providers/saml: configuration for default NameID Policy

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
core, web: update translations (#15102 )
2025-06-18 11:39:28 +02:00 · 2025-06-18 11:15:00 +02:00 · 2025-06-18 11:14:24 +02:00 · 2025-06-18 11:14:15 +02:00 · 2025-06-18 11:14:08 +02:00 · 2025-06-17 16:15:07 -05:00
104 changed files with 6123 additions and 6183 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.1
+current_version = 2025.6.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -202,7 +202,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
--- a/2
+++ b/2
@ -77,7 +77,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
 # Stage 4: Download uv
 FROM ghcr.io/astral-sh/uv:0.7.13 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.4-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
--- a/2
+++ b/2
@ -94,7 +94,7 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema > blueprints/schema.json
+		uv run ak make_blueprint_schema --file blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2025.6.1"
+__version__ = "2025.6.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -72,20 +72,33 @@ class Command(BaseCommand):
                    "additionalProperties": True,
                },
                "entries": {
-                    "type": "array",
+                    "anyOf": [
-                    "items": {
+                        {
-                        "oneOf": [],
+                            "type": "array",
-                    },
+                            "items": {"$ref": "#/$defs/blueprint_entry"},
                        },
                        {
                            "type": "object",
                            "additionalProperties": {
                                "type": "array",
                                "items": {"$ref": "#/$defs/blueprint_entry"},
                            },
                        },
                    ],
                },
            },
-            "$defs": {},
+            "$defs": {"blueprint_entry": {"oneOf": []}},
        }
    def add_arguments(self, parser):
        parser.add_argument("--file", type=str)
    @no_translations
-    def handle(self, *args, **options):
+    def handle(self, *args, file: str, **options):
        """Generate JSON Schema for blueprints"""
        self.build()
-        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
+        with open(file, "w") as _schema:
            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
    @staticmethod
    def json_default(value: Any) -> Any:
@ -112,7 +125,7 @@ class Command(BaseCommand):
                }
            )
            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["properties"]["entries"]["items"]["oneOf"].append(
+            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
                self.template_entry(model_path, model, serializer)
            )
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@ -1,10 +1,11 @@
 version: 1
 entries:
-    - identifiers:
+  foo:
-          name: "%(id)s"
+      - identifiers:
-          slug: "%(id)s"
+            name: "%(id)s"
-      model: authentik_flows.flow
+            slug: "%(id)s"
-      state: present
+        model: authentik_flows.flow
-      attrs:
+        state: present
-          designation: stage_configuration
+        attrs:
-          title: foo
+            designation: stage_configuration
            title: foo
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -191,11 +191,18 @@ class Blueprint:
    """Dataclass used for a full export"""
    version: int = field(default=1)
-    entries: list[BlueprintEntry] = field(default_factory=list)
+    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
    context: dict = field(default_factory=dict)
    metadata: BlueprintMetadata | None = field(default=None)
    def iter_entries(self) -> Iterable[BlueprintEntry]:
        if isinstance(self.entries, dict):
            for _section, entries in self.entries.items():
                yield from entries
        else:
            yield from self.entries
 class YAMLTag:
    """Base class for all YAML Tags"""
@ -226,7 +233,7 @@ class KeyOf(YAMLTag):
        self.id_from = node.value
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.entries:
+        for _entry in blueprint.iter_entries():
            if _entry.id == self.id_from and _entry._state.instance:
                # Special handling for PolicyBindingModels, as they'll have a different PK
                # which is used when creating policy bindings
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -384,7 +384,7 @@ class Importer:
    def _apply_models(self, raise_errors=False) -> bool:
        """Apply (create/update) models yaml"""
        self.__pk_map = {}
-        for entry in self._import.entries:
+        for entry in self._import.iter_entries():
            model_app_label, model_name = entry.get_model(self._import).split(".")
            try:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -387,8 +387,7 @@ class TestAuthorize(OAuthTestCase):
            self.assertEqual(
                response.url,
                (
-                    f"http://localhost#access_token={token.token}"
+                    f"http://localhost#id_token={provider.encode(token.id_token.to_dict())}"
                    f"&id_token={provider.encode(token.id_token.to_dict())}"
                    f"&token_type={TOKEN_TYPE}"
                    f"&expires_in={int(expires)}&state={state}"
                ),
@ -563,7 +562,6 @@ class TestAuthorize(OAuthTestCase):
                "url": "http://localhost",
                "title": f"Redirecting to {app.name}...",
                "attrs": {
                    "access_token": token.token,
                    "id_token": provider.encode(token.id_token.to_dict()),
                    "token_type": TOKEN_TYPE,
                    "expires_in": "3600",
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -150,12 +150,12 @@ class OAuthAuthorizationParams:
        self.check_redirect_uri()
        self.check_grant()
        self.check_scope(github_compat)
        self.check_nonce()
        self.check_code_challenge()
        if self.request:
            raise AuthorizeError(
                self.redirect_uri, "request_not_supported", self.grant_type, self.state
            )
        self.check_nonce()
        self.check_code_challenge()
    def check_grant(self):
        """Check grant"""
@ -630,7 +630,6 @@ class OAuthFulfillmentStage(StageView):
        if self.params.response_type in [
            ResponseTypes.ID_TOKEN_TOKEN,
            ResponseTypes.CODE_ID_TOKEN_TOKEN,
            ResponseTypes.ID_TOKEN,
            ResponseTypes.CODE_TOKEN,
        ]:
            query_fragment["access_token"] = token.token
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -190,6 +190,7 @@ class SAMLProviderSerializer(ProviderSerializer):
            "sign_response",
            "sp_binding",
            "default_relay_state",
            "default_name_id_policy",
            "url_download_metadata",
            "url_sso_post",
            "url_sso_redirect",
--- a/authentik/providers/saml/migrations/0019_samlprovider_default_name_id_policy.py
+++ b/authentik/providers/saml/migrations/0019_samlprovider_default_name_id_policy.py
@ -0,0 +1,31 @@
 # Generated by Django 5.1.11 on 2025-06-18 09:27
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_saml", "0018_alter_samlprovider_acs_url"),
    ]
    operations = [
        migrations.AddField(
            model_name="samlprovider",
            name="default_name_id_policy",
            field=models.TextField(
                choices=[
                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "Email"),
                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "Persistent"),
                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", "X509"),
                    (
                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
                        "Windows",
                    ),
                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "Transient"),
                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "Unspecified"),
                ],
                default="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            ),
        ),
    ]
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@ -12,6 +12,7 @@ from authentik.core.models import PropertyMapping, Provider
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
    DSA_SHA1,
    ECDSA_SHA1,
@ -179,6 +180,9 @@ class SAMLProvider(Provider):
    default_relay_state = models.TextField(
        default="", blank=True, help_text=_("Default relay_state value for IDP-initiated logins")
    )
    default_name_id_policy = models.TextField(
        choices=SAMLNameIDPolicy.choices, default=SAMLNameIDPolicy.UNSPECIFIED
    )
    sign_assertion = models.BooleanField(default=True)
    sign_response = models.BooleanField(default=False)
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@ -205,6 +205,13 @@ class AssertionProcessor:
    def get_name_id(self) -> Element:
        """Get NameID Element"""
        name_id = Element(f"{{{NS_SAML_ASSERTION}}}NameID")
        # For requests that don't specify a NameIDPolicy, check if we
        # can fall back to the provider default
        if (
            self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_UNSPECIFIED
            and self.provider.default_name_id_policy != SAML_NAME_ID_FORMAT_UNSPECIFIED
        ):
            self.auth_n_request.name_id_policy = self.provider.default_name_id_policy
        name_id.attrib["Format"] = self.auth_n_request.name_id_policy
        # persistent is used as a fallback, so always generate it
        persistent = self.http_request.user.uid
--- a/authentik/providers/saml/processors/authn_request_parser.py
+++ b/authentik/providers/saml/processors/authn_request_parser.py
@ -13,6 +13,7 @@ from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
 from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
    DSA_SHA1,
    NS_MAP,
@ -175,7 +176,9 @@ class AuthNRequestParser:
    def idp_initiated(self) -> AuthNRequest:
        """Create IdP Initiated AuthNRequest"""
-        relay_state = None
+        request = AuthNRequest(relay_state=None)
        if self.provider.default_relay_state != "":
-            relay_state = self.provider.default_relay_state
+            request.relay_state = self.provider.default_relay_state
-        return AuthNRequest(relay_state=relay_state)
+        if self.provider.default_name_id_policy != SAMLNameIDPolicy.UNSPECIFIED:
            request.name_id_policy = self.provider.default_name_id_policy
        return request
--- a/authentik/providers/saml/processors/metadata_parser.py
+++ b/authentik/providers/saml/processors/metadata_parser.py
@ -13,6 +13,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.utils.encoding import PEM_FOOTER, PEM_HEADER
 from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
    NS_MAP,
    NS_SAML_METADATA,
@ -46,6 +47,7 @@ class ServiceProviderMetadata:
    auth_n_request_signed: bool
    assertion_signed: bool
    name_id_policy: SAMLNameIDPolicy
    signing_keypair: CertificateKeyPair | None = None
@ -60,6 +62,7 @@ class ServiceProviderMetadata:
        provider.issuer = self.entity_id
        provider.sp_binding = self.acs_binding
        provider.acs_url = self.acs_location
        provider.default_name_id_policy = self.name_id_policy
        if self.signing_keypair and self.auth_n_request_signed:
            self.signing_keypair.name = f"Provider {name} - SAML Signing Certificate"
            self.signing_keypair.save()
@ -148,6 +151,11 @@ class ServiceProviderMetadataParser:
        if signing_keypair:
            self.check_signature(root, signing_keypair)
        name_id_format = descriptor.findall(f"{{{NS_SAML_METADATA}}}NameIDFormat")
        name_id_policy = SAMLNameIDPolicy.UNSPECIFIED
        if len(name_id_format) > 0:
            name_id_policy = SAMLNameIDPolicy(name_id_format[0].text)
        return ServiceProviderMetadata(
            entity_id=entity_id,
            acs_binding=acs_binding,
@ -155,4 +163,5 @@ class ServiceProviderMetadataParser:
            auth_n_request_signed=auth_n_request_signed,
            assertion_signed=assertion_signed,
            signing_keypair=signing_keypair,
            name_id_policy=name_id_policy,
        )
--- a/authentik/providers/saml/tests/fixtures/simple.xml
+++ b/authentik/providers/saml/tests/fixtures/simple.xml
@ -4,7 +4,7 @@
                     cacheDuration="PT604800S"
                     entityID="http://localhost:8080/saml/metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://localhost:8080/saml/acs"
                                     index="1" />
--- a/authentik/providers/saml/tests/test_metadata.py
+++ b/authentik/providers/saml/tests/test_metadata.py
@ -14,6 +14,7 @@ from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
 from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import ECDSA_SHA256, NS_MAP, NS_SAML_METADATA
@ -86,6 +87,7 @@ class TestServiceProviderMetadataParser(TestCase):
        self.assertEqual(provider.acs_url, "http://localhost:8080/saml/acs")
        self.assertEqual(provider.issuer, "http://localhost:8080/saml/metadata")
        self.assertEqual(provider.sp_binding, SAMLBindings.POST)
        self.assertEqual(provider.default_name_id_policy, SAMLNameIDPolicy.EMAIL)
        self.assertEqual(
            len(provider.property_mappings.all()),
            len(SAMLPropertyMapping.objects.exclude(managed__isnull=True)),
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -166,6 +166,7 @@ SPECTACULAR_SETTINGS = {
        "UserVerificationEnum": "authentik.stages.authenticator_webauthn.models.UserVerification",
        "UserTypeEnum": "authentik.core.models.UserTypes",
        "OutgoingSyncDeleteAction": "authentik.lib.sync.outgoing.models.OutgoingSyncDeleteAction",
        "SAMLNameIDPolicyEnum": "authentik.sources.saml.models.SAMLNameIDPolicy",
    },
    "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
    "ENUM_GENERATE_CHOICE_DESCRIPTION": False,
--- a/authentik/sources/saml/migrations/0020_alter_samlsource_name_id_policy.py
+++ b/authentik/sources/saml/migrations/0020_alter_samlsource_name_id_policy.py
@ -0,0 +1,32 @@
 # Generated by Django 5.1.11 on 2025-06-18 09:27
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_sources_saml", "0019_migrate_usersamlsourceconnection_identifier"),
    ]
    operations = [
        migrations.AlterField(
            model_name="samlsource",
            name="name_id_policy",
            field=models.TextField(
                choices=[
                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "Email"),
                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "Persistent"),
                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", "X509"),
                    (
                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
                        "Windows",
                    ),
                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "Transient"),
                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "Unspecified"),
                ],
                default="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                help_text="NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent.",
            ),
        ),
    ]
--- a/authentik/sources/saml/models.py
+++ b/authentik/sources/saml/models.py
@ -39,6 +39,7 @@ from authentik.sources.saml.processors.constants import (
    SAML_NAME_ID_FORMAT_EMAIL,
    SAML_NAME_ID_FORMAT_PERSISTENT,
    SAML_NAME_ID_FORMAT_TRANSIENT,
    SAML_NAME_ID_FORMAT_UNSPECIFIED,
    SAML_NAME_ID_FORMAT_WINDOWS,
    SAML_NAME_ID_FORMAT_X509,
    SHA1,
@ -73,6 +74,7 @@ class SAMLNameIDPolicy(models.TextChoices):
    X509 = SAML_NAME_ID_FORMAT_X509
    WINDOWS = SAML_NAME_ID_FORMAT_WINDOWS
    TRANSIENT = SAML_NAME_ID_FORMAT_TRANSIENT
    UNSPECIFIED = SAML_NAME_ID_FORMAT_UNSPECIFIED
 class SAMLSource(Source):
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.2}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.2}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -18,7 +18,7 @@ require (
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/grafana/pyroscope-go v1.2.2
-	github.com/jellydator/ttlcache/v3 v3.3.0
+	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
@ -29,7 +29,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025061.2
+	goauthentik.io/api/v3 v3.2025062.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.15.0
--- a/go.sum
+++ b/go.sum
@ -203,8 +203,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
+github.com/jellydator/ttlcache/v3 v3.4.0 h1:YS4P125qQS0tNhtL6aeYkheEaB/m8HCqdMMP4mnWdTY=
-github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
+github.com/jellydator/ttlcache/v3 v3.4.0/go.mod h1:Hw9EgjymziQD3yGsQdf1FqFdpp7YjFMd4Srg5EJlgD4=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@ -298,8 +298,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025061.2 h1:bKmrl82Gz6J8lz3f+QIH9g+MEkl3MvkMXF34GktesA0=
+goauthentik.io/api/v3 v3.2025062.1 h1:spvILDpDDWJNO3pM6QGqmryx6NvSchr1E8H60J/XUCA=
-goauthentik.io/api/v3 v3.2025061.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025062.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2025.6.1"
+const VERSION = "2025.6.2"
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.6.1
+    Default: 2025.6.2
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/locale/es/LC_MESSAGES/django.po
+++ b/locale/es/LC_MESSAGES/django.po
@ -6,18 +6,18 @@
 # Translators:
 # jcamat, 2022
 # Angel, 2024
 # Iamanaws, 2024
 # Marcelo Elizeche Landó, 2025
 # Jens L. <jens@goauthentik.io>, 2025
 # Iamanaws, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-06-04 00:12+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
+"Last-Translator: Iamanaws, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -111,7 +111,7 @@ msgstr "Certificado Web usado por el servidor web Core de authentik"
 #: authentik/brands/models.py
 msgid "Certificates used for client authentication."
-msgstr ""
+msgstr "Certificados utilizados para la autenticación del cliente."
 #: authentik/brands/models.py
 msgid "Brand"
@ -131,7 +131,7 @@ msgstr "Descripción adicional no disponible."
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
-msgstr "No se puede establecer el grupo como padre de sí mismo."
+msgstr "No se puede establecer un grupo como su propio padre."
 #: authentik/core/api/providers.py
 msgid ""
@ -183,11 +183,11 @@ msgstr "Remueve usuario del grupo"
 #: authentik/core/models.py
 msgid "Enable superuser status"
-msgstr "Habiliar estado de \"superusuario\""
+msgstr "Habilitar el estado de superusuario"
 #: authentik/core/models.py
 msgid "Disable superuser status"
-msgstr "Deshabiliar estado de \"superusuario\""
+msgstr "Deshabilitar el estado de superusuario"
 #: authentik/core/models.py
 msgid "User's display name."
@ -241,7 +241,7 @@ msgstr "Flujo utilizado al autorizar a este proveedor."
 #: authentik/core/models.py
 msgid "Flow used ending the session from a provider."
-msgstr "Flujo usado para terminar la sesión de un proveedor."
+msgstr "Flujo utilizado para finalizar la sesión desde un proveedor."
 #: authentik/core/models.py
 msgid ""
@ -273,11 +273,11 @@ msgstr "Aplicaciones"
 #: authentik/core/models.py
 msgid "Application Entitlement"
-msgstr ""
+msgstr "Derecho de Aplicación"
 #: authentik/core/models.py
 msgid "Application Entitlements"
-msgstr ""
+msgstr "Derechos de Aplicación"
 #: authentik/core/models.py
 msgid "Use the source-specific identifier"
@ -288,9 +288,9 @@ msgid ""
 "Link to a user with identical email address. Can have security implications "
 "when a source doesn't validate email addresses."
 msgstr ""
-"Apunta a un usuario con una dirección de correo electrónico idéntica. Puede "
+"Enlace a un usuario con la misma dirección de correo electrónico. Puede "
-"tener implicaciones de seguridad cuando una fuente no valida la dirección de"
+"tener implicaciones de seguridad cuando una fuente no valida las direcciones"
-" correo electrónico."
+" de correo electrónico."
 #: authentik/core/models.py
 msgid ""
@ -305,8 +305,8 @@ msgid ""
 "Link to a user with identical username. Can have security implications when "
 "a username is used with another source."
 msgstr ""
-"Enlace a un usuario con un nombre de usuario idéntico. Puede tener "
+"Enlace a un usuario con el mismo nombre de usuario. Puede tener "
-"implicaciones de seguridad cuando se usa un nombre de usuario con otra "
+"implicaciones de seguridad cuando un nombre de usuario se utiliza con otra "
 "fuente."
 #: authentik/core/models.py
@ -322,8 +322,8 @@ msgid ""
 "Link to a group with identical name. Can have security implications when a "
 "group name is used with another source."
 msgstr ""
-"Enlace a un grupo con un nombre idéntico. Puede tener implicaciones de "
+"Enlace a un grupo con el mismo nombre. Puede tener implicaciones de "
-"seguridad cuando se utiliza un nombre de grupo con otra fuente."
+"seguridad cuando un nombre de grupo se utiliza con otra fuente."
 #: authentik/core/models.py
 msgid "Use the group name, but deny enrollment when the name already exists."
@ -385,7 +385,7 @@ msgstr "Asignaciones de Propiedades"
 #: authentik/core/models.py
 msgid "session data"
-msgstr ""
+msgstr "datos de sesión"
 #: authentik/core/models.py
 msgid "Session"
@ -424,7 +424,7 @@ msgstr "¡Autenticado exitosamente con {source}!"
 #: authentik/core/sources/flow_manager.py
 #, python-brace-format
 msgid "Successfully linked {source}!"
-msgstr "¡{source} vinculado exitosamente!"
+msgstr "¡{source} enlazado correctamente!"
 #: authentik/core/sources/flow_manager.py
 msgid "Source is not configured for enrollment."
@ -476,11 +476,11 @@ msgstr ""
 #: authentik/crypto/models.py
 msgid "Certificate-Key Pair"
-msgstr "Par de claves de certificado"
+msgstr "Par Certificado-Clave"
 #: authentik/crypto/models.py
 msgid "Certificate-Key Pairs"
-msgstr "Pares de claves de certificado"
+msgstr "Pares Certificado-Clave"
 #: authentik/enterprise/api.py
 msgid "Enterprise is required to create/update this object."
@ -511,7 +511,7 @@ msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
-msgstr ""
+msgstr "Número de contraseñas contra las que verificar."
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
@ -521,18 +521,20 @@ msgstr "La contraseña no se ha establecido en contexto"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 "Esta contraseña se ha utilizado anteriormente. Por favor, elija una "
 "diferente."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
-msgstr ""
+msgstr "Política de Unicidad de Contraseñas"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
-msgstr ""
+msgstr "Políticas de Unicidad de Contraseñas"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
-msgstr ""
+msgstr "Historial de Contraseñas del Usuario"
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@ -617,39 +619,39 @@ msgstr "Clave de firma"
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Key used to sign the SSF Events."
-msgstr ""
+msgstr "Clave utilizada para firmar los eventos SSF."
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Provider"
-msgstr ""
+msgstr "Proveedor del Marco de Señales Compartidas"
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Providers"
-msgstr ""
+msgstr "Proveedores del Marco de Señales Compartidas"
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Add stream to SSF provider"
-msgstr ""
+msgstr "Agregar flujo de datos al proveedor SSF"
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream"
-msgstr ""
+msgstr "Flujo de Datos SSF"
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Streams"
-msgstr ""
+msgstr "Flujos de Datos SSF"
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Event"
-msgstr ""
+msgstr "Evento de Flujo de Datos SSF"
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Events"
-msgstr ""
+msgstr "Eventos de Flujos de Datos SSF"
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Failed to send request"
-msgstr "Falló envio de petición"
+msgstr "Error al enviar la solicitud"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@ -681,26 +683,29 @@ msgid ""
 "option has a higher priority than the `client_certificate` option on "
 "`Brand`."
 msgstr ""
 "Configura las autoridades certificadoras para validar el certificado. Esta "
 "opción tiene una prioridad mayor que la opción `client_certificate` en "
 "`Brand`."
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stage"
-msgstr ""
+msgstr "Etapa de TLS mutuo"
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stages"
-msgstr ""
+msgstr "Etapas de TLS mutuo"
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Permissions to pass Certificates for outposts."
-msgstr ""
+msgstr "Permisos para pasar Certificados a los puestos avanzados."
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "Certificate required but no certificate was given."
-msgstr ""
+msgstr "Se requiere certificado, pero no se proporcionó ninguno."
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "No user found for certificate."
-msgstr ""
+msgstr "No se encontró usuario para el certificado."
 #: authentik/enterprise/stages/source/models.py
 msgid ""
@ -753,12 +758,16 @@ msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
 "serializable."
 msgstr ""
 "Personaliza el cuerpo de la solicitud. El mapeo debe devolver datos que sean"
 " serializables en JSON."
 #: authentik/events/models.py
 msgid ""
 "Configure additional headers to be sent. Mapping should return a dictionary "
 "of key-value pairs"
 msgstr ""
 "Configura encabezados adicionales para enviar. El mapeo debe devolver un "
 "diccionario de pares clave-valor"
 #: authentik/events/models.py
 msgid ""
@ -786,7 +795,7 @@ msgstr "Transporte de notificaciones"
 #: authentik/events/models.py
 msgid "Notification Transports"
-msgstr "Transportes de notificación"
+msgstr "Medios de Notificación"
 #: authentik/events/models.py
 msgid "Notice"
@ -813,9 +822,9 @@ msgid ""
 "Select which transports should be used to notify the user. If none are "
 "selected, the notification will only be shown in the authentik UI."
 msgstr ""
-"Seleccione qué transportes se deben usar para notificar al usuario. Si no se"
+"Selecciona qué medios se deben usar para notificar al usuario. Si no se "
-" selecciona ninguno, la notificación solo se mostrará en la interfaz de "
+"selecciona ninguno, la notificación solo se mostrará en la interfaz de "
-"usuario de authentik."
+"authentik."
 #: authentik/events/models.py
 msgid "Controls which severity level the created notifications will have."
@ -987,7 +996,7 @@ msgstr "Evalúa políticas durante el proceso de planeación del Flujo."
 #: authentik/flows/models.py
 msgid "Evaluate policies when the Stage is presented to the user."
-msgstr ""
+msgstr "Evaluar las políticas cuando la Etapa se presenta al usuario."
 #: authentik/flows/models.py
 msgid ""
@ -1034,6 +1043,8 @@ msgid ""
 "When enabled, provider will not modify or create objects in the remote "
 "system."
 msgstr ""
 "Cuando está habilitado, el proveedor no modificará ni creará objetos en el "
 "sistema remoto."
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
@ -1041,20 +1052,21 @@ msgstr "Iniciando sincronización completa de proveedor"
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing users"
-msgstr ""
+msgstr "Sincronizando usuarios"
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing groups"
-msgstr ""
+msgstr "Sincronizando grupos"
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of groups"
+msgid "Syncing page {page} of {object_type}"
-msgstr "Sincronizando página {page} de grupos"
+msgstr "Sincronizando página {page} de {object_type}"
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Dropping mutating request due to dry run"
 msgstr ""
 "Descartando solicitud de mutación debido a ejecución en modo de simulación"
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -1233,7 +1245,7 @@ msgstr ""
 #: authentik/policies/expiry/models.py
 msgid "Password has expired."
-msgstr "La contraseña ha caducado."
+msgstr "La contraseña ha expirado."
 #: authentik/policies/expiry/models.py
 msgid "Password Expiry Policy"
@ -1271,7 +1283,7 @@ msgstr "La IP del cliente no está en un país permitido."
 #: authentik/policies/geoip/models.py
 msgid "Distance from previous authentication is larger than threshold."
-msgstr "La distancia desde la autenticación previa es mayor que el límite."
+msgstr "La distancia desde la autenticación anterior es mayor que el umbral."
 #: authentik/policies/geoip/models.py
 msgid "Distance is further than possible."
@ -1320,7 +1332,7 @@ msgstr "Vinculación de Políticas"
 #: authentik/policies/models.py
 msgid "Policy Bindings"
-msgstr "Vinculaciones de políticas"
+msgstr "Vinculaciones de Políticas"
 #: authentik/policies/models.py
 msgid ""
@ -1594,11 +1606,11 @@ msgstr "ES256 (Encriptación Asimétrica)"
 #: authentik/providers/oauth2/models.py
 msgid "ES384 (Asymmetric Encryption)"
-msgstr ""
+msgstr "ES384 (Encriptación Asimétrica)"
 #: authentik/providers/oauth2/models.py
 msgid "ES512 (Asymmetric Encryption)"
-msgstr ""
+msgstr "ES512 (Encriptación Asimétrica)"
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
@ -1813,7 +1825,7 @@ msgstr "Valida Certificados SSL de servidores de origen"
 #: authentik/providers/proxy/models.py
 msgid "Internal host SSL Validation"
-msgstr "Validación SSL de host interno"
+msgstr "Validación SSL del host interno"
 #: authentik/providers/proxy/models.py
 msgid ""
@ -2027,7 +2039,7 @@ msgstr ""
 #: authentik/providers/saml/models.py
 msgid "AuthnContextClassRef Property Mapping"
-msgstr ""
+msgstr "Asignación de Propiedades de AuthnContextClassRef"
 #: authentik/providers/saml/models.py
 msgid ""
@ -2035,6 +2047,9 @@ msgid ""
 "empty, the AuthnContextClassRef will be set based on which authentication "
 "methods the user used to authenticate."
 msgstr ""
 "Configura cómo se creará el valor de AuthnContextClassRef. Si se deja vacío,"
 " el AuthnContextClassRef se establecerá según los métodos de autenticación "
 "que el usuario haya utilizado para autenticarse."
 #: authentik/providers/saml/models.py
 msgid ""
@ -2184,11 +2199,11 @@ msgstr "Predeterminado"
 #: authentik/providers/scim/models.py
 msgid "AWS"
-msgstr ""
+msgstr "AWS"
 #: authentik/providers/scim/models.py
 msgid "Slack"
-msgstr ""
+msgstr "Slack"
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
@ -2200,11 +2215,13 @@ msgstr "Token de Autenticación"
 #: authentik/providers/scim/models.py
 msgid "SCIM Compatibility Mode"
-msgstr ""
+msgstr "Modo de Compatibilidad SCIM"
 #: authentik/providers/scim/models.py
 msgid "Alter authentik behavior for vendor-specific SCIM implementations."
 msgstr ""
 "Modificar el comportamiento de authentik para implementaciones SCIM "
 "específicas de proveedores."
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
@ -2232,7 +2249,7 @@ msgstr "Roles"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
-msgstr ""
+msgstr "Permisos Iniciales"
 #: authentik/rbac/models.py
 msgid "System permission"
@ -2270,7 +2287,7 @@ msgstr ""
 #: authentik/recovery/views.py
 msgid "Used recovery-link to authenticate."
-msgstr "Se usó el enlace de recuperación para autenticarse."
+msgstr "Se utilizó un enlace de recuperación para autenticarse."
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos realm"
@ -2282,7 +2299,7 @@ msgstr "krb5.conf personalizado a usar. Usa el del sistema por defecto."
 #: authentik/sources/kerberos/models.py
 msgid "KAdmin server type"
-msgstr ""
+msgstr "Tipo de servidor KAdmin"
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
@ -2290,23 +2307,24 @@ msgstr "Sincronizar usuarios desde Kerberos hacia Authentik"
 #: authentik/sources/kerberos/models.py
 msgid "When a user changes their password, sync it back to Kerberos"
-msgstr "Cuando un usuario cambia su contraseña, sincronizarlo hacia Kerberos"
+msgstr ""
 "Cuando un usuario cambie su contraseña, sincronizarla de vuelta a Kerberos."
 #: authentik/sources/kerberos/models.py
 msgid "Principal to authenticate to kadmin for sync."
-msgstr "Principal para autenticarse como kadmin para la sincronización."
+msgstr "Principal para autenticarse en kadmin para la sincronización."
 #: authentik/sources/kerberos/models.py
 msgid "Password to authenticate to kadmin for sync"
-msgstr "Contraseña para autenticarse como kadmin para la sincronización"
+msgstr "Contraseña para autenticarse en kadmin para la sincronización"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
 "form TYPE:residual"
 msgstr ""
-"Keytab para autenticarse como kadmin para la sincronización. Debe estar "
+"Keytab para autenticarse en kadmin para la sincronización. Debe estar "
-"codificado en base64 o en el formato TIPO:residual"
+"codificado en base64 o en el formato TIPO:residuo"
 #: authentik/sources/kerberos/models.py
 msgid ""
@ -2322,7 +2340,7 @@ msgid ""
 "HTTP@hostname"
 msgstr ""
 "Forzar el uso de un nombre de servidor específico para SPNEGO. Debe estar en"
-" el formato HTTP@nombredelservidor"
+" el formato HTTP@nombre_de_host"
 #: authentik/sources/kerberos/models.py
 msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
@ -2339,8 +2357,8 @@ msgid ""
 "If enabled, the authentik-stored password will be updated upon login with "
 "the Kerberos password backend"
 msgstr ""
-"Si está habilitado, la contraseña almacenada por authentik será actualizada "
+"Si está habilitado, la contraseña almacenada en authentik se actualizará al "
-"al iniciar sesión con el backend de contraseñas Kerberos"
+"iniciar sesión con el backend de contraseñas de Kerberos."
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source"
@ -2388,7 +2406,7 @@ msgid ""
 msgstr ""
 "\n"
 "                    Asegúrate de que tienes entradas válidas\n"
-"                    (se obtienen a través de kinit) \n"
+"                    (obtenibles mediante kinit) \n"
 "                    y de haber configurado correctamente el navegador.\n"
 "                    Por favor, contacta a tu administrador.\n"
 "                "
@ -2453,6 +2471,10 @@ msgstr "DN de grupo de adición"
 msgid "Consider Objects matching this filter to be Users."
 msgstr "Considere que los objetos que coinciden con este filtro son usuarios."
 #: authentik/sources/ldap/models.py
 msgid "Attribute which matches the value of `group_membership_field`."
 msgstr "Atributo que coincide con el valor de `group_membership_field`."
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr "Campo que contiene los miembros de un grupo."
@ -2485,12 +2507,17 @@ msgid ""
 "attribute. This allows nested group resolution on systems like FreeIPA and "
 "Active Directory"
 msgstr ""
 "Buscar la pertenencia a grupos basándose en un atributo del usuario en lugar"
 " de un atributo del grupo. Esto permite la resolución de grupos anidados en "
 "sistemas como FreeIPA y Active Directory"
 #: authentik/sources/ldap/models.py
 msgid ""
 "Delete authentik users and groups which were previously supplied by this "
 "source, but are now missing from it."
 msgstr ""
 "Eliminar usuarios y grupos de authentik que fueron proporcionados "
 "previamente por esta fuente, pero que ahora están ausentes."
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@ -2512,22 +2539,24 @@ msgstr "Asignaciones de Propiedades de Fuente de LDAP"
 msgid ""
 "Unique ID used while checking if this object still exists in the directory."
 msgstr ""
 "ID único utilizado para verificar si este objeto aún existe en el "
 "directorio."
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
-msgstr ""
+msgstr "Conexión de Fuente LDAP de Usuario"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
-msgstr ""
+msgstr "Conexiones de Fuente LDAP de Usuario"
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
-msgstr ""
+msgstr "Conexión de Fuente LDAP de Grupo"
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
-msgstr ""
+msgstr "Conexiones de Fuente LDAP de Grupo"
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
@ -2539,11 +2568,11 @@ msgstr "No se recibió ningún token."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
-msgstr ""
+msgstr "Autenticación Básica HTTP"
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
-msgstr ""
+msgstr "Incluir el ID de cliente y el secreto como parámetros de la solicitud"
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
@ -2590,6 +2619,8 @@ msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 "Cómo realizar la autenticación durante un flujo de solicitud de token con "
 "authorization_code"
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
@ -2907,7 +2938,7 @@ msgstr "Conexiones de Fuente de SAML de Grupo"
 #: authentik/sources/saml/views.py
 #, python-brace-format
 msgid "Continue to {source_name}"
-msgstr ""
+msgstr "Continuar a {source_name}"
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
@ -2943,7 +2974,7 @@ msgstr "Dispositivos Duo"
 #: authentik/stages/authenticator_email/models.py
 msgid "Email OTP"
-msgstr ""
+msgstr "OTP por Correo Electrónico"
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/email/models.py
@ -2964,11 +2995,11 @@ msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Authenticator Setup Stage"
-msgstr ""
+msgstr "Etapa de Configuración del Autenticador de Correo Electrónico"
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Authenticator Setup Stages"
-msgstr ""
+msgstr "Etapas de Configuración del Autenticador de Correo Electrónico"
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/authenticator_email/stage.py
@ -2979,11 +3010,11 @@ msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Device"
-msgstr "Dispositivo de Email"
+msgstr "Dispositivo de correo electrónico"
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Devices"
-msgstr "Dispositivos de Email"
+msgstr "Dispositivos de correo electrónico"
 #: authentik/stages/authenticator_email/stage.py
 #: authentik/stages/authenticator_sms/stage.py
@ -2993,7 +3024,7 @@ msgstr "El código no coincide"
 #: authentik/stages/authenticator_email/stage.py
 msgid "Invalid email"
-msgstr "Email Inválido"
+msgstr "Correo electrónico inválido"
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #: authentik/stages/email/templates/email/password_reset.html
@ -3013,6 +3044,9 @@ msgid ""
 "          Email MFA code.\n"
 "          "
 msgstr ""
 "\n"
 "          Código MFA por correo electrónico.\n"
 "          "
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #, python-format
@ -3022,7 +3056,8 @@ msgid ""
 "    "
 msgstr ""
 "\n"
-"Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s."
+"    Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s.\n"
 "    "
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #: authentik/stages/email/templates/email/password_reset.txt
@ -3035,6 +3070,8 @@ msgid ""
 "\n"
 "Email MFA code\n"
 msgstr ""
 "\n"
 "Código MFA por correo electrónico\n"
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #, python-format
@ -3276,8 +3313,8 @@ msgstr "No se pudo validar el token"
 msgid ""
 "Offset after which consent expires. (Format: hours=1;minutes=2;seconds=3)."
 msgstr ""
-"Compensación después de la cual caduca el consentimiento. (Formato: horas = "
+"Desfase después del cual expira el consentimiento. (Formato: "
-"1; minutos = 2; segundos = 3)."
+"hours=1;minutes=2;seconds=3)."
 #: authentik/stages/consent/models.py
 msgid "Consent Stage"
@ -3297,7 +3334,7 @@ msgstr "Consentimientos del usuario"
 #: authentik/stages/consent/stage.py
 msgid "Invalid consent token, re-showing prompt"
-msgstr ""
+msgstr "Token de consentimiento inválido, mostrando el aviso nuevamente"
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
@ -3317,11 +3354,11 @@ msgstr "Etapas ficticias"
 #: authentik/stages/email/flow.py
 msgid "Continue to confirm this email address."
-msgstr ""
+msgstr "Continúa para confirmar esta dirección de correo electrónico."
 #: authentik/stages/email/flow.py
 msgid "Link was already used, please request a new link."
-msgstr ""
+msgstr "El enlace ya fue utilizado, por favor, solícita uno nuevo."
 #: authentik/stages/email/models.py
 msgid "Password Reset"
@ -3445,7 +3482,8 @@ msgid ""
 "    "
 msgstr ""
 "\n"
-"Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s."
+"    Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s.\n"
 "    "
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
@ -3529,24 +3567,26 @@ msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 "Mostrar al usuario la opción \"Recordarme en este dispositivo\", permitiendo"
 " que los usuarios recurrentes pasen directamente a ingresar su contraseña."
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo de inscripción opcional, que está vinculado en la parte inferior de la"
+"Flujo de inscripción opcional, que se enlaza en la parte inferior de la "
-" página."
+"página."
 #: authentik/stages/identification/models.py
 msgid "Optional recovery flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo de recuperación opcional, que está vinculado en la parte inferior de "
+"Flujo de recuperación opcional, que se enlaza en la parte inferior de la "
-"la página."
+"página."
 #: authentik/stages/identification/models.py
 msgid "Optional passwordless flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo sin contraseña opcional, el cual está vinculado en la parte inferior "
+"Flujo opcional sin contraseña, que se enlaza en la parte inferior de la "
-"de la página."
+"página."
 #: authentik/stages/identification/models.py
 msgid "Specify which sources should be shown."
@ -3780,11 +3820,11 @@ msgstr "Las contraseñas no coinciden."
 #: authentik/stages/redirect/api.py
 msgid "Target URL should be present when mode is Static."
-msgstr ""
+msgstr "La URL de destino debe estar presente cuando el modo es Estático."
 #: authentik/stages/redirect/api.py
 msgid "Target Flow should be present when mode is Flow."
-msgstr ""
+msgstr "El Flujo de Destino debe estar presente cuando el modo es Flujo."
 #: authentik/stages/redirect/models.py
 msgid "Redirect Stage"
@ -3841,10 +3881,6 @@ msgstr "Etapas de inicio de"
 msgid "No Pending user to login."
 msgstr "Ningún usuario pendiente para iniciar sesión."
 #: authentik/stages/user_login/stage.py
 msgid "Successfully logged in!"
 msgstr "¡Se ha iniciado sesión correctamente!"
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr "Etapa de cierre de sesión del usuario"
@ -3920,10 +3956,12 @@ msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 "La reputación no puede disminuir por debajo de este valor. Cero o negativo."
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 "La reputación no puede aumentar por encima de este valor. Cero o positivo."
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
@ -3946,8 +3984,8 @@ msgstr "Personificación habilitada/deshabilitada globalmente."
 #: authentik/tenants/models.py
 msgid "Require administrators to provide a reason for impersonating a user."
 msgstr ""
-"Requerir a los administradores proporcionar una razón para suplantar un "
+"Requerir que los administradores proporcionen una razón para personificar a "
-"usuario."
+"un usuario."
 #: authentik/tenants/models.py
 msgid "Default token duration"
@ -3959,7 +3997,7 @@ msgstr "Longitud predeterminada del token"
 #: authentik/tenants/models.py
 msgid "Tenant"
-msgstr "inquilino"
+msgstr "Inquilino"
 #: authentik/tenants/models.py
 msgid "Tenants"
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.6.1",
+    "version": "2025.6.2",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/authentik",
-            "version": "2025.6.1",
+            "version": "2025.6.2",
            "devDependencies": {
                "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                "prettier": "^3.3.3",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.6.1",
+    "version": "2025.6.2",
    "private": true,
    "type": "module",
    "devDependencies": {
--- a/packages/eslint-config/package-lock.json
+++ b/packages/eslint-config/package-lock.json
@ -216,9 +216,9 @@
            }
        },
        "node_modules/@eslint/config-array": {
-            "version": "0.20.0",
+            "version": "0.20.1",
-            "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.20.0.tgz",
+            "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.20.1.tgz",
-            "integrity": "sha512-fxlS1kkIjx8+vy2SjuCB94q3htSNrufYTXubwiBFeaQHbH6Ipi43gFJq2zCMt6PHhImH3Xmr0NksKDvchWlpQQ==",
+            "integrity": "sha512-OL0RJzC/CBzli0DrrR31qzj6d6i6Mm3HByuhflhl4LOBiWxN+3i6/t/ZQQNii4tjksXi8r2CRW1wMpWA2ULUEw==",
            "license": "Apache-2.0",
            "dependencies": {
                "@eslint/object-schema": "^2.1.6",
@ -274,9 +274,9 @@
            }
        },
        "node_modules/@eslint/js": {
-            "version": "9.28.0",
+            "version": "9.29.0",
-            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.28.0.tgz",
+            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.29.0.tgz",
-            "integrity": "sha512-fnqSjGWd/CoIp4EXIxWVK/sHA6DOHN4+8Ix2cX5ycOY7LG0UY8nHCU5pIp2eaE1Mc7Qd8kHspYNzYXT2ojPLzg==",
+            "integrity": "sha512-3PIF4cBw/y+1u2EazflInpV+lYsSG0aByVIQzAgb1m1MhHFSbqTyNqtBKHgWf/9Ykud+DhILS9EGkmekVhbKoQ==",
            "license": "MIT",
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -576,17 +576,17 @@
            "license": "MIT"
        },
        "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.34.1.tgz",
-            "integrity": "sha512-QXwAlHlbcAwNlEEMKQS2RCgJsgXrTJdjXT08xEgbPFa2yYQgVjBymxP5DrfrE7X7iodSzd9qBUHUycdyVJTW1w==",
+            "integrity": "sha512-STXcN6ebF6li4PxwNeFnqF8/2BNDvBupf2OPx2yWNzr6mKNGF7q49VM00Pz5FaomJyqvbXpY6PhO+T9w139YEQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@eslint-community/regexpp": "^4.10.0",
-                "@typescript-eslint/scope-manager": "8.34.0",
+                "@typescript-eslint/scope-manager": "8.34.1",
-                "@typescript-eslint/type-utils": "8.34.0",
+                "@typescript-eslint/type-utils": "8.34.1",
-                "@typescript-eslint/utils": "8.34.0",
+                "@typescript-eslint/utils": "8.34.1",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/visitor-keys": "8.34.1",
                "graphemer": "^1.4.0",
                "ignore": "^7.0.0",
                "natural-compare": "^1.4.0",
@ -600,7 +600,7 @@
                "url": "https://opencollective.com/typescript-eslint"
            },
            "peerDependencies": {
-                "@typescript-eslint/parser": "^8.34.0",
+                "@typescript-eslint/parser": "^8.34.1",
                "eslint": "^8.57.0 || ^9.0.0",
                "typescript": ">=4.8.4 <5.9.0"
            }
@ -616,16 +616,16 @@
            }
        },
        "node_modules/@typescript-eslint/parser": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.34.1.tgz",
-            "integrity": "sha512-vxXJV1hVFx3IXz/oy2sICsJukaBrtDEQSBiV48/YIV5KWjX1dO+bcIr/kCPrW6weKXvsaGKFNlwH0v2eYdRRbA==",
+            "integrity": "sha512-4O3idHxhyzjClSMJ0a29AcoK0+YwnEqzI6oz3vlRf3xw0zbzt15MzXwItOlnr5nIth6zlY2RENLsOPvhyrKAQA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/scope-manager": "8.34.0",
+                "@typescript-eslint/scope-manager": "8.34.1",
-                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/types": "8.34.1",
-                "@typescript-eslint/typescript-estree": "8.34.0",
+                "@typescript-eslint/typescript-estree": "8.34.1",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/visitor-keys": "8.34.1",
                "debug": "^4.3.4"
            },
            "engines": {
@ -641,14 +641,14 @@
            }
        },
        "node_modules/@typescript-eslint/project-service": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.34.1.tgz",
-            "integrity": "sha512-iEgDALRf970/B2YExmtPMPF54NenZUf4xpL3wsCRx/lgjz6ul/l13R81ozP/ZNuXfnLCS+oPmG7JIxfdNYKELw==",
+            "integrity": "sha512-nuHlOmFZfuRwLJKDGQOVc0xnQrAmuq1Mj/ISou5044y1ajGNp2BNliIqp7F2LPQ5sForz8lempMFCovfeS1XoA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.34.0",
+                "@typescript-eslint/tsconfig-utils": "^8.34.1",
-                "@typescript-eslint/types": "^8.34.0",
+                "@typescript-eslint/types": "^8.34.1",
                "debug": "^4.3.4"
            },
            "engines": {
@ -663,14 +663,14 @@
            }
        },
        "node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.34.1.tgz",
-            "integrity": "sha512-9Ac0X8WiLykl0aj1oYQNcLZjHgBojT6cW68yAgZ19letYu+Hxd0rE0veI1XznSSst1X5lwnxhPbVdwjDRIomRw==",
+            "integrity": "sha512-beu6o6QY4hJAgL1E8RaXNC071G4Kso2MGmJskCFQhRhg8VOH/FDbC8soP8NHN7e/Hdphwp8G8cE6OBzC8o41ZA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/types": "8.34.1",
-                "@typescript-eslint/visitor-keys": "8.34.0"
+                "@typescript-eslint/visitor-keys": "8.34.1"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -681,9 +681,9 @@
            }
        },
        "node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.34.1.tgz",
-            "integrity": "sha512-+W9VYHKFIzA5cBeooqQxqNriAP0QeQ7xTiDuIOr71hzgffm3EL2hxwWBIIj4GuofIbKxGNarpKqIq6Q6YrShOA==",
+            "integrity": "sha512-K4Sjdo4/xF9NEeA2khOb7Y5nY6NSXBnod87uniVYW9kHP+hNlDV8trUSFeynA2uxWam4gIWgWoygPrv9VMWrYg==",
            "dev": true,
            "license": "MIT",
            "engines": {
@ -698,14 +698,14 @@
            }
        },
        "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.34.1.tgz",
-            "integrity": "sha512-n7zSmOcUVhcRYC75W2pnPpbO1iwhJY3NLoHEtbJwJSNlVAZuwqu05zY3f3s2SDWWDSo9FdN5szqc73DCtDObAg==",
+            "integrity": "sha512-Tv7tCCr6e5m8hP4+xFugcrwTOucB8lshffJ6zf1mF1TbU67R+ntCc6DzLNKM+s/uzDyv8gLq7tufaAhIBYeV8g==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/typescript-estree": "8.34.0",
+                "@typescript-eslint/typescript-estree": "8.34.1",
-                "@typescript-eslint/utils": "8.34.0",
+                "@typescript-eslint/utils": "8.34.1",
                "debug": "^4.3.4",
                "ts-api-utils": "^2.1.0"
            },
@ -722,9 +722,9 @@
            }
        },
        "node_modules/@typescript-eslint/types": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.34.1.tgz",
-            "integrity": "sha512-9V24k/paICYPniajHfJ4cuAWETnt7Ssy+R0Rbcqo5sSFr3QEZ/8TSoUi9XeXVBGXCaLtwTOKSLGcInCAvyZeMA==",
+            "integrity": "sha512-rjLVbmE7HR18kDsjNIZQHxmv9RZwlgzavryL5Lnj2ujIRTeXlKtILHgRNmQ3j4daw7zd+mQgy+uyt6Zo6I0IGA==",
            "dev": true,
            "license": "MIT",
            "engines": {
@ -736,16 +736,16 @@
            }
        },
        "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.34.1.tgz",
-            "integrity": "sha512-rOi4KZxI7E0+BMqG7emPSK1bB4RICCpF7QD3KCLXn9ZvWoESsOMlHyZPAHyG04ujVplPaHbmEvs34m+wjgtVtg==",
+            "integrity": "sha512-rjCNqqYPuMUF5ODD+hWBNmOitjBWghkGKJg6hiCHzUvXRy6rK22Jd3rwbP2Xi+R7oYVvIKhokHVhH41BxPV5mA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/project-service": "8.34.0",
+                "@typescript-eslint/project-service": "8.34.1",
-                "@typescript-eslint/tsconfig-utils": "8.34.0",
+                "@typescript-eslint/tsconfig-utils": "8.34.1",
-                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/types": "8.34.1",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/visitor-keys": "8.34.1",
                "debug": "^4.3.4",
                "fast-glob": "^3.3.2",
                "is-glob": "^4.0.3",
@ -765,9 +765,9 @@
            }
        },
        "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-            "version": "2.0.1",
+            "version": "2.0.2",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-            "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+            "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
@ -804,16 +804,16 @@
            }
        },
        "node_modules/@typescript-eslint/utils": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.34.1.tgz",
-            "integrity": "sha512-8L4tWatGchV9A1cKbjaavS6mwYwp39jql8xUmIIKJdm+qiaeHy5KMKlBrf30akXAWBzn2SqKsNOtSENWUwg7XQ==",
+            "integrity": "sha512-mqOwUdZ3KjtGk7xJJnLbHxTuWVn3GO2WZZuM+Slhkun4+qthLdXx32C8xIXbO1kfCECb3jIs3eoxK3eryk7aoQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@eslint-community/eslint-utils": "^4.7.0",
-                "@typescript-eslint/scope-manager": "8.34.0",
+                "@typescript-eslint/scope-manager": "8.34.1",
-                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/types": "8.34.1",
-                "@typescript-eslint/typescript-estree": "8.34.0"
+                "@typescript-eslint/typescript-estree": "8.34.1"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -828,14 +828,14 @@
            }
        },
        "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.34.1.tgz",
-            "integrity": "sha512-qHV7pW7E85A0x6qyrFn+O+q1k1p3tQCsqIZ1KZ5ESLXY57aTvUd3/a4rdPTeXisvhXn2VQG0VSKUqs8KHF2zcA==",
+            "integrity": "sha512-xoh5rJ+tgsRKoXnkBPFRLZ7rjKM0AfVbC68UZ/ECXoDbfggb9RbEySN359acY1vS3qZ0jVTVWzbtfapwm5ztxw==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/types": "8.34.1",
-                "eslint-visitor-keys": "^4.2.0"
+                "eslint-visitor-keys": "^4.2.1"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -846,9 +846,9 @@
            }
        },
        "node_modules/acorn": {
-            "version": "8.14.1",
+            "version": "8.15.0",
-            "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.1.tgz",
+            "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
-            "integrity": "sha512-OvQ/2pUDKmgfCg++xsTX1wGxfTaszcHVcTctW4UJB4hibJx2HXxxO5UmVgyjMa+ZDsiaf5wWLXYpRWMmBI0QHg==",
+            "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
            "license": "MIT",
            "bin": {
                "acorn": "bin/acorn"
@ -1554,18 +1554,18 @@
            }
        },
        "node_modules/eslint": {
-            "version": "9.28.0",
+            "version": "9.29.0",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.28.0.tgz",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.29.0.tgz",
-            "integrity": "sha512-ocgh41VhRlf9+fVpe7QKzwLj9c92fDiqOj8Y3Sd4/ZmVA4Btx4PlUYPq4pp9JDyupkf1upbEXecxL2mwNV7jPQ==",
+            "integrity": "sha512-GsGizj2Y1rCWDu6XoEekL3RLilp0voSePurjZIkxL3wlm5o5EC9VpgaP7lrCvjnkuLvzFBQWB3vWB3K5KQTveQ==",
            "license": "MIT",
            "dependencies": {
                "@eslint-community/eslint-utils": "^4.2.0",
                "@eslint-community/regexpp": "^4.12.1",
-                "@eslint/config-array": "^0.20.0",
+                "@eslint/config-array": "^0.20.1",
                "@eslint/config-helpers": "^0.2.1",
                "@eslint/core": "^0.14.0",
                "@eslint/eslintrc": "^3.3.1",
-                "@eslint/js": "9.28.0",
+                "@eslint/js": "9.29.0",
                "@eslint/plugin-kit": "^0.3.1",
                "@humanfs/node": "^0.16.6",
                "@humanwhocodes/module-importer": "^1.0.1",
@ -1577,9 +1577,9 @@
                "cross-spawn": "^7.0.6",
                "debug": "^4.3.2",
                "escape-string-regexp": "^4.0.0",
-                "eslint-scope": "^8.3.0",
+                "eslint-scope": "^8.4.0",
-                "eslint-visitor-keys": "^4.2.0",
+                "eslint-visitor-keys": "^4.2.1",
-                "espree": "^10.3.0",
+                "espree": "^10.4.0",
                "esquery": "^1.5.0",
                "esutils": "^2.0.2",
                "fast-deep-equal": "^3.1.3",
@ -1792,9 +1792,9 @@
            }
        },
        "node_modules/eslint-scope": {
-            "version": "8.3.0",
+            "version": "8.4.0",
-            "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.3.0.tgz",
+            "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.4.0.tgz",
-            "integrity": "sha512-pUNxi75F8MJ/GdeKtVLSbYg4ZI34J6C0C7sbL4YOp2exGwen7ZsuBqKzUhXd0qMQ362yET3z+uPwKeg/0C2XCQ==",
+            "integrity": "sha512-sNXOfKCn74rt8RICKMvJS7XKV/Xk9kA7DyJr8mJik3S7Cwgy3qlkkmyS2uQB3jiJg6VNdZd/pDBJu0nvG2NlTg==",
            "license": "BSD-2-Clause",
            "dependencies": {
                "esrecurse": "^4.3.0",
@ -1808,9 +1808,9 @@
            }
        },
        "node_modules/eslint-visitor-keys": {
-            "version": "4.2.0",
+            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.0.tgz",
+            "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
-            "integrity": "sha512-UyLnSehNt62FFhSwjZlHmeokpRK59rcz29j+F1/aDgbkbRTk7wIc9XzdoasMUbRNKDM0qQt/+BJ4BrpFeABemw==",
+            "integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
            "license": "Apache-2.0",
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -1820,14 +1820,14 @@
            }
        },
        "node_modules/espree": {
-            "version": "10.3.0",
+            "version": "10.4.0",
-            "resolved": "https://registry.npmjs.org/espree/-/espree-10.3.0.tgz",
+            "resolved": "https://registry.npmjs.org/espree/-/espree-10.4.0.tgz",
-            "integrity": "sha512-0QYC8b24HWY8zjRnDTL6RiHfDbAWn63qb4LMj1Z4b076A4une81+z03Kg7l7mn/48PUTqoLptSXez8oknU8Clg==",
+            "integrity": "sha512-j6PAQ2uUr79PZhBjP5C5fhl8e39FmRnOjsD5lGnWrFU8i2G776tBK7+nP8KuQUTTyAZUwfQqXAgrVH5MbH9CYQ==",
            "license": "BSD-2-Clause",
            "dependencies": {
-                "acorn": "^8.14.0",
+                "acorn": "^8.15.0",
                "acorn-jsx": "^5.3.2",
-                "eslint-visitor-keys": "^4.2.0"
+                "eslint-visitor-keys": "^4.2.1"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -4035,15 +4035,15 @@
            }
        },
        "node_modules/typescript-eslint": {
-            "version": "8.34.0",
+            "version": "8.34.1",
-            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.34.0.tgz",
+            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.34.1.tgz",
-            "integrity": "sha512-MRpfN7uYjTrTGigFCt8sRyNqJFhjN0WwZecldaqhWm+wy0gaRt8Edb/3cuUy0zdq2opJWT6iXINKAtewnDOltQ==",
+            "integrity": "sha512-XjS+b6Vg9oT1BaIUfkW3M3LvqZE++rbzAMEHuccCfO/YkP43ha6w3jTEMilQxMF92nVOYCcdjv1ZUhAa1D/0ow==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/eslint-plugin": "8.34.0",
+                "@typescript-eslint/eslint-plugin": "8.34.1",
-                "@typescript-eslint/parser": "8.34.0",
+                "@typescript-eslint/parser": "8.34.1",
-                "@typescript-eslint/utils": "8.34.0"
+                "@typescript-eslint/utils": "8.34.1"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.6.1"
+version = "2025.6.2"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
@ -48,7 +48,7 @@ dependencies = [
    "packaging==25.0",
    "paramiko==3.5.1",
    "psycopg[c,pool]==3.2.9",
-    "pydantic==2.11.5",
+    "pydantic==2.11.7",
    "pydantic-scim==0.0.8",
    "pyjwt==2.10.1",
    "pyrad==2.4",
@ -68,7 +68,7 @@ dependencies = [
    "urllib3<3",
    "uvicorn[standard]==0.34.3",
    "watchdog==6.0.0",
-    "webauthn==2.5.2",
+    "webauthn==2.6.0",
    "wsproto==1.2.0",
    "xmlsec==1.3.15",
    "zxcvbn==4.5.0",
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.6.1
+  version: 2025.6.2
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -22454,6 +22454,17 @@ paths:
        schema:
          type: string
          format: uuid
      - in: query
        name: default_name_id_policy
        schema:
          type: string
          enum:
          - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
          - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
          - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
          - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
          - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      - in: query
        name: default_relay_state
        schema:
@ -29670,6 +29681,7 @@ paths:
          enum:
          - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
          - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
          - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
          - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
          - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
@ -48745,14 +48757,6 @@ components:
      - mode
      - name
      - user_attribute
    NameIdPolicyEnum:
      enum:
      - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
      - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
      - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      type: string
    NetworkBindingEnum:
      enum:
      - no_binding
@ -54501,6 +54505,8 @@ components:
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
        default_name_id_policy:
          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
    PatchedSAMLSourcePropertyMappingRequest:
      type: object
      description: SAMLSourcePropertyMapping Serializer
@ -54594,7 +54600,7 @@ components:
            be a security risk, as no validation of the request ID is done.
        name_id_policy:
          allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
          description: NameID Policy sent to the IdP. Can be unset, in which case
            no Policy is sent.
        binding_type:
@ -57305,6 +57311,15 @@ components:
      required:
      - download_url
      - metadata
    SAMLNameIDPolicyEnum:
      enum:
      - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
      - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
      - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      type: string
    SAMLPropertyMapping:
      type: object
      description: SAMLPropertyMapping Serializer
@ -57522,6 +57537,8 @@ components:
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
        default_name_id_policy:
          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
        url_download_metadata:
          type: string
          description: Get metadata download URL
@ -57694,6 +57711,8 @@ components:
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
        default_name_id_policy:
          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
      required:
      - acs_url
      - authorization_flow
@ -57802,7 +57821,7 @@ components:
            be a security risk, as no validation of the request ID is done.
        name_id_policy:
          allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
          description: NameID Policy sent to the IdP. Can be unset, in which case
            no Policy is sent.
        binding_type:
@ -57992,7 +58011,7 @@ components:
            be a security risk, as no validation of the request ID is done.
        name_id_policy:
          allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
          description: NameID Policy sent to the IdP. Can be unset, in which case
            no Policy is sent.
        binding_type:
--- a/tests/e2e/docker-compose.yml
+++ b/tests/e2e/docker-compose.yml
@ -7,7 +7,7 @@ services:
    network_mode: host
    restart: always
  mailpit:
-    image: docker.io/axllent/mailpit:v1.26.0
+    image: docker.io/axllent/mailpit:v1.26.1
    ports:
      - 1025:1025
      - 8025:8025
--- a/uv.lock
+++ b/uv.lock
@ -165,7 +165,7 @@ wheels = [
 [[package]]
 name = "authentik"
-version = "2025.6.1"
+version = "2025.6.2"
 source = { editable = "." }
 dependencies = [
    { name = "argon2-cffi" },
@ -309,7 +309,7 @@ requires-dist = [
    { name = "packaging", specifier = "==25.0" },
    { name = "paramiko", specifier = "==3.5.1" },
    { name = "psycopg", extras = ["c", "pool"], specifier = "==3.2.9" },
-    { name = "pydantic", specifier = "==2.11.5" },
+    { name = "pydantic", specifier = "==2.11.7" },
    { name = "pydantic-scim", specifier = "==0.0.8" },
    { name = "pyjwt", specifier = "==2.10.1" },
    { name = "pyrad", specifier = "==2.4" },
@ -329,7 +329,7 @@ requires-dist = [
    { name = "urllib3", specifier = "<3" },
    { name = "uvicorn", extras = ["standard"], specifier = "==0.34.3" },
    { name = "watchdog", specifier = "==6.0.0" },
-    { name = "webauthn", specifier = "==2.5.2" },
+    { name = "webauthn", specifier = "==2.6.0" },
    { name = "wsproto", specifier = "==1.2.0" },
    { name = "xmlsec", specifier = "==1.3.15" },
    { name = "zxcvbn", specifier = "==4.5.0" },
@ -2463,7 +2463,7 @@ wheels = [
 [[package]]
 name = "pydantic"
-version = "2.11.5"
+version = "2.11.7"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "annotated-types" },
@ -2471,9 +2471,9 @@ dependencies = [
    { name = "typing-extensions" },
    { name = "typing-inspection" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/f0/86/8ce9040065e8f924d642c58e4a344e33163a07f6b57f836d0d734e0ad3fb/pydantic-2.11.5.tar.gz", hash = "sha256:7f853db3d0ce78ce8bbb148c401c2cdd6431b3473c0cdff2755c7690952a7b7a", size = 787102, upload-time = "2025-05-22T21:18:08.761Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/00/dd/4325abf92c39ba8623b5af936ddb36ffcfe0beae70405d456ab1fb2f5b8c/pydantic-2.11.7.tar.gz", hash = "sha256:d989c3c6cb79469287b1569f7447a17848c998458d49ebe294e975b9baf0f0db", size = 788350, upload-time = "2025-06-14T08:33:17.137Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/b5/69/831ed22b38ff9b4b64b66569f0e5b7b97cf3638346eb95a2147fdb49ad5f/pydantic-2.11.5-py3-none-any.whl", hash = "sha256:f9c26ba06f9747749ca1e5c94d6a85cb84254577553c8785576fd38fa64dc0f7", size = 444229, upload-time = "2025-05-22T21:18:06.329Z" },
+    { url = "https://files.pythonhosted.org/packages/6a/c0/ec2b1c8712ca690e5d61979dee872603e92b8a32f94cc1b72d53beab008a/pydantic-2.11.7-py3-none-any.whl", hash = "sha256:dde5df002701f6de26248661f6835bbe296a47bf73990135c7d07ce741b9623b", size = 444782, upload-time = "2025-06-14T08:33:14.905Z" },
 ]
 [package.optional-dependencies]
@ -3391,7 +3391,7 @@ wheels = [
 [[package]]
 name = "webauthn"
-version = "2.5.2"
+version = "2.6.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "asn1crypto" },
@ -3399,9 +3399,9 @@ dependencies = [
    { name = "cryptography" },
    { name = "pyopenssl" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/8d/92/8d2a4eec83d8e7feacdaad37c6eb6eb922100cecce5c14a41d8069a59a03/webauthn-2.5.2.tar.gz", hash = "sha256:09c13dfc1c68c810f32fa4d89b1d37acb9f9ae9091c9d7019e313be4525a95ef", size = 124114, upload-time = "2025-03-07T19:44:05.243Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/63/38/5792cb2034673c162a721df0ad65825699516ee0c938a65670ad3cdabf6c/webauthn-2.6.0.tar.gz", hash = "sha256:13cf5b009a64cef569599ffecf24550df1d7c0cd4fbaea870f937148484a80b4", size = 123608, upload-time = "2025-06-16T22:25:26.76Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7f/fe/f6ae41de9f383439e30b303a67f6f45d2fceabedaedc34c62f74d58c5c73/webauthn-2.5.2-py3-none-any.whl", hash = "sha256:44246e496e617eb5e2f51165046b9f0197fcdf470f69cd6734061a27ba365f8e", size = 71624, upload-time = "2025-03-07T19:44:03.728Z" },
+    { url = "https://files.pythonhosted.org/packages/56/c5/b1bba7f6a50caca77f37003e098f48f8dc68d990aba8a03ac8376016430b/webauthn-2.6.0-py3-none-any.whl", hash = "sha256:459973eb5780c1f41bec42b682acf587456b185733398a0b99a0714705b79447", size = 71189, upload-time = "2025-06-16T22:25:25.535Z" },
 ]
 [[package]]
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@ -93,7 +93,7 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.7.11",
        "@fortawesome/fontawesome-free": "^6.7.2",
-        "@goauthentik/api": "^2025.6.1-1749515784",
+        "@goauthentik/api": "^2025.6.2-1750112513",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
@ -102,10 +102,9 @@
        "@open-wc/lit-helpers": "^0.7.0",
        "@patternfly/elements": "^4.1.0",
        "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^9.28.1",
+        "@sentry/browser": "^9.30.0",
        "@spotlightjs/spotlight": "^3.0.0",
        "@webcomponents/webcomponentsjs": "^2.8.0",
        "base64-js": "^1.5.1",
        "change-case": "^5.4.4",
        "chart.js": "^4.4.9",
        "chartjs-adapter-date-fns": "^3.0.0",
@ -137,6 +136,7 @@
        "trusted-types": "^2.0.0",
        "ts-pattern": "^5.7.1",
        "unist-util-visit": "^5.0.0",
        "webauthn-polyfills": "^0.1.7",
        "webcomponent-qr-code": "^1.2.0",
        "yaml": "^2.8.0"
    },
@ -170,16 +170,16 @@
        "@types/react-dom": "^19.1.5",
        "@typescript-eslint/eslint-plugin": "^8.8.0",
        "@typescript-eslint/parser": "^8.8.0",
-        "@wdio/browser-runner": "9.4",
+        "@wdio/browser-runner": "9.15",
-        "@wdio/cli": "9.4",
+        "@wdio/cli": "9.15",
-        "@wdio/spec-reporter": "^9.1.2",
+        "@wdio/spec-reporter": "^9.15.0",
        "@web/test-runner": "^0.20.2",
        "chromedriver": "^136.0.3",
        "esbuild": "^0.25.5",
        "esbuild-plugin-copy": "^2.1.1",
        "esbuild-plugin-polyfill-node": "^0.3.0",
        "esbuild-plugins-node-modules-polyfill": "^1.7.0",
-        "eslint": "^9.28.0",
+        "eslint": "^9.29.0",
        "eslint-plugin-lit": "^2.1.1",
        "eslint-plugin-wc": "^3.0.1",
        "github-slugger": "^2.0.0",
@ -194,7 +194,7 @@
        "storybook-addon-mock": "^5.0.0",
        "turnstile-types": "^1.2.3",
        "typescript": "^5.8.3",
-        "typescript-eslint": "^8.34.0",
+        "typescript-eslint": "^8.34.1",
        "vite-plugin-lit-css": "^2.0.0",
        "vite-tsconfig-paths": "^5.0.1",
        "wireit": "^0.14.12"
--- a/web/packages/core/types/node.d.ts
+++ b/web/packages/core/types/node.d.ts
@ -14,7 +14,7 @@ declare module "module" {
         * const relativeDirname = dirname(fileURLToPath(import.meta.url));
         * ```
         */
-        // eslint-disable-next-line no-var
+
        var __dirname: string;
    }
 }
--- a/web/packages/sfe/package.json
+++ b/web/packages/sfe/package.json
@ -11,11 +11,11 @@
    },
    "dependencies": {
        "@goauthentik/api": "^2024.6.0-1719577139",
        "base64-js": "^1.5.1",
        "bootstrap": "^4.6.1",
        "formdata-polyfill": "^4.0.10",
        "jquery": "^3.7.1",
-        "weakmap-polyfill": "^2.0.4"
+        "weakmap-polyfill": "^2.0.4",
        "webauthn-polyfills": "^0.1.7"
    },
    "devDependencies": {
        "@goauthentik/core": "^1.0.0",
--- a/web/packages/sfe/src/index.ts
+++ b/web/packages/sfe/src/index.ts
@ -1,7 +1,7 @@
 import { fromByteArray } from "base64-js";
 import "formdata-polyfill";
 import $ from "jquery";
 import "weakmap-polyfill";
 import "webauthn-polyfills";
 import {
    type AuthenticatorValidationChallenge,
@ -257,47 +257,9 @@ class AutosubmitStage extends Stage<AutosubmitChallenge> {
    }
 }
 export interface Assertion {
    id: string;
    rawId: string;
    type: string;
    registrationClientExtensions: string;
    response: {
        clientDataJSON: string;
        attestationObject: string;
    };
 }
 export interface AuthAssertion {
    id: string;
    rawId: string;
    type: string;
    assertionClientExtensions: string;
    response: {
        clientDataJSON: string;
        authenticatorData: string;
        signature: string;
        userHandle: string | null;
    };
 }
 class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge> {
    deviceChallenge?: DeviceChallenge;
    b64enc(buf: Uint8Array): string {
        return fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
    }
    b64RawEnc(buf: Uint8Array): string {
        return fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_");
    }
    u8arr(input: string): Uint8Array {
        return Uint8Array.from(atob(input.replace(/_/g, "/").replace(/-/g, "+")), (c) =>
            c.charCodeAt(0),
        );
    }
    checkWebAuthnSupport(): boolean {
        if ("credentials" in navigator) {
            return true;
@ -310,98 +272,6 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
        return false;
    }
    /**
     * Transforms items in the credentialCreateOptions generated on the server
     * into byte arrays expected by the navigator.credentials.create() call
     */
    transformCredentialCreateOptions(
        credentialCreateOptions: PublicKeyCredentialCreationOptions,
        userId: string,
    ): PublicKeyCredentialCreationOptions {
        const user = credentialCreateOptions.user;
        // Because json can't contain raw bytes, the server base64-encodes the User ID
        // So to get the base64 encoded byte array, we first need to convert it to a regular
        // string, then a byte array, re-encode it and wrap that in an array.
        const stringId = decodeURIComponent(window.atob(userId));
        user.id = this.u8arr(this.b64enc(this.u8arr(stringId)));
        const challenge = this.u8arr(credentialCreateOptions.challenge.toString());
        return Object.assign({}, credentialCreateOptions, {
            challenge,
            user,
        });
    }
    /**
     * Transforms the binary data in the credential into base64 strings
     * for posting to the server.
     * @param {PublicKeyCredential} newAssertion
     */
    transformNewAssertionForServer(newAssertion: PublicKeyCredential): Assertion {
        const attObj = new Uint8Array(
            (newAssertion.response as AuthenticatorAttestationResponse).attestationObject,
        );
        const clientDataJSON = new Uint8Array(newAssertion.response.clientDataJSON);
        const rawId = new Uint8Array(newAssertion.rawId);
        const registrationClientExtensions = newAssertion.getClientExtensionResults();
        return {
            id: newAssertion.id,
            rawId: this.b64enc(rawId),
            type: newAssertion.type,
            registrationClientExtensions: JSON.stringify(registrationClientExtensions),
            response: {
                clientDataJSON: this.b64enc(clientDataJSON),
                attestationObject: this.b64enc(attObj),
            },
        };
    }
    transformCredentialRequestOptions(
        credentialRequestOptions: PublicKeyCredentialRequestOptions,
    ): PublicKeyCredentialRequestOptions {
        const challenge = this.u8arr(credentialRequestOptions.challenge.toString());
        const allowCredentials = (credentialRequestOptions.allowCredentials || []).map(
            (credentialDescriptor) => {
                const id = this.u8arr(credentialDescriptor.id.toString());
                return Object.assign({}, credentialDescriptor, { id });
            },
        );
        return Object.assign({}, credentialRequestOptions, {
            challenge,
            allowCredentials,
        });
    }
    /**
     * Encodes the binary data in the assertion into strings for posting to the server.
     * @param {PublicKeyCredential} newAssertion
     */
    transformAssertionForServer(newAssertion: PublicKeyCredential): AuthAssertion {
        const response = newAssertion.response as AuthenticatorAssertionResponse;
        const authData = new Uint8Array(response.authenticatorData);
        const clientDataJSON = new Uint8Array(response.clientDataJSON);
        const rawId = new Uint8Array(newAssertion.rawId);
        const sig = new Uint8Array(response.signature);
        const assertionClientExtensions = newAssertion.getClientExtensionResults();
        return {
            id: newAssertion.id,
            rawId: this.b64enc(rawId),
            type: newAssertion.type,
            assertionClientExtensions: JSON.stringify(assertionClientExtensions),
            response: {
                clientDataJSON: this.b64RawEnc(clientDataJSON),
                signature: this.b64RawEnc(sig),
                authenticatorData: this.b64RawEnc(authData),
                userHandle: null,
            },
        };
    }
    render() {
        if (this.challenge.deviceChallenges.length === 1) {
            this.deviceChallenge = this.challenge.deviceChallenges[0];
@ -505,8 +375,8 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
            `);
        navigator.credentials
            .get({
-                publicKey: this.transformCredentialRequestOptions(
+                publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(
-                    this.deviceChallenge?.challenge as PublicKeyCredentialRequestOptions,
+                    this.deviceChallenge?.challenge as PublicKeyCredentialRequestOptionsJSON,
                ),
            })
            .then((assertion) => {
@ -514,15 +384,9 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
                    throw new Error("No assertion");
                }
                try {
                    // we now have an authentication assertion! encode the byte arrays contained
                    // in the assertion data as strings for posting to the server
                    const transformedAssertionForServer = this.transformAssertionForServer(
                        assertion as PublicKeyCredential,
                    );
                    // post the assertion to the server for verification.
                    this.executor.submit({
-                        webauthn: transformedAssertionForServer,
+                        webauthn: (assertion as PublicKeyCredential).toJSON(),
                    });
                } catch (err) {
                    throw new Error(`Error when validating assertion on server: ${err}`);
--- a/web/src/admin/admin-overview/cards/RecentEventsCard.ts
+++ b/web/src/admin/admin-overview/cards/RecentEventsCard.ts
@ -88,7 +88,8 @@ export class RecentEventsCard extends Table<Event> {
        }
        return super.renderEmpty(
-            html`<ak-empty-state header=${msg("No Events found.")}>
+            html`<ak-empty-state
                ><span slot="header">${msg("No Events found.")}</span>
                <div slot="body">${msg("No matching events could be found.")}</div>
            </ak-empty-state>`,
        );
--- a/web/src/admin/applications/ApplicationForm.ts
+++ b/web/src/admin/applications/ApplicationForm.ts
@ -5,6 +5,7 @@ import { policyEngineModes } from "@goauthentik/admin/policies/PolicyEngineModes
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-file-input";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-slug-input";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -130,14 +131,14 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                required
                help=${msg("Application's display Name.")}
            ></ak-text-input>
-            <ak-text-input
+            <ak-slug-input
                name="slug"
                value=${ifDefined(this.instance?.slug)}
                label=${msg("Slug")}
                required
                help=${msg("Internal application name used in URLs.")}
                input-hint="code"
-            ></ak-text-input>
+            ></ak-slug-input>
            <ak-text-input
                name="group"
                value=${ifDefined(this.instance?.group)}
--- a/web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts
+++ b/web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts
@ -117,13 +117,11 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
                    ?invalid=${this.errors.has("name")}
                    .errorMessages=${errors.name ?? this.errorMessages("name")}
                    help=${msg("Application's display Name.")}
                    id="ak-application-wizard-details-name"
                ></ak-text-input>
                <ak-slug-input
                    name="slug"
                    value=${ifDefined(app.slug)}
                    label=${msg("Slug")}
                    source="#ak-application-wizard-details-name"
                    required
                    ?invalid=${errors.slug ?? this.errors.has("slug")}
                    .errorMessages=${this.errorMessages("slug")}
--- a/web/src/admin/applications/wizard/steps/ak-application-wizard-bindings-step.ts
+++ b/web/src/admin/applications/wizard/steps/ak-application-wizard-bindings-step.ts
@ -115,7 +115,8 @@ export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
                    .columns=${COLUMNS}
                    .content=${[]}
                ></ak-select-table>
-                <ak-empty-state header=${msg("No bound policies.")} icon="pf-icon-module">
+                <ak-empty-state icon="pf-icon-module"
                    ><span slot="header">${msg("No bound policies.")} </span>
                    <div slot="body">${msg("No policies are currently bound to this object.")}</div>
                    <div slot="primary">
                        <button
--- a/web/src/admin/flows/BoundStagesList.ts
+++ b/web/src/admin/flows/BoundStagesList.ts
@ -135,7 +135,8 @@ export class BoundStagesList extends Table<FlowStageBinding> {
    renderEmpty(): TemplateResult {
        return super.renderEmpty(
-            html`<ak-empty-state header=${msg("No Stages bound")} icon="pf-icon-module">
+            html`<ak-empty-state icon="pf-icon-module">
                <span slot="header">${msg("No Stages bound")}</span>
                <div slot="body">${msg("No stages are currently bound to this flow.")}</div>
                <div slot="primary">
                    <ak-stage-wizard
--- a/web/src/admin/flows/FlowForm.ts
+++ b/web/src/admin/flows/FlowForm.ts
@ -3,6 +3,7 @@ import { DesignationToLabel, LayoutToLabel } from "@goauthentik/admin/flows/util
 import { policyEngineModes } from "@goauthentik/admin/policies/PolicyEngineModes";
 import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-slug-input.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -91,17 +92,16 @@ export class FlowForm extends WithCapabilitiesConfig(ModelForm<Flow, string>) {
                />
                <p class="pf-c-form__helper-text">${msg("Shown as the Title in Flow pages.")}</p>
            </ak-form-element-horizontal>
-            <ak-form-element-horizontal label=${msg("Slug")} required name="slug">
+
-                <input
+            <ak-slug-input
-                    type="text"
+                name="slug"
-                    value="${ifDefined(this.instance?.slug)}"
+                value=${ifDefined(this.instance?.slug)}
-                    class="pf-c-form-control pf-m-monospace"
+                label=${msg("Slug")}
-                    autocomplete="off"
+                required
-                    spellcheck="false"
+                help=${msg("Visible in the URL.")}
-                    required
+                input-hint="code"
-                />
+            ></ak-slug-input>
-                <p class="pf-c-form__helper-text">${msg("Visible in the URL.")}</p>
+
            </ak-form-element-horizontal>
            <ak-form-element-horizontal label=${msg("Designation")} required name="designation">
                <select class="pf-c-form-control">
                    <option value="" ?selected=${this.instance?.designation === undefined}>
--- a/web/src/admin/policies/BoundPoliciesList.ts
+++ b/web/src/admin/policies/BoundPoliciesList.ts
@ -198,7 +198,8 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
    renderEmpty(): TemplateResult {
        return super.renderEmpty(
-            html`<ak-empty-state header=${msg("No Policies bound.")} icon="pf-icon-module">
+            html`<ak-empty-state icon="pf-icon-module"
                ><span slot="header">${msg("No Policies bound.")}</span>
                <div slot="body">${msg("No policies are currently bound to this object.")}</div>
                <div slot="primary">
                    <ak-policy-wizard
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
@ -4,6 +4,7 @@ import {
    propertyMappingsSelector,
 } from "@goauthentik/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@ -68,21 +69,15 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                            ${msg("Client ID for the app registration.")}
                        </p>
                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
+                    <ak-hidden-text-input
                        label=${msg("Client Secret")}
                        required
                        name="clientSecret"
                        label=${msg("Client Secret")}
                        value="${this.instance?.clientSecret ?? ""}"
                        input-hint="code"
                        required
                        .help=${msg("Client secret for the app registration.")}
                    >
-                        <input
+                    </ak-hidden-text-input>
                            type="text"
                            value="${this.instance?.clientSecret ?? ""}"
                            class="pf-c-form-control pf-m-monospace"
                            required
                        />
                        <p class="pf-c-form__helper-text">
                            ${msg("Client secret for the app registration.")}
                        </p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal label=${msg("Tenant ID")} required name="tenantId">
                        <input
                            type="text"
--- a/web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
@ -5,6 +5,7 @@ import {
    akOAuthRedirectURIInput,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -166,17 +167,16 @@ export function renderForm(
                    input-hint="code"
                >
                </ak-text-input>
-                <ak-text-input
+                <ak-hidden-text-input
                    name="clientSecret"
                    label=${msg("Client Secret")}
                    value="${provider?.clientSecret ?? randomString(128, ascii_letters + digits)}"
                    input-hint="code"
                    ?hidden=${!showClientSecret}
                >
-                </ak-text-input>
+                </ak-hidden-text-input>
                <ak-form-element-horizontal
                    label=${msg("Redirect URIs/Origins (RegEx)")}
                    required
                    name="redirectUris"
                >
                    <ak-array-input
--- a/web/src/admin/providers/radius/RadiusProviderFormForm.ts
+++ b/web/src/admin/providers/radius/RadiusProviderFormForm.ts
@ -1,6 +1,8 @@
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/SearchSelect";
@ -74,14 +76,14 @@ export function renderForm(
        <ak-form-group expanded>
            <span slot="header"> ${msg("Protocol settings")} </span>
            <div slot="body" class="pf-c-form">
-                <ak-text-input
+                <ak-hidden-text-input
                    name="sharedSecret"
                    label=${msg("Shared secret")}
                    .errorMessages=${errors?.sharedSecret ?? []}
                    value=${provider?.sharedSecret ?? randomString(128, ascii_letters + digits)}
                    required
                    input-hint="code"
-                ></ak-text-input>
+                ></ak-hidden-text-input>
                <ak-text-input
                    name="clientNetworks"
                    label=${msg("Client Networks")}
--- a/web/src/admin/providers/saml/SAMLProviderFormForm.ts
+++ b/web/src/admin/providers/saml/SAMLProviderFormForm.ts
@ -16,6 +16,7 @@ import {
    FlowsInstancesListDesignationEnum,
    PropertymappingsApi,
    PropertymappingsProviderSamlListRequest,
    SAMLNameIDPolicyEnum,
    SAMLPropertyMapping,
    SAMLProvider,
    SpBindingEnum,
@ -316,6 +317,54 @@ export function renderForm(
                        "When using IDP-initiated logins, the relay state will be set to this value.",
                    )}
                ></ak-text-input>
                <ak-form-element-horizontal
                    label=${msg("Default NameID Policy")}
                    required
                    name="defaultNameIdPolicy"
                >
                    <select class="pf-c-form-control">
                        <option
                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
                            ?selected=${provider?.defaultNameIdPolicy ===
                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
                        >
                            ${msg("Persistent")}
                        </option>
                        <option
                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
                            ?selected=${provider?.defaultNameIdPolicy ===
                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
                        >
                            ${msg("Email address")}
                        </option>
                        <option
                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
                            ?selected=${provider?.defaultNameIdPolicy ===
                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
                        >
                            ${msg("Windows")}
                        </option>
                        <option
                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
                            ?selected=${provider?.defaultNameIdPolicy ===
                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
                        >
                            ${msg("X509 Subject")}
                        </option>
                        <option
                            value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
                            ?selected=${provider?.defaultNameIdPolicy ===
                            SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
                        >
                            ${msg("Transient")}
                        </option>
                    </select>
                    <p class="pf-c-form__helper-text">
                        ${msg(
                            "Configure the default NameID Policy used by IDP-initiated logins and when an incoming assertion doesn't specify a NameID Policy (also applies when using a custom NameID Mapping).",
                        )}
                    </p>
                </ak-form-element-horizontal>
                <ak-radio-input
                    name="digestAlgorithm"
--- a/web/src/admin/providers/scim/SCIMProviderFormForm.ts
+++ b/web/src/admin/providers/scim/SCIMProviderFormForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -50,7 +51,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                >
                </ak-switch-input>
-                <ak-text-input
+                <ak-hidden-text-input
                    name="token"
                    label=${msg("Token")}
                    value="${provider?.token ?? ""}"
@ -60,7 +61,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                        "Token to authenticate with. Currently only bearer authentication is supported.",
                    )}
                    input-hint="code"
-                ></ak-text-input>
+                ></ak-hidden-text-input>
                <ak-radio-input
                    name="compatibilityMode"
                    label=${msg("Compatibility Mode")}
--- a/web/src/admin/sources/kerberos/KerberosSourceForm.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceForm.ts
@ -9,6 +9,7 @@ import {
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-secret-text-input.js";
 import "@goauthentik/components/ak-secret-textarea-input.js";
 import "@goauthentik/components/ak-slug-input.js";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -87,12 +88,13 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                value=${ifDefined(this.instance?.name)}
                required
            ></ak-text-input>
-            <ak-text-input
+            <ak-slug-input
                name="slug"
                label=${msg("Slug")}
                value=${ifDefined(this.instance?.slug)}
                label=${msg("Slug")}
                required
-            ></ak-text-input>
+                input-hint="code"
            ></ak-slug-input>
            <ak-switch-input
                name="enabled"
                ?checked=${this.instance?.enabled ?? true}
--- a/web/src/admin/sources/ldap/LDAPSourceForm.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceForm.ts
@ -3,6 +3,7 @@ import { placeholderHelperText } from "@goauthentik/admin/helperText";
 import { BaseSourceForm } from "@goauthentik/admin/sources/BaseSourceForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-secret-text-input.js";
 import "@goauthentik/components/ak-slug-input.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -54,14 +55,15 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                    required
                />
            </ak-form-element-horizontal>
-            <ak-form-element-horizontal label=${msg("Slug")} required name="slug">
+
-                <input
+            <ak-slug-input
-                    type="text"
+                name="slug"
-                    value="${ifDefined(this.instance?.slug)}"
+                value=${ifDefined(this.instance?.slug)}
-                    class="pf-c-form-control"
+                label=${msg("Slug")}
-                    required
+                required
-                />
+                input-hint="code"
-            </ak-form-element-horizontal>
+            ></ak-slug-input>
            <ak-form-element-horizontal name="enabled">
                <label class="pf-c-switch">
                    <input
--- a/web/src/admin/sources/oauth/OAuthSourceForm.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceForm.ts
@ -10,6 +10,7 @@ import {
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-secret-textarea-input.js";
 import "@goauthentik/components/ak-slug-input.js";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
@ -267,16 +268,13 @@ export class OAuthSourceForm extends WithCapabilitiesConfig(BaseSourceForm<OAuth
                    required
                />
            </ak-form-element-horizontal>
-            <ak-form-element-horizontal label=${msg("Slug")} required name="slug">
+            <ak-slug-input
-                <input
+                name="slug"
-                    type="text"
+                value=${ifDefined(this.instance?.slug)}
-                    value="${ifDefined(this.instance?.slug)}"
+                label=${msg("Slug")}
-                    class="pf-c-form-control pf-m-monospace"
+                required
-                    autocomplete="off"
+                input-hint="code"
-                    spellcheck="false"
+            ></ak-slug-input>
                    required
                />
            </ak-form-element-horizontal>
            <ak-form-element-horizontal name="enabled">
                <label class="pf-c-switch">
                    <input
--- a/web/src/admin/sources/plex/PlexSourceForm.ts
+++ b/web/src/admin/sources/plex/PlexSourceForm.ts
@ -10,6 +10,7 @@ import {
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { PlexAPIClient, PlexResource, popupCenterScreen } from "@goauthentik/common/helpers/plex";
 import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-slug-input.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
@ -128,7 +129,7 @@ export class PlexSourceForm extends WithCapabilitiesConfig(BaseSourceForm<PlexSo
                    this.doAuth();
                }}
            >
-                ${msg("Re-authenticate with plex")}
+                ${msg("Re-authenticate with Plex")}
            </button>
            <ak-form-element-horizontal name="allowFriends">
                <label class="pf-c-switch">
@ -183,14 +184,15 @@ export class PlexSourceForm extends WithCapabilitiesConfig(BaseSourceForm<PlexSo
                    required
                />
            </ak-form-element-horizontal>
-            <ak-form-element-horizontal label=${msg("Slug")} required name="slug">
+
-                <input
+            <ak-slug-input
-                    type="text"
+                name="slug"
-                    value="${ifDefined(this.instance?.slug)}"
+                value=${ifDefined(this.instance?.slug)}
-                    class="pf-c-form-control"
+                label=${msg("Slug")}
-                    required
+                required
-                />
+                input-hint="code"
-            </ak-form-element-horizontal>
+            ></ak-slug-input>
            <ak-form-element-horizontal name="enabled">
                <label class="pf-c-switch">
                    <input
--- a/web/src/admin/sources/saml/SAMLSourceForm.ts
+++ b/web/src/admin/sources/saml/SAMLSourceForm.ts
@ -9,6 +9,7 @@ import {
    UserMatchingModeToLabel,
 } from "@goauthentik/admin/sources/oauth/utils";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-slug-input.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -25,7 +26,7 @@ import {
    DigestAlgorithmEnum,
    FlowsInstancesListDesignationEnum,
    GroupMatchingModeEnum,
-    NameIdPolicyEnum,
+    SAMLNameIDPolicyEnum,
    SAMLSource,
    SignatureAlgorithmEnum,
    SourcesApi,
@ -89,14 +90,15 @@ export class SAMLSourceForm extends WithCapabilitiesConfig(BaseSourceForm<SAMLSo
                    required
                />
            </ak-form-element-horizontal>
-            <ak-form-element-horizontal label=${msg("Slug")} required name="slug">
+
-                <input
+            <ak-slug-input
-                    type="text"
+                name="slug"
-                    value="${ifDefined(this.instance?.slug)}"
+                value=${ifDefined(this.instance?.slug)}
-                    class="pf-c-form-control"
+                label=${msg("Slug")}
-                    required
+                required
-                />
+                input-hint="code"
-            </ak-form-element-horizontal>
+            ></ak-slug-input>
            <ak-form-element-horizontal name="enabled">
                <label class="pf-c-switch">
                    <input
@ -351,37 +353,37 @@ export class SAMLSourceForm extends WithCapabilitiesConfig(BaseSourceForm<SAMLSo
                    >
                        <select class="pf-c-form-control">
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatPersistent}
                            >
                                ${msg("Persistent")}
                            </option>
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatEmailAddress}
                            >
                                ${msg("Email address")}
                            </option>
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatWindowsDomainQualifiedName}
                            >
                                ${msg("Windows")}
                            </option>
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml11NameidFormatX509SubjectName}
                            >
                                ${msg("X509 Subject")}
                            </option>
                            <option
-                                value=${NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
+                                value=${SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
                                ?selected=${this.instance?.nameIdPolicy ===
-                                NameIdPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
+                                SAMLNameIDPolicyEnum.UrnOasisNamesTcSaml20NameidFormatTransient}
                            >
                                ${msg("Transient")}
                            </option>
--- a/web/src/admin/sources/scim/SCIMSourceForm.ts
+++ b/web/src/admin/sources/scim/SCIMSourceForm.ts
@ -1,6 +1,7 @@
 import { placeholderHelperText } from "@goauthentik/admin/helperText";
 import { BaseSourceForm } from "@goauthentik/admin/sources/BaseSourceForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-slug-input.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -48,14 +49,15 @@ export class SCIMSourceForm extends BaseSourceForm<SCIMSource> {
                    required
                />
            </ak-form-element-horizontal>
-            <ak-form-element-horizontal label=${msg("Slug")} required name="slug">
+
-                <input
+            <ak-slug-input
-                    type="text"
+                name="slug"
-                    value="${ifDefined(this.instance?.slug)}"
+                value=${ifDefined(this.instance?.slug)}
-                    class="pf-c-form-control"
+                label=${msg("Slug")}
-                    required
+                required
-                />
+                input-hint="code"
-            </ak-form-element-horizontal>
+            ></ak-slug-input>
            <ak-form-element-horizontal name="enabled">
                <div class="pf-c-check">
                    <input
--- a/web/src/admin/stages/invitation/InvitationForm.ts
+++ b/web/src/admin/stages/invitation/InvitationForm.ts
@ -41,14 +41,27 @@ export class InvitationForm extends ModelForm<Invitation, string> {
    }
    renderForm(): TemplateResult {
-        return html` <ak-form-element-horizontal slugMode label=${msg("Name")} required name="name">
+        const checkSlug = (ev: InputEvent) => {
            if (ev && ev.target && ev.target instanceof HTMLInputElement) {
                ev.target.value = (ev.target.value ?? "").replace(/[^a-z0-9-]/g, "");
            }
        };
        return html` <ak-form-element-horizontal label=${msg("Name")} required name="name">
                <input
                    type="text"
                    id="admin-stages-invitation-name"
                    value="${this.instance?.name || ""}"
                    class="pf-c-form-control"
                    required
                    @input=${(ev: InputEvent) => checkSlug(ev)}
                    data-ak-slug="true"
                />
                <p class="pf-c-form__helper-text">
                    ${msg(
                        "The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.",
                    )}
                </p>
            </ak-form-element-horizontal>
            <ak-form-element-horizontal label=${msg("Expires")} required name="expires">
                <input
--- a/web/src/admin/users/ServiceAccountForm.ts
+++ b/web/src/admin/users/ServiceAccountForm.ts
@ -1,5 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { dateTimeLocal } from "@goauthentik/common/temporal";
 import "@goauthentik/components/ak-hidden-text-input";
 import { Form } from "@goauthentik/elements/forms/Form";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModalForm } from "@goauthentik/elements/forms/ModalForm";
@ -124,19 +125,14 @@ export class ServiceAccountForm extends Form<UserServiceAccountRequest> {
                        class="pf-c-form-control"
                    />
                </ak-form-element-horizontal>
-                <ak-form-element-horizontal label=${msg("Password")}>
+                <ak-hidden-text-input
-                    <input
+                    label=${msg("Password")}
-                        type="text"
+                    value="${this.result?.token ?? ""}"
-                        readonly
+                    .help=${msg(
-                        value=${ifDefined(this.result?.token)}
+                        "Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.",
-                        class="pf-c-form-control"
+                    )}
-                    />
+                >
-                    <p class="pf-c-form__helper-text">
+                </ak-hidden-text-input>
                        ${msg(
                            "Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.",
                        )}
                    </p>
                </ak-form-element-horizontal>
            </form>`;
    }
--- a/web/src/common/helpers/webauthn.ts
+++ b/web/src/common/helpers/webauthn.ts
@ -1,21 +1,5 @@
 import * as base64js from "base64-js";
 import { msg } from "@lit/localize";
 export function b64enc(buf: Uint8Array): string {
    return base64js.fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
 export function b64RawEnc(buf: Uint8Array): string {
    return base64js.fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_");
 }
 export function u8arr(input: string): Uint8Array {
    return Uint8Array.from(atob(input.replace(/_/g, "/").replace(/-/g, "+")), (c) =>
        c.charCodeAt(0),
    );
 }
 export function checkWebAuthnSupport() {
    if ("credentials" in navigator) {
        return;
@ -25,121 +9,3 @@ export function checkWebAuthnSupport() {
    }
    throw new Error(msg("WebAuthn not supported by browser."));
 }
 /**
 * Transforms items in the credentialCreateOptions generated on the server
 * into byte arrays expected by the navigator.credentials.create() call
 */
 export function transformCredentialCreateOptions(
    credentialCreateOptions: PublicKeyCredentialCreationOptions,
    userId: string,
 ): PublicKeyCredentialCreationOptions {
    const user = credentialCreateOptions.user;
    // Because json can't contain raw bytes, the server base64-encodes the User ID
    // So to get the base64 encoded byte array, we first need to convert it to a regular
    // string, then a byte array, re-encode it and wrap that in an array.
    const stringId = decodeURIComponent(window.atob(userId));
    user.id = u8arr(b64enc(u8arr(stringId)));
    const challenge = u8arr(credentialCreateOptions.challenge.toString());
    return {
        ...credentialCreateOptions,
        challenge,
        user,
    };
 }
 export interface Assertion {
    id: string;
    rawId: string;
    type: string;
    registrationClientExtensions: string;
    response: {
        clientDataJSON: string;
        attestationObject: string;
    };
 }
 /**
 * Transforms the binary data in the credential into base64 strings
 * for posting to the server.
 * @param {PublicKeyCredential} newAssertion
 */
 export function transformNewAssertionForServer(newAssertion: PublicKeyCredential): Assertion {
    const attObj = new Uint8Array(
        (newAssertion.response as AuthenticatorAttestationResponse).attestationObject,
    );
    const clientDataJSON = new Uint8Array(newAssertion.response.clientDataJSON);
    const rawId = new Uint8Array(newAssertion.rawId);
    const registrationClientExtensions = newAssertion.getClientExtensionResults();
    return {
        id: newAssertion.id,
        rawId: b64enc(rawId),
        type: newAssertion.type,
        registrationClientExtensions: JSON.stringify(registrationClientExtensions),
        response: {
            clientDataJSON: b64enc(clientDataJSON),
            attestationObject: b64enc(attObj),
        },
    };
 }
 export function transformCredentialRequestOptions(
    credentialRequestOptions: PublicKeyCredentialRequestOptions,
 ): PublicKeyCredentialRequestOptions {
    const challenge = u8arr(credentialRequestOptions.challenge.toString());
    const allowCredentials = (credentialRequestOptions.allowCredentials || []).map(
        (credentialDescriptor) => {
            const id = u8arr(credentialDescriptor.id.toString());
            return Object.assign({}, credentialDescriptor, { id });
        },
    );
    return {
        ...credentialRequestOptions,
        challenge,
        allowCredentials,
    };
 }
 export interface AuthAssertion {
    id: string;
    rawId: string;
    type: string;
    assertionClientExtensions: string;
    response: {
        clientDataJSON: string;
        authenticatorData: string;
        signature: string;
        userHandle: string | null;
    };
 }
 /**
 * Encodes the binary data in the assertion into strings for posting to the server.
 * @param {PublicKeyCredential} newAssertion
 */
 export function transformAssertionForServer(newAssertion: PublicKeyCredential): AuthAssertion {
    const response = newAssertion.response as AuthenticatorAssertionResponse;
    const authData = new Uint8Array(response.authenticatorData);
    const clientDataJSON = new Uint8Array(response.clientDataJSON);
    const rawId = new Uint8Array(newAssertion.rawId);
    const sig = new Uint8Array(response.signature);
    const assertionClientExtensions = newAssertion.getClientExtensionResults();
    return {
        id: newAssertion.id,
        rawId: b64enc(rawId),
        type: newAssertion.type,
        assertionClientExtensions: JSON.stringify(assertionClientExtensions),
        response: {
            clientDataJSON: b64RawEnc(clientDataJSON),
            signature: b64RawEnc(sig),
            authenticatorData: b64RawEnc(authData),
            userHandle: null,
        },
    };
 }
--- a/web/src/common/ui/config.ts
+++ b/web/src/common/ui/config.ts
@ -1,5 +1,6 @@
 import { me } from "@goauthentik/common/users.js";
 import { isUserRoute } from "@goauthentik/elements/router/utils.js";
 import { deepmerge, deepmergeInto } from "deepmerge-ts";
 import { UiThemeEnum, UserSelf } from "@goauthentik/api";
 import { CurrentBrand } from "@goauthentik/api";
@ -96,13 +97,12 @@ export class DefaultUIConfig implements UIConfig {
 let globalUiConfig: Promise<UIConfig>;
 export function getConfigForUser(user: UserSelf): UIConfig {
-    const settings = user.settings;
+    const settings = user.settings as UIConfig;
-    let config = new DefaultUIConfig();
+    const config = new DefaultUIConfig();
    if (!settings) {
        return config;
    }
-    config = Object.assign(new DefaultUIConfig(), settings);
+    return deepmerge({ ...config }, settings);
    return config;
 }
 export function uiConfig(): Promise<UIConfig> {
--- a/web/src/components/ak-slug-input.ts
+++ b/web/src/components/ak-slug-input.ts
@ -1,4 +1,5 @@
-import { formatSlug } from "@goauthentik/elements/router/utils.js";
+import { bound } from "@goauthentik/elements/decorators/bound.js";
 import { kebabCase } from "change-case";
 import { html } from "lit";
 import { customElement, property, query } from "lit/decorators.js";
@ -6,59 +7,83 @@ import { ifDefined } from "lit/directives/if-defined.js";
 import { HorizontalLightComponent } from "./HorizontalLightComponent";
 const slugify = (s: string) => kebabCase(s, { suffixCharacters: "-" });
 /**
 * @element ak-slug-input
 * @class AkSlugInput
 *
 * A wrapper around `ak-form-element-horizontal` and a text input control that listens for input on
 * a peer text input control and automatically mirrors that control's value, transforming the value
 * into a slug and displaying it separately.
 *
 * If the user manually changes the slug, mirroring and transformation stop. If, after that, both
 * fields are cleared manually, mirroring and transformation resume.
 *
 * ## Limitations:
 *
 * Both the source text field and the slug field must be rendered in the same render pass (i.e.,
 * part of the same singular call to a `render` function) so that the slug field can find its
 * source.
 *
 * For the same reason, both the source text field and the slug field must share the same immediate
 * parent DOM object.
 *
 * Since we expect the source text field and the slug to be part of the same form and rendered not
 * just in the same form but in the same form group, these are not considered burdensome
 * restrictions.
 */
@customElement("ak-slug-input")
 export class AkSlugInput extends HorizontalLightComponent<string> {
-    @property({ type: String, reflect: true })
+    /**
-    value = "";
+     * A selector indicating the source text input control. Must be unique within the whole DOM
-
+     * context of the slug and source controls. The most common use in authentik is the default:
     * slugifying the "name" of something.
     */
    @property({ type: String })
-    source = "";
+    public source = "[name='name']";
-    origin?: HTMLInputElement | null;
+    @property({ type: String, reflect: true })
    public value = "";
    @query("input")
-    input!: HTMLInputElement;
+    private input!: HTMLInputElement;
-    touched: boolean = false;
+    #origin?: HTMLInputElement | null;
-    constructor() {
+    #touched: boolean = false;
        super();
        this.slugify = this.slugify.bind(this);
        this.handleTouch = this.handleTouch.bind(this);
    }
    firstUpdated() {
        this.input.addEventListener("input", this.handleTouch);
    }
    // Do not stop propagation of this event; it must be sent up the tree so that a parent
    // component, such as a custom forms manager, may receive it.
-    handleTouch(ev: Event) {
+    protected handleTouch(ev: Event) {
-        this.input.value = formatSlug(this.input.value);
+        this.value = this.input.value = slugify(this.input.value);
        this.value = this.input.value;
-        if (this.origin && this.origin.value === "" && this.input.value === "") {
+        // Reset 'touched' status if the slug & target have been reset
-            this.touched = false;
+        if (this.#origin && this.#origin.value === "" && this.input.value === "") {
            this.#touched = false;
            return;
        }
        if (ev && ev.target && ev.target instanceof HTMLInputElement) {
-            this.touched = true;
+            this.#touched = true;
        }
    }
-    slugify(ev: Event) {
+    @bound
    protected slugify(ev: Event) {
        if (!(ev && ev.target && ev.target instanceof HTMLInputElement)) {
            return;
        }
        // Reset 'touched' status if the slug & target have been reset
        if (ev.target.value === "" && this.input.value === "") {
-            this.touched = false;
+            this.#touched = false;
        }
-        // Don't proceed if the user has hand-modified the slug
+        // Don't proceed if the user has hand-modified the slug. (Note the order of statements: if
-        if (this.touched) {
+        // the user hand modified the slug to be empty as part of resetting the slug/source
        // relationship, that's a "not-touched" condition and falls through.)
        if (this.#touched) {
            return;
        }
@ -67,7 +92,7 @@ export class AkSlugInput extends HorizontalLightComponent<string> {
        // "any event which adds or removes a character but leaves the rest of the slug looking like
        // the previous iteration, set it to the current iteration."
-        const newSlug = formatSlug(ev.target.value);
+        const newSlug = slugify(ev.target.value);
        const oldSlug = this.input.value;
        const [shorter, longer] =
            newSlug.length < oldSlug.length ? [newSlug, oldSlug] : [oldSlug, newSlug];
@ -81,7 +106,6 @@ export class AkSlugInput extends HorizontalLightComponent<string> {
        // to listeners, both the name and value of the host must match those of the target
        // input. The name is already handled since it's both required and automatically
        // forwarded to our templated input, but the value must also be set.
        this.value = this.input.value = newSlug;
        this.dispatchEvent(
            new Event("input", {
@ -91,38 +115,36 @@ export class AkSlugInput extends HorizontalLightComponent<string> {
        );
    }
-    connectedCallback() {
+    public override disconnectedCallback() {
-        super.connectedCallback();
+        if (this.#origin) {
-
+            this.#origin.removeEventListener("input", this.slugify);
        // Set up listener on source element, so we can slugify the content.
        setTimeout(() => {
            if (this.source) {
                const rootNode = this.getRootNode();
                if (rootNode instanceof ShadowRoot || rootNode instanceof Document) {
                    this.origin = rootNode.querySelector(this.source);
                }
                if (this.origin) {
                    this.origin.addEventListener("input", this.slugify);
                }
            }
        }, 0);
    }
    disconnectedCallback() {
        if (this.origin) {
            this.origin.removeEventListener("input", this.slugify);
        }
        super.disconnectedCallback();
    }
-    renderControl() {
+    public override renderControl() {
        return html`<input
            @input=${(ev: Event) => this.handleTouch(ev)}
            type="text"
            value=${ifDefined(this.value)}
            class="pf-c-form-control"
            ?required=${this.required}
        />`;
    }
    public override firstUpdated() {
        if (!this.source) {
            return;
        }
        const rootNode = this.getRootNode();
        if (rootNode instanceof ShadowRoot || rootNode instanceof Document) {
            this.#origin = rootNode.querySelector(this.source);
        }
        if (this.#origin) {
            this.#origin.addEventListener("input", this.slugify);
        }
    }
 }
 export default AkSlugInput;
--- a/web/src/components/events/ObjectChangelog.ts
+++ b/web/src/components/events/ObjectChangelog.ts
@ -94,7 +94,8 @@ export class ObjectChangelog extends Table<Event> {
    renderEmpty(): TemplateResult {
        return super.renderEmpty(
-            html`<ak-empty-state header=${msg("No Events found.")}>
+            html`<ak-empty-state
                ><span slot="header">${msg("No Events found.")}</span>
                <div slot="body">${msg("No matching events could be found.")}</div>
            </ak-empty-state>`,
        );
--- a/web/src/components/events/UserEvents.ts
+++ b/web/src/components/events/UserEvents.ts
@ -66,7 +66,8 @@ export class UserEvents extends Table<Event> {
    renderEmpty(): TemplateResult {
        return super.renderEmpty(
-            html`<ak-empty-state header=${msg("No Events found.")}>
+            html`<ak-empty-state
                ><span slot="header">${msg("No Events found.")}</span>
                <div slot="body">${msg("No matching events could be found.")}</div>
            </ak-empty-state>`,
        );
--- a/web/src/elements/EmptyState.ts
+++ b/web/src/elements/EmptyState.ts
@ -3,6 +3,7 @@ import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/Spinner";
 import { type SlottedTemplateResult, type Spread } from "@goauthentik/elements/types";
 import { spread } from "@open-wc/lit-helpers";
 import { SlotController } from "@patternfly/pfe-core/controllers/slot-controller.js";
 import { msg } from "@lit/localize";
 import { css, html, nothing } from "lit";
@ -33,6 +34,8 @@ export class EmptyState extends AKElement implements IEmptyState {
    @property()
    header?: string;
    slots = new SlotController(this, "header", "body", "primary");
    static get styles() {
        return [
            PFBase,
@ -48,6 +51,12 @@ export class EmptyState extends AKElement implements IEmptyState {
    }
    render() {
        const showHeader = this.loading || this.slots.hasSlotted("header");
        const header = () =>
            this.slots.hasSlotted("header")
                ? html`<slot name="header"></slot>`
                : html`<span>${msg("Loading")}</span>`;
        return html`<div class="pf-c-empty-state ${this.fullHeight && "pf-m-full-height"}">
            <div class="pf-c-empty-state__content">
                ${this.loading
@ -59,15 +68,17 @@ export class EmptyState extends AKElement implements IEmptyState {
                          "fa-question-circle"} pf-c-empty-state__icon"
                          aria-hidden="true"
                      ></i>`}
-                <h1 class="pf-c-title pf-m-lg">
+                ${showHeader ? html` <h1 class="pf-c-title pf-m-lg">${header()}</h1>` : nothing}
-                    ${this.loading && this.header === undefined ? msg("Loading") : this.header}
+                ${this.slots.hasSlotted("body")
-                </h1>
+                    ? html` <div class="pf-c-empty-state__body">
-                <div class="pf-c-empty-state__body">
+                          <slot name="body"></slot>
-                    <slot name="body"></slot>
+                      </div>`
-                </div>
+                    : nothing}
-                <div class="pf-c-empty-state__primary">
+                ${this.slots.hasSlotted("primary")
-                    <slot name="primary"></slot>
+                    ? html` <div class="pf-c-empty-state__primary">
-                </div>
+                          <slot name="primary"></slot>
                      </div>`
                    : nothing}
            </div>
        </div>`;
    }
--- a/web/src/elements/ak-dual-select/ak-dual-select.ts
+++ b/web/src/elements/ak-dual-select/ak-dual-select.ts
@ -33,7 +33,7 @@ import {
 function localeComparator(a: DualSelectPair, b: DualSelectPair) {
    const aSortBy = a[2] || a[0];
-    const bSortBy = b[2] || a[0];
+    const bSortBy = b[2] || b[0];
    return aSortBy.localeCompare(bSortBy);
 }
--- a/web/src/elements/charts/Chart.ts
+++ b/web/src/elements/charts/Chart.ts
@ -200,7 +200,8 @@ export abstract class AKChart<T> extends AKElement {
            <div class="container">
                ${this.error
                    ? html`
-                          <ak-empty-state header="${msg("Failed to fetch data.")}" icon="fa-times">
+                          <ak-empty-state icon="fa-times"
                              ><span slot="header">${msg("Failed to fetch data.")}</span>
                              <p slot="body">${pluckErrorDetail(this.error)}</p>
                          </ak-empty-state>
                      `
--- a/web/src/elements/events/LogViewer.ts
+++ b/web/src/elements/events/LogViewer.ts
@ -40,7 +40,9 @@ export class LogViewer extends Table<LogEvent> {
    renderEmpty(): TemplateResult {
        return super.renderEmpty(
-            html`<ak-empty-state header=${msg("No log messages.")}> </ak-empty-state>`,
+            html`<ak-empty-state
                ><span slot="header">${msg("No log messages.")}</span>
            </ak-empty-state>`,
        );
    }
--- a/web/src/elements/forms/Form.ts
+++ b/web/src/elements/forms/Form.ts
@ -7,7 +7,6 @@ import { AKElement } from "@goauthentik/elements/Base";
 import { HorizontalFormElement } from "@goauthentik/elements/forms/HorizontalFormElement";
 import { PreventFormSubmit } from "@goauthentik/elements/forms/helpers";
 import { showMessage } from "@goauthentik/elements/messages/MessageContainer";
 import { formatSlug } from "@goauthentik/elements/router/utils.js";
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
@ -197,39 +196,6 @@ export abstract class Form<T> extends AKElement {
        return this.successMessage;
    }
    /**
     * After rendering the form, if there is both a `name` and `slug` element within the form,
     * events the `name` element so that the slug will always have a slugified version of the
     * `name.`. This duplicates functionality within ak-form-element-horizontal.
     */
    updated(): void {
        this.shadowRoot
            ?.querySelectorAll("ak-form-element-horizontal[name=name]")
            .forEach((nameInput) => {
                const input = nameInput.firstElementChild as HTMLInputElement;
                const form = nameInput.closest("form");
                if (form === null) {
                    return;
                }
                const slugFieldWrapper = form.querySelector(
                    "ak-form-element-horizontal[name=slug]",
                );
                if (!slugFieldWrapper) {
                    return;
                }
                const slugField = slugFieldWrapper.firstElementChild as HTMLInputElement;
                // Only attach handler if the slug is already equal to the name
                // if not, they are probably completely different and shouldn't update
                // each other
                if (formatSlug(input.value) !== slugField.value) {
                    return;
                }
                nameInput.addEventListener("input", () => {
                    slugField.value = formatSlug(input.value);
                });
            });
    }
    resetForm(): void {
        const form = this.shadowRoot?.querySelector<HTMLFormElement>("form");
        form?.reset();
--- a/web/src/elements/forms/HorizontalFormElement.ts
+++ b/web/src/elements/forms/HorizontalFormElement.ts
@ -77,9 +77,6 @@ export class HorizontalFormElement extends AKElement {
    @property({ attribute: false })
    errorMessages: string[] | string[][] = [];
    @property({ type: Boolean })
    slugMode = false;
    _invalid = false;
    /* If this property changes, we want to make sure the parent control is "opened" so
@ -109,13 +106,6 @@ export class HorizontalFormElement extends AKElement {
        this.querySelectorAll<HTMLInputElement>("input[autofocus]").forEach((input) => {
            input.focus();
        });
        if (this.name === "slug" || this.slugMode) {
            this.querySelectorAll<HTMLInputElement>("input[type='text']").forEach((input) => {
                input.addEventListener("keyup", () => {
                    input.value = formatSlug(input.value);
                });
            });
        }
        this.querySelectorAll("*").forEach((input) => {
            if (isAkControl(input) && !input.getAttribute("name")) {
                input.setAttribute("name", this.name);
--- a/web/src/elements/notifications/NotificationDrawer.ts
+++ b/web/src/elements/notifications/NotificationDrawer.ts
@ -163,7 +163,8 @@ export class NotificationDrawer extends AKElement {
    }
    renderEmpty() {
-        return html`<ak-empty-state header=${msg("No notifications found.")}>
+        return html`<ak-empty-state
            ><span slot="header">${msg("No notifications found.")}</span>
            <div slot="body">${msg("You don't have any notifications currently.")}</div>
        </ak-empty-state>`;
    }
--- a/web/src/elements/table/Table.ts
+++ b/web/src/elements/table/Table.ts
@ -288,7 +288,9 @@ export abstract class Table<T> extends AKElement implements TableLike {
        return html`<tr role="row">
            <td role="cell" colspan="25">
                <div class="pf-l-bullseye">
-                    <ak-empty-state loading header=${msg("Loading")}></ak-empty-state>
+                    <ak-empty-state loading
                        ><span slot="header">${msg("Loading")}</span></ak-empty-state
                    >
                </div>
            </td>
        </tr>`;
@ -300,8 +302,9 @@ export abstract class Table<T> extends AKElement implements TableLike {
                <td role="cell" colspan="8">
                    <div class="pf-l-bullseye">
                        ${inner ??
-                        html`<ak-empty-state header="${msg("No objects found.")}"
+                        html`<ak-empty-state
-                            ><div slot="primary">${this.renderObjectCreate()}</div>
+                            ><span slot="header">${msg("No objects found.")}</span> >
                            <div slot="primary">${this.renderObjectCreate()}</div>
                        </ak-empty-state>`}
                    </div>
                </td>
@ -316,7 +319,8 @@ export abstract class Table<T> extends AKElement implements TableLike {
    renderError(): SlottedTemplateResult {
        if (!this.error) return nothing;
-        return html`<ak-empty-state header="${msg("Failed to fetch objects.")}" icon="fa-ban">
+        return html`<ak-empty-state icon="fa-ban"
            ><span slot="header">${msg("Failed to fetch objects.")}</span>
            <div slot="body">${pluckErrorDetail(this.error)}</div>
        </ak-empty-state>`;
    }
--- a/web/src/elements/tests/EmptyState.test.ts
+++ b/web/src/elements/tests/EmptyState.test.ts
@ -19,7 +19,11 @@ describe("ak-empty-state", () => {
    });
    it("should render the default loader", async () => {
-        render(html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`);
+        render(
            html`<ak-empty-state loading
                ><span slot="header">${msg("Loading")}</span>
            </ak-empty-state>`,
        );
        const empty = await $("ak-empty-state").$(">>>.pf-c-empty-state__icon");
        await expect(empty).toExist();
@ -29,7 +33,11 @@ describe("ak-empty-state", () => {
    });
    it("should handle standard boolean", async () => {
-        render(html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`);
+        render(
            html`<ak-empty-state loading
                ><span slot="header">${msg("Loading")}</span>
            </ak-empty-state>`,
        );
        const empty = await $("ak-empty-state").$(">>>.pf-c-empty-state__icon");
        await expect(empty).toExist();
@ -39,7 +47,11 @@ describe("ak-empty-state", () => {
    });
    it("should render a static empty state", async () => {
-        render(html`<ak-empty-state header=${msg("No messages found")}> </ak-empty-state>`);
+        render(
            html`<ak-empty-state
                ><span slot="header">${msg("No messages found")}</span>
            </ak-empty-state>`,
        );
        const empty = await $("ak-empty-state").$(">>>.pf-c-empty-state__icon");
        await expect(empty).toExist();
@ -51,7 +63,8 @@ describe("ak-empty-state", () => {
    it("should render a slotted message", async () => {
        render(
-            html`<ak-empty-state header=${msg("No messages found")}>
+            html`<ak-empty-state
                ><span slot="header">${msg("No messages found")}</span>
                <p slot="body">Try again with a different filter</p>
            </ak-empty-state>`,
        );
--- a/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts
+++ b/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts
@ -1,8 +1,4 @@
-import {
+import { checkWebAuthnSupport } from "@goauthentik/common/helpers/webauthn";
    checkWebAuthnSupport,
    transformAssertionForServer,
    transformCredentialRequestOptions,
 } from "@goauthentik/common/helpers/webauthn";
 import "@goauthentik/elements/EmptyState";
 import { BaseDeviceStage } from "@goauthentik/flow/stages/authenticator_validate/base";
@ -38,12 +34,12 @@ export class AuthenticatorValidateStageWebAuthn extends BaseDeviceStage<
    async authenticate(): Promise<void> {
        // request the authenticator to create an assertion signature using the
        // credential private key
-        let assertion;
+        let assertion: PublicKeyCredential;
        checkWebAuthnSupport();
        try {
-            assertion = await navigator.credentials.get({
+            assertion = (await navigator.credentials.get({
                publicKey: this.transformedCredentialRequestOptions,
-            });
+            })) as PublicKeyCredential;
            if (!assertion) {
                throw new Error("Assertions is empty");
            }
@ -51,17 +47,11 @@ export class AuthenticatorValidateStageWebAuthn extends BaseDeviceStage<
            throw new Error(`Error when creating credential: ${err}`);
        }
        // we now have an authentication assertion! encode the byte arrays contained
        // in the assertion data as strings for posting to the server
        const transformedAssertionForServer = transformAssertionForServer(
            assertion as PublicKeyCredential,
        );
        // post the assertion to the server for verification.
        try {
            await this.host?.submit(
                {
-                    webauthn: transformedAssertionForServer,
+                    webauthn: assertion.toJSON(),
                },
                {
                    invisible: true,
@ -74,12 +64,10 @@ export class AuthenticatorValidateStageWebAuthn extends BaseDeviceStage<
    updated(changedProperties: PropertyValues<this>) {
        if (changedProperties.has("challenge") && this.challenge !== undefined) {
            // convert certain members of the PublicKeyCredentialRequestOptions into
            // byte arrays as expected by the spec.
            const credentialRequestOptions = this.deviceChallenge
-                ?.challenge as PublicKeyCredentialRequestOptions;
+                ?.challenge as unknown as PublicKeyCredentialRequestOptionsJSON;
            this.transformedCredentialRequestOptions =
-                transformCredentialRequestOptions(credentialRequestOptions);
+                PublicKeyCredential.parseRequestOptionsFromJSON(credentialRequestOptions);
            this.authenticateWrapper();
        }
    }
--- a/web/src/flow/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts
+++ b/web/src/flow/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts
@ -1,9 +1,4 @@
-import {
+import { checkWebAuthnSupport } from "@goauthentik/common/helpers/webauthn";
    Assertion,
    checkWebAuthnSupport,
    transformCredentialCreateOptions,
    transformNewAssertionForServer,
 } from "@goauthentik/common/helpers/webauthn";
 import "@goauthentik/elements/EmptyState";
 import { BaseStage } from "@goauthentik/flow/stages/base";
@ -24,10 +19,6 @@ import {
    AuthenticatorWebAuthnChallengeResponseRequest,
 } from "@goauthentik/api";
 export interface WebAuthnAuthenticatorRegisterChallengeResponse {
    response: Assertion;
 }
@customElement("ak-stage-authenticator-webauthn")
 export class WebAuthnAuthenticatorRegisterStage extends BaseStage<
    AuthenticatorWebAuthnChallenge,
@ -68,7 +59,7 @@ export class WebAuthnAuthenticatorRegisterStage extends BaseStage<
        }
        checkWebAuthnSupport();
        // request the authenticator(s) to create a new credential keypair.
-        let credential;
+        let credential: PublicKeyCredential;
        try {
            credential = (await navigator.credentials.create({
                publicKey: this.publicKeyCredentialCreateOptions,
@ -80,16 +71,12 @@ export class WebAuthnAuthenticatorRegisterStage extends BaseStage<
            throw new Error(msg(str`Error creating credential: ${err}`));
        }
        // we now have a new credential! We now need to encode the byte arrays
        // in the credential into strings, for posting to our server.
        const newAssertionForServer = transformNewAssertionForServer(credential);
        // post the transformed credential data to the server for validation
        // and storing the public key
        try {
            await this.host?.submit(
                {
-                    response: newAssertionForServer,
+                    response: credential.toJSON(),
                },
                {
                    invisible: true,
@ -118,12 +105,10 @@ export class WebAuthnAuthenticatorRegisterStage extends BaseStage<
    updated(changedProperties: PropertyValues<this>) {
        if (changedProperties.has("challenge") && this.challenge !== undefined) {
-            // convert certain members of the PublicKeyCredentialCreateOptions into
+            this.publicKeyCredentialCreateOptions =
-            // byte arrays as expected by the spec.
+                PublicKeyCredential.parseCreationOptionsFromJSON(
-            this.publicKeyCredentialCreateOptions = transformCredentialCreateOptions(
+                    this.challenge?.registration as PublicKeyCredentialCreationOptionsJSON,
-                this.challenge?.registration as PublicKeyCredentialCreationOptions,
+                );
                this.challenge?.registration.user.id,
            );
            this.registerWrapper();
        }
    }
--- a/web/src/polyfill/index.entrypoint.ts
+++ b/web/src/polyfill/index.entrypoint.ts
@ -3,6 +3,7 @@ import "construct-style-sheets-polyfill";
 import "@webcomponents/webcomponentsjs";
 import "lit/polyfill-support.js";
 import "core-js/actual";
 import "webauthn-polyfills";
 import "@formatjs/intl-listformat/polyfill";
 import "@formatjs/intl-listformat/locale-data/en";
--- a/web/types/node.d.ts
+++ b/web/types/node.d.ts
@ -14,7 +14,7 @@ declare module "module" {
         * const relativeDirname = dirname(fileURLToPath(import.meta.url));
         * ```
         */
-        // eslint-disable-next-line no-var
+
        var __dirname: string;
    }
 }
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -3001,11 +3001,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Server laden</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Mit Plex erneut authentifizieren</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9241,6 +9236,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -2414,10 +2414,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Load servers</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Re-authenticate with plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
        <target>Allow friends to authenticate via Plex, even if you don't share any servers</target>
@ -7748,6 +7744,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -2982,11 +2982,6 @@ no se aprueba cuando una o ambas de las opciones seleccionadas son iguales o sup
        <source>Load servers</source>
        <target>Servidores de carga</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Vuelva a autenticarse con plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9301,6 +9296,18 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -3010,11 +3010,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Charger les serveurs</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Se ré-authentifier avec Plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9870,6 +9865,18 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@ -3011,11 +3011,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Carico server</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Riautenticarsi con plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9853,6 +9848,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/ko.xlf
+++ b/web/xliff/ko.xlf
@ -2973,11 +2973,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>서버 로드</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Plex로 다시 인증하기</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9209,6 +9204,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/nl.xlf
+++ b/web/xliff/nl.xlf
@ -2987,11 +2987,6 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d
        <source>Load servers</source>
        <target>Servers laden</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Opnieuw authenticeren met Plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9113,6 +9108,18 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -3012,11 +3012,6 @@ nie przechodzi, gdy jedna lub obie wybrane opcje są równe lub wyższe od progu
        <source>Load servers</source>
        <target>Załaduj serwery</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Ponowne uwierzytelnienie za pomocą plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9536,6 +9531,18 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -2990,11 +2990,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
  <target>Ĺōàď śēŕvēŕś</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
  <target>Ŕē-àũţĥēńţĩćàţē ŵĩţĥ ƥĺēx</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9545,4 +9540,16 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
 </body></file></xliff>
--- a/web/xliff/ru.xlf
+++ b/web/xliff/ru.xlf
@ -3011,11 +3011,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Загрузить серверы</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Повторная аутентификация с помощью plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9628,6 +9623,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -2990,11 +2990,6 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz
        <source>Load servers</source>
        <target>Sunucuları yükle</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Plex ile yeniden kimlik doğrulama</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9600,6 +9595,18 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-CN.xlf
+++ b/web/xliff/zh-CN.xlf
@ -2128,9 +2128,6 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s91f389c796720a81">
  <source>Load servers</source>
 </trans-unit>
 <trans-unit id="s24f405197ede5ebb">
  <source>Re-authenticate with plex</source>
 </trans-unit>
 <trans-unit id="sc297b2e13c28ecf9">
  <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
 </trans-unit>
@ -6362,6 +6359,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
 </body>
 </file>
 </xliff>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -3011,11 +3011,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>加载服务器</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>使用 Plex 重新验证身份</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9880,6 +9875,21 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
  <target>生成新的证书密钥对</target>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
  <target>显示字段内容</target>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
  <target>隐藏字段内容</target>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
  <target>使用 Plex 重新验证身份</target>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -2290,10 +2290,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>加载服务器</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>使用 plex 重新进行身份验证</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
        <target>允许好友通过Plex进行身份验证，即使您不共享任何服务器</target>
@ -7448,6 +7444,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_CN.xlf
+++ b/web/xliff/zh_CN.xlf
@ -3011,11 +3011,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>加载服务器</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>使用 Plex 重新验证身份</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9880,6 +9875,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
  <target>生成新的证书密钥对</target>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
  <target>显示字段内容</target>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
  <target>隐藏字段内容</target>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
  <target>使用 Plex 重新验证身份</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -2972,11 +2972,6 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>載入伺服器</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>使用 plex 重新身分認證</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9188,6 +9183,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 <trans-unit id="s0433d667ea6eec1a">
  <source>The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here.</source>
 </trans-unit>
    </body>
  </file>
--- a/website/docs/install-config/configuration/configuration.mdx
+++ b/website/docs/install-config/configuration/configuration.mdx
@ -70,9 +70,6 @@ To check if your config has been applied correctly, you can run the following co
 - `AUTHENTIK_POSTGRESQL__USER`: Database user
 - `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432
 - `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
  {/* TODO: Temporarily deactivated feature, see https://github.com/goauthentik/authentik/issues/14320 */}
  {/* - `AUTHENTIK_POSTGRESQL__USE_POOL`: Use a [connection pool](https://docs.djangoproject.com/en/stable/ref/databases/#connection-pool) for PostgreSQL connections. Defaults to `false`. :ak-version[2025.4] */}
  {/* - `AUTHENTIK_POSTGRESQL__POOL_OPTIONS`: Extra configuration to pass to the [ConnectionPool object](https://www.psycopg.org/psycopg3/docs/api/pool.html#psycopg_pool.ConnectionPool) when it is created. Must be a base64-encoded JSON dictionary. Ignored when `USE_POOL` is set to `false`. :ak-version[2025.4] */}
 - `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer. Deprecated, see below
 - `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjust configuration to support connection to Pgpool. Deprecated, see below
 - `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `"verify-ca"`
@ -85,7 +82,7 @@ To check if your config has been applied correctly, you can run the following co
 The PostgreSQL settings `HOST`, `PORT`, `USER`, and `PASSWORD` support hot-reloading. Adding and removing read replicas doesn't support hot-reloading.
- `AUTHENTIK_POSTGRESQL__DEFAULT_SCHEMA`:ak-version[2024.12]
+- `AUTHENTIK_POSTGRESQL__DEFAULT_SCHEMA` :ak-version[2024.12]
    The name of the schema used by default in the database. Defaults to `public`.
--- a/website/docs/releases/2025/v2025.6.md
+++ b/website/docs/releases/2025/v2025.6.md
@ -142,6 +142,17 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.6
 - tenants: fix tenant aware celery scheduler (cherry-pick #14921)
 - web/user: fix user settings flow not loading (cherry-pick #14911) (#14930)
 ## Fixed in 2025.6.2
 - brands: fix custom_css being escaped (cherry-pick #14994) (#14996)
 - core: bump django from 5.1.10 to 5.1.11 (cherry-pick #14997) (#15010)
 - core: bump django from 5.1.9 to 5.1.10 (cherry-pick #14951) (#15008)
 - internal/outpost: fix incorrect usage of golang SHA API (cherry-pick #14981) (#14982)
 - providers/rac: fixes prompt data not being merged with connection_settings (cherry-pick #15037) (#15038)
 - stages/email: Only attach logo to email if used (cherry-pick #14835) (#14969)
 - web/elements: fix dual select without sortBy (cherry-pick #14977) (#14979)
 - web/elements: fix typo in localeComparator (cherry-pick #15054) (#15055)
 ## API Changes
 #### What's New
--- a/website/docs/troubleshooting/login.md
+++ b/website/docs/troubleshooting/login.md
@ -27,3 +27,29 @@ uv run ak create_recovery_key 10 akadmin
 ```
 This will output a link, that can be used to instantly gain access to authentik as the user specified above. The link is valid for amount of years specified above, in this case, 10 years.
 ## Can't access initial setup flow during installation steps
 If you're unable to access the initial setup flow (`/if/flow/initial-setup/`) immediately after installing authentik, first try restarting the containers because this often resolves temporary issues.
 However, if the issue persists after restarting, you can directly set the admin password using the following commands:
 Docker Compose deployments:
    ```bash
    docker compose exec server ak changepassword akadmin
    ```
 Kubernetes deployments:
    ```bash
    kubectl exec -it deployment/authentik-server -c server -- ak changepassword akadmin
    ```
 After following the prompts to set a new password, you can then login via: `https://authentik.company/if/flow/default-authentication-flow/?next=%2F`
 After logging in, you can set the email address and other settings for the account by navigating to **Directory** > **Users** and editing the user account.
 :::note
 This method bypasses the initial setup flow and should only be used as a last resort. The initial setup flow is the recommended method to configure the administrator user.
 :::
--- a/website/docs/troubleshooting/postgres/upgrade_kubernetes.md
+++ b/website/docs/troubleshooting/postgres/upgrade_kubernetes.md
@ -49,7 +49,7 @@ After you are connected, execute these commands to create a database backup:
 cd /bitnami/postgresql/
 # Set the PostgreSQL password from environment variable
-export PGPASSWORD=$POSTGRES_POSTGRES_PASSWORD
+export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
 # Create a full database dump
 pg_dump -U $POSTGRES_USER $POSTGRES_DB > /bitnami/postgresql/dump.sql
@ -117,7 +117,7 @@ cd /bitnami/postgresql/
 ls -lh dump.sql
 # Set the PostgreSQL password
-export PGPASSWORD=$POSTGRES_POSTGRES_PASSWORD
+export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
 # Import the database dump
 psql -U $POSTGRES_USER $POSTGRES_DB < dump.sql
--- a/Show More
+++ b/Show More