 +946,8 @@ msgid "Starting full provider sync"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
+#, python-brace-format
+msgid "Syncing page {page} of users"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
@ -2297,12 +2263,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP 소스"
@ -2319,11 +2279,6 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@ -2702,11 +2657,6 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr ""
@ -3067,10 +3017,6 @@ msgstr "사용자 동의"
 msgid "User Consents"
 msgstr "사용자 동의"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "거부 스테이지"
@ -3087,14 +3033,6 @@ msgstr "더미 스테이지"
 msgid "Dummy Stages"
 msgstr "더미 스테이지"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "비밀번호 초기화"
--- a/locale/nl/LC_MESSAGES/django.mo
+++ b/locale/nl/LC_MESSAGES/django.mo
--- a/locale/nl/LC_MESSAGES/django.po
+++ b/locale/nl/LC_MESSAGES/django.po
@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Dany Sluijk, 2025\n"
 "Language-Team: Dutch (https://app.transifex.com/authentik/teams/119923/nl/)\n"
@ -113,10 +113,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Webcertificaat gebruikt door de authentik Core-webserver."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Merk"
@ -195,7 +191,6 @@ msgid "User's display name."
 msgstr "Weergavenaam van de gebruiker."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
-#: authentik/rbac/models.py
 msgid "User"
 msgstr "Gebruiker"

@ -384,18 +379,6 @@ msgstr "Eigenschapskoppeling"
 msgid "Property Mappings"
 msgstr "Eigenschapskoppelingen"

-#: authentik/core/models.py
-msgid "session data"
-msgstr ""
-
-#: authentik/core/models.py
-msgid "Session"
-msgstr "Sessie"
-
-#: authentik/core/models.py
-msgid "Sessions"
-msgstr "Sessies"
-
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Geauthenticeerde Sessie"
@ -503,38 +486,6 @@ msgstr "Licentie Gebruik"
 msgid "License Usage Records"
 msgstr "Licentie Gebruik Records"

-#: authentik/enterprise/policies/unique_password/models.py
-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Veldsleutel om te controleren, veldsleutels gedefinieerd in Prompt-stadia "
-"zijn beschikbaar."
-
-#: authentik/enterprise/policies/unique_password/models.py
-msgid "Number of passwords to check against."
-msgstr ""
-
-#: authentik/enterprise/policies/unique_password/models.py
-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Wachtwoord niet ingesteld in context"
-
-#: authentik/enterprise/policies/unique_password/models.py
-msgid "This password has been used previously. Please choose a different one."
-msgstr ""
-
-#: authentik/enterprise/policies/unique_password/models.py
-msgid "Password Uniqueness Policy"
-msgstr ""
-
-#: authentik/enterprise/policies/unique_password/models.py
-msgid "Password Uniqueness Policies"
-msgstr ""
-
-#: authentik/enterprise/policies/unique_password/models.py
-msgid "User Password History"
-msgstr ""
-
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Enterprise benodigd voor toegang tot deze functie."
@ -671,33 +622,6 @@ msgstr ""
 msgid "Verifying your browser..."
 msgstr "Uw browser wordt geverifieerd..."

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1039,11 +963,8 @@ msgid "Starting full provider sync"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
+#, python-brace-format
+msgid "Syncing page {page} of users"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
@ -1344,6 +1265,12 @@ msgstr ""
 msgid "Clear Policy's cache metrics"
 msgstr ""

+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Veldsleutel om te controleren, veldsleutels gedefinieerd in Prompt-stadia "
+"zijn beschikbaar."
+
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Hoe vaak het wachtwoordhash op haveibeenpwned mag voorkomen"
@ -1355,6 +1282,10 @@ msgstr ""
 "Als de zxcvbn-score gelijk is aan of lager is dan deze waarde, zal het "
 "beleid falen."

+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Wachtwoord niet ingesteld in context"
+
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1396,6 +1327,20 @@ msgstr "Reputatie Score"
 msgid "Reputation Scores"
 msgstr "Reputatie Scores"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr ""
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Toestemming geweigerd"
@ -2215,10 +2160,6 @@ msgstr ""
 msgid "Roles"
 msgstr ""

-#: authentik/rbac/models.py
-msgid "Initial Permissions"
-msgstr ""
-
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr ""
@ -2451,12 +2392,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP-bron"
@ -2473,27 +2408,6 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
-#: authentik/sources/ldap/models.py
-msgid "User LDAP Source Connection"
-msgstr ""
-
-#: authentik/sources/ldap/models.py
-msgid "User LDAP Source Connections"
-msgstr ""
-
-#: authentik/sources/ldap/models.py
-msgid "Group LDAP Source Connection"
-msgstr ""
-
-#: authentik/sources/ldap/models.py
-msgid "Group LDAP Source Connections"
-msgstr ""
-
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr ""
@ -2503,14 +2417,6 @@ msgstr ""
 msgid "No token received."
 msgstr "Geen token ontvangen."

-#: authentik/sources/oauth/models.py
-msgid "HTTP Basic Authentication"
-msgstr ""
-
-#: authentik/sources/oauth/models.py
-msgid "Include the client ID and secret as request parameters"
-msgstr ""
-
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL voor aanvragen van token"
@ -2552,12 +2458,6 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr "Aanvullende scopes"

-#: authentik/sources/oauth/models.py
-msgid ""
-"How to perform authentication during an authorization_code token request "
-"flow"
-msgstr ""
-
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth-bron"
@ -2869,11 +2769,6 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr ""
@ -3247,10 +3142,6 @@ msgstr "Gebruikerstoestemming"
 msgid "User Consents"
 msgstr "Gebruikersinstemmingen"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Weigerfase"
@ -3267,14 +3158,6 @@ msgstr "Dummystadium"
 msgid "Dummy Stages"
 msgstr "Dummystadia"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Wachtwoordherstel"
@ -3474,12 +3357,6 @@ msgstr ""
 "Wanneer ingeschakeld, slaagt de stap en gaat verder wanneer ongeldige "
 "gebruikersgegevens zijn ingevoerd."

-#: authentik/stages/identification/models.py
-msgid ""
-"Show the user the 'Remember me on this device' toggle, allowing repeat users"
-" to skip straight to entering their password."
-msgstr ""
-
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optionele inschrijvingsflow, die onderaan de pagina is gekoppeld."
@ -3865,14 +3742,6 @@ msgstr ""
 "Gebeurtenissen worden verwijderd na deze duur. (Indeling: "
 "weken=3;dagen=2;uren=3;seconden=2)."

-#: authentik/tenants/models.py
-msgid "Reputation cannot decrease lower than this value. Zero or negative."
-msgstr ""
-
-#: authentik/tenants/models.py
-msgid "Reputation cannot increase higher than this value. Zero or positive."
-msgstr ""
-
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr "De optie stelt de voettekst links in op de flow uitvoer pagina's."
--- a/locale/pt/LC_MESSAGES/django.po
+++ b/locale/pt/LC_MESSAGES/django.po
@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Hugo Bicho, 2025\n"
 "Language-Team: Portuguese (https://app.transifex.com/authentik/teams/119923/pt/)\n"
@ -105,10 +105,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Certificado Web usado pelo servidor web authentik Core."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Marca"
@ -666,33 +662,6 @@ msgstr "Dispositivos do ponto de ligação"
 msgid "Verifying your browser..."
 msgstr "A verificar o seu browser..."

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1038,12 +1007,9 @@ msgid "Starting full provider sync"
 msgstr "Iniciando a sincronização completa com o provedor"

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
-msgstr ""
+#, python-brace-format
+msgid "Syncing page {page} of users"
+msgstr "A sincronizar a página {page} dos utilizadores"

 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -2490,12 +2456,6 @@ msgstr ""
 " um atributo do grupo. Isto permite a resolução de grupos hierárquicos em "
 "sistemas como o FreeIPA e Active Directory."

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Fonte LDAP"
@ -2512,11 +2472,6 @@ msgstr "Mapeamento de propriedades de fonte LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mapeamentos de propriedades de fonte LDAP"

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr "Ligação à fonte LDAP de Utilizador"
@ -2910,11 +2865,6 @@ msgstr "Ligação à fonte SAML de Grupo"
 msgid "Group SAML Source Connections"
 msgstr "Ligações à fonte SAML de Grupo"

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Fonte SCIM"
@ -3305,10 +3255,6 @@ msgstr "Consentimento do Utilizador"
 msgid "User Consents"
 msgstr "Consentimentos do Utilizador"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Etapa de negação"
@ -3325,14 +3271,6 @@ msgstr "Etapa fictícia"
 msgid "Dummy Stages"
 msgstr "Etapas fictícias"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Redefinição de Palavra-Passe"
--- a/locale/pt_BR/LC_MESSAGES/django.mo
+++ b/locale/pt_BR/LC_MESSAGES/django.mo
--- a/locale/pt_BR/LC_MESSAGES/django.po
+++ b/locale/pt_BR/LC_MESSAGES/django.po
@ -8,19 +8,19 @@
 # Josenivaldo Benito Junior, 2023
 # Caio Lima, 2023
 # Hacklab, 2023
+# Wagner Santos, 2024
 # Rafael Mundel, 2024
 # Anderson Silva Andrade <anderson.asa89@gmail.com>, 2025
 # Gil Poiares-Oliveira, 2025
-# Wagner Santos, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Wagner Santos, 2025\n"
+"Last-Translator: Gil Poiares-Oliveira, 2025\n"
 "Language-Team: Portuguese (Brazil) (https://app.transifex.com/authentik/teams/119923/pt_BR/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -112,10 +112,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Certificado da Web usado pelo servidor da web authentik Core."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Brand"
@ -275,11 +271,11 @@ msgstr "Aplicativos"

 #: authentik/core/models.py
 msgid "Application Entitlement"
-msgstr "Autorização de aplicação"
+msgstr ""

 #: authentik/core/models.py
 msgid "Application Entitlements"
-msgstr "Autorizações de aplicação"
+msgstr ""

 #: authentik/core/models.py
 msgid "Use the source-specific identifier"
@ -383,15 +379,15 @@ msgstr "Mapeamentos de propriedades"

 #: authentik/core/models.py
 msgid "session data"
-msgstr "dados de sessão"
+msgstr ""

 #: authentik/core/models.py
 msgid "Session"
-msgstr "Sessão"
+msgstr ""

 #: authentik/core/models.py
 msgid "Sessions"
-msgstr "Sessões"
+msgstr ""

 #: authentik/core/models.py
 msgid "Authenticated Session"
@ -509,7 +505,7 @@ msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
-msgstr "Número de senhas para verificar."
+msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
@ -518,19 +514,19 @@ msgstr "Senha não definida no contexto"

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
-msgstr "A senha já foi utilizada antes. Por favor, escolha uma diferente."
+msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
-msgstr "Política de exclusividade de senha"
+msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
-msgstr "Políticas de exclusividade de senha"
+msgstr ""

 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
-msgstr "Histórico de senhas do usuário"
+msgstr ""

 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@ -614,39 +610,39 @@ msgstr "Chave de Assinatura"

 #: authentik/enterprise/providers/ssf/models.py
 msgid "Key used to sign the SSF Events."
-msgstr "Chave utilizada para assinar os eventos SSF."
+msgstr ""

 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Provider"
-msgstr "Provedor de Shared Signals Framework"
+msgstr ""

 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Providers"
-msgstr "Provedores de Shared Signals Framework"
+msgstr ""

 #: authentik/enterprise/providers/ssf/models.py
 msgid "Add stream to SSF provider"
-msgstr "Adicionar stream ao fornecedor SSF"
+msgstr ""

 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream"
-msgstr "Stream SSF"
+msgstr ""

 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Streams"
-msgstr "Streams SSF"
+msgstr ""

 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Event"
-msgstr "Evento de stream SSF"
+msgstr ""

 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Events"
-msgstr "Eventos de stream SSF"
+msgstr ""

 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Failed to send request"
-msgstr "Falha ao enviar requisição"
+msgstr ""

 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@ -668,33 +664,6 @@ msgstr ""
 msgid "Verifying your browser..."
 msgstr ""

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -712,7 +681,7 @@ msgstr ""
 #: authentik/events/api/tasks.py
 #, python-brace-format
 msgid "Successfully started task {name}."
-msgstr "Tarefa {name} iniciada com sucesso."
+msgstr ""

 #: authentik/events/models.py
 msgid "Event"
@ -744,16 +713,12 @@ msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
 "serializable."
 msgstr ""
-"Personalize o corpo do pedido. O mapeamento deve retornar dados que sejam "
-"serializáveis em JSON."

 #: authentik/events/models.py
 msgid ""
 "Configure additional headers to be sent. Mapping should return a dictionary "
 "of key-value pairs"
 msgstr ""
-"Configurar cabeçalhos adicionais a serem enviados. O mapeamento deve "
-"retornar um dicionário de pares chave-valor"

 #: authentik/events/models.py
 msgid ""
@ -1033,11 +998,8 @@ msgid "Starting full provider sync"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
+#, python-brace-format
+msgid "Syncing page {page} of users"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
@ -1352,7 +1314,7 @@ msgstr ""
 #: authentik/policies/password/models.py
 #, python-brace-format
 msgid "Password exists on {count} online lists."
-msgstr "A senha está presente em {count}  listas de senhas vulneráveis."
+msgstr ""

 #: authentik/policies/password/models.py
 msgid "Password is too weak."
@ -2434,12 +2396,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Fonte LDAP"
@ -2456,11 +2412,6 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@ -2851,11 +2802,6 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr ""
@ -3228,10 +3174,6 @@ msgstr "Consentimento do usuário"
 msgid "User Consents"
 msgstr "Consentimentos do usuário"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Negar Estágio"
@ -3248,14 +3190,6 @@ msgstr "Palco fictício"
 msgid "Dummy Stages"
 msgstr "Fases fictícias"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Redefinição de senha"
--- a/locale/pt_PT/LC_MESSAGES/django.po
+++ b/locale/pt_PT/LC_MESSAGES/django.po
--- a/locale/ru/LC_MESSAGES/django.po
+++ b/locale/ru/LC_MESSAGES/django.po
@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/authentik/teams/119923/ru/)\n"
@ -111,10 +111,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Web Certificate используемый для authentik Core webserver."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Бренд"
@ -673,33 +669,6 @@ msgstr "Конечные устройства"
 msgid "Verifying your browser..."
 msgstr "Проверка вашего браузера..."

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1040,11 +1009,8 @@ msgid "Starting full provider sync"
 msgstr "Запуск полной синхронизации провайдера"

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
+#, python-brace-format
+msgid "Syncing page {page} of users"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
@ -2464,12 +2430,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Источник LDAP"
@ -2486,11 +2446,6 @@ msgstr "Сопоставление свойства LDAP источника"
 msgid "LDAP Source Property Mappings"
 msgstr "Сопоставление свойств LDAP источника"

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@ -2887,11 +2842,6 @@ msgstr "Групповое подключение к источнику SAML"
 msgid "Group SAML Source Connections"
 msgstr "Групповые подключения к источнику SAML"

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Источник SCIM"
@ -3269,10 +3219,6 @@ msgstr "Согласие пользователя"
 msgid "User Consents"
 msgstr "Согласия пользователя"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Этап отказа"
@ -3289,14 +3235,6 @@ msgstr "Фиктивный этап"
 msgid "Dummy Stages"
 msgstr "Фиктивные этапы"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Сброс пароля"
--- a/locale/tr/LC_MESSAGES/django.po
+++ b/locale/tr/LC_MESSAGES/django.po
@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Turkish (https://app.transifex.com/authentik/teams/119923/tr/)\n"
@ -107,10 +107,6 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Authentik Core web sunucusu tarafından kullanılan Web Sertifikası."

-#: authentik/brands/models.py
-msgid "Certificates used for client authentication."
-msgstr ""
-
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Marka"
@ -663,33 +659,6 @@ msgstr "Uç Nokta Cihazları"
 msgid "Verifying your browser..."
 msgstr "Tarayıcınız doğrulanıyor..."

-#: authentik/enterprise/stages/mtls/models.py
-msgid ""
-"Configure certificate authorities to validate the certificate against. This "
-"option has a higher priority than the `client_certificate` option on "
-"`Brand`."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Mutual TLS Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/models.py
-msgid "Permissions to pass Certificates for outposts."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "Certificate required but no certificate was given."
-msgstr ""
-
-#: authentik/enterprise/stages/mtls/stage.py
-msgid "No user found for certificate."
-msgstr ""
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@ -1031,11 +1000,8 @@ msgid "Starting full provider sync"
 msgstr "Tam sağlayıcı senkronizasyonunu başlatma"

 #: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing users"
-msgstr ""
-
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Syncing groups"
+#, python-brace-format
+msgid "Syncing page {page} of users"
 msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
@ -2464,12 +2430,6 @@ msgid ""
 "Active Directory"
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid ""
-"Delete authentik users and groups which were previously supplied by this "
-"source, but are now missing from it."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP Kaynağı"
@ -2486,11 +2446,6 @@ msgstr "LDAP Kaynak Özellik Eşlemesi"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP Kaynak Özellik Eşlemeleri"

-#: authentik/sources/ldap/models.py
-msgid ""
-"Unique ID used while checking if this object still exists in the directory."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@ -2882,11 +2837,6 @@ msgstr "Grup SAML Kaynak Bağlantısı"
 msgid "Group SAML Source Connections"
 msgstr "Grup SAML Kaynak Bağlantıları"

-#: authentik/sources/saml/views.py
-#, python-brace-format
-msgid "Continue to {source_name}"
-msgstr ""
-
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM Kaynak"
@ -3261,10 +3211,6 @@ msgstr "Kullanıcı Onayı"
 msgid "User Consents"
 msgstr "Kullanıcı Onayları"

-#: authentik/stages/consent/stage.py
-msgid "Invalid consent token, re-showing prompt"
-msgstr ""
-
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Aşama Alanını Reddet"
@ -3281,14 +3227,6 @@ msgstr "Kukla Aşaması"
 msgid "Dummy Stages"
 msgstr "Kukla Aşamaları"

-#: authentik/stages/email/flow.py
-msgid "Continue to confirm this email address."
-msgstr ""
-
-#: authentik/stages/email/flow.py
-msgid "Link was already used, please request a new link."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Parola Sıfırlama"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Teffen Ellis	ab315504a4	web: Update test types, config.	2025-05-23 13:23:05 +02:00
Teffen Ellis	89a24dc508	web: Prepare NPM Workspaces.	2025-05-23 13:20:45 +02:00
Teffen Ellis	1fe72ee377	web: Use consistent TSConfig.	2025-05-23 13:20:45 +02:00
Teffen Ellis	9f596079d9	web: Fix formatter errors.	2025-05-23 13:20:44 +02:00
Teffen Ellis	6c444dffc6	Disable pending rules for follow up PR.	2025-05-23 13:20:44 +02:00
Teffen Ellis	3bcbb2c0f9	web: Clean up test types.	2025-05-23 13:14:22 +02:00
Teffen Ellis	4e284818cf	web: Format. Remove unused script.	2025-05-23 13:14:19 +02:00
Teffen Ellis	ced3f16310	web: Update MDX types.	2025-05-23 13:14:16 +02:00
Teffen Ellis	b65aabafdc	web: Update Sentry types.	2025-05-23 13:14:14 +02:00
Teffen Ellis	b07439dbe7	core: Publish web packages.	2025-05-23 12:48:05 +02:00