endpoints: initial data structure

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-05-28 23:22:38 +02:00
262 changed files with 985 additions and 2749 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.3
+current_version = 2025.4.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -21,8 +21,6 @@ optional_value = final

 [bumpversion:file:package.json]

-[bumpversion:file:package-lock.json]
-
 [bumpversion:file:docker-compose.yml]

 [bumpversion:file:schema.yml]
@ -33,4 +31,6 @@ optional_value = final

 [bumpversion:file:internal/constants/constants.go]

+[bumpversion:file:web/src/common/constants.ts]
+
 [bumpversion:file:lifecycle/aws/template.yaml]
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -202,7 +202,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -49,7 +49,6 @@ jobs:
      matrix:
        job:
          - build
-          - build:integrations
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,7 +2,7 @@ name: "CodeQL"

 on:
  push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
  pull_request:
    branches: [main]
  schedule:
--- a/2
+++ b/2
@ -96,7 +96,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
 # Stage 5: Download uv
 FROM ghcr.io/astral-sh/uv:0.7.8 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
--- a/4
+++ b/4
@ -86,10 +86,6 @@ dev-create-db:

 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.

-update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
-
 #########################
 ## API Schema
 #########################
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
+| 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
-| 2025.6.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.6.3"
+__version__ = "2025.4.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -148,14 +148,3 @@ class TestBrands(APITestCase):
                "default_locale": "",
            },
        )
-
-    def test_custom_css(self):
-        """Test custom_css"""
-        brand = create_test_brand()
-        brand.branding_custom_css = """* {
-            font-family: "Foo bar";
-        }"""
-        brand.save()
-        res = self.client.get(reverse("authentik_core:if-user"))
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,8 +5,6 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from django.utils.html import _json_script_escapes
-from django.utils.safestring import mark_safe

 from authentik import get_full_version
 from authentik.brands.models import Brand
@ -34,13 +32,8 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
-    # similarly to `json_script` we escape everything HTML-related, however django
-    # only directly exposes this as a function that also wraps it in a <script> tag
-    # which we dont want for CSS
-    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
    return {
        "brand": brand,
-        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
        "html_meta": {**get_http_meta()},
        "version": get_full_version(),
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -79,7 +79,6 @@ def _migrate_session(
        AuthenticatedSession.objects.using(db_alias).create(
            session=session,
            user=old_auth_session.user,
-            uuid=old_auth_session.uuid,
        )


--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -1,81 +1,10 @@
 # Generated by Django 5.1.9 on 2025-05-14 11:15

-from django.apps.registry import Apps, apps as global_apps
+from django.apps.registry import Apps
 from django.db import migrations
-from django.contrib.contenttypes.management import create_contenttypes
-from django.contrib.auth.management import create_permissions
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor


-def migrate_authenticated_session_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    """Migrate permissions from OldAuthenticatedSession to AuthenticatedSession"""
-    db_alias = schema_editor.connection.alias
-
-    # `apps` here is just an instance of `django.db.migrations.state.AppConfigStub`, we need the
-    # real config for creating permissions and content types
-    authentik_core_config = global_apps.get_app_config("authentik_core")
-    # These are only ran by django after all migrations, but we need them right now.
-    # `global_apps` is needed,
-    create_permissions(authentik_core_config, using=db_alias, verbosity=1)
-    create_contenttypes(authentik_core_config, using=db_alias, verbosity=1)
-
-    # But from now on, this is just a regular migration, so use `apps`
-    Permission = apps.get_model("auth", "Permission")
-    ContentType = apps.get_model("contenttypes", "ContentType")
-
-    try:
-        old_ct = ContentType.objects.using(db_alias).get(
-            app_label="authentik_core", model="oldauthenticatedsession"
-        )
-        new_ct = ContentType.objects.using(db_alias).get(
-            app_label="authentik_core", model="authenticatedsession"
-        )
-    except ContentType.DoesNotExist:
-        # This should exist at this point, but if not, let's cut our losses
-        return
-
-    # Get all permissions for the old content type
-    old_perms = Permission.objects.using(db_alias).filter(content_type=old_ct)
-
-    # Create equivalent permissions for the new content type
-    for old_perm in old_perms:
-        new_perm = (
-            Permission.objects.using(db_alias)
-            .filter(
-                content_type=new_ct,
-                codename=old_perm.codename,
-            )
-            .first()
-        )
-        if not new_perm:
-            # This should exist at this point, but if not, let's cut our losses
-            continue
-
-        # Global user permissions
-        User = apps.get_model("authentik_core", "User")
-        User.user_permissions.through.objects.using(db_alias).filter(
-            permission=old_perm
-        ).all().update(permission=new_perm)
-
-        # Global role permissions
-        DjangoGroup = apps.get_model("auth", "Group")
-        DjangoGroup.permissions.through.objects.using(db_alias).filter(
-            permission=old_perm
-        ).all().update(permission=new_perm)
-
-        # Object user permissions
-        UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
-        UserObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
-            permission=new_perm, content_type=new_ct
-        )
-
-        # Object role permissions
-        GroupObjectPermission = apps.get_model("guardian", "GroupObjectPermission")
-        GroupObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
-            permission=new_perm, content_type=new_ct
-        )
-
-
 def remove_old_authenticated_session_content_type(
    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
 ):
@ -92,12 +21,7 @@ class Migration(migrations.Migration):
    ]

    operations = [
-        migrations.RunPython(
-            code=migrate_authenticated_session_permissions,
-            reverse_code=migrations.RunPython.noop,
-        ),
        migrations.RunPython(
            code=remove_old_authenticated_session_content_type,
-            reverse_code=migrations.RunPython.noop,
        ),
    ]
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,7 +16,7 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand_css }}</style>
+        <style>{{ brand.branding_custom_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
--- a/authentik/endpoints/init.py
+++ b/authentik/endpoints/init.py
--- a/authentik/endpoints/apps.py
+++ b/authentik/endpoints/apps.py
@ -0,0 +1,12 @@
+"""authentik endpoints app config"""
+
+from authentik.blueprints.apps import ManagedAppConfig
+
+
+class AuthentikEndpointsConfig(ManagedAppConfig):
+    """authentik endpoints app config"""
+
+    name = "authentik.endpoints"
+    label = "authentik_endpoints"
+    verbose_name = "authentik Endpoints"
+    default = True
--- a/authentik/endpoints/common_data.py
+++ b/authentik/endpoints/common_data.py
@ -0,0 +1,47 @@
+from enum import Enum
+
+from pydantic import BaseModel
+
+
+class UNSUPPORTED(BaseModel):
+    pass
+
+
+class OSFamily(Enum):
+
+    linux = "linux"
+    unix = "unix"
+    bsd = "bsd"
+    windows = "windows"
+    macOS = "mac_os"
+    android = "android"
+    iOS = "i_os"
+    other = "other"
+
+class CommonDeviceData(BaseModel):
+    class Disk(BaseModel):
+        encryption: bool
+
+    class OS(BaseModel):
+        firewall_enabled: bool
+        family: OSFamily
+        name: str
+        version: str
+
+    class Network(BaseModel):
+        hostname: str
+        dns_servers: list[str]
+
+    class Hardware(BaseModel):
+        model: str
+        manufacturer: str
+
+    class Software(BaseModel):
+        name: str
+        version: str
+
+    os: OS | UNSUPPORTED
+    disks: list[Disk] | UNSUPPORTED
+    network: Network | UNSUPPORTED
+    hardware: Hardware | UNSUPPORTED
+    software: list[Software] | UNSUPPORTED
--- a/authentik/endpoints/connector.py
+++ b/authentik/endpoints/connector.py
@ -0,0 +1,16 @@
+from authentik.blueprints import models
+
+
+class EnrollmentMethods(models.TextChoices):
+    AUTOMATIC_USER = "automatic_user"  # Automatically enrolled through user action
+    AUTOMATIC_API = "automatic_api"  # Automatically enrolled through connector integration
+    MANUAL_USER = "manual_user"  # Manually enrolled
+
+
+class BaseConnector:
+
+    def __init__(self) -> None:
+        pass
+
+    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+        return []
--- a/authentik/endpoints/connectors/init.py
+++ b/authentik/endpoints/connectors/init.py
--- a/authentik/endpoints/connectors/google_chrome/init.py
+++ b/authentik/endpoints/connectors/google_chrome/init.py
--- a/authentik/endpoints/connectors/google_chrome/apps.py
+++ b/authentik/endpoints/connectors/google_chrome/apps.py
--- a/authentik/endpoints/connectors/google_chrome/connector.py
+++ b/authentik/endpoints/connectors/google_chrome/connector.py
@ -0,0 +1,7 @@
+from authentik.endpoints.connector import BaseConnector, EnrollmentMethods
+
+
+class GoogleChromeConnector(BaseConnector):
+
+    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+        return [EnrollmentMethods.AUTOMATIC_USER]
--- a/authentik/endpoints/connectors/google_chrome/models.py
+++ b/authentik/endpoints/connectors/google_chrome/models.py
@ -0,0 +1,7 @@
+from django.db import models
+
+from authentik.endpoints.models import Connector
+
+
+class GoogleChromeConnector(Connector):
+    credentials = models.JSONField()
--- a/authentik/endpoints/migrations/0001_initial.py
+++ b/authentik/endpoints/migrations/0001_initial.py
@ -0,0 +1,125 @@
+# Generated by Django 5.0.9 on 2024-09-24 19:16
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Connector",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("connector_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("name", models.TextField()),
+                (
+                    "enrollment_method",
+                    models.TextField(
+                        choices=[
+                            ("automatic_user", "Automatic User"),
+                            ("automatic_api", "Automatic Api"),
+                            ("manual_user", "Manual User"),
+                        ]
+                    ),
+                ),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+        migrations.CreateModel(
+            name="Device",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("identifier", models.TextField(unique=True)),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+        migrations.CreateModel(
+            name="DeviceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_connection_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("data", models.JSONField(default=dict)),
+                (
+                    "connection",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_endpoints.connector",
+                    ),
+                ),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_endpoints.device"
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="device",
+            name="connections",
+            field=models.ManyToManyField(
+                through="authentik_endpoints.DeviceConnection", to="authentik_endpoints.connector"
+            ),
+        ),
+        migrations.CreateModel(
+            name="DeviceUser",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_user_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("is_primary", models.BooleanField()),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_endpoints.device"
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="device",
+            name="users",
+            field=models.ManyToManyField(
+                through="authentik_endpoints.DeviceUser", to=settings.AUTH_USER_MODEL
+            ),
+        ),
+    ]
--- a/authentik/endpoints/migrations/init.py
+++ b/authentik/endpoints/migrations/init.py
--- a/authentik/endpoints/models.py
+++ b/authentik/endpoints/models.py
@ -0,0 +1,40 @@
+from uuid import uuid4
+
+from django.db import models
+from django.utils.functional import cached_property
+
+from authentik.core.models import User
+from authentik.endpoints.common_data import CommonDeviceData
+from authentik.lib.models import SerializerModel
+
+
+class Device(SerializerModel):
+    device_uuid = models.UUIDField(default=uuid4)
+
+    identifier = models.TextField(unique=True)
+    users = models.ManyToManyField(User, through="DeviceUser")
+    connections = models.ManyToManyField("Connector", through="DeviceConnection")
+
+    @cached_property
+    def data(self) -> CommonDeviceData:
+        pass
+
+
+class DeviceUser(models.Model):
+    device_user_uuid = models.UUIDField(default=uuid4)
+    device = models.ForeignKey("Device", on_delete=models.CASCADE)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    is_primary = models.BooleanField()
+
+
+class DeviceConnection(models.Model):
+    device_connection_uuid = models.UUIDField(default=uuid4)
+    device = models.ForeignKey("Device", on_delete=models.CASCADE)
+    connection = models.ForeignKey("Connector", on_delete=models.CASCADE)
+    data = models.JSONField(default=dict)
+
+
+class Connector(SerializerModel):
+    connector_uuid = models.UUIDField(default=uuid4)
+
+    name = models.TextField()
--- a/authentik/events/context_processors/mmdb.py
+++ b/authentik/events/context_processors/mmdb.py
@ -15,13 +15,13 @@ class MMDBContextProcessor(EventContextProcessor):
        self.reader: Reader | None = None
        self._last_mtime: float = 0.0
        self.logger = get_logger()
-        self.load()
+        self.open()

    def path(self) -> str | None:
        """Get the path to the MMDB file to load"""
        raise NotImplementedError

-    def load(self):
+    def open(self):
        """Get GeoIP Reader, if configured, otherwise none"""
        path = self.path()
        if path == "" or not path:
@ -44,7 +44,7 @@ class MMDBContextProcessor(EventContextProcessor):
            diff = self._last_mtime < mtime
            if diff > 0:
                self.logger.info("Found new MMDB Database, reopening", diff=diff, path=path)
-                self.load()
+                self.open()
        except OSError as exc:
            self.logger.warning("Failed to check MMDB age", exc=exc)

--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -81,6 +81,7 @@ debugger: false

 log_level: info

+session_storage: cache
 sessions:
  unauthenticated_age: days=1

--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@ -130,7 +130,7 @@ class SyncTasks:
    def sync_objects(
        self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
    ):
-        _object_type: type[Model] = path_to_class(object_type)
+        _object_type = path_to_class(object_type)
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
            provider_pk=provider_pk,
@ -156,11 +156,7 @@ class SyncTasks:
        messages.append(
            asdict(
                LogEvent(
-                    _(
-                        "Syncing page {page} of {object_type}".format(
-                            page=page, object_type=_object_type._meta.verbose_name_plural
-                        )
-                    ),
+                    _("Syncing page {page} of groups".format(page=page)),
                    log_level="info",
                    logger=f"{provider._meta.verbose_name}@{object_type}",
                )
--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@ -1,9 +1,11 @@
 """Websocket tests"""

 from dataclasses import asdict
+from unittest.mock import patch

 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
+from django.contrib.contenttypes.models import ContentType
 from django.test import TransactionTestCase

 from authentik import __version__
@ -14,6 +16,12 @@ from authentik.providers.proxy.models import ProxyProvider
 from authentik.root import websocket


+def patched__get_ct_cached(app_label, codename):
+    """Caches `ContentType` instances like its `QuerySet` does."""
+    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
+
+
+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestOutpostWS(TransactionTestCase):
    """Websocket tests"""

--- a/authentik/providers/rac/consumer_client.py
+++ b/authentik/providers/rac/consumer_client.py
@ -66,10 +66,7 @@ class RACClientConsumer(AsyncWebsocketConsumer):
    def init_outpost_connection(self):
        """Initialize guac connection settings"""
        self.token = (
-            ConnectionToken.filter_not_expired(
-                token=self.scope["url_route"]["kwargs"]["token"],
-                session__session__session_key=self.scope["session"].session_key,
-            )
+            ConnectionToken.filter_not_expired(token=self.scope["url_route"]["kwargs"]["token"])
            .select_related("endpoint", "provider", "session", "session__user")
            .first()
        )
--- a/authentik/providers/rac/models.py
+++ b/authentik/providers/rac/models.py
@ -166,6 +166,7 @@ class ConnectionToken(ExpiringModel):
        always_merger.merge(settings, default_settings)
        always_merger.merge(settings, self.endpoint.provider.settings)
        always_merger.merge(settings, self.endpoint.settings)
+        always_merger.merge(settings, self.settings)

        def mapping_evaluator(mappings: QuerySet):
            for mapping in mappings:
@ -190,7 +191,6 @@ class ConnectionToken(ExpiringModel):
        mapping_evaluator(
            RACPropertyMapping.objects.filter(endpoint__in=[self.endpoint]).order_by("name")
        )
-        always_merger.merge(settings, self.settings)

        settings["drive-path"] = f"/tmp/connection/{self.token}"  # nosec
        settings["create-drive-path"] = "true"
--- a/authentik/providers/rac/tests/test_models.py
+++ b/authentik/providers/rac/tests/test_models.py
@ -90,6 +90,23 @@ class TestModels(TransactionTestCase):
                "resize-method": "display-update",
            },
        )
+        # Set settings in token
+        token.settings = {
+            "level": "token",
+        }
+        token.save()
+        self.assertEqual(
+            token.get_settings(),
+            {
+                "hostname": self.endpoint.host.split(":")[0],
+                "port": "1324",
+                "client-name": f"authentik - {self.user}",
+                "drive-path": path,
+                "create-drive-path": "true",
+                "level": "token",
+                "resize-method": "display-update",
+            },
+        )
        # Set settings in property mapping (provider)
        mapping = RACPropertyMapping.objects.create(
            name=generate_id(),
@ -134,22 +151,3 @@ class TestModels(TransactionTestCase):
                "resize-method": "display-update",
            },
        )
-        # Set settings in token
-        token.settings = {
-            "level": "token",
-        }
-        token.save()
-        self.assertEqual(
-            token.get_settings(),
-            {
-                "hostname": self.endpoint.host.split(":")[0],
-                "port": "1324",
-                "client-name": f"authentik - {self.user}",
-                "drive-path": path,
-                "create-drive-path": "true",
-                "foo": "true",
-                "bar": "6",
-                "resize-method": "display-update",
-                "level": "token",
-            },
-        )
--- a/authentik/providers/rac/tests/test_views.py
+++ b/authentik/providers/rac/tests/test_views.py
@ -87,22 +87,3 @@ class TestRACViews(APITestCase):
        )
        body = loads(flow_response.content)
        self.assertEqual(body["component"], "ak-stage-access-denied")
-
-    def test_different_session(self):
-        """Test request"""
-        self.client.force_login(self.user)
-        response = self.client.get(
-            reverse(
-                "authentik_providers_rac:start",
-                kwargs={"app": self.app.slug, "endpoint": str(self.endpoint.pk)},
-            )
-        )
-        self.assertEqual(response.status_code, 302)
-        flow_response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-        body = loads(flow_response.content)
-        next_url = body["to"]
-        self.client.logout()
-        final_response = self.client.get(next_url)
-        self.assertEqual(final_response.url, reverse("authentik_core:if-user"))
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -20,9 +20,6 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-PLAN_CONNECTION_SETTINGS = "connection_settings"


 class RACStartView(PolicyAccessView):
@ -68,10 +65,7 @@ class RACInterface(InterfaceView):

    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
        # Early sanity check to ensure token still exists
-        token = ConnectionToken.filter_not_expired(
-            token=self.kwargs["token"],
-            session__session__session_key=request.session.session_key,
-        ).first()
+        token = ConnectionToken.filter_not_expired(token=self.kwargs["token"]).first()
        if not token:
            return redirect("authentik_core:if-user")
        self.token = token
@ -115,15 +109,10 @@ class RACFinalStage(RedirectStage):
        return super().dispatch(request, *args, **kwargs)

    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
-        settings = self.executor.plan.context.get(PLAN_CONNECTION_SETTINGS)
-        if not settings:
-            settings = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {}).get(
-                PLAN_CONNECTION_SETTINGS
-            )
        token = ConnectionToken.objects.create(
            provider=self.provider,
            endpoint=self.endpoint,
-            settings=settings or {},
+            settings=self.executor.plan.context.get("connection_settings", {}),
            session=self.request.session["authenticatedsession"],
            expires=now() + timedelta_from_string(self.provider.connection_expiry),
            expiring=True,
--- a/authentik/providers/scim/clients/groups.py
+++ b/authentik/providers/scim/clients/groups.py
@ -47,16 +47,15 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):

    def to_schema(self, obj: Group, connection: SCIMProviderGroup) -> SCIMGroupSchema:
        """Convert authentik user into SCIM"""
-        raw_scim_group = super().to_schema(obj, connection)
+        raw_scim_group = super().to_schema(
+            obj,
+            connection,
+            schemas=(SCIM_GROUP_SCHEMA,),
+        )
        try:
            scim_group = SCIMGroupSchema.model_validate(delete_none_values(raw_scim_group))
        except ValidationError as exc:
            raise StopSync(exc, obj) from exc
-        if SCIM_GROUP_SCHEMA not in scim_group.schemas:
-            scim_group.schemas.insert(0, SCIM_GROUP_SCHEMA)
-        # As this might be unset, we need to tell pydantic it's set so ensure the schemas
-        # are included, even if its just the defaults
-        scim_group.schemas = list(scim_group.schemas)
        if not scim_group.externalId:
            scim_group.externalId = str(obj.pk)

--- a/authentik/providers/scim/clients/users.py
+++ b/authentik/providers/scim/clients/users.py
@ -31,16 +31,15 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):

    def to_schema(self, obj: User, connection: SCIMProviderUser) -> SCIMUserSchema:
        """Convert authentik user into SCIM"""
-        raw_scim_user = super().to_schema(obj, connection)
+        raw_scim_user = super().to_schema(
+            obj,
+            connection,
+            schemas=(SCIM_USER_SCHEMA,),
+        )
        try:
            scim_user = SCIMUserSchema.model_validate(delete_none_values(raw_scim_user))
        except ValidationError as exc:
            raise StopSync(exc, obj) from exc
-        if SCIM_USER_SCHEMA not in scim_user.schemas:
-            scim_user.schemas.insert(0, SCIM_USER_SCHEMA)
-        # As this might be unset, we need to tell pydantic it's set so ensure the schemas
-        # are included, even if its just the defaults
-        scim_user.schemas = list(scim_user.schemas)
        if not scim_user.externalId:
            scim_user.externalId = str(obj.uid)
        return scim_user
--- a/authentik/providers/scim/tests/test_user.py
+++ b/authentik/providers/scim/tests/test_user.py
@ -91,57 +91,6 @@ class SCIMUserTests(TestCase):
            },
        )

-    @Mocker()
-    def test_user_create_custom_schema(self, mock: Mocker):
-        """Test user creation with custom schema"""
-        schema = SCIMMapping.objects.create(
-            name="custom_schema",
-            expression="""return {"schemas": ["foo"]}""",
-        )
-        self.provider.property_mappings.add(schema)
-        scim_id = generate_id()
-        mock.get(
-            "https://localhost/ServiceProviderConfig",
-            json={},
-        )
-        mock.post(
-            "https://localhost/Users",
-            json={
-                "id": scim_id,
-            },
-        )
-        uid = generate_id()
-        user = User.objects.create(
-            username=uid,
-            name=f"{uid} {uid}",
-            email=f"{uid}@goauthentik.io",
-        )
-        self.assertEqual(mock.call_count, 2)
-        self.assertEqual(mock.request_history[0].method, "GET")
-        self.assertEqual(mock.request_history[1].method, "POST")
-        self.assertJSONEqual(
-            mock.request_history[1].body,
-            {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "foo"],
-                "active": True,
-                "emails": [
-                    {
-                        "primary": True,
-                        "type": "other",
-                        "value": f"{uid}@goauthentik.io",
-                    }
-                ],
-                "externalId": user.uid,
-                "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
-                    "givenName": uid,
-                },
-                "displayName": f"{uid} {uid}",
-                "userName": uid,
-            },
-        )
-
    @Mocker()
    def test_user_create_different_provider_same_id(self, mock: Mocker):
        """Test user creation with multiple providers that happen
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -73,6 +73,7 @@ TENANT_APPS = [
    "authentik.admin",
    "authentik.api",
    "authentik.crypto",
+    "authentik.endpoints",
    "authentik.flows",
    "authentik.outposts",
    "authentik.policies.dummy",
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@ -3,46 +3,25 @@
 import os
 from argparse import ArgumentParser
 from unittest import TestCase
-from unittest.mock import patch

 import pytest
 from django.conf import settings
-from django.contrib.contenttypes.models import ContentType
 from django.test.runner import DiscoverRunner
-from structlog.stdlib import get_logger

-from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR
-from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
+from tests.e2e.utils import get_docker_tag

 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None


-def get_docker_tag() -> str:
-    """Get docker-tag based off of CI variables"""
-    env_pr_branch = "GITHUB_HEAD_REF"
-    default_branch = "GITHUB_REF"
-    branch_name = os.environ.get(default_branch, "main")
-    if os.environ.get(env_pr_branch, "") != "":
-        branch_name = os.environ[env_pr_branch]
-    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
-    return f"gh-{branch_name}"
-
-
-def patched__get_ct_cached(app_label, codename):
-    """Caches `ContentType` instances like its `QuerySet` does."""
-    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
-
-
 class PytestTestRunner(DiscoverRunner):  # pragma: no cover
    """Runs pytest to discover and run tests."""

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
-        self.logger = get_logger().bind(runner="pytest")

        self.args = []
        if self.failfast:
@ -69,10 +48,6 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
        CONFIG.set("error_reporting.sample_rate", 0)
        CONFIG.set("error_reporting.environment", "testing")
        CONFIG.set("error_reporting.send_pii", True)
-
-        ASN_CONTEXT_PROCESSOR.load()
-        GEOIP_CONTEXT_PROCESSOR.load()
-
        sentry_init()

        pre_startup.send(sender=self, mode="test")
@ -138,10 +113,4 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
                    f"path instead."
                )

-        self.logger.info("Running tests", test_files=self.args)
-        with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
-            try:
-                return pytest.main(self.args)
-            except Exception as e:
-                self.logger.error("Error running tests", error=str(e), test_files=self.args)
-                return 1
+        return pytest.main(self.args)
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -103,7 +103,6 @@ class LDAPSourceSerializer(SourceSerializer):
            "user_object_filter",
            "group_object_filter",
            "group_membership_field",
-            "user_membership_attribute",
            "object_uniqueness_field",
            "password_login_update_internal_password",
            "sync_users",
@ -140,7 +139,6 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
        "user_object_filter",
        "group_object_filter",
        "group_membership_field",
-        "user_membership_attribute",
        "object_uniqueness_field",
        "password_login_update_internal_password",
        "sync_users",
--- a/authentik/sources/ldap/migrations/0010_ldapsource_user_membership_attribute.py
+++ b/authentik/sources/ldap/migrations/0010_ldapsource_user_membership_attribute.py
@ -1,32 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-29 11:22
-
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def set_user_membership_attribute(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    LDAPSource = apps.get_model("authentik_sources_ldap", "LDAPSource")
-    db_alias = schema_editor.connection.alias
-
-    LDAPSource.objects.using(db_alias).filter(group_membership_field="memberUid").all().update(
-        user_membership_attribute="ldap_uniq"
-    )
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_sources_ldap", "0009_groupldapsourceconnection_validated_by_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="ldapsource",
-            name="user_membership_attribute",
-            field=models.TextField(
-                default="distinguishedName",
-                help_text="Attribute which matches the value of `group_membership_field`.",
-            ),
-        ),
-        migrations.RunPython(set_user_membership_attribute, migrations.RunPython.noop),
-    ]
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@ -100,10 +100,6 @@ class LDAPSource(Source):
        default="(objectClass=person)",
        help_text=_("Consider Objects matching this filter to be Users."),
    )
-    user_membership_attribute = models.TextField(
-        default=LDAP_DISTINGUISHED_NAME,
-        help_text=_("Attribute which matches the value of `group_membership_field`."),
-    )
    group_membership_field = models.TextField(
        default="member", help_text=_("Field which contains members of a group.")
    )
--- a/authentik/sources/ldap/sync/membership.py
+++ b/authentik/sources/ldap/sync/membership.py
@ -71,11 +71,17 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
            if not ak_group:
                continue

+            membership_mapping_attribute = LDAP_DISTINGUISHED_NAME
+            if self._source.group_membership_field == "memberUid":
+                # If memberships are based on the posixGroup's 'memberUid'
+                # attribute we use the RDN instead of the FDN to lookup members.
+                membership_mapping_attribute = LDAP_UNIQUENESS
+
            users = User.objects.filter(
-                Q(**{f"attributes__{self._source.user_membership_attribute}__in": members})
+                Q(**{f"attributes__{membership_mapping_attribute}__in": members})
                | Q(
                    **{
-                        f"attributes__{self._source.user_membership_attribute}__isnull": True,
+                        f"attributes__{membership_mapping_attribute}__isnull": True,
                        "ak_groups__in": [ak_group],
                    }
                )
--- a/authentik/sources/ldap/tasks.py
+++ b/authentik/sources/ldap/tasks.py
@ -71,31 +71,37 @@ def ldap_sync_single(source_pk: str):
            return
        # Delete all sync tasks from the cache
        DBSystemTask.objects.filter(name="ldap_sync", uid__startswith=source.slug).delete()
-
-        # The order of these operations needs to be preserved as each depends on the previous one(s)
-        # 1. User and group sync can happen simultaneously
-        # 2. Membership sync needs to run afterwards
-        # 3. Finally, user and group deletions can happen simultaneously
-        user_group_sync = ldap_sync_paginator(source, UserLDAPSynchronizer) + ldap_sync_paginator(
-            source, GroupLDAPSynchronizer
+        task = chain(
+            # User and group sync can happen at once, they have no dependencies on each other
+            group(
+                ldap_sync_paginator(source, UserLDAPSynchronizer)
+                + ldap_sync_paginator(source, GroupLDAPSynchronizer),
+            ),
+            # Membership sync needs to run afterwards
+            group(
+                ldap_sync_paginator(source, MembershipLDAPSynchronizer),
+            ),
+            # Finally, deletions. What we'd really like to do here is something like
+            # ```
+            # user_identifiers = <ldap query>
+            # User.objects.exclude(
+            #     usersourceconnection__identifier__in=user_uniqueness_identifiers,
+            # ).delete()
+            # ```
+            # This runs into performance issues in large installations. So instead we spread the
+            # work out into three steps:
+            # 1. Get every object from the LDAP source.
+            # 2. Mark every object as "safe" in the database. This is quick, but any error could
+            #    mean deleting users which should not be deleted, so we do it immediately, in
+            #    large chunks, and only queue the deletion step afterwards.
+            # 3. Delete every unmarked item. This is slow, so we spread it over many tasks in
+            #    small chunks.
+            group(
+                ldap_sync_paginator(source, UserLDAPForwardDeletion)
+                + ldap_sync_paginator(source, GroupLDAPForwardDeletion),
+            ),
        )
-        membership_sync = ldap_sync_paginator(source, MembershipLDAPSynchronizer)
-        user_group_deletion = ldap_sync_paginator(
-            source, UserLDAPForwardDeletion
-        ) + ldap_sync_paginator(source, GroupLDAPForwardDeletion)
-
-        # Celery is buggy with empty groups, so we are careful only to add non-empty groups.
-        # See https://github.com/celery/celery/issues/9772
-        task_groups = []
-        if user_group_sync:
-            task_groups.append(group(user_group_sync))
-        if membership_sync:
-            task_groups.append(group(membership_sync))
-        if user_group_deletion:
-            task_groups.append(group(user_group_deletion))
-
-        all_tasks = chain(task_groups)
-        all_tasks()
+        task()


 def ldap_sync_paginator(source: LDAPSource, sync: type[BaseLDAPSynchronizer]) -> list:
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
@ -269,56 +269,12 @@ class LDAPSyncTests(TestCase):
        self.source.group_membership_field = "memberUid"
        self.source.user_object_filter = "(objectClass=posixAccount)"
        self.source.group_object_filter = "(objectClass=posixGroup)"
-        self.source.user_membership_attribute = "uid"
        self.source.user_property_mappings.set(
-            [
-                *LDAPSourcePropertyMapping.objects.filter(
-                    Q(managed__startswith="goauthentik.io/sources/ldap/default")
-                    | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
-                ).all(),
-                LDAPSourcePropertyMapping.objects.create(
-                    name="name",
-                    expression='return {"attributes": {"uid": list_flatten(ldap.get("uid"))}}',
-                ),
-            ]
-        )
-        self.source.group_property_mappings.set(
            LDAPSourcePropertyMapping.objects.filter(
-                managed="goauthentik.io/sources/ldap/openldap-cn"
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
            )
        )
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            self.source.save()
-            user_sync = UserLDAPSynchronizer(self.source)
-            user_sync.sync_full()
-            group_sync = GroupLDAPSynchronizer(self.source)
-            group_sync.sync_full()
-            membership_sync = MembershipLDAPSynchronizer(self.source)
-            membership_sync.sync_full()
-            # Test if membership mapping based on memberUid works.
-            posix_group = Group.objects.filter(name="group-posix").first()
-            self.assertTrue(posix_group.users.filter(name="user-posix").exists())
-
-    def test_sync_groups_openldap_posix_group_nonstandard_membership_attribute(self):
-        """Test posix group sync"""
-        self.source.object_uniqueness_field = "cn"
-        self.source.group_membership_field = "memberUid"
-        self.source.user_object_filter = "(objectClass=posixAccount)"
-        self.source.group_object_filter = "(objectClass=posixGroup)"
-        self.source.user_membership_attribute = "cn"
-        self.source.user_property_mappings.set(
-            [
-                *LDAPSourcePropertyMapping.objects.filter(
-                    Q(managed__startswith="goauthentik.io/sources/ldap/default")
-                    | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
-                ).all(),
-                LDAPSourcePropertyMapping.objects.create(
-                    name="name",
-                    expression='return {"attributes": {"cn": list_flatten(ldap.get("cn"))}}',
-                ),
-            ]
-        )
        self.source.group_property_mappings.set(
            LDAPSourcePropertyMapping.objects.filter(
                managed="goauthentik.io/sources/ldap/openldap-cn"
--- a/authentik/stages/authenticator_validate/tests/test_webauthn.py
+++ b/authentik/stages/authenticator_validate/tests/test_webauthn.py
@ -151,7 +151,9 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            webauthn_user_verification=UserVerification.PREFERRED,
        )
        stage.webauthn_allowed_device_types.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
        )
        session = self.client.session
        plan = FlowPlan(flow_pk=flow.pk.hex)
@ -337,7 +339,9 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            device_classes=[DeviceClasses.WEBAUTHN],
        )
        stage.webauthn_allowed_device_types.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
        )
        session = self.client.session
        plan = FlowPlan(flow_pk=flow.pk.hex)
--- a/authentik/stages/authenticator_webauthn/mds/aaguid.json
+++ b/authentik/stages/authenticator_webauthn/mds/aaguid.json
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/authenticator_webauthn/tests.py
+++ b/authentik/stages/authenticator_webauthn/tests.py
@ -141,7 +141,9 @@ class TestAuthenticatorWebAuthnStage(FlowTestCase):
        """Test registration with restricted devices (fail)"""
        webauthn_mds_import.delay(force=True).get()
        self.stage.device_type_restrictions.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
        )

        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@ -100,11 +100,9 @@ def send_mail(
        # Because we use the Message-ID as UID for the task, manually assign it
        message_object.extra_headers["Message-ID"] = message_id

-        # Add the logo if it is used in the email body (we can't add it in the
-        # previous message since MIMEImage can't be converted to json)
-        body = get_email_body(message_object)
-        if "cid:logo" in body:
-            message_object.attach(logo_data())
+        # Add the logo (we can't add it in the previous message since MIMEImage
+        # can't be converted to json)
+        message_object.attach(logo_data())

        if (
            message_object.to
--- a/authentik/stages/email/templates/email/base.html
+++ b/authentik/stages/email/templates/email/base.html
@ -96,7 +96,7 @@
                <table width="100%" style="background-color: #FFFFFF; border-spacing: 0; margin-top: 15px;">
                  <tr height="80">
                    <td align="center" style="padding: 20px 0;">
-                      <img src="{% block logo_url %}cid:logo{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
+                      <img src="{% block logo_url %}cid:logo.png{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
                    </td>
                  </tr>
                  {% block content %}
--- a/authentik/stages/email/utils.py
+++ b/authentik/stages/email/utils.py
@ -19,8 +19,7 @@ def logo_data() -> MIMEImage:
        path = Path("web/dist/assets/icons/icon_left_brand.png")
    with open(path, "rb") as _logo_file:
        logo = MIMEImage(_logo_file.read())
-    logo.add_header("Content-ID", "<logo>")
-    logo.add_header("Content-Disposition", "inline", filename="logo.png")
+    logo.add_header("Content-ID", "logo.png")
    return logo


--- a/authentik/stages/user_login/middleware.py
+++ b/authentik/stages/user_login/middleware.py
@ -101,9 +101,9 @@ class BoundSessionMiddleware(SessionMiddleware):
            SESSION_KEY_BINDING_GEO, GeoIPBinding.NO_BINDING
        )
        if configured_binding_net != NetworkBinding.NO_BINDING:
-            BoundSessionMiddleware.recheck_session_net(configured_binding_net, last_ip, new_ip)
+            self.recheck_session_net(configured_binding_net, last_ip, new_ip)
        if configured_binding_geo != GeoIPBinding.NO_BINDING:
-            BoundSessionMiddleware.recheck_session_geo(configured_binding_geo, last_ip, new_ip)
+            self.recheck_session_geo(configured_binding_geo, last_ip, new_ip)
        # If we got to this point without any error being raised, we need to
        # update the last saved IP to the current one
        if SESSION_KEY_BINDING_NET in request.session or SESSION_KEY_BINDING_GEO in request.session:
@ -111,8 +111,7 @@ class BoundSessionMiddleware(SessionMiddleware):
            # (== basically requires the user to be logged in)
            request.session[request.session.model.Keys.LAST_IP] = new_ip

-    @staticmethod
-    def recheck_session_net(binding: NetworkBinding, last_ip: str, new_ip: str):
+    def recheck_session_net(self, binding: NetworkBinding, last_ip: str, new_ip: str):
        """Check network/ASN binding"""
        last_asn = ASN_CONTEXT_PROCESSOR.asn(last_ip)
        new_asn = ASN_CONTEXT_PROCESSOR.asn(new_ip)
@ -159,8 +158,7 @@ class BoundSessionMiddleware(SessionMiddleware):
                    new_ip,
                )

-    @staticmethod
-    def recheck_session_geo(binding: GeoIPBinding, last_ip: str, new_ip: str):
+    def recheck_session_geo(self, binding: GeoIPBinding, last_ip: str, new_ip: str):
        """Check GeoIP binding"""
        last_geo = GEOIP_CONTEXT_PROCESSOR.city(last_ip)
        new_geo = GEOIP_CONTEXT_PROCESSOR.city(new_ip)
@ -181,8 +179,8 @@ class BoundSessionMiddleware(SessionMiddleware):
            if last_geo.continent != new_geo.continent:
                raise SessionBindingBroken(
                    "geoip.continent",
-                    last_geo.continent.to_dict(),
-                    new_geo.continent.to_dict(),
+                    last_geo.continent,
+                    new_geo.continent,
                    last_ip,
                    new_ip,
                )
@ -194,8 +192,8 @@ class BoundSessionMiddleware(SessionMiddleware):
            if last_geo.country != new_geo.country:
                raise SessionBindingBroken(
                    "geoip.country",
-                    last_geo.country.to_dict(),
-                    new_geo.country.to_dict(),
+                    last_geo.country,
+                    new_geo.country,
                    last_ip,
                    new_ip,
                )
@ -204,8 +202,8 @@ class BoundSessionMiddleware(SessionMiddleware):
            if last_geo.city != new_geo.city:
                raise SessionBindingBroken(
                    "geoip.city",
-                    last_geo.city.to_dict(),
-                    new_geo.city.to_dict(),
+                    last_geo.city,
+                    new_geo.city,
                    last_ip,
                    new_ip,
                )
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@ -11,7 +11,7 @@ from rest_framework.fields import BooleanField, CharField
 from authentik.core.models import Session, User
 from authentik.events.middleware import audit_ignore
 from authentik.flows.challenge import ChallengeResponse, WithUserInfoChallenge
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.root.middleware import ClientIPMiddleware
@ -108,6 +108,10 @@ class UserLoginStageView(ChallengeStageView):
            flow_slug=self.executor.flow.slug,
            session_duration=delta,
        )
+        # Only show success message if we don't have a source in the flow
+        # as sources show their own success messages
+        if not self.executor.plan.context.get(PLAN_CONTEXT_SOURCE, None):
+            messages.success(self.request, _("Successfully logged in!"))
        if self.executor.current_stage.terminate_other_sessions:
            Session.objects.filter(
                authenticatedsession__user=user,
--- a/authentik/stages/user_login/tests.py
+++ b/authentik/stages/user_login/tests.py
@ -3,7 +3,6 @@
 from time import sleep
 from unittest.mock import patch

-from django.http import HttpRequest
 from django.urls import reverse
 from django.utils.timezone import now

@ -18,12 +17,7 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.root.middleware import ClientIPMiddleware
-from authentik.stages.user_login.middleware import (
-    BoundSessionMiddleware,
-    SessionBindingBroken,
-    logout_extra,
-)
-from authentik.stages.user_login.models import GeoIPBinding, NetworkBinding, UserLoginStage
+from authentik.stages.user_login.models import UserLoginStage


 class TestUserLoginStage(FlowTestCase):
@ -198,52 +192,3 @@ class TestUserLoginStage(FlowTestCase):
        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
        response = self.client.get(reverse("authentik_api:application-list"))
        self.assertEqual(response.status_code, 403)
-
-    def test_binding_net_break_log(self):
-        """Test logout_extra with exception"""
-        # IPs from https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoLite2-ASN-Test.json
-        for args, expect in [
-            [[NetworkBinding.BIND_ASN, "8.8.8.8", "8.8.8.8"], ["network.missing"]],
-            [[NetworkBinding.BIND_ASN, "1.0.0.1", "1.128.0.1"], ["network.asn"]],
-            [
-                [NetworkBinding.BIND_ASN_NETWORK, "12.81.96.1", "12.81.128.1"],
-                ["network.asn_network"],
-            ],
-            [[NetworkBinding.BIND_ASN_NETWORK_IP, "1.0.0.1", "1.0.0.2"], ["network.ip"]],
-        ]:
-            with self.subTest(args[0]):
-                with self.assertRaises(SessionBindingBroken) as cm:
-                    BoundSessionMiddleware.recheck_session_net(*args)
-                self.assertEqual(cm.exception.reason, expect[0])
-                # Ensure the request can be logged without throwing errors
-                self.client.force_login(self.user)
-                request = HttpRequest()
-                request.session = self.client.session
-                request.user = self.user
-                logout_extra(request, cm.exception)
-
-    def test_binding_geo_break_log(self):
-        """Test logout_extra with exception"""
-        # IPs from https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoLite2-City-Test.json
-        for args, expect in [
-            [[GeoIPBinding.BIND_CONTINENT, "8.8.8.8", "8.8.8.8"], ["geoip.missing"]],
-            [[GeoIPBinding.BIND_CONTINENT, "2.125.160.216", "67.43.156.1"], ["geoip.continent"]],
-            [
-                [GeoIPBinding.BIND_CONTINENT_COUNTRY, "81.2.69.142", "89.160.20.112"],
-                ["geoip.country"],
-            ],
-            [
-                [GeoIPBinding.BIND_CONTINENT_COUNTRY_CITY, "2.125.160.216", "81.2.69.142"],
-                ["geoip.city"],
-            ],
-        ]:
-            with self.subTest(args[0]):
-                with self.assertRaises(SessionBindingBroken) as cm:
-                    BoundSessionMiddleware.recheck_session_geo(*args)
-                self.assertEqual(cm.exception.reason, expect[0])
-                # Ensure the request can be logged without throwing errors
-                self.client.force_login(self.user)
-                request = HttpRequest()
-                request.session = self.client.session
-                request.user = self.user
-                logout_extra(request, cm.exception)
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.6.3 Blueprint schema",
+    "title": "authentik 2025.4.1 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -8147,12 +8147,6 @@
                    "title": "Group membership field",
                    "description": "Field which contains members of a group."
                },
-                "user_membership_attribute": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "User membership attribute",
-                    "description": "Attribute which matches the value of `group_membership_field`."
-                },
                "object_uniqueness_field": {
                    "type": "string",
                    "minLength": 1,
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025041.4
+	goauthentik.io/api/v3 v3.2025041.2
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.14.0
--- a/go.sum
+++ b/go.sum
@ -290,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025041.4 h1:cGqzWYnUHrWDoaXWDpIL/kWnX9sFrIhkYDye0P0OEAo=
-goauthentik.io/api/v3 v3.2025041.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025041.2 h1:vFYYnhcDcxL95RczZwhzt3i4LptFXMvIRN+vgf8sQYg=
+goauthentik.io/api/v3 v3.2025041.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2025.6.3"
+const VERSION = "2025.4.1"
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -5,7 +5,6 @@ import (
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/gob"
-	"encoding/hex"
 	"fmt"
 	"html/template"
 	"net/http"
@ -119,8 +118,8 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 	mux := mux.NewRouter()

 	// Save cookie name, based on hashed client ID
-	hs := sha256.Sum256([]byte(*p.ClientId))
-	bs := hex.EncodeToString(hs[:])
+	h := sha256.New()
+	bs := string(h.Sum([]byte(*p.ClientId)))
 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])

 	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
--- a/internal/outpost/proxyv2/application/claims.go
+++ b/internal/outpost/proxyv2/application/claims.go
@ -3,7 +3,6 @@ package application
 type ProxyClaims struct {
 	UserAttributes  map[string]interface{} `json:"user_attributes"`
 	BackendOverride string                 `json:"backend_override"`
-	HostHeader      string                 `json:"host_header"`
 	IsSuperuser     bool                   `json:"is_superuser"`
 }

--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@ -74,18 +74,13 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 		r.URL.Scheme = ou.Scheme
 		r.URL.Host = ou.Host
 		claims := a.getClaimsFromSession(r)
-		if claims != nil && claims.Proxy != nil {
-			if claims.Proxy.BackendOverride != "" {
-				u, err := url.Parse(claims.Proxy.BackendOverride)
-				if err != nil {
-					a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
-				} else {
-					r.URL.Scheme = u.Scheme
-					r.URL.Host = u.Host
-				}
-			}
-			if claims.Proxy.HostHeader != "" {
-				r.Host = claims.Proxy.HostHeader
+		if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
+			u, err := url.Parse(claims.Proxy.BackendOverride)
+			if err != nil {
+				a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
+			} else {
+				r.URL.Scheme = u.Scheme
+				r.URL.Host = u.Host
 			}
 		}
 		a.log.WithField("upstream_url", r.URL.String()).Trace("final upstream url")
--- a/internal/outpost/radius/handler.go
+++ b/internal/outpost/radius/handler.go
@ -2,7 +2,6 @@ package radius

 import (
 	"crypto/sha512"
-	"encoding/hex"
 	"time"

 	"github.com/getsentry/sentry-go"
@ -69,9 +68,7 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 		}
 	}
 	if pi == nil {
-		hs := sha512.Sum512([]byte(r.Secret))
-		bs := hex.EncodeToString(hs[:])
-		nr.Log().WithField("hashed_secret", bs).Warning("No provider found")
+		nr.Log().WithField("hashed_secret", string(sha512.New().Sum(r.Secret))).Warning("No provider found")
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.6.3
+    Default: 2025.4.1
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-02 00:12+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -2226,10 +2226,6 @@ msgstr ""
 msgid "Consider Objects matching this filter to be Users."
 msgstr ""

-#: authentik/sources/ldap/models.py
-msgid "Attribute which matches the value of `group_membership_field`."
-msgstr ""
-
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr ""
@ -3497,6 +3493,10 @@ msgstr ""
 msgid "No Pending user to login."
 msgstr ""

+#: authentik/stages/user_login/stage.py
+msgid "Successfully logged in!"
+msgstr ""
+
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr ""
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -975,11 +975,11 @@ msgstr "开始全量提供程序同步"

 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing users"
-msgstr "正在同步用户"
+msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing groups"
-msgstr "正在同步组"
+msgstr ""

 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -2291,7 +2291,7 @@ msgstr "基于用户属性而非组属性查询组成员身份。这允许在 Fr
 msgid ""
 "Delete authentik users and groups which were previously supplied by this "
 "source, but are now missing from it."
-msgstr "删除之前由此源提供，但现已缺失的用户和组。"
+msgstr ""

 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@ -2312,7 +2312,7 @@ msgstr "LDAP 源属性映射"
 #: authentik/sources/ldap/models.py
 msgid ""
 "Unique ID used while checking if this object still exists in the directory."
-msgstr "检查此对象是否仍在目录中时使用的唯一 ID。"
+msgstr ""

 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
@ -2694,7 +2694,7 @@ msgstr "组 SAML 源连接"
 #: authentik/sources/saml/views.py
 #, python-brace-format
 msgid "Continue to {source_name}"
-msgstr "继续前往 {source_name}"
+msgstr ""

 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
@ -3064,7 +3064,7 @@ msgstr "用户同意授权"

 #: authentik/stages/consent/stage.py
 msgid "Invalid consent token, re-showing prompt"
-msgstr "无效的同意令牌，将重新显示输入"
+msgstr ""

 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
@ -3084,11 +3084,11 @@ msgstr "虚拟阶段"

 #: authentik/stages/email/flow.py
 msgid "Continue to confirm this email address."
-msgstr "继续以确认电子邮件地址。"
+msgstr ""

 #: authentik/stages/email/flow.py
 msgid "Link was already used, please request a new link."
-msgstr "链接已被使用，请申请一个新链接。"
+msgstr ""

 #: authentik/stages/email/models.py
 msgid "Password Reset"
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.6.3",
+    "version": "2025.4.1",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/authentik",
-            "version": "2025.6.3",
+            "version": "2025.4.1",
            "devDependencies": {
                "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                "prettier": "^3.3.3",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.6.3",
+    "version": "2025.4.1",
    "private": true,
    "type": "module",
    "devDependencies": {
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.6.3"
+version = "2025.4.1"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
@ -13,7 +13,7 @@ dependencies = [
    "dacite==1.9.2",
    "deepmerge==2.0",
    "defusedxml==0.7.1",
-    "django==5.1.11",
+    "django==5.1.9",
    "django-countries==7.6.1",
    "django-cte==1.3.3",
    "django-filter==25.1",
@ -61,7 +61,7 @@ dependencies = [
    "setproctitle==1.3.6",
    "structlog==25.3.0",
    "swagger-spec-validator==3.0.4",
-    "tenant-schemas-celery==3.0.0",
+    "tenant-schemas-celery==4.0.1",
    "twilio==9.6.1",
    "ua-parser==1.0.1",
    "unidecode==1.4.0",
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.6.3
+  version: 2025.4.1
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -28581,10 +28581,6 @@ paths:
        name: sync_users_password
        schema:
          type: boolean
-      - in: query
-        name: user_membership_attribute
-        schema:
-          type: string
      - in: query
        name: user_object_filter
        schema:
@ -47897,9 +47893,6 @@ components:
        group_membership_field:
          type: string
          description: Field which contains members of a group.
-        user_membership_attribute:
-          type: string
-          description: Attribute which matches the value of `group_membership_field`.
        object_uniqueness_field:
          type: string
          description: Field which contains a unique Identifier.
@ -48113,10 +48106,6 @@ components:
          type: string
          minLength: 1
          description: Field which contains members of a group.
-        user_membership_attribute:
-          type: string
-          minLength: 1
-          description: Attribute which matches the value of `group_membership_field`.
        object_uniqueness_field:
          type: string
          minLength: 1
@ -53454,10 +53443,6 @@ components:
          type: string
          minLength: 1
          description: Field which contains members of a group.
-        user_membership_attribute:
-          type: string
-          minLength: 1
-          description: Attribute which matches the value of `group_membership_field`.
        object_uniqueness_field:
          type: string
          minLength: 1
--- a/tests/GeoLite2-ASN-Test.mmdb
+++ b/tests/GeoLite2-ASN-Test.mmdb
--- a/tests/GeoLite2-City-Test.mmdb
+++ b/tests/GeoLite2-City-Test.mmdb
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -2,6 +2,7 @@

 from dataclasses import asdict
 from time import sleep
+from unittest.mock import patch

 from guardian.shortcuts import assign_perm
 from ldap3 import ALL, ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE, Connection, Server
@ -15,10 +16,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
+from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.ldap.models import APIAccessMode, LDAPProvider
 from tests.e2e.utils import SeleniumTestCase, retry


+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderLDAP(SeleniumTestCase):
    """LDAP and Outpost e2e tests"""

--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@ -6,6 +6,7 @@ from json import loads
 from sys import platform
 from time import sleep
 from unittest.case import skip, skipUnless
+from unittest.mock import patch

 from channels.testing import ChannelsLiveServerTestCase
 from jwt import decode
@ -17,10 +18,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostConfig, OutpostType
 from authentik.outposts.tasks import outpost_connection_discovery
+from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.proxy.models import ProxyProvider
 from tests.e2e.utils import SeleniumTestCase, retry


+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderProxy(SeleniumTestCase):
    """Proxy and Outpost e2e tests"""

--- a/tests/e2e/test_provider_proxy_forward.py
+++ b/tests/e2e/test_provider_proxy_forward.py
@ -4,6 +4,7 @@ from json import loads
 from pathlib import Path
 from time import sleep
 from unittest import skip
+from unittest.mock import patch

 from selenium.webdriver.common.by import By

@ -12,10 +13,12 @@ from authentik.core.models import Application
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import Outpost, OutpostType
+from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
 from tests.e2e.utils import SeleniumTestCase, retry


+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderProxyForward(SeleniumTestCase):
    """Proxy and Outpost e2e tests"""

--- a/tests/e2e/test_provider_radius.py
+++ b/tests/e2e/test_provider_radius.py
@ -2,6 +2,7 @@

 from dataclasses import asdict
 from time import sleep
+from unittest.mock import patch

 from pyrad.client import Client
 from pyrad.dictionary import Dictionary
@ -12,10 +13,12 @@ from authentik.core.models import Application, User
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
+from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.radius.models import RadiusProvider
 from tests.e2e.utils import SeleniumTestCase, retry


+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderRadius(SeleniumTestCase):
    """Radius Outpost e2e tests"""

--- a/tests/e2e/utils.py
+++ b/tests/e2e/utils.py
@ -1,6 +1,7 @@
 """authentik e2e testing utilities"""

 import json
+import os
 import socket
 from collections.abc import Callable
 from functools import lru_cache, wraps
@ -36,12 +37,22 @@ from authentik.core.api.users import UserSerializer
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
-from authentik.root.test_runner import get_docker_tag

 IS_CI = "CI" in environ
 RETRIES = int(environ.get("RETRIES", "3")) if IS_CI else 1


+def get_docker_tag() -> str:
+    """Get docker-tag based off of CI variables"""
+    env_pr_branch = "GITHUB_HEAD_REF"
+    default_branch = "GITHUB_REF"
+    branch_name = os.environ.get(default_branch, "main")
+    if os.environ.get(env_pr_branch, "") != "":
+        branch_name = os.environ[env_pr_branch]
+    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
+    return f"gh-{branch_name}"
+
+
 def get_local_ip() -> str:
    """Get the local machine's IP"""
    hostname = socket.gethostname()
--- a/uv.lock
+++ b/uv.lock
@ -164,7 +164,7 @@ wheels = [

 [[package]]
 name = "authentik"
-version = "2025.6.3"
+version = "2025.4.1"
 source = { editable = "." }
 dependencies = [
    { name = "argon2-cffi" },
@ -273,7 +273,7 @@ requires-dist = [
    { name = "dacite", specifier = "==1.9.2" },
    { name = "deepmerge", specifier = "==2.0" },
    { name = "defusedxml", specifier = "==0.7.1" },
-    { name = "django", specifier = "==5.1.11" },
+    { name = "django", specifier = "==5.1.9" },
    { name = "django-countries", specifier = "==7.6.1" },
    { name = "django-cte", specifier = "==1.3.3" },
    { name = "django-filter", specifier = "==25.1" },
@ -321,7 +321,7 @@ requires-dist = [
    { name = "setproctitle", specifier = "==1.3.6" },
    { name = "structlog", specifier = "==25.3.0" },
    { name = "swagger-spec-validator", specifier = "==3.0.4" },
-    { name = "tenant-schemas-celery", specifier = "==3.0.0" },
+    { name = "tenant-schemas-celery", specifier = "==4.0.1" },
    { name = "twilio", specifier = "==9.6.1" },
    { name = "ua-parser", specifier = "==1.0.1" },
    { name = "unidecode", specifier = "==1.4.0" },
@ -979,16 +979,16 @@ wheels = [

 [[package]]
 name = "django"
-version = "5.1.11"
+version = "5.1.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "asgiref" },
    { name = "sqlparse" },
    { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/83/80/bf0f9b0aa434fca2b46fc6a31c39b08ea714b87a0a72a16566f053fb05a8/django-5.1.11.tar.gz", hash = "sha256:3bcdbd40e4d4623b5e04f59c28834323f3086df583058e65ebce99f9982385ce", size = 10734926, upload-time = "2025-06-10T10:12:48.229Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/10/08/2e6f05494b3fc0a3c53736846034f882b82ee6351791a7815bbb45715d79/django-5.1.9.tar.gz", hash = "sha256:565881bdd0eb67da36442e9ac788bda90275386b549070d70aee86327781a4fc", size = 10710887, upload-time = "2025-05-07T14:06:45.257Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/59/91/2972ce330c6c0bd5b3200d4c2ad5cbf47eecff5243220c5a56444d3267a0/django-5.1.11-py3-none-any.whl", hash = "sha256:e48091f364007068728aca938e7450fbfe3f2217079bfd2b8af45122585acf64", size = 8277453, upload-time = "2025-06-10T10:12:42.236Z" },
+    { url = "https://files.pythonhosted.org/packages/e1/d1/d8b6b8250b84380d5a123e099ad3298a49407d81598faa13b43a2c6d96d7/django-5.1.9-py3-none-any.whl", hash = "sha256:2fd1d4a0a66a5ba702699eb692e75b0d828b73cc2f4e1fc4b6a854a918967411", size = 8277363, upload-time = "2025-05-07T14:06:37.426Z" },
 ]

 [[package]]
@ -2383,16 +2383,16 @@ wheels = [

 [[package]]
 name = "protobuf"
-version = "6.31.1"
+version = "6.30.2"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/52/f3/b9655a711b32c19720253f6f06326faf90580834e2e83f840472d752bc8b/protobuf-6.31.1.tar.gz", hash = "sha256:d8cac4c982f0b957a4dc73a80e2ea24fab08e679c0de9deb835f4a12d69aca9a", size = 441797, upload-time = "2025-05-28T19:25:54.947Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c8/8c/cf2ac658216eebe49eaedf1e06bc06cbf6a143469236294a1171a51357c3/protobuf-6.30.2.tar.gz", hash = "sha256:35c859ae076d8c56054c25b59e5e59638d86545ed6e2b6efac6be0b6ea3ba048", size = 429315, upload-time = "2025-03-26T19:12:57.394Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/f3/6f/6ab8e4bf962fd5570d3deaa2d5c38f0a363f57b4501047b5ebeb83ab1125/protobuf-6.31.1-cp310-abi3-win32.whl", hash = "sha256:7fa17d5a29c2e04b7d90e5e32388b8bfd0e7107cd8e616feef7ed3fa6bdab5c9", size = 423603, upload-time = "2025-05-28T19:25:41.198Z" },
-    { url = "https://files.pythonhosted.org/packages/44/3a/b15c4347dd4bf3a1b0ee882f384623e2063bb5cf9fa9d57990a4f7df2fb6/protobuf-6.31.1-cp310-abi3-win_amd64.whl", hash = "sha256:426f59d2964864a1a366254fa703b8632dcec0790d8862d30034d8245e1cd447", size = 435283, upload-time = "2025-05-28T19:25:44.275Z" },
-    { url = "https://files.pythonhosted.org/packages/6a/c9/b9689a2a250264a84e66c46d8862ba788ee7a641cdca39bccf64f59284b7/protobuf-6.31.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:6f1227473dc43d44ed644425268eb7c2e488ae245d51c6866d19fe158e207402", size = 425604, upload-time = "2025-05-28T19:25:45.702Z" },
-    { url = "https://files.pythonhosted.org/packages/76/a1/7a5a94032c83375e4fe7e7f56e3976ea6ac90c5e85fac8576409e25c39c3/protobuf-6.31.1-cp39-abi3-manylinux2014_aarch64.whl", hash = "sha256:a40fc12b84c154884d7d4c4ebd675d5b3b5283e155f324049ae396b95ddebc39", size = 322115, upload-time = "2025-05-28T19:25:47.128Z" },
-    { url = "https://files.pythonhosted.org/packages/fa/b1/b59d405d64d31999244643d88c45c8241c58f17cc887e73bcb90602327f8/protobuf-6.31.1-cp39-abi3-manylinux2014_x86_64.whl", hash = "sha256:4ee898bf66f7a8b0bd21bce523814e6fbd8c6add948045ce958b73af7e8878c6", size = 321070, upload-time = "2025-05-28T19:25:50.036Z" },
-    { url = "https://files.pythonhosted.org/packages/f7/af/ab3c51ab7507a7325e98ffe691d9495ee3d3aa5f589afad65ec920d39821/protobuf-6.31.1-py3-none-any.whl", hash = "sha256:720a6c7e6b77288b85063569baae8536671b39f15cc22037ec7045658d80489e", size = 168724, upload-time = "2025-05-28T19:25:53.926Z" },
+    { url = "https://files.pythonhosted.org/packages/be/85/cd53abe6a6cbf2e0029243d6ae5fb4335da2996f6c177bb2ce685068e43d/protobuf-6.30.2-cp310-abi3-win32.whl", hash = "sha256:b12ef7df7b9329886e66404bef5e9ce6a26b54069d7f7436a0853ccdeb91c103", size = 419148, upload-time = "2025-03-26T19:12:41.359Z" },
+    { url = "https://files.pythonhosted.org/packages/97/e9/7b9f1b259d509aef2b833c29a1f3c39185e2bf21c9c1be1cd11c22cb2149/protobuf-6.30.2-cp310-abi3-win_amd64.whl", hash = "sha256:7653c99774f73fe6b9301b87da52af0e69783a2e371e8b599b3e9cb4da4b12b9", size = 431003, upload-time = "2025-03-26T19:12:44.156Z" },
+    { url = "https://files.pythonhosted.org/packages/8e/66/7f3b121f59097c93267e7f497f10e52ced7161b38295137a12a266b6c149/protobuf-6.30.2-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:0eb523c550a66a09a0c20f86dd554afbf4d32b02af34ae53d93268c1f73bc65b", size = 417579, upload-time = "2025-03-26T19:12:45.447Z" },
+    { url = "https://files.pythonhosted.org/packages/d0/89/bbb1bff09600e662ad5b384420ad92de61cab2ed0f12ace1fd081fd4c295/protobuf-6.30.2-cp39-abi3-manylinux2014_aarch64.whl", hash = "sha256:50f32cc9fd9cb09c783ebc275611b4f19dfdfb68d1ee55d2f0c7fa040df96815", size = 317319, upload-time = "2025-03-26T19:12:46.999Z" },
+    { url = "https://files.pythonhosted.org/packages/28/50/1925de813499546bc8ab3ae857e3ec84efe7d2f19b34529d0c7c3d02d11d/protobuf-6.30.2-cp39-abi3-manylinux2014_x86_64.whl", hash = "sha256:4f6c687ae8efae6cf6093389a596548214467778146b7245e886f35e1485315d", size = 316212, upload-time = "2025-03-26T19:12:48.458Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/a1/93c2acf4ade3c5b557d02d500b06798f4ed2c176fa03e3c34973ca92df7f/protobuf-6.30.2-py3-none-any.whl", hash = "sha256:ae86b030e69a98e08c77beab574cbcb9fff6d031d57209f574a5aea1445f4b51", size = 167062, upload-time = "2025-03-26T19:12:55.892Z" },
 ]

 [[package]]
@ -2776,7 +2776,7 @@ wheels = [

 [[package]]
 name = "requests"
-version = "2.32.4"
+version = "2.32.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
@ -2784,9 +2784,9 @@ dependencies = [
    { name = "idna" },
    { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/e1/0a/929373653770d8a0d7ea76c37de6e41f11eb07559b103b1c02cafb3f7cf8/requests-2.32.4.tar.gz", hash = "sha256:27d0316682c8a29834d3264820024b62a36942083d52caf2f14c0591336d3422", size = 135258, upload-time = "2025-06-09T16:43:07.34Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/63/70/2bf7780ad2d390a8d301ad0b550f1581eadbd9a20f896afe06353c2a2913/requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760", size = 131218, upload-time = "2024-05-29T15:37:49.536Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7c/e4/56027c4a6b4ae70ca9de302488c5ca95ad4a39e190093d6c1a8ace08341b/requests-2.32.4-py3-none-any.whl", hash = "sha256:27babd3cda2a6d50b30443204ee89830707d396671944c998b5975b031ac2b2c", size = 64847, upload-time = "2025-06-09T16:43:05.728Z" },
+    { url = "https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6", size = 64928, upload-time = "2024-05-29T15:37:47.027Z" },
 ]

 [[package]]
@ -3100,33 +3100,32 @@ wheels = [

 [[package]]
 name = "tenant-schemas-celery"
-version = "3.0.0"
+version = "4.0.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "celery" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/d0/fe/cfe19eb7cc3ad8e39d7df7b7c44414bf665b6ac6660c998eb498f89d16c6/tenant_schemas_celery-3.0.0.tar.gz", hash = "sha256:6be3ae1a5826f262f0f3dd343c6a85a34a1c59b89e04ae37de018f36562fed55", size = 15954, upload-time = "2024-05-19T11:16:41.837Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/19/f8/cf055bf171b5d83d6fe96f1840fba90d3d274be2b5c35cd21b873302b128/tenant_schemas_celery-4.0.1.tar.gz", hash = "sha256:8b8f055fcd82aa53274c09faf88653a935241518d93b86ab2d43a3df3b70c7f8", size = 18870, upload-time = "2025-04-22T18:23:51.061Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/db/2c/376e1e641ad08b374c75d896468a7be2e6906ce3621fd0c9f9dc09ff1963/tenant_schemas_celery-3.0.0-py3-none-any.whl", hash = "sha256:ca0f69e78ef698eb4813468231df5a0ab6a660c08e657b65f5ac92e16887eec8", size = 18108, upload-time = "2024-05-19T11:16:39.92Z" },
+    { url = "https://files.pythonhosted.org/packages/e9/a8/fd663c461550d6fedfb24e987acc1557ae5b6615ca08fc6c70dbaaa88aa5/tenant_schemas_celery-4.0.1-py3-none-any.whl", hash = "sha256:d06a3ff6956db3a95168ce2051b7bff2765f9ce0d070e14df92f07a2b60ae0a0", size = 21364, upload-time = "2025-04-22T18:23:49.899Z" },
 ]

 [[package]]
 name = "tornado"
-version = "6.5.1"
+version = "6.4.2"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/51/89/c72771c81d25d53fe33e3dca61c233b665b2780f21820ba6fd2c6793c12b/tornado-6.5.1.tar.gz", hash = "sha256:84ceece391e8eb9b2b95578db65e920d2a61070260594819589609ba9bc6308c", size = 509934, upload-time = "2025-05-22T18:15:38.788Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/59/45/a0daf161f7d6f36c3ea5fc0c2de619746cc3dd4c76402e9db545bd920f63/tornado-6.4.2.tar.gz", hash = "sha256:92bad5b4746e9879fd7bf1eb21dce4e3fc5128d71601f80005afa39237ad620b", size = 501135, upload-time = "2024-11-22T03:06:38.036Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/77/89/f4532dee6843c9e0ebc4e28d4be04c67f54f60813e4bf73d595fe7567452/tornado-6.5.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:d50065ba7fd11d3bd41bcad0825227cc9a95154bad83239357094c36708001f7", size = 441948, upload-time = "2025-05-22T18:15:20.862Z" },
-    { url = "https://files.pythonhosted.org/packages/15/9a/557406b62cffa395d18772e0cdcf03bed2fff03b374677348eef9f6a3792/tornado-6.5.1-cp39-abi3-macosx_10_9_x86_64.whl", hash = "sha256:9e9ca370f717997cb85606d074b0e5b247282cf5e2e1611568b8821afe0342d6", size = 440112, upload-time = "2025-05-22T18:15:22.591Z" },
-    { url = "https://files.pythonhosted.org/packages/55/82/7721b7319013a3cf881f4dffa4f60ceff07b31b394e459984e7a36dc99ec/tornado-6.5.1-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b77e9dfa7ed69754a54c89d82ef746398be82f749df69c4d3abe75c4d1ff4888", size = 443672, upload-time = "2025-05-22T18:15:24.027Z" },
-    { url = "https://files.pythonhosted.org/packages/7d/42/d11c4376e7d101171b94e03cef0cbce43e823ed6567ceda571f54cf6e3ce/tornado-6.5.1-cp39-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:253b76040ee3bab8bcf7ba9feb136436a3787208717a1fb9f2c16b744fba7331", size = 443019, upload-time = "2025-05-22T18:15:25.735Z" },
-    { url = "https://files.pythonhosted.org/packages/7d/f7/0c48ba992d875521ac761e6e04b0a1750f8150ae42ea26df1852d6a98942/tornado-6.5.1-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:308473f4cc5a76227157cdf904de33ac268af770b2c5f05ca6c1161d82fdd95e", size = 443252, upload-time = "2025-05-22T18:15:27.499Z" },
-    { url = "https://files.pythonhosted.org/packages/89/46/d8d7413d11987e316df4ad42e16023cd62666a3c0dfa1518ffa30b8df06c/tornado-6.5.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:caec6314ce8a81cf69bd89909f4b633b9f523834dc1a352021775d45e51d9401", size = 443930, upload-time = "2025-05-22T18:15:29.299Z" },
-    { url = "https://files.pythonhosted.org/packages/78/b2/f8049221c96a06df89bed68260e8ca94beca5ea532ffc63b1175ad31f9cc/tornado-6.5.1-cp39-abi3-musllinux_1_2_i686.whl", hash = "sha256:13ce6e3396c24e2808774741331638ee6c2f50b114b97a55c5b442df65fd9692", size = 443351, upload-time = "2025-05-22T18:15:31.038Z" },
-    { url = "https://files.pythonhosted.org/packages/76/ff/6a0079e65b326cc222a54720a748e04a4db246870c4da54ece4577bfa702/tornado-6.5.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:5cae6145f4cdf5ab24744526cc0f55a17d76f02c98f4cff9daa08ae9a217448a", size = 443328, upload-time = "2025-05-22T18:15:32.426Z" },
-    { url = "https://files.pythonhosted.org/packages/49/18/e3f902a1d21f14035b5bc6246a8c0f51e0eef562ace3a2cea403c1fb7021/tornado-6.5.1-cp39-abi3-win32.whl", hash = "sha256:e0a36e1bc684dca10b1aa75a31df8bdfed656831489bc1e6a6ebed05dc1ec365", size = 444396, upload-time = "2025-05-22T18:15:34.205Z" },
-    { url = "https://files.pythonhosted.org/packages/7b/09/6526e32bf1049ee7de3bebba81572673b19a2a8541f795d887e92af1a8bc/tornado-6.5.1-cp39-abi3-win_amd64.whl", hash = "sha256:908e7d64567cecd4c2b458075589a775063453aeb1d2a1853eedb806922f568b", size = 444840, upload-time = "2025-05-22T18:15:36.1Z" },
-    { url = "https://files.pythonhosted.org/packages/55/a7/535c44c7bea4578e48281d83c615219f3ab19e6abc67625ef637c73987be/tornado-6.5.1-cp39-abi3-win_arm64.whl", hash = "sha256:02420a0eb7bf617257b9935e2b754d1b63897525d8a289c9d65690d580b4dcf7", size = 443596, upload-time = "2025-05-22T18:15:37.433Z" },
+    { url = "https://files.pythonhosted.org/packages/26/7e/71f604d8cea1b58f82ba3590290b66da1e72d840aeb37e0d5f7291bd30db/tornado-6.4.2-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:e828cce1123e9e44ae2a50a9de3055497ab1d0aeb440c5ac23064d9e44880da1", size = 436299, upload-time = "2024-11-22T03:06:20.162Z" },
+    { url = "https://files.pythonhosted.org/packages/96/44/87543a3b99016d0bf54fdaab30d24bf0af2e848f1d13d34a3a5380aabe16/tornado-6.4.2-cp38-abi3-macosx_10_9_x86_64.whl", hash = "sha256:072ce12ada169c5b00b7d92a99ba089447ccc993ea2143c9ede887e0937aa803", size = 434253, upload-time = "2024-11-22T03:06:22.39Z" },
+    { url = "https://files.pythonhosted.org/packages/cb/fb/fdf679b4ce51bcb7210801ef4f11fdac96e9885daa402861751353beea6e/tornado-6.4.2-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1a017d239bd1bb0919f72af256a970624241f070496635784d9bf0db640d3fec", size = 437602, upload-time = "2024-11-22T03:06:24.214Z" },
+    { url = "https://files.pythonhosted.org/packages/4f/3b/e31aeffffc22b475a64dbeb273026a21b5b566f74dee48742817626c47dc/tornado-6.4.2-cp38-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c36e62ce8f63409301537222faffcef7dfc5284f27eec227389f2ad11b09d946", size = 436972, upload-time = "2024-11-22T03:06:25.559Z" },
+    { url = "https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bca9eb02196e789c9cb5c3c7c0f04fb447dc2adffd95265b2c7223a8a615ccbf", size = 437173, upload-time = "2024-11-22T03:06:27.584Z" },
+    { url = "https://files.pythonhosted.org/packages/79/5e/be4fb0d1684eb822c9a62fb18a3e44a06188f78aa466b2ad991d2ee31104/tornado-6.4.2-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:304463bd0772442ff4d0f5149c6f1c2135a1fae045adf070821c6cdc76980634", size = 437892, upload-time = "2024-11-22T03:06:28.933Z" },
+    { url = "https://files.pythonhosted.org/packages/f5/33/4f91fdd94ea36e1d796147003b490fe60a0215ac5737b6f9c65e160d4fe0/tornado-6.4.2-cp38-abi3-musllinux_1_2_i686.whl", hash = "sha256:c82c46813ba483a385ab2a99caeaedf92585a1f90defb5693351fa7e4ea0bf73", size = 437334, upload-time = "2024-11-22T03:06:30.428Z" },
+    { url = "https://files.pythonhosted.org/packages/2b/ae/c1b22d4524b0e10da2f29a176fb2890386f7bd1f63aacf186444873a88a0/tornado-6.4.2-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:932d195ca9015956fa502c6b56af9eb06106140d844a335590c1ec7f5277d10c", size = 437261, upload-time = "2024-11-22T03:06:32.458Z" },
+    { url = "https://files.pythonhosted.org/packages/b5/25/36dbd49ab6d179bcfc4c6c093a51795a4f3bed380543a8242ac3517a1751/tornado-6.4.2-cp38-abi3-win32.whl", hash = "sha256:2876cef82e6c5978fde1e0d5b1f919d756968d5b4282418f3146b79b58556482", size = 438463, upload-time = "2024-11-22T03:06:34.71Z" },
+    { url = "https://files.pythonhosted.org/packages/61/cc/58b1adeb1bb46228442081e746fcdbc4540905c87e8add7c277540934edb/tornado-6.4.2-cp38-abi3-win_amd64.whl", hash = "sha256:908b71bf3ff37d81073356a5fadcc660eb10c1476ee6e2725588626ce7e5ca38", size = 438907, upload-time = "2024-11-22T03:06:36.71Z" },
 ]

 [[package]]
@ -3288,11 +3287,11 @@ wheels = [

 [[package]]
 name = "urllib3"
-version = "2.5.0"
+version = "2.4.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/15/22/9ee70a2574a4f4599c47dd506532914ce044817c7752a79b6a51286319bc/urllib3-2.5.0.tar.gz", hash = "sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760", size = 393185, upload-time = "2025-06-18T14:07:41.644Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/8a/78/16493d9c386d8e60e442a35feac5e00f0913c0f4b7c217c11e8ec2ff53e0/urllib3-2.4.0.tar.gz", hash = "sha256:414bc6535b787febd7567804cc015fee39daab8ad86268f1310a9250697de466", size = 390672, upload-time = "2025-04-10T15:23:39.232Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/a7/c2/fe1e52489ae3122415c51f387e221dd0773709bad6c6cdaa599e8a2c5185/urllib3-2.5.0-py3-none-any.whl", hash = "sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc", size = 129795, upload-time = "2025-06-18T14:07:40.39Z" },
+    { url = "https://files.pythonhosted.org/packages/6b/11/cc635220681e93a0183390e26485430ca2c7b5f9d33b15c74c2861cb8091/urllib3-2.4.0-py3-none-any.whl", hash = "sha256:4e16665048960a0900c702d4a66415956a584919c03361cac9f1df5c5dd7e813", size = 128680, upload-time = "2025-04-10T15:23:37.377Z" },
 ]

 [package.optional-dependencies]
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -22,7 +22,7 @@
                "@floating-ui/dom": "^1.6.11",
                "@formatjs/intl-listformat": "^7.7.11",
                "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2025.4.1-1748622869",
+                "@goauthentik/api": "^2025.4.1-1748431399",
                "@lit/context": "^1.1.2",
                "@lit/localize": "^0.12.2",
                "@lit/reactive-element": "^2.0.4",
@ -1721,9 +1721,9 @@
            }
        },
        "node_modules/@goauthentik/api": {
-            "version": "2025.4.1-1748622869",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.4.1-1748622869.tgz",
-            "integrity": "sha512-nH7+dQVA5yPoR4x0g3mct+M9VCwkBh/7ginUTwzb9O+Fj7HHGeAk/4xFC7Zy1oc6CIOHZbSMrOM5EdkEKE18Og=="
+            "version": "2025.4.1-1748431399",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.4.1-1748431399.tgz",
+            "integrity": "sha512-j4ygP36DXqzBCFi3v8KWFLPLUmV616POZb8zx35RaCskuZ5BFNDaArLDtGHvCkEV3qJouR2w43hD4cX18BFIQw=="
        },
        "node_modules/@goauthentik/core": {
            "resolved": "packages/core",
--- a/web/package.json
+++ b/web/package.json
@ -93,7 +93,7 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.7.11",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.4.1-1748622869",
+        "@goauthentik/api": "^2025.4.1-1748431399",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
--- a/web/src/admin/admin-overview/AdminOverviewPage.ts
+++ b/web/src/admin/admin-overview/AdminOverviewPage.ts
@ -85,8 +85,8 @@ export class AdminOverviewPage extends AdminOverviewBase {
    render(): TemplateResult {
        const username = this.user?.user.name || this.user?.user.username;

-        return html`<ak-page-header
-                header=${this.user ? msg(str`Welcome, ${username || ""}.`) : msg("Welcome.")}
+        return html` <ak-page-header
+                header=${msg(str`Welcome, ${username || ""}.`)}
                description=${msg("General system status")}
                ?hasIcon=${false}
            >
--- a/web/src/admin/brands/Certificates.ts
+++ b/web/src/admin/brands/Certificates.ts
@ -1,38 +1,26 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
-import {
-    DataProvision,
-    DualSelectPair,
-    DualSelectPairSource,
-} from "#elements/ak-dual-select/types";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";

 import { CertificateKeyPair, CryptoApi } from "@goauthentik/api";

-const certToSelect = (cert: CertificateKeyPair): DualSelectPair<CertificateKeyPair> => {
-    return [cert.pk, cert.name, cert.name, cert];
-};
+const certToSelect = (s: CertificateKeyPair) => [s.pk, s.name, s.name, s];

-export async function certificateProvider(page = 1, search = ""): Promise<DataProvision> {
-    return new CryptoApi(DEFAULT_CONFIG)
-        .cryptoCertificatekeypairsList({
-            ordering: "name",
-            pageSize: 20,
-            search: search.trim(),
-            page,
-            hasKey: undefined,
-        })
-        .then(({ pagination, results }) => {
-            return {
-                pagination,
-                options: results.map(certToSelect),
-            };
-        });
+export async function certificateProvider(page = 1, search = "") {
+    const certificates = await new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsList({
+        ordering: "name",
+        pageSize: 20,
+        search: search.trim(),
+        page,
+        hasKey: undefined,
+    });
+    return {
+        pagination: certificates.pagination,
+        options: certificates.results.map(certToSelect),
+    };
 }

-export function certificateSelector(
-    instanceMappings?: string[],
-): DualSelectPairSource<CertificateKeyPair> {
+export function certificateSelector(instanceMappings?: string[]) {
    if (!instanceMappings) {
-        return () => Promise.resolve([]);
+        return [];
    }

    return async () => {
--- a/web/src/admin/sources/ldap/LDAPSourceForm.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceForm.ts
@ -361,7 +361,7 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                        <p class="pf-c-form__helper-text">${placeholderHelperText}</p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
-                        label=${msg("Additional User DN")}
+                        label=${msg("Addition User DN")}
                        name="additionalUserDn"
                    >
                        <input
@ -374,7 +374,7 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                        </p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
-                        label=${msg("Additional Group DN")}
+                        label=${msg("Addition Group DN")}
                        name="additionalGroupDn"
                    >
                        <input
@ -429,25 +429,10 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                        />
                        <p class="pf-c-form__helper-text">
                            ${msg(
-                                "Field which contains members of a group. The value of this field is matched against User membership attribute.",
+                                "Field which contains members of a group. Note that if using the \"memberUid\" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.",
                            )}
                        </p>
                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("User membership attribute")}
-                        ?required=${true}
-                        name="userMembershipAttribute"
-                    >
-                        <input
-                            type="text"
-                            value="${this.instance?.userMembershipAttribute || "distinguishedName"}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Attribute which matches the value of Group membership field.")}
-                        </p>
-                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal name="lookupGroupsFromUser">
                        <label class="pf-c-switch">
                            <input
--- a/web/src/common/styles/theme-dark.css
+++ b/web/src/common/styles/theme-dark.css
@ -201,10 +201,6 @@ select[multiple] option:checked {
    --pf-c-input-group--BackgroundColor: transparent;
 }

-select.pf-c-form-control {
-    --pf-c-form-control__select--BackgroundUrl: url("data:image/svg+xml;charset=utf8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 320 512'%3E%3Cpath fill='%23fafafa' d='M31.3 192h257.3c17.8 0 26.7 21.5 14.1 34.1L174.1 354.8c-7.8 7.8-20.5 7.8-28.3 0L17.2 226.1C4.6 213.5 13.5 192 31.3 192z'/%3E%3C/svg%3E");
-}
-
 .pf-c-form-control {
    --pf-c-form-control--BorderTopColor: transparent !important;
    --pf-c-form-control--BorderRightColor: transparent !important;
--- a/web/src/components/ak-event-info.ts
+++ b/web/src/components/ak-event-info.ts
@ -374,7 +374,7 @@ ${JSON.stringify(value.new_value, null, 4)}</pre

    renderEmailSent() {
        let body = this.event.context.body as string;
-        body = body.replace("cid:logo", "/static/dist/assets/icons/icon_left_brand.png");
+        body = body.replace("cid:logo.png", "/static/dist/assets/icons/icon_left_brand.png");
        return html`<div class="pf-c-card__title">${msg("Email info:")}</div>
            <div class="pf-c-card__body">${this.getEmailInfo(this.event.context)}</div>
            <ak-expand>
--- a/web/src/components/ak-page-navbar.ts
+++ b/web/src/components/ak-page-navbar.ts
@ -147,7 +147,7 @@ export class AKPageNavbar
                        }

                        .accent-icon {
-                            height: 1.2em;
+                            height: 1em;
                            width: 1em;

                            @media (max-width: 768px) {
@ -157,7 +157,6 @@ export class AKPageNavbar
                    }

                    &.page-description {
-                        padding-top: 0.3em;
                        grid-area: description;
                        margin-block-end: var(--pf-global--spacer--md);

--- a/web/src/elements/Base.ts
+++ b/web/src/elements/Base.ts
@ -123,9 +123,6 @@ export class AKElement extends LitElement {
            applyUITheme(nextStyleRoot, UiThemeEnum.Dark, this.#customCSSStyleSheet);

            this.activeTheme = UiThemeEnum.Dark;
-        } else if (this.preferredColorScheme === "light") {
-            applyUITheme(nextStyleRoot, UiThemeEnum.Light, this.#customCSSStyleSheet);
-            this.activeTheme = UiThemeEnum.Light;
        } else if (this.preferredColorScheme === "auto") {
            createUIThemeEffect(
                (nextUITheme) => {
--- a/web/src/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.ts
+++ b/web/src/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.ts
@ -4,7 +4,7 @@ import { ref } from "lit/directives/ref.js";

 import { AkDualSelectProvider } from "./ak-dual-select-provider.js";
 import "./ak-dual-select.js";
-import type { DualSelectPair, DualSelectPairSource } from "./types.js";
+import type { DualSelectPair } from "./types.js";

 /**
 * @element ak-dual-select-dynamic-provider
@ -22,7 +22,7 @@ export class AkDualSelectDynamic extends AkDualSelectProvider {
     * @attr
     */
    @property({ attribute: false })
-    selector?: DualSelectPairSource;
+    selector: (_: DualSelectPair[]) => Promise<DualSelectPair[]> = () => Promise.resolve([]);

    #didFirstUpdate = false;

@ -37,7 +37,7 @@ export class AkDualSelectDynamic extends AkDualSelectProvider {

        this.#didFirstUpdate = true;

-        this.selector?.(this.options).then((selected) => {
+        this.selector(this.options).then((selected) => {
            this.selected = selected;
        });
    }
--- a/web/src/elements/ak-dual-select/ak-dual-select.ts
+++ b/web/src/elements/ak-dual-select/ak-dual-select.ts
@ -32,8 +32,8 @@ import {
 } from "./types.js";

 function localeComparator(a: DualSelectPair, b: DualSelectPair) {
-    const aSortBy = String(a[2] || a[0]);
-    const bSortBy = String(b[2] || b[0]);
+    const aSortBy = a[2];
+    const bSortBy = b[2];

    return aSortBy.localeCompare(bSortBy);
 }
--- a/web/src/elements/ak-dual-select/types.ts
+++ b/web/src/elements/ak-dual-select/types.ts
@ -34,7 +34,7 @@ export type DualSelectPair<T = unknown> = [
    /**
     * A string to sort by. If not provided, the key will be used.
     */
-    sortBy?: string,
+    sortBy: string,
    /**
     * A local mapping of the key to the object. This is used by some specific apps.
     *
@ -43,19 +43,15 @@ export type DualSelectPair<T = unknown> = [
    localMapping?: T,
 ];

-export type DualSelectPairSource<T = unknown> = (
-    sourceInit: DualSelectPair<T>[],
-) => Promise<DualSelectPair<T>[]>;
-
 export type BasePagination = Pick<
    Pagination,
    "startIndex" | "endIndex" | "count" | "previous" | "next"
 >;

-export interface DataProvision<T = unknown> {
+export type DataProvision = {
    pagination?: Pagination;
-    options: DualSelectPair<T>[];
-}
+    options: DualSelectPair[];
+};

 export type DataProvider = (page: number, search?: string) => Promise<DataProvision>;

--- a/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts
+++ b/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts
@ -11,7 +11,7 @@ import { StageHost } from "#flow/stages/base";
 import "#user/user-settings/details/stages/prompt/PromptStage";

 import { msg } from "@lit/localize";
-import { CSSResult, TemplateResult, html } from "lit";
+import { CSSResult, PropertyValues, TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { unsafeHTML } from "lit/directives/unsafe-html.js";

@ -36,7 +36,7 @@ export class UserSettingsFlowExecutor
    implements StageHost
 {
    @property()
-    flowSlug = this.brand?.flowUserSettings;
+    flowSlug?: string;

    private _challenge?: ChallengeTypes;

@ -86,15 +86,12 @@ export class UserSettingsFlowExecutor
            });
    }

-    firstUpdated() {
-        if (this.flowSlug) {
-            this.nextChallenge();
-        }
-    }
-
-    updated(): void {
-        if (!this.flowSlug && this.brand?.flowUserSettings) {
+    updated(changedProperties: PropertyValues<this>): void {
+        if (changedProperties.has("brand") && this.brand) {
            this.flowSlug = this.brand.flowUserSettings;
+
+            if (!this.flowSlug) return;
+
            this.nextChallenge();
        }
    }
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -9106,6 +9106,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
  <source>Failed to preview prompt</source>
 </trans-unit>
+<trans-unit id="s783964a224796865">
+  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
+</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
 </trans-unit>
@ -9243,18 +9246,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
  <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
-</trans-unit>
-<trans-unit id="s0a2cb398b54a6207">
-  <source>Welcome.</source>
-</trans-unit>
-<trans-unit id="s4e1d2cb86cf5ecd0">
-  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
-</trans-unit>
-<trans-unit id="s6478025f3e0174fa">
-  <source>User membership attribute</source>
-</trans-unit>
-<trans-unit id="s344be99cf5d36407">
-  <source>Attribute which matches the value of Group membership field.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -7608,6 +7608,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
  <source>Failed to preview prompt</source>
 </trans-unit>
+<trans-unit id="s783964a224796865">
+  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
+</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
 </trans-unit>
@ -7745,18 +7748,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
  <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
-</trans-unit>
-<trans-unit id="s0a2cb398b54a6207">
-  <source>Welcome.</source>
-</trans-unit>
-<trans-unit id="s4e1d2cb86cf5ecd0">
-  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
-</trans-unit>
-<trans-unit id="s6478025f3e0174fa">
-  <source>User membership attribute</source>
-</trans-unit>
-<trans-unit id="s344be99cf5d36407">
-  <source>Attribute which matches the value of Group membership field.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -9167,6 +9167,9 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 <trans-unit id="sc7524ea24eeeb019">
  <source>Failed to preview prompt</source>
 </trans-unit>
+<trans-unit id="s783964a224796865">
+  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
+</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
 </trans-unit>
@ -9304,18 +9307,6 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
  <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
-</trans-unit>
-<trans-unit id="s0a2cb398b54a6207">
-  <source>Welcome.</source>
-</trans-unit>
-<trans-unit id="s4e1d2cb86cf5ecd0">
-  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
-</trans-unit>
-<trans-unit id="s6478025f3e0174fa">
-  <source>User membership attribute</source>
-</trans-unit>
-<trans-unit id="s344be99cf5d36407">
-  <source>Attribute which matches the value of Group membership field.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -9690,6 +9690,10 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <source>Failed to preview prompt</source>
  <target>Échec de la prévisualisation de l'invite</target>
 </trans-unit>
+<trans-unit id="s783964a224796865">
+  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
+  <target>Champ qui contient les membres d'un groupe. Si vous utilisez le champ "memberUid", la valeur est censée contenir un nom distinctif relatif, par exemple 'memberUid=un-utilisateur' au lieu de 'memberUid=cn=un-utilisateur,ou=groups,...'. Lorsque "Recherche avec un attribut utilisateur" est sélectionné, cet attribut doit être un attribut utilisateur, sinon un attribut de groupe.</target>
+</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
  <target>Recherche avec un attribut utilisateur</target>
@ -9873,18 +9877,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="se3b26b762110bda0">
  <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
  <target>Supprimer les utilisateurs et les groupes authentik qui étaient auparavant fournis par cette source, mais qui en sont maintenant absents.</target>
-</trans-unit>
-<trans-unit id="s0a2cb398b54a6207">
-  <source>Welcome.</source>
-</trans-unit>
-<trans-unit id="s4e1d2cb86cf5ecd0">
-  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
-</trans-unit>
-<trans-unit id="s6478025f3e0174fa">
-  <source>User membership attribute</source>
-</trans-unit>
-<trans-unit id="s344be99cf5d36407">
-  <source>Attribute which matches the value of Group membership field.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@ -9690,6 +9690,10 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Failed to preview prompt</source>
  <target>Impossibile visualizzare l'anteprima del prompt</target>
 </trans-unit>
+<trans-unit id="s783964a224796865">
+  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
+  <target>Campo che contiene i membri di un gruppo. Si noti che se si utilizza il campo "memberUid", si presume che il valore contenga un nome relativo distinto. Ad esempio, "memberUid=some-user" invece di "memberUid=cn=some-user,ou=groups,...". Quando si seleziona "Cerca utilizzando un attributo utente", questo dovrebbe essere un attributo utente, altrimenti un attributo di gruppo.</target>
+</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
  <target>Ricerca tramite attributo utente</target>
@ -9856,18 +9860,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
  <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
-</trans-unit>
-<trans-unit id="s0a2cb398b54a6207">
-  <source>Welcome.</source>
-</trans-unit>
-<trans-unit id="s4e1d2cb86cf5ecd0">
-  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
-</trans-unit>
-<trans-unit id="s6478025f3e0174fa">
-  <source>User membership attribute</source>
-</trans-unit>
-<trans-unit id="s344be99cf5d36407">
-  <source>Attribute which matches the value of Group membership field.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/ko.xlf
+++ b/web/xliff/ko.xlf
@ -9075,6 +9075,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
  <source>Failed to preview prompt</source>
 </trans-unit>
+<trans-unit id="s783964a224796865">
+  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
+</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
 </trans-unit>
@ -9212,18 +9215,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
  <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
-</trans-unit>
-<trans-unit id="s0a2cb398b54a6207">
-  <source>Welcome.</source>
-</trans-unit>
-<trans-unit id="s4e1d2cb86cf5ecd0">
-  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
-</trans-unit>
-<trans-unit id="s6478025f3e0174fa">
-  <source>User membership attribute</source>
-</trans-unit>
-<trans-unit id="s344be99cf5d36407">
-  <source>Attribute which matches the value of Group membership field.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/nl.xlf
+++ b/web/xliff/nl.xlf
@ -8977,6 +8977,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="sc7524ea24eeeb019">
  <source>Failed to preview prompt</source>
 </trans-unit>
+<trans-unit id="s783964a224796865">
+  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
+</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
 </trans-unit>
@ -9114,18 +9117,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
  <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
-</trans-unit>
-<trans-unit id="s0a2cb398b54a6207">
-  <source>Welcome.</source>
-</trans-unit>
-<trans-unit id="s4e1d2cb86cf5ecd0">
-  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
-</trans-unit>
-<trans-unit id="s6478025f3e0174fa">
-  <source>User membership attribute</source>
-</trans-unit>
-<trans-unit id="s344be99cf5d36407">
-  <source>Attribute which matches the value of Group membership field.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -9402,6 +9402,9 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 <trans-unit id="sc7524ea24eeeb019">
  <source>Failed to preview prompt</source>
 </trans-unit>
+<trans-unit id="s783964a224796865">
+  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
+</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
 </trans-unit>
@ -9539,18 +9542,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
  <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
-</trans-unit>
-<trans-unit id="s0a2cb398b54a6207">
-  <source>Welcome.</source>
-</trans-unit>
-<trans-unit id="s4e1d2cb86cf5ecd0">
-  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
-</trans-unit>
-<trans-unit id="s6478025f3e0174fa">
-  <source>User membership attribute</source>
-</trans-unit>
-<trans-unit id="s344be99cf5d36407">
-  <source>Attribute which matches the value of Group membership field.</source>
 </trans-unit>
    </body>
  </file>
--- a/Show More
+++ b/Show More