release: 2024.10.4

providers/oauth2: fix migration (#12138)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.2
+current_version = 2024.10.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/ci-main.yml

@@ -116,7 +116,7 @@ jobs:
           poetry run make test
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -140,7 +140,7 @@ jobs:
           poetry run coverage run manage.py test tests/integration
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: integration
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -198,7 +198,7 @@ jobs:
           poetry run coverage run manage.py test ${{ matrix.job.glob }}
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: e2e
           token: ${{ secrets.CODECOV_TOKEN }}

Dockerfile

@@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.10.2"
+__version__ = "2024.10.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/v1/importer.py

@@ -293,11 +293,7 @@ class Importer:
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
-        if (
-            not isinstance(model(), BaseMetaModel)
-            and model_instance
-            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
-        ):
+        if not isinstance(model(), BaseMetaModel) and model_instance:
             self.logger.debug(
                 "Initialise serializer with instance",
                 model=model,
@@ -307,12 +303,11 @@ class Importer:
             serializer_kwargs["instance"] = model_instance
             serializer_kwargs["partial"] = True
         elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
-            msg = (
-                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
-                "and object exists already",
-            )
             raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
+                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    "and object exists already",
+                ),
                 entry,
             )
         else:

authentik/core/api/transactional_applications.py

@@ -1,12 +1,10 @@
 """transactional application and provider creation"""
 
 from django.apps import apps
-from django.db.models import Model
-from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -24,7 +22,6 @@ from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
-from authentik.policies.api.bindings import PolicyBindingSerializer
 
 
 def get_provider_serializer_mapping():
@@ -48,13 +45,6 @@ class TransactionProviderField(DictField):
     """Dictionary field which can hold provider creation data"""
 
 
-class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
-    """PolicyBindingSerializer which does not require target as target is set implicitly"""
-
-    class Meta(PolicyBindingSerializer.Meta):
-        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
-
-
 class TransactionApplicationSerializer(PassiveSerializer):
     """Serializer for creating a provider and an application in one transaction"""
 
@@ -62,8 +52,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
     provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
     provider = TransactionProviderField()
 
-    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
-
     _provider_model: type[Provider] = None
 
     def validate_provider_model(self, fq_model_name: str) -> str:
@@ -108,19 +96,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
                 id="app",
             )
         )
-        for binding in attrs.get("policy_bindings", []):
-            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
-            for key, value in binding.items():
-                if not isinstance(value, Model):
-                    continue
-                binding[key] = value.pk
-            blueprint.entries.append(
-                BlueprintEntry(
-                    model="authentik_policies.policybinding",
-                    state=BlueprintEntryDesiredState.MUST_CREATED,
-                    identifiers=binding,
-                )
-            )
         importer = Importer(blueprint, {})
         try:
             valid, _ = importer.validate(raise_validation_errors=True)
@@ -145,7 +120,8 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
     """Create provider and application and attach them in a single transaction"""
 
-    permission_classes = [IsAuthenticated]
+    # TODO: Migrate to a more specific permission
+    permission_classes = [IsAdminUser]
 
     @extend_schema(
         request=TransactionApplicationSerializer(),
@@ -157,23 +133,8 @@ class TransactionalApplicationView(APIView):
         """Convert data into a blueprint, validate it and apply it"""
         data = TransactionApplicationSerializer(data=request.data)
         data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
-        for entry in blueprint.entries:
-            full_model = entry.get_model(blueprint)
-            app, __, model = full_model.partition(".")
-            if not request.user.has_perm(f"{app}.add_{model}"):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
-        importer = Importer(blueprint, {})
+
+        importer = Importer(data.validated_data, {})
         applied = importer.apply()
         response = {"applied": False, "logs": []}
         response["applied"] = applied

authentik/core/api/users.py

@@ -666,12 +666,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.impersonate")
     @extend_schema(
-        request=inline_serializer(
-            "ImpersonationSerializer",
-            {
-                "reason": CharField(required=True),
-            },
-        ),
+        request=OpenApiTypes.NONE,
         responses={
             "204": OpenApiResponse(description="Successfully started impersonation"),
             "401": OpenApiResponse(description="Access denied"),
@@ -684,7 +679,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
         user_to_be = self.get_object()
-        reason = request.data.get("reason", "")
         # Check both object-level perms and global perms
         if not request.user.has_perm(
             "authentik_core.impersonate", user_to_be
@@ -694,16 +688,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)
-        if not reason and request.tenant.impersonation_require_reason:
-            LOGGER.debug(
-                "User attempted to impersonate without providing a reason", user=request.user
-            )
-            return Response(status=401)
 
         request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
         request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
 
-        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
 
         return Response(status=201)
 

authentik/core/tests/test_impersonation.py

@@ -29,8 +29,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
 
         response = self.client.get(reverse("authentik_api:user-me"))
@@ -56,8 +55,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
         self.assertEqual(response.status_code, 201)
 
@@ -77,8 +75,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
         self.assertEqual(response.status_code, 201)
 
@@ -92,8 +89,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.other_user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
         )
         self.assertEqual(response.status_code, 403)
 
@@ -109,8 +105,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
         )
         self.assertEqual(response.status_code, 401)
 
@@ -123,22 +118,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
-        )
-        self.assertEqual(response.status_code, 401)
-
-        response = self.client.get(reverse("authentik_api:user-me"))
-        response_body = loads(response.content.decode())
-        self.assertEqual(response_body["user"]["username"], self.user.username)
-
-    def test_impersonate_reason_required(self):
-        """test impersonation that user must provide reason"""
-        self.client.force_login(self.user)
-
-        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": ""},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
         )
         self.assertEqual(response.status_code, 401)
 

authentik/core/tests/test_transactional_applications_api.py

@@ -1,13 +1,11 @@
 """Test Transactional API"""
 
 from django.urls import reverse
-from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
 
 
@@ -15,9 +13,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
     """Test Transactional API"""
 
     def setUp(self) -> None:
-        self.user = create_test_user()
-        assign_perm("authentik_core.add_application", self.user)
-        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
+        self.user = create_test_admin_user()
 
     def test_create_transactional(self):
         """Test transactional Application + provider creation"""
@@ -46,66 +42,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
         self.assertIsNotNone(app)
         self.assertEqual(app.provider.pk, provider.pk)
 
-    def test_create_transactional_permission_denied(self):
-        """Test transactional Application + provider creation (missing permissions)"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_saml.samlprovider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                    "acs_url": "https://goauthentik.io",
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
-        )
-
-    def test_create_transactional_bindings(self):
-        """Test transactional Application + provider creation"""
-        assign_perm("authentik_policies.add_policybinding", self.user)
-        self.client.force_login(self.user)
-        uid = generate_id()
-        group = Group.objects.create(name=generate_id())
-        authorization_flow = create_test_flow()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(authorization_flow.pk),
-                    "invalidation_flow": str(authorization_flow.pk),
-                    "redirect_uris": [],
-                },
-                "policy_bindings": [{"group": group.pk, "order": 0}],
-            },
-        )
-        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
-        provider = OAuth2Provider.objects.filter(name=uid).first()
-        self.assertIsNotNone(provider)
-        app = Application.objects.filter(slug=uid).first()
-        self.assertIsNotNone(app)
-        self.assertEqual(app.provider.pk, provider.pk)
-        binding = PolicyBinding.objects.filter(target=app).first()
-        self.assertIsNotNone(binding)
-        self.assertEqual(binding.target, app)
-        self.assertEqual(binding.group, group)
-
     def test_create_transactional_invalid(self):
         """Test transactional Application + provider creation"""
         self.client.force_login(self.user)
@@ -135,32 +71,3 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 }
             },
         )
-
-    def test_create_transactional_duplicate_name_provider(self):
-        """Test transactional Application + provider creation"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        OAuth2Provider.objects.create(
-            name=uid,
-            authorization_flow=create_test_flow(),
-            invalidation_flow=create_test_flow(),
-        )
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": {"name": ["State is set to must_created and object exists already"]}},
-        )

authentik/events/models.py

@@ -60,7 +60,7 @@ def default_event_duration():
     """Default duration an Event is saved.
     This is used as a fallback when no brand is available"""
     try:
-        tenant = get_current_tenant(only=["event_retention"])
+        tenant = get_current_tenant()
         return now() + timedelta_from_string(tenant.event_retention)
     except Tenant.DoesNotExist:
         return now() + timedelta(days=365)

authentik/sources/kerberos/models.py

@@ -6,6 +6,7 @@ from tempfile import gettempdir
 from typing import Any
 
 import gssapi
+import kadmin
 import pglock
 from django.db import connection, models
 from django.db.models.fields import b64decode
@@ -13,8 +14,6 @@ from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
-from kadmin import KAdmin
-from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
@@ -31,8 +30,9 @@ from authentik.flows.challenge import RedirectChallenge
 LOGGER = get_logger()
 
 
-# Creating kadmin connections is expensive. As such, this global is used to reuse
-# existing kadmin connections instead of creating new ones
+# python-kadmin leaks file descriptors. As such, this global is used to reuse
+# existing kadmin connections instead of creating new ones, which results in less to no file
+# descriptors leaks
 _kadmin_connections: dict[str, Any] = {}
 
 
@@ -198,13 +198,13 @@ class KerberosSource(Source):
         conf_path.write_text(self.krb5_conf)
         return str(conf_path)
 
-    def _kadmin_init(self) -> KAdmin | None:
+    def _kadmin_init(self) -> "kadmin.KAdmin | None":
         # kadmin doesn't use a ccache for its connection
         # as such, we don't need to create a separate ccache for each source
         if not self.sync_principal:
             return None
         if self.sync_password:
-            return KAdmin.with_password(
+            return kadmin.init_with_password(
                 self.sync_principal,
                 self.sync_password,
             )
@@ -215,18 +215,18 @@ class KerberosSource(Source):
                 keytab_path.touch(mode=0o600)
                 keytab_path.write_bytes(b64decode(self.sync_keytab))
                 keytab = f"FILE:{keytab_path}"
-            return KAdmin.with_keytab(
+            return kadmin.init_with_keytab(
                 self.sync_principal,
                 keytab,
             )
         if self.sync_ccache:
-            return KAdmin.with_ccache(
+            return kadmin.init_with_ccache(
                 self.sync_principal,
                 self.sync_ccache,
             )
         return None
 
-    def connection(self) -> KAdmin | None:
+    def connection(self) -> "kadmin.KAdmin | None":
         """Get kadmin connection"""
         if str(self.pk) not in _kadmin_connections:
             kadm = self._kadmin_init()
@@ -246,7 +246,7 @@ class KerberosSource(Source):
                     status["status"] = "no connection"
                     return status
                 status["principal_exists"] = kadm.principal_exists(self.sync_principal)
-            except PyKAdminException as exc:
+            except kadmin.KAdminError as exc:
                 status["status"] = str(exc)
         return status
 

authentik/sources/kerberos/signals.py

@@ -1,8 +1,8 @@
 """authentik kerberos source signals"""
 
+import kadmin
 from django.db.models.signals import post_save
 from django.dispatch import receiver
-from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 
@@ -48,7 +48,7 @@ def kerberos_sync_password(sender, user: User, password: str, **_):
                 source.connection().getprinc(user_source_connection.identifier).change_password(
                     password
                 )
-            except PyKAdminException as exc:
+            except kadmin.KAdminError as exc:
                 LOGGER.warning("failed to set Kerberos password", exc=exc, source=source)
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,

authentik/sources/kerberos/sync.py

@@ -2,9 +2,9 @@
 
 from typing import Any
 
+import kadmin
 from django.core.exceptions import FieldError
 from django.db import IntegrityError, transaction
-from kadmin import KAdmin
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.core.expression.exceptions import (
@@ -30,7 +30,7 @@ class KerberosSync:
 
     _source: KerberosSource
     _logger: BoundLogger
-    _connection: KAdmin
+    _connection: "kadmin.KAdmin"
     mapper: SourceMapper
     user_manager: PropertyMappingManager
     group_manager: PropertyMappingManager
@@ -161,7 +161,7 @@ class KerberosSync:
 
         user_count = 0
         with Krb5ConfContext(self._source):
-            for principal in self._connection.list_principals(None):
+            for principal in self._connection.principals():
                 if self._handle_principal(principal):
                     user_count += 1
         return user_count

authentik/sources/kerberos/tests/test_auth.py

@@ -23,7 +23,6 @@ class TestKerberosAuth(KerberosTestCase):
         )
         self.user = User.objects.create(username=generate_id())
         self.user.set_unusable_password()
-        self.user.save()
         UserKerberosSourceConnection.objects.create(
             source=self.source, user=self.user, identifier=self.realm.user_princ
         )

authentik/sources/kerberos/tests/test_spnego.py

@@ -2,8 +2,6 @@
 
 from base64 import b64decode, b64encode
 from pathlib import Path
-from sys import platform
-from unittest import skipUnless
 
 import gssapi
 from django.urls import reverse
@@ -38,7 +36,6 @@ class TestSPNEGOSource(KerberosTestCase):
         )
         self.assertEqual(response.status_code, 200)
 
-    @skipUnless(platform.startswith("linux"), "Requires compatible GSSAPI implementation")
     def test_source_login(self):
         """test login view"""
         response = self.client.get(

authentik/tenants/api/settings.py

@@ -23,7 +23,6 @@ class SettingsSerializer(ModelSerializer):
             "footer_links",
             "gdpr_compliance",
             "impersonation",
-            "impersonation_require_reason",
             "default_token_duration",
             "default_token_length",
         ]

authentik/tenants/migrations/0004_tenant_impersonation_require_reason.py

@@ -1,21 +0,0 @@
-# Generated by Django 5.0.9 on 2024-11-07 15:08
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_tenants", "0003_alter_tenant_default_token_duration"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="tenant",
-            name="impersonation_require_reason",
-            field=models.BooleanField(
-                default=True,
-                help_text="Require administrators to provide a reason for impersonating a user.",
-            ),
-        ),
-    ]

authentik/tenants/models.py

@@ -85,10 +85,6 @@ class Tenant(TenantMixin, SerializerModel):
     impersonation = models.BooleanField(
         help_text=_("Globally enable/disable impersonation."), default=True
     )
-    impersonation_require_reason = models.BooleanField(
-        help_text=_("Require administrators to provide a reason for impersonating a user."),
-        default=True,
-    )
     default_token_duration = models.TextField(
         help_text=_("Default token duration"),
         default=DEFAULT_TOKEN_DURATION,

authentik/tenants/utils.py

@@ -8,11 +8,9 @@ from authentik.root.install_id import get_install_id
 from authentik.tenants.models import Tenant
 
 
-def get_current_tenant(only: list[str] | None = None) -> Tenant:
+def get_current_tenant() -> Tenant:
     """Get tenant for current request"""
-    if only is None:
-        only = []
-    return Tenant.objects.only(*only).get(schema_name=connection.schema_name)
+    return Tenant.objects.get(schema_name=connection.schema_name)
 
 
 def get_unique_identifier() -> str:

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.10.2 Blueprint schema",
+    "title": "authentik 2024.10.4 Blueprint schema",
     "required": [
         "version",
         "entries"

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -29,10 +29,10 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024102.2
+	goauthentik.io/api/v3 v3.2024083.13
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.24.0
-	golang.org/x/sync v0.9.0
+	golang.org/x/oauth2 v0.23.0
+	golang.org/x/sync v0.8.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )

go.sum

@@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024102.2 h1:k2sIU7TkT2fOomBYo5KEc/mz5ipzaZUp5TuEOJLPX4g=
-goauthentik.io/api/v3 v3.2024102.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024083.13 h1:xKh3feJYUeLw583zZ5ifgV0qjD37ZCOzgXPfbHQSbHM=
+goauthentik.io/api/v3 v3.2024083.13/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -388,8 +388,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
-golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -400,8 +400,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.10.2"
+const VERSION = "2024.10.4"

ldap.Dockerfile

@@ -33,7 +33,6 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 # Stage 2: Run
 FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
 
-ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 

lifecycle/ak.py

@@ -1,17 +1,15 @@
 """Wrapper for lifecycle/ak, to be installed by poetry"""
 
-from os import system, waitstatus_to_exitcode
+from os import system
 from pathlib import Path
-from sys import argv, exit
+from sys import argv
 
 
 def main():
     """Wrapper around ak bash script"""
     current_path = Path(__file__)
     args = " ".join(argv[1:])
-    res = system(f"{current_path.parent}/ak {args}")  # nosec
-    exit_code = waitstatus_to_exitcode(res)
-    exit(exit_code)
+    system(f"{current_path.parent}/ak {args}")  # nosec
 
 
 if __name__ == "__main__":

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-23 16:39+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -101,21 +101,12 @@ msgstr ""
 msgid "Brands"
 msgstr ""
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr ""
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
 "providers are returned. When set to false, backchannel providers are excluded"
 msgstr ""
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr ""
@@ -1135,10 +1126,6 @@ msgstr ""
 msgid "Password not set in context"
 msgstr ""
 
-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr ""
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@@ -2627,7 +2614,12 @@ msgid "Captcha Stages"
 msgstr ""
 
 #: authentik/stages/captcha/stage.py
-msgid "Invalid captcha response. Retrying may solve this issue."
+msgid "Unknown error"
+msgstr ""
+
+#: authentik/stages/captcha/stage.py
+#, python-brace-format
+msgid "Failed to validate token: {error}"
 msgstr ""
 
 #: authentik/stages/captcha/stage.py
@@ -3214,10 +3206,6 @@ msgstr ""
 msgid "Globally enable/disable impersonation."
 msgstr ""
 
-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr ""
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr ""

locale/it/LC_MESSAGES/django.po

@@ -11,17 +11,15 @@
 # Marco Vitale, 2024
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
-# Nicola Mersi, 2024
-# tom max, 2024
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-18 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: tom max, 2024\n"
+"Last-Translator: albanobattistella <albanobattistella@gmail.com>, 2024\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -121,10 +119,6 @@ msgstr "Brand"
 msgid "Brands"
 msgstr "Brands"
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "Descrizione extra non disponibile"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -135,11 +129,6 @@ msgstr ""
 " vengono restituiti solo i provider di backchannel. Se impostato su falso, i"
 " provider di backchannel vengono esclusi"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "L'utente non ha i diritti per creare {model}"
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "Non sono consentite barre oblique iniziali o finali."
@@ -594,28 +583,6 @@ msgstr "Limite massimo di connessioni raggiunto."
 msgid "(You are already connected in another tab/window)"
 msgstr "(Sei già connesso in un'altra scheda/finestra)"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
-msgid "Endpoint Authenticator Google Device Trust Connector Stage"
-msgstr ""
-"Fase di autenticazione per la verifica dispositivo Google tramite endpoint"
-
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
-msgid "Endpoint Authenticator Google Device Trust Connector Stages"
-msgstr ""
-"Fasi di autenticazione per la verifica dispositivo Google tramite endpoint"
-
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
-msgid "Endpoint Device"
-msgstr "Dispositivo di Accesso"
-
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
-msgid "Endpoint Devices"
-msgstr "Dispositivi di Accesso"
-
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verifica del tuo browser..."
-
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -1249,10 +1216,6 @@ msgstr ""
 msgid "Password not set in context"
 msgstr "Password non impostata nel contesto"
 
-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr "Password invalida."
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@@ -2054,124 +2017,6 @@ msgstr ""
 msgid "Used recovery-link to authenticate."
 msgstr "Utilizzato il link di recupero per autenticarsi."
 
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos realm"
-msgstr "Dominio Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Custom krb5.conf to use. Uses the system one by default"
-msgstr ""
-"krb5.conf personalizzato da usare. Usa la configurazione di sistema per "
-"default"
-
-#: authentik/sources/kerberos/models.py
-msgid "Sync users from Kerberos into authentik"
-msgstr "Sincronizza utenti da Kerberos a authentik"
-
-#: authentik/sources/kerberos/models.py
-msgid "When a user changes their password, sync it back to Kerberos"
-msgstr "Quando un utente cambia la sua password, sincronizzala in Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Principal to authenticate to kadmin for sync."
-msgstr "Entità da autenticare su kadmin per la sincronizzazione."
-
-#: authentik/sources/kerberos/models.py
-msgid "Password to authenticate to kadmin for sync"
-msgstr "Password per autenticarsi in kadmin per sincronizzare"
-
-#: authentik/sources/kerberos/models.py
-msgid ""
-"Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
-"form TYPE:residual"
-msgstr ""
-"Keytab per autenticarsi su kadmin per la sincronizzazione. Deve essere con "
-"codifica base64 o nel formato TYPE:residual"
-
-#: authentik/sources/kerberos/models.py
-msgid ""
-"Credentials cache to authenticate to kadmin for sync. Must be in the form "
-"TYPE:residual"
-msgstr ""
-"Credenziali memorizzate nella cache per autenticarsi su kadmin per la "
-"sincronizzazione. Devono essere nel formato TYPE:residual"
-
-#: authentik/sources/kerberos/models.py
-msgid ""
-"Force the use of a specific server name for SPNEGO. Must be in the form "
-"HTTP@hostname"
-msgstr ""
-"Forza l'uso di un nome server specifico per SPNEGO. Deve essere nel formato "
-"HTTP@nomehost"
-
-#: authentik/sources/kerberos/models.py
-msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
-msgstr ""
-"keytab SPNEGO con codifica base64 o percorso del keytab nel formato "
-"FILE:percorso"
-
-#: authentik/sources/kerberos/models.py
-msgid "Credential cache to use for SPNEGO in form type:residual"
-msgstr ""
-"Cache delle credenziali da utilizzare per SPNEGO nella forma  type:residual"
-
-#: authentik/sources/kerberos/models.py
-msgid ""
-"If enabled, the authentik-stored password will be updated upon login with "
-"the Kerberos password backend"
-msgstr ""
-"Se abilitato, la password memorizzata in authentik verrà aggiornata al login"
-" nel backend Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos Source"
-msgstr "Sorgente Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos Sources"
-msgstr "Sorgenti Kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos Source Property Mapping"
-msgstr "Mappa delle proprietà della sorgente kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Kerberos Source Property Mappings"
-msgstr "Mappe delle proprietà della sorgente kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "User Kerberos Source Connection"
-msgstr "Connessione sorgente dell'utente kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "User Kerberos Source Connections"
-msgstr " Connessioni alle sorgente dell'utente kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Group Kerberos Source Connection"
-msgstr " Connessione sorgente del gruppo kerberos"
-
-#: authentik/sources/kerberos/models.py
-msgid "Group Kerberos Source Connections"
-msgstr "Connessioni alle sorgenti del gruppo kerberos"
-
-#: authentik/sources/kerberos/views.py
-msgid "SPNEGO authentication required"
-msgstr "autenticazione  SPNEGO necessaria"
-
-#: authentik/sources/kerberos/views.py
-msgid ""
-"\n"
-"                    Make sure you have valid tickets (obtainable via kinit)\n"
-"                    and configured the browser correctly.\n"
-"                    Please contact your administrator.\n"
-"                "
-msgstr ""
-"\n"
-"Assicurati di avere un ticket valido (ottenibile tramite kinit)\n"
-" e di aver configurato correttamente il browser. \n"
-"Contatta il tuo amministratore."
-
 #: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
@@ -2890,10 +2735,13 @@ msgid "Captcha Stages"
 msgstr "Fasi Captcha"
 
 #: authentik/stages/captcha/stage.py
-msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr ""
-"Risposta captcha non valida. Un nuovo tentativo potrebbe risolvere il "
-"problema."
+msgid "Unknown error"
+msgstr "Errore sconosciuto"
+
+#: authentik/stages/captcha/stage.py
+#, python-brace-format
+msgid "Failed to validate token: {error}"
+msgstr "Impossibile convalidare il token: {error}"
 
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@@ -3266,10 +3114,6 @@ msgstr "Database utente + password app"
 msgid "User database + LDAP password"
 msgstr "Database utenti + password LDAP"
 
-#: authentik/stages/password/models.py
-msgid "User database + Kerberos password"
-msgstr "Database utenti + password Kerberos"
-
 #: authentik/stages/password/models.py
 msgid "Selection of backends to test the password against."
 msgstr "Selezione di backend su cui testare la password."
@@ -3563,12 +3407,6 @@ msgstr ""
 msgid "Globally enable/disable impersonation."
 msgstr "Abilita/disabilita globalmente la l'impersonazione."
 
-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr ""
-"Richiedi agli amministratori di fornire una ragione per impersonare un "
-"utente."
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "Durata token predefinita"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-23 16:39+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -110,10 +110,6 @@ msgstr "品牌"
 msgid "Brands"
 msgstr "品牌"
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "额外描述不可用"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -121,11 +117,6 @@ msgid ""
 "excluded"
 msgstr "如果未设置，则返回所有提供程序。如果启用，仅返回反向通道提供程序。如果禁用，则返回非反向通道提供程序"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "用户缺少创建 {model} 的权限"
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "不允许以斜线开始或结尾。"
@@ -1149,10 +1140,6 @@ msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"
 
-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr "无效密码。"
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@@ -2662,8 +2649,13 @@ msgid "Captcha Stages"
 msgstr "验证码阶段"
 
 #: authentik/stages/captcha/stage.py
-msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "无效的验证码响应。重试可能会解决此问题。"
+msgid "Unknown error"
+msgstr "未知错误"
+
+#: authentik/stages/captcha/stage.py
+#, python-brace-format
+msgid "Failed to validate token: {error}"
+msgstr "验证令牌失败：{error}"
 
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@@ -3269,10 +3261,6 @@ msgstr "启用时，所有由用户造成的事件会在相应用户被删除时
 msgid "Globally enable/disable impersonation."
 msgstr "全局启用/禁用模拟身份。"
 
-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr "需要管理员提供模拟用户的原因。"
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "默认令牌持续时间"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-23 16:39+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -109,10 +109,6 @@ msgstr "品牌"
 msgid "Brands"
 msgstr "品牌"
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "额外描述不可用"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -120,11 +116,6 @@ msgid ""
 "excluded"
 msgstr "如果未设置，则返回所有提供程序。如果启用，仅返回反向通道提供程序。如果禁用，则返回非反向通道提供程序"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "用户缺少创建 {model} 的权限"
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "不允许前缀或后缀斜线。"
@@ -1148,10 +1139,6 @@ msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"
 msgid "Password not set in context"
 msgstr "未在上下文中设置密码"
 
-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr "无效密码。"
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@@ -2661,8 +2648,13 @@ msgid "Captcha Stages"
 msgstr "验证码阶段"
 
 #: authentik/stages/captcha/stage.py
-msgid "Invalid captcha response. Retrying may solve this issue."
-msgstr "无效的验证码响应。重试可能会解决此问题。"
+msgid "Unknown error"
+msgstr "未知错误"
+
+#: authentik/stages/captcha/stage.py
+#, python-brace-format
+msgid "Failed to validate token: {error}"
+msgstr "验证令牌失败：{error}"
 
 #: authentik/stages/captcha/stage.py
 msgid "Invalid captcha response"
@@ -3268,10 +3260,6 @@ msgstr "启用时，所有由用户造成的事件会在相应用户被删除时
 msgid "Globally enable/disable impersonation."
 msgstr "全局启用/禁用模拟身份。"
 
-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr "需要管理员提供模拟用户的原因。"
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "默认令牌持续时间"

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.10.2",
+    "version": "2024.10.4",
     "private": true
 }

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.10.2"
+version = "2024.10.4"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -131,7 +131,8 @@ pydantic-scim = "*"
 pyjwt = "*"
 pyrad = "*"
 python = "~3.12"
-python-kadmin-rs = "0.2.0"
+# Fork of python-kadmin with compilation fixes as it's unmaintained
+python-kadmin = { git = "https://github.com/authentik-community/python-kadmin.git", tag = "v0.2.0" }
 pyyaml = "*"
 requests-oauthlib = "*"
 scim2-filter-parser = "*"

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.10.2
+  version: 2024.10.4
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -5295,12 +5295,6 @@ paths:
         required: true
       tags:
       - core
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ImpersonationRequest'
-        required: true
       security:
       - authentik: []
       responses:
@@ -42718,14 +42712,6 @@ components:
             incorrect user info is entered.
       required:
       - name
-    ImpersonationRequest:
-      type: object
-      properties:
-        reason:
-          type: string
-          minLength: 1
-      required:
-      - reason
     InstallID:
       type: object
       properties:
@@ -50046,10 +50032,6 @@ components:
         impersonation:
           type: boolean
           description: Globally enable/disable impersonation.
-        impersonation_require_reason:
-          type: boolean
-          description: Require administrators to provide a reason for impersonating
-            a user.
         default_token_duration:
           type: string
           minLength: 1
@@ -53804,10 +53786,6 @@ components:
         impersonation:
           type: boolean
           description: Globally enable/disable impersonation.
-        impersonation_require_reason:
-          type: boolean
-          description: Require administrators to provide a reason for impersonating
-            a user.
         default_token_duration:
           type: string
           description: Default token duration
@@ -53847,10 +53825,6 @@ components:
         impersonation:
           type: boolean
           description: Globally enable/disable impersonation.
-        impersonation_require_reason:
-          type: boolean
-          description: Require administrators to provide a reason for impersonating
-            a user.
         default_token_duration:
           type: string
           minLength: 1
@@ -54707,10 +54681,6 @@ components:
           $ref: '#/components/schemas/ProviderModelEnum'
         provider:
           $ref: '#/components/schemas/modelRequest'
-        policy_bindings:
-          type: array
-          items:
-            $ref: '#/components/schemas/TransactionPolicyBindingRequest'
       required:
       - app
       - provider
@@ -54728,41 +54698,6 @@ components:
       required:
       - applied
       - logs
-    TransactionPolicyBindingRequest:
-      type: object
-      description: PolicyBindingSerializer which does not require target as target
-        is set implicitly
-      properties:
-        policy:
-          type: string
-          format: uuid
-          nullable: true
-        group:
-          type: string
-          format: uuid
-          nullable: true
-        user:
-          type: integer
-          nullable: true
-        negate:
-          type: boolean
-          description: Negates the outcome of the policy. Messages are unaffected.
-        enabled:
-          type: boolean
-        order:
-          type: integer
-          maximum: 2147483647
-          minimum: -2147483648
-        timeout:
-          type: integer
-          maximum: 2147483647
-          minimum: 0
-          description: Timeout after which Policy execution is terminated.
-        failure_result:
-          type: boolean
-          description: Result if the Policy execution fails.
-      required:
-      - order
     TypeCreate:
       type: object
       description: Types of an object that can be created

scripts/generate_config.py

@@ -12,6 +12,9 @@ with open("local.env.yml", "w", encoding="utf-8") as _config:
             "secret_key": generate_id(),
             "postgresql": {
                 "user": "postgres",
+                "read_replicas": {
+                    "0": {},
+                },
             },
             "outposts": {
                 "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",

web/lit-localize.json

@@ -6,7 +6,6 @@
         "de",
         "es",
         "fr",
-        "it",
         "ko",
         "nl",
         "pl",

web/src/admin/admin-settings/AdminSettingsForm.ts

@@ -208,13 +208,6 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 help=${msg("Globally enable/disable impersonation.")}
             >
             </ak-switch-input>
-            <ak-switch-input
-                name="impersonationRequireReason"
-                label=${msg("Require reason for impersonation")}
-                ?checked="${this._settings?.impersonationRequireReason}"
-                help=${msg("Require administrators to provide a reason for impersonating a user.")}
-            >
-            </ak-switch-input>
             <ak-text-input
                 name="defaultTokenDuration"
                 label=${msg("Default token duration")}

web/src/admin/applications/ApplicationListPage.ts

@@ -2,7 +2,6 @@ import "@goauthentik/admin/applications/ApplicationForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import MDApplication from "@goauthentik/docs/add-secure-apps/applications/index.md";
 import "@goauthentik/elements/AppIcon.js";
-import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import "@goauthentik/elements/Markdown";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
@@ -13,7 +12,7 @@ import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { msg, str } from "@lit/localize";
+import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
@@ -41,7 +40,7 @@ export const applicationListStyle = css`
 `;
 
 @customElement("ak-application-list")
-export class ApplicationListPage extends WithBrandConfig(TablePage<Application>) {
+export class ApplicationListPage extends TablePage<Application> {
     searchEnabled(): boolean {
         return true;
     }
@@ -50,7 +49,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
     }
     pageDescription(): string {
         return msg(
-            str`External applications that use ${this.brand.brandingTitle || "authentik"} as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.`,
+            "External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.",
         );
     }
     pageIcon(): string {

web/src/admin/applications/wizard/commit/ak-application-wizard-commit-application.ts

@@ -25,7 +25,6 @@ import {
     type TransactionApplicationRequest,
     type TransactionApplicationResponse,
     ValidationError,
-    instanceOfValidationError,
 } from "@goauthentik/api";
 
 import BasePanel from "../BasePanel";
@@ -70,9 +69,6 @@ const successState: State = {
     icon: ["fa-check-circle", "pf-m-success"],
 };
 
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-const isValidationError = (v: any): v is ValidationError => instanceOfValidationError(v);
-
 @customElement("ak-application-wizard-commit-application")
 export class ApplicationWizardCommitApplication extends BasePanel {
     static get styles() {
@@ -138,25 +134,10 @@ export class ApplicationWizardCommitApplication extends BasePanel {
             // eslint-disable-next-line @typescript-eslint/no-explicit-any
             .catch(async (resolution: any) => {
                 const errors = await parseAPIError(resolution);
-
-                // THIS is a really gross special case; if the user is duplicating the name of an
-                // existing provider, the error appears on the `app` (!) error object. We have to
-                // move that to the `provider.name` error field so it shows up in the right place.
-                if (isValidationError(errors) && Array.isArray(errors?.app?.provider)) {
-                    const providerError = errors.app.provider;
-                    errors.provider = errors.provider ?? {};
-                    errors.provider.name = providerError;
-                    delete errors.app.provider;
-                    if (Object.keys(errors.app).length === 0) {
-                        delete errors.app;
-                    }
-                }
-
-                this.errors = errors;
                 this.dispatchWizardUpdate({
                     update: {
                         ...this.wizard,
-                        errors: this.errors,
+                        errors,
                     },
                     status: "failed",
                 });

web/src/admin/applications/wizard/methods/ldap/ak-application-wizard-authentication-by-ldap.ts

@@ -71,7 +71,6 @@ export class ApplicationWizardApplicationDetails extends WithBrandConfig(BasePro
                         flowType=${FlowsInstancesListDesignationEnum.Invalidation}
                         .currentFlow=${provider?.invalidationFlow}
                         .brandFlow=${this.brand.flowInvalidation}
-                        defaultFlowSlug="default-invalidation-flow"
                         required
                     ></ak-branded-flow-search>
                     <p class="pf-c-form__helper-text">${msg("Flow used for unbinding users.")}</p>

web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts

@@ -86,7 +86,7 @@ export class ApplicationWizardAuthenticationByRadius extends WithBrandConfig(Bas
                             <ak-flow-search
                                 flowType=${FlowsInstancesListDesignationEnum.Invalidation}
                                 .currentFlow=${provider?.invalidationFlow}
-                                defaultFlowSlug="default-invalidation-flow"
+                                defaultFlowSlug="default-provider-invalidation-flow"
                                 required
                             ></ak-flow-search>
                             <p class="pf-c-form__helper-text">

web/src/admin/groups/RelatedUserList.ts

@@ -1,11 +1,9 @@
 import "@goauthentik/admin/users/ServiceAccountForm";
 import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserForm";
-import "@goauthentik/admin/users/UserImpersonateForm";
 import "@goauthentik/admin/users/UserPasswordForm";
 import "@goauthentik/admin/users/UserResetEmailForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { PFSize } from "@goauthentik/common/enums.js";
 import { MessageLevel } from "@goauthentik/common/messages";
 import { me } from "@goauthentik/common/users";
 import { getRelativeTime } from "@goauthentik/common/utils";
@@ -215,22 +213,20 @@ export class RelatedUserList extends WithBrandConfig(WithCapabilitiesConfig(Tabl
                 </ak-forms-modal>
                 ${canImpersonate
                     ? html`
-                          <ak-forms-modal size=${PFSize.Medium} id="impersonate-request">
-                              <span slot="submit">${msg("Impersonate")}</span>
-                              <span slot="header">${msg("Impersonate")} ${item.username}</span>
-                              <ak-user-impersonate-form
-                                  slot="form"
-                                  .instancePk=${item.pk}
-                              ></ak-user-impersonate-form>
-                              <button slot="trigger" class="pf-c-button pf-m-tertiary">
-                                  <pf-tooltip
-                                      position="top"
-                                      content=${msg("Temporarily assume the identity of this user")}
+                          <ak-action-button
+                              class="pf-m-tertiary"
+                              .apiRequest=${() => {
+                                  return new CoreApi(DEFAULT_CONFIG)
+                                      .coreUsersImpersonateCreate({
+                                          id: item.pk,
+                                      })
+                                      .then(() => {
+                                          window.location.href = "/";
+                                      });
+                              }}
                           >
-                                      <span>${msg("Impersonate")}</span>
-                                  </pf-tooltip>
-                              </button>
-                          </ak-forms-modal>
+                              ${msg("Impersonate")}
+                          </ak-action-button>
                       `
                     : html``}`,
         ];

web/src/admin/providers/ldap/LDAPProviderForm.ts

@@ -157,7 +157,6 @@ export class LDAPProviderFormPage extends WithBrandConfig(BaseProviderForm<LDAPP
                             flowType=${FlowsInstancesListDesignationEnum.Invalidation}
                             .currentFlow=${this.instance?.invalidationFlow}
                             .brandFlow=${this.brand.flowInvalidation}
-                            defaultFlowSlug="default-invalidation-flow"
                             required
                         ></ak-branded-flow-search>
                         <p class="pf-c-form__helper-text">

web/src/admin/providers/radius/RadiusProviderForm.ts

@@ -176,7 +176,7 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<Rad
                         <ak-flow-search
                             flowType=${FlowsInstancesListDesignationEnum.Invalidation}
                             .currentFlow=${this.instance?.invalidationFlow}
-                            defaultFlowSlug="default-invalidation-flow"
+                            defaultFlowSlug="default-provider-invalidation-flow"
                             required
                         ></ak-flow-search>
                         <p class="pf-c-form__helper-text">

web/src/admin/users/UserForm.ts

@@ -20,9 +20,6 @@ export class UserForm extends ModelForm<User, number> {
     @property({ attribute: false })
     group?: Group;
 
-    @property()
-    defaultPath: string = "users";
-
     static get defaultUserAttributes(): { [key: string]: unknown } {
         return {};
     }
@@ -175,7 +172,7 @@ export class UserForm extends ModelForm<User, number> {
             <ak-form-element-horizontal label=${msg("Path")} ?required=${true} name="path">
                 <input
                     type="text"
-                    value="${first(this.instance?.path, this.defaultPath)}"
+                    value="${first(this.instance?.path, "users")}"
                     class="pf-c-form-control"
                     required
                 />

web/src/admin/users/UserImpersonateForm.ts

@@ -1,40 +0,0 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-text-input";
-import { Form } from "@goauthentik/elements/forms/Form";
-
-import { msg } from "@lit/localize";
-import { TemplateResult, html } from "lit";
-import { customElement, property } from "lit/decorators.js";
-
-import { CoreApi, ImpersonationRequest } from "@goauthentik/api";
-
-@customElement("ak-user-impersonate-form")
-export class UserImpersonateForm extends Form<ImpersonationRequest> {
-    @property({ type: Number })
-    instancePk?: number;
-
-    async send(data: ImpersonationRequest): Promise<void> {
-        return new CoreApi(DEFAULT_CONFIG)
-            .coreUsersImpersonateCreate({
-                id: this.instancePk || 0,
-                impersonationRequest: data,
-            })
-            .then(() => {
-                window.location.href = "/";
-            });
-    }
-
-    renderForm(): TemplateResult {
-        return html`<ak-text-input
-            name="reason"
-            label=${msg("Reason")}
-            help=${msg("Reason for impersonating the user")}
-        ></ak-text-input>`;
-    }
-}
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-user-impersonate-form": UserImpersonateForm;
-    }
-}

web/src/admin/users/UserListPage.ts

@@ -2,7 +2,6 @@ import { AdminInterface } from "@goauthentik/admin/AdminInterface";
 import "@goauthentik/admin/users/ServiceAccountForm";
 import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserForm";
-import "@goauthentik/admin/users/UserImpersonateForm";
 import "@goauthentik/admin/users/UserPasswordForm";
 import "@goauthentik/admin/users/UserResetEmailForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
@@ -267,22 +266,20 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
                 </ak-forms-modal>
                 ${canImpersonate
                     ? html`
-                          <ak-forms-modal size=${PFSize.Medium} id="impersonate-request">
-                              <span slot="submit">${msg("Impersonate")}</span>
-                              <span slot="header">${msg("Impersonate")} ${item.username}</span>
-                              <ak-user-impersonate-form
-                                  slot="form"
-                                  .instancePk=${item.pk}
-                              ></ak-user-impersonate-form>
-                              <button slot="trigger" class="pf-c-button pf-m-tertiary">
-                                  <pf-tooltip
-                                      position="top"
-                                      content=${msg("Temporarily assume the identity of this user")}
+                          <ak-action-button
+                              class="pf-m-tertiary"
+                              .apiRequest=${() => {
+                                  return new CoreApi(DEFAULT_CONFIG)
+                                      .coreUsersImpersonateCreate({
+                                          id: item.pk,
+                                      })
+                                      .then(() => {
+                                          window.location.href = "/";
+                                      });
+                              }}
                           >
-                                      <span>${msg("Impersonate")}</span>
-                                  </pf-tooltip>
-                              </button>
-                          </ak-forms-modal>
+                              ${msg("Impersonate")}
+                          </ak-action-button>
                       `
                     : html``}`,
         ];
@@ -395,7 +392,7 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
             <ak-forms-modal>
                 <span slot="submit"> ${msg("Create")} </span>
                 <span slot="header"> ${msg("Create User")} </span>
-                <ak-user-form defaultPath=${this.activePath} slot="form"> </ak-user-form>
+                <ak-user-form slot="form"> </ak-user-form>
                 <button slot="trigger" class="pf-c-button pf-m-primary">${msg("Create")}</button>
             </ak-forms-modal>
             <ak-forms-modal .closeAfterSuccessfulSubmit=${false} .cancelText=${msg("Close")}>
@@ -417,9 +414,6 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
                     <ak-treeview
                         .items=${this.userPaths?.paths || []}
                         activePath=${this.activePath}
-                        @ak-refresh=${(ev: CustomEvent<{ path: string }>) => {
-                            this.activePath = ev.detail.path;
-                        }}
                     ></ak-treeview>
                 </div>
             </div>

web/src/admin/users/UserViewPage.ts

@@ -5,7 +5,6 @@ import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserApplicationTable";
 import "@goauthentik/admin/users/UserChart";
 import "@goauthentik/admin/users/UserForm";
-import "@goauthentik/admin/users/UserImpersonateForm";
 import {
     renderRecoveryEmailRequest,
     requestRecoveryLink,
@@ -209,22 +208,26 @@ export class UserViewPage extends WithCapabilitiesConfig(AKElement) {
             </ak-user-active-form>
             ${canImpersonate
                 ? html`
-                      <ak-forms-modal size=${PFSize.Medium} id="impersonate-request">
-                          <span slot="submit">${msg("Impersonate")}</span>
-                          <span slot="header">${msg("Impersonate")} ${user.username}</span>
-                          <ak-user-impersonate-form
-                              slot="form"
-                              .instancePk=${user.pk}
-                          ></ak-user-impersonate-form>
-                          <button slot="trigger" class="pf-c-button pf-m-secondary pf-m-block">
+                      <ak-action-button
+                          class="pf-m-secondary pf-m-block"
+                          id="impersonate-user-button"
+                          .apiRequest=${() => {
+                              return new CoreApi(DEFAULT_CONFIG)
+                                  .coreUsersImpersonateCreate({
+                                      id: user.pk,
+                                  })
+                                  .then(() => {
+                                      window.location.href = "/";
+                                  });
+                          }}
+                      >
                           <pf-tooltip
                               position="top"
                               content=${msg("Temporarily assume the identity of this user")}
                           >
-                                  <span>${msg("Impersonate")}</span>
+                              ${msg("Impersonate")}
                           </pf-tooltip>
-                          </button>
-                      </ak-forms-modal>
+                      </ak-action-button>
                   `
                 : nothing}
         </div> `;

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.10.2";
+export const VERSION = "2024.10.4";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/elements/TreeView.ts

@@ -89,9 +89,6 @@ export class TreeViewNode extends AKElement {
                                 new CustomEvent(EVENT_REFRESH, {
                                     bubbles: true,
                                     composed: true,
-                                    detail: {
-                                        path: this.fullPath,
-                                    },
                                 }),
                             );
                         }}

web/src/elements/ak-locale-context/definitions.ts

@@ -42,19 +42,18 @@ const debug: LocaleRow = [
 
 // prettier-ignore
 const LOCALE_TABLE: LocaleRow[] = [
-    ["de",      /^de([_-]|$)/i,      () => msg("German"),                async () => await import("@goauthentik/locales/de")],
     ["en",      /^en([_-]|$)/i,      () => msg("English"),               async () => await import("@goauthentik/locales/en")],
     ["es",      /^es([_-]|$)/i,      () => msg("Spanish"),               async () => await import("@goauthentik/locales/es")],
+    ["de",      /^de([_-]|$)/i,      () => msg("German"),                async () => await import("@goauthentik/locales/de")],
     ["fr",      /^fr([_-]|$)/i,      () => msg("French"),                async () => await import("@goauthentik/locales/fr")],
-    ["it",      /^it([_-]|$)/i,      () => msg("Italian"),               async () => await import("@goauthentik/locales/it")],
     ["ko",      /^ko([_-]|$)/i,      () => msg("Korean"),                async () => await import("@goauthentik/locales/ko")],
     ["nl",      /^nl([_-]|$)/i,      () => msg("Dutch"),                 async () => await import("@goauthentik/locales/nl")],
     ["pl",      /^pl([_-]|$)/i,      () => msg("Polish"),                async () => await import("@goauthentik/locales/pl")],
     ["ru",      /^ru([_-]|$)/i,      () => msg("Russian"),               async () => await import("@goauthentik/locales/ru")],
     ["tr",      /^tr([_-]|$)/i,      () => msg("Turkish"),               async () => await import("@goauthentik/locales/tr")],
+    ["zh-Hant", /^zh[_-](HK|Hant)/i, () => msg("Chinese (traditional)"), async () => await import("@goauthentik/locales/zh-Hant")],
     ["zh_TW",   /^zh[_-]TW$/i,       () => msg("Taiwanese Mandarin"),    async () => await import("@goauthentik/locales/zh_TW")],
     ["zh-Hans", /^zh(\b|_)/i,        () => msg("Chinese (simplified)"),  async () => await import("@goauthentik/locales/zh-Hans")],
-    ["zh-Hant", /^zh[_-](HK|Hant)/i, () => msg("Chinese (traditional)"), async () => await import("@goauthentik/locales/zh-Hant")],
     debug
 ];
 

web/src/flow/FlowExecutor.ts

@@ -5,14 +5,15 @@ import {
     TITLE_DEFAULT,
 } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
+import { purify } from "@goauthentik/common/purify";
 import { configureSentry } from "@goauthentik/common/sentry";
+import { first } from "@goauthentik/common/utils";
 import { WebsocketClient } from "@goauthentik/common/ws";
 import { Interface } from "@goauthentik/elements/Interface";
 import "@goauthentik/elements/LoadingOverlay";
 import "@goauthentik/elements/ak-locale-context";
 import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";
 import { themeImage } from "@goauthentik/elements/utils/images";
-import "@goauthentik/flow/components/ak-brand-footer";
 import "@goauthentik/flow/sources/apple/AppleLoginInit";
 import "@goauthentik/flow/sources/plex/PlexLoginInit";
 import "@goauthentik/flow/stages/FlowErrorStage";
@@ -25,7 +26,6 @@ import { CSSResult, PropertyValues, TemplateResult, css, html, nothing } from "l
 import { customElement, property, state } from "lit/decorators.js";
 import { unsafeHTML } from "lit/directives/unsafe-html.js";
 import { until } from "lit/directives/until.js";
-import { html as staticHtml, unsafeStatic } from "lit/static-html.js";
 
 import PFBackgroundImage from "@patternfly/patternfly/components/BackgroundImage/background-image.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
@@ -49,52 +49,6 @@ import {
     UiThemeEnum,
 } from "@goauthentik/api";
 
-type StageRenderer = {
-    // Provide the lit-element tag if it's different from the challenge.component name
-    tag?: string;
-    // Provide a dynamic import whenever possible; otherwise, make sure you include it in the
-    // build-time imports above.
-    import?: () => Promise<unknown>;
-};
-type StageRenderers = { [key: string]: StageRenderer };
-
-// authentik's standard stages and the Lit components that handle them. A "standard stage" conforms
-// to an API that takes two properties:
-// `.host=${host: StageHost} .challenge=${challenge: ChallengeTypes}`
-// Exceptions are handled in a switch/case statement below the renderer for these.
-
-// All of that `async () => await import("@goauthentik/flow/...")` boilerplate cannot be abstracted
-// away because [import is not a function](https://v8.dev/features/dynamic-import), it is a
-// _statement_, and its contents are statically analyzed by bundlers, compilers, and the V8
-// interpreter.
-
-// Prettier ignore to keep the table looking like a table:
-// prettier-ignore
-const allStages: StageRenderers = {
-    "ak-stage-access-denied": { import: async () => await import("@goauthentik/flow/stages/access_denied/AccessDeniedStage") },
-    "ak-stage-identification": { import: async () => await import("@goauthentik/flow/stages/identification/IdentificationStage") },
-    "ak-stage-password": { import: async () => await import("@goauthentik/flow/stages/password/PasswordStage") },
-    "ak-stage-captcha": { import: async () => await import("@goauthentik/flow/stages/captcha/CaptchaStage") },
-    "ak-stage-consent": { import: async () => await import("@goauthentik/flow/stages/consent/ConsentStage") },
-    "ak-stage-dummy": { import: async () => await import("@goauthentik/flow/stages/dummy/DummyStage") },
-    "ak-stage-email": { import: async () => await import("@goauthentik/flow/stages/email/EmailStage") },
-    "ak-stage-autosubmit": { import: async () => await import("@goauthentik/flow/stages/autosubmit/AutosubmitStage") },
-    "ak-stage-prompt": { import: async () => await import("@goauthentik/flow/stages/prompt/PromptStage") },
-    "ak-stage-authenticator-totp": { import: async () => await import("@goauthentik/flow/stages/authenticator_totp/AuthenticatorTOTPStage") },
-    "ak-stage-authenticator-duo": { import: async () => await import("@goauthentik/flow/stages/authenticator_duo/AuthenticatorDuoStage") },
-    "ak-stage-authenticator-static": { import: async () => await import("@goauthentik/flow/stages/authenticator_static/AuthenticatorStaticStage") },
-    "ak-stage-authenticator-webauthn": { },
-    "ak-stage-authenticator-sms": { import: async () => await import("@goauthentik/flow/stages/authenticator_sms/AuthenticatorSMSStage") },
-    "ak-stage-authenticator-validate": { import: async () => await import("@goauthentik/flow/stages/authenticator_validate/AuthenticatorValidateStage") },
-    "ak-stage-user-login": { import: async () => await import("@goauthentik/flow/stages/user_login/UserLoginStage") },
-    "ak-source-plex": { tag: "ak-flow-source-plex" },
-    "ak-source-oauth-apple": { tag: "ak-flow-source-oauth-apple" },
-    "ak-provider-oauth2-device-code": { tag: "ak-flow-provider-oauth2-code", import: async () => await import("@goauthentik/flow/providers/oauth2/DeviceCode") },
-    "ak-provider-oauth2-device-code-finish": { tag: "ak-flow-provider-oauth2-code-finish", import: async () => await import("@goauthentik/flow/providers/oauth2/DeviceCodeFinish") },
-    "ak-stage-session-end": { import: async () => await import("@goauthentik/flow/providers/SessionEnd") },
-    "ak-stage-flow-error": { },
-} as const;
-
 @customElement("ak-flow-executor")
 export class FlowExecutor extends Interface implements StageHost {
     @property()
@@ -345,21 +299,142 @@ export class FlowExecutor extends Interface implements StageHost {
         if (!this.challenge) {
             return html`<ak-empty-state loading> </ak-empty-state>`;
         }
-        const stage = allStages[this.challenge.component];
-        if (stage) {
-            if (stage.import) {
-                await stage.import();
-            }
-            const tag = stage.tag ?? this.challenge.component;
-            // Prettier doesn't know what `staticHTML` is, will try to format it by
-            // prettier-ignore
-            return staticHtml`<${unsafeStatic(tag)}
+        switch (this.challenge?.component) {
+            case "ak-stage-access-denied":
+                await import("@goauthentik/flow/stages/access_denied/AccessDeniedStage");
+                return html`<ak-stage-access-denied
                     .host=${this as StageHost}
                     .challenge=${this.challenge}
-            ></${unsafeStatic(tag)}>`;
-        }
-
-        switch (this.challenge?.component) {
+                ></ak-stage-access-denied>`;
+            case "ak-stage-identification":
+                await import("@goauthentik/flow/stages/identification/IdentificationStage");
+                return html`<ak-stage-identification
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-identification>`;
+            case "ak-stage-password":
+                await import("@goauthentik/flow/stages/password/PasswordStage");
+                return html`<ak-stage-password
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-password>`;
+            case "ak-stage-captcha":
+                await import("@goauthentik/flow/stages/captcha/CaptchaStage");
+                return html`<ak-stage-captcha
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-captcha>`;
+            case "ak-stage-consent":
+                await import("@goauthentik/flow/stages/consent/ConsentStage");
+                return html`<ak-stage-consent
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-consent>`;
+            case "ak-stage-dummy":
+                await import("@goauthentik/flow/stages/dummy/DummyStage");
+                return html`<ak-stage-dummy
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-dummy>`;
+            case "ak-stage-email":
+                await import("@goauthentik/flow/stages/email/EmailStage");
+                return html`<ak-stage-email
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-email>`;
+            case "ak-stage-autosubmit":
+                await import("@goauthentik/flow/stages/autosubmit/AutosubmitStage");
+                return html`<ak-stage-autosubmit
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-autosubmit>`;
+            case "ak-stage-prompt":
+                await import("@goauthentik/flow/stages/prompt/PromptStage");
+                return html`<ak-stage-prompt
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-prompt>`;
+            case "ak-stage-authenticator-totp":
+                await import("@goauthentik/flow/stages/authenticator_totp/AuthenticatorTOTPStage");
+                return html`<ak-stage-authenticator-totp
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-authenticator-totp>`;
+            case "ak-stage-authenticator-duo":
+                await import("@goauthentik/flow/stages/authenticator_duo/AuthenticatorDuoStage");
+                return html`<ak-stage-authenticator-duo
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-authenticator-duo>`;
+            case "ak-stage-authenticator-static":
+                await import(
+                    "@goauthentik/flow/stages/authenticator_static/AuthenticatorStaticStage"
+                );
+                return html`<ak-stage-authenticator-static
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-authenticator-static>`;
+            case "ak-stage-authenticator-webauthn":
+                return html`<ak-stage-authenticator-webauthn
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-authenticator-webauthn>`;
+            case "ak-stage-authenticator-sms":
+                await import("@goauthentik/flow/stages/authenticator_sms/AuthenticatorSMSStage");
+                return html`<ak-stage-authenticator-sms
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-authenticator-sms>`;
+            case "ak-stage-authenticator-validate":
+                await import(
+                    "@goauthentik/flow/stages/authenticator_validate/AuthenticatorValidateStage"
+                );
+                return html`<ak-stage-authenticator-validate
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-authenticator-validate>`;
+            case "ak-stage-user-login":
+                await import("@goauthentik/flow/stages/user_login/UserLoginStage");
+                return html`<ak-stage-user-login
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-user-login>`;
+            // Sources
+            case "ak-source-plex":
+                return html`<ak-flow-source-plex
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-flow-source-plex>`;
+            case "ak-source-oauth-apple":
+                return html`<ak-flow-source-oauth-apple
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-flow-source-oauth-apple>`;
+            // Providers
+            case "ak-provider-oauth2-device-code":
+                await import("@goauthentik/flow/providers/oauth2/DeviceCode");
+                return html`<ak-flow-provider-oauth2-code
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-flow-provider-oauth2-code>`;
+            case "ak-provider-oauth2-device-code-finish":
+                await import("@goauthentik/flow/providers/oauth2/DeviceCodeFinish");
+                return html`<ak-flow-provider-oauth2-code-finish
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-flow-provider-oauth2-code-finish>`;
+            case "ak-stage-session-end":
+                await import("@goauthentik/flow/providers/SessionEnd");
+                return html`<ak-stage-session-end
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-session-end>`;
+            // Internal stages
+            case "ak-stage-flow-error":
+                return html`<ak-stage-flow-error
+                    .host=${this as StageHost}
+                    .challenge=${this.challenge}
+                ></ak-stage-flow-error>`;
             case "xak-flow-redirect":
                 return html`<ak-stage-redirect
                     .host=${this as StageHost}
@@ -429,9 +504,11 @@ export class FlowExecutor extends Interface implements StageHost {
                                             >
                                                 <img
                                                     src="${themeImage(
-                                                        this.brand?.brandingLogo ??
-                                                            globalAK()?.brand.brandingLogo ??
+                                                        first(
+                                                            this.brand?.brandingLogo,
+                                                            globalAK()?.brand.brandingLogo,
                                                             DefaultBrand.brandingLogo,
+                                                        ),
                                                     )}"
                                                     alt="authentik Logo"
                                                 />
@@ -439,9 +516,25 @@ export class FlowExecutor extends Interface implements StageHost {
                                             ${until(this.renderChallenge())}
                                         </div>
                                         <footer class="pf-c-login__footer">
-                                            <ak-brand-links
-                                                .links=${this.brand?.uiFooterLinks ?? []}
-                                            ></ak-brand-links>
+                                            <ul class="pf-c-list pf-m-inline">
+                                                ${this.brand?.uiFooterLinks?.map((link) => {
+                                                    if (link.href) {
+                                                        return html`${purify(
+                                                            html`<li>
+                                                                <a href="${link.href}"
+                                                                    >${link.name}</a
+                                                                >
+                                                            </li>`,
+                                                        )}`;
+                                                    }
+                                                    return html`<li>
+                                                        <span>${link.name}</span>
+                                                    </li>`;
+                                                })}
+                                                <li>
+                                                    <span>${msg("Powered by authentik")}</span>
+                                                </li>
+                                            </ul>
                                         </footer>
                                     </div>
                                 </div>

web/src/flow/components/ak-brand-footer.ts

@@ -1,51 +0,0 @@
-import { purify } from "@goauthentik/common/purify";
-import { AKElement } from "@goauthentik/elements/Base.js";
-
-import { msg } from "@lit/localize";
-import { css, html } from "lit";
-import { customElement, property } from "lit/decorators.js";
-import { map } from "lit/directives/map.js";
-
-import PFList from "@patternfly/patternfly/components/List/list.css";
-import PFBase from "@patternfly/patternfly/patternfly-base.css";
-
-import { FooterLink } from "@goauthentik/api";
-
-const styles = css`
-    .pf-c-list a {
-        color: unset;
-    }
-    ul.pf-c-list.pf-m-inline {
-        justify-content: center;
-        padding: calc(var(--pf-global--spacer--xs) / 2) 0px;
-    }
-`;
-
-const salesMark: FooterLink = { name: msg("Powered by authentik"), href: "" };
-
-@customElement("ak-brand-links")
-export class BrandLinks extends AKElement {
-    static get styles() {
-        return [PFBase, PFList, styles];
-    }
-
-    @property({ type: Array, attribute: false })
-    links: FooterLink[] = [];
-
-    render() {
-        const links = [...(this.links ?? []), salesMark];
-        return html` <ul class="pf-c-list pf-m-inline">
-            ${map(links, (link) =>
-                link.href
-                    ? purify(html`<li><a href="${link.href}">${link.name}</a></li>`)
-                    : html`<li><span>${link.name}</span></li>`,
-            )}
-        </ul>`;
-    }
-}
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-brand-links": BrandLinks;
-    }
-}

web/src/locale-codes.ts

@@ -15,7 +15,6 @@ export const targetLocales = [
   `en`,
   `es`,
   `fr`,
-  `it`,
   `ko`,
   `nl`,
   `pl`,
@@ -37,7 +36,6 @@ export const allLocales = [
   `en`,
   `es`,
   `fr`,
-  `it`,
   `ko`,
   `nl`,
   `pl`,

web/xliff/de.xlf

@@ -5741,6 +5741,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
 </trans-unit>
@@ -5816,6 +5819,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfc31264ef7ff86ef">
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
 </trans-unit>
@@ -5960,6 +5966,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s38e7cd1a24e70faa">
   <source>Create Endpoint</source>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
 </trans-unit>
@@ -6214,6 +6223,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sd176021da2ea0fe3">
   <source>Selected Applications</source>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
 </trans-unit>
@@ -7008,51 +7020,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -6006,6 +6006,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
 </trans-unit>
@@ -6081,6 +6084,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfc31264ef7ff86ef">
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
 </trans-unit>
@@ -6225,6 +6231,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s38e7cd1a24e70faa">
   <source>Create Endpoint</source>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
 </trans-unit>
@@ -6479,6 +6488,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sd176021da2ea0fe3">
   <source>Selected Applications</source>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
 </trans-unit>
@@ -7273,51 +7285,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -5658,6 +5658,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
 </trans-unit>
@@ -5733,6 +5736,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfc31264ef7ff86ef">
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
 </trans-unit>
@@ -5877,6 +5883,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s38e7cd1a24e70faa">
   <source>Create Endpoint</source>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
 </trans-unit>
@@ -6131,6 +6140,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sd176021da2ea0fe3">
   <source>Selected Applications</source>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
 </trans-unit>
@@ -6925,51 +6937,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -7542,6 +7542,10 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Un indice, l'assistant nouvelle application est actuellement caché</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Applications externes qui utilisent authentik comme fournisseur d'identité, en utilisant des protocoles comme OAuth2 et SAML. Toutes les applications sont affichées ici, même celles auxquelles vous n'avez pas accès.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Message de refus</target>
@@ -7642,6 +7646,10 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
   <target>Pour nginx auth_request ou traefik forwardAuth par domaine racine</target>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>RBAC est en aperçu.</target>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
   <target>Type d'utilisateur pour les utilisateurs nouvellement créés.</target>
@@ -7834,6 +7842,10 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <source>Create Endpoint</source>
   <target>Créer un point de terminaison</target>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+  <target>RAC est en aperçu.</target>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
   <target>Mettre à jour le fournisseur RAC</target>
@@ -8176,6 +8188,10 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <source>Selected Applications</source>
   <target>Applications sélectionnées</target>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+  <target>Cette option configure les liens de pied de page sur les pages de l'exécuteur de flux. Doit être une liste YAML ou JSON valide et peut être utilisée comme suit :</target>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
   <target>Utilisé pour la dernière fois</target>
@@ -9232,51 +9248,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -7512,6 +7512,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>힌트, '새 애플리케이션 마법사'는 현재, 숨겨져 있습니다.</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>OAuth2 및 SAML과 같은 프로토콜을 통해 인증서를 ID 공급자로 사용하는 외부 애플리케이션. 액세스할 수 없는 애플리케이션을 포함한 모든 애플리케이션이 여기에 표시됩니다.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>거부 메시지</target>
@@ -7612,6 +7616,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
   <target>루트 도메인 당 Nginx의 auth_request 또는 Traefik의 forwardAuth 경우</target>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>RBAC 는 현재 프리뷰입니다.</target>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
   <target>새로 생성된 사용자에 사용되는 사용자 유형입니다.</target>
@@ -7806,6 +7814,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s38e7cd1a24e70faa">
   <source>Create Endpoint</source>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
 </trans-unit>
@@ -8045,6 +8056,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sd176021da2ea0fe3">
   <source>Selected Applications</source>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
 </trans-unit>
@@ -8839,51 +8853,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -7396,6 +7396,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="sf79f8681e5ffaee2">
   <source>Assign to new user</source>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+</trans-unit>
 <trans-unit id="saabeb4cab074b0b9">
   <source>User Object Permissions</source>
 </trans-unit>
@@ -7483,6 +7486,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s38e7cd1a24e70faa">
   <source>Create Endpoint</source>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
 </trans-unit>
@@ -7495,6 +7501,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s2b1c81130a65a55b">
   <source>Sync currently running.</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="sb35c08e3a541188f">
   <source>Also known as Client ID.</source>
 </trans-unit>
@@ -7893,6 +7902,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="sd176021da2ea0fe3">
   <source>Selected Applications</source>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
 </trans-unit>
@@ -8687,51 +8699,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -7546,6 +7546,10 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Jedna podpowiedź, „Kreator nowej aplikacji”, jest obecnie ukryty</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Aplikacje zewnętrzne, które używają authentik jako dostawcy tożsamości za pośrednictwem protokołów takich jak OAuth2 i SAML. Tutaj wyświetlane są wszystkie aplikacje, nawet te, do których nie masz dostępu.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Komunikat odmowy</target>
@@ -7646,6 +7650,10 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
   <target>Dla nginx's auth_request lub traefik's forwardAuth dla domeny głównej</target>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>RBAC jest w fazie zapoznawczej.</target>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
   <target>Typ użytkownika używany dla nowo utworzonych użytkowników.</target>
@@ -7838,6 +7846,10 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
   <source>Create Endpoint</source>
   <target>Utwórz punkt końcowy</target>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+  <target>RAC jest w fazie zapoznawczej.</target>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
   <target>Aktualizuj dostawcę RAC</target>
@@ -8180,6 +8192,10 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
   <source>Selected Applications</source>
   <target>Wybrane aplikacje</target>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+  <target>Ta opcja konfiguruje linki stopki na stronach wykonawców przepływu. Musi to być prawidłowa lista YAML lub JSON i może być używana w następujący sposób:</target>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
   <target>Ostatnio używany</target>
@@ -9102,51 +9118,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -7490,6 +7490,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Ōńē ĥĩńţ, 'Ńēŵ Àƥƥĺĩćàţĩōń Ŵĩźàŕď', ĩś ćũŕŕēńţĺŷ ĥĩďďēń</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Ēxţēŕńàĺ àƥƥĺĩćàţĩōńś ţĥàţ ũśē àũţĥēńţĩķ àś àń ĩďēńţĩţŷ ƥŕōvĩďēŕ vĩà ƥŕōţōćōĺś ĺĩķē ŌÀũţĥ2 àńď ŚÀḾĹ. Àĺĺ àƥƥĺĩćàţĩōńś àŕē śĥōŵń ĥēŕē, ēvēń ōńēś ŷōũ ćàńńōţ àććēśś.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Ďēńŷ ḿēśśàĝē</target>
@@ -7590,6 +7594,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
   <target>Ƒōŕ ńĝĩńx'ś àũţĥ_ŕēǫũēśţ ōŕ ţŕàēƒĩķ'ś ƒōŕŵàŕďÀũţĥ ƥēŕ ŕōōţ ďōḿàĩń</target>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>ŔßÀĆ ĩś ĩń ƥŕēvĩēŵ.</target>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
   <target>Ũśēŕ ţŷƥē ũśēď ƒōŕ ńēŵĺŷ ćŕēàţēď ũśēŕś.</target>
@@ -7782,6 +7790,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Create Endpoint</source>
   <target>Ćŕēàţē Ēńďƥōĩńţ</target>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+  <target>ŔÀĆ ĩś ĩń ƥŕēvĩēŵ.</target>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
   <target>Ũƥďàţē ŔÀĆ Ƥŕōvĩďēŕ</target>
@@ -8124,6 +8136,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Selected Applications</source>
   <target>Śēĺēćţēď Àƥƥĺĩćàţĩōńś</target>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+  <target>Ţĥĩś ōƥţĩōń ćōńƒĩĝũŕēś ţĥē ƒōōţēŕ ĺĩńķś ōń ţĥē ƒĺōŵ ēxēćũţōŕ ƥàĝēś. Ĩţ ḿũśţ ƀē à vàĺĩď ŶÀḾĹ ōŕ ĵŚŌŃ ĺĩśţ àńď ćàń ƀē ũśēď àś ƒōĺĺōŵś:</target>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
   <target>Ĺàśţ ũśēď</target>
@@ -9142,49 +9158,4 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
 </trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-</trans-unit>
 </body></file></xliff>

web/xliff/ru.xlf

@@ -7545,6 +7545,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Одна подсказка, "Мастер создания нового приложения", в настоящее время скрыта</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Внешние приложения, использующие authentik в качестве поставщика идентификационных данных по таким протоколам, как OAuth2 и SAML. Здесь показаны все приложения, даже те, к которым вы не можете получить доступ.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Запретить сообщение</target>
@@ -7645,6 +7649,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
   <target>Для nginx's auth_request или traefik's forwardAuth для корневого домена</target>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>RBAC находится в предварительной версии.</target>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
   <target>Тип пользователя, используемый для вновь созданных пользователей.</target>
@@ -7837,6 +7845,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Create Endpoint</source>
   <target>Создать конечную точку</target>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+  <target>RAC находится в предварительной версии.</target>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
   <target>Обновить RAC провайдера</target>
@@ -8179,6 +8191,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Selected Applications</source>
   <target>Выбранные приложения</target>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+  <target>Этот параметр настраивает ссылки нижнего колонтитула на страницах исполнителей потока. Это должен быть корректный YAML или JSON, который можно использовать следующим образом:</target>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
   <target>Послед. использование</target>
@@ -9165,51 +9181,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -1375,6 +1375,9 @@
 <trans-unit id="s9fb28be12e2c6317">
   <source>Superuser</source>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+</trans-unit>
 <trans-unit id="sa1db89262360550b">
   <source>Send us feedback!</source>
 </trans-unit>
@@ -1911,6 +1914,9 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s38e7cd1a24e70faa">
   <source>Create Endpoint</source>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
 </trans-unit>
@@ -1989,6 +1995,9 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s6ba50bb0842ba1e2">
   <source>Applications</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s96b2fefc550e4b1c">
   <source>Provider Type</source>
 </trans-unit>
@@ -5062,6 +5071,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sd176021da2ea0fe3">
   <source>Selected Applications</source>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
 </trans-unit>
@@ -5857,51 +5869,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
 </trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -7544,6 +7544,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>“新应用程序向导”提示目前已隐藏</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>通过 OAuth2 和 SAML 等协议，使用 authentik 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>拒绝消息</target>
@@ -7644,6 +7648,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
   <target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>RBAC 目前处于预览状态。</target>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
   <target>新创建用户使用的用户类型。</target>
@@ -7836,6 +7844,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Create Endpoint</source>
   <target>创建端点</target>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+  <target>RAC 目前处于预览状态。</target>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
   <target>更新 RAC 提供程序</target>
@@ -8178,6 +8190,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Selected Applications</source>
   <target>已选应用</target>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+  <target>此选项配置流程执行器页面上的页脚链接。必须为有效的 YAML 或 JSON 列表，可以使用以下值：</target>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
   <target>上次使用</target>
@@ -9112,190 +9128,99 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sbfee780fa0a2c83e">
   <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be deleted</source>
-  <target>设备类型 <x id="0" equiv-text="${device.verboseName}"/> 无法被删除</target>
 </trans-unit>
 <trans-unit id="s336936629cdeb3e5">
   <source>Stage used to verify users' browsers using Google Chrome Device Trust. This stage can be used in authentication/authorization flows.</source>
-  <target>通过 Google Chrome 设备信任来验证用户浏览器的阶段。此阶段可在身份验证/授权流程中使用。</target>
 </trans-unit>
 <trans-unit id="s85fe794c71b4ace8">
   <source>Google Verified Access API</source>
-  <target>Google Verified Access API</target>
 </trans-unit>
 <trans-unit id="s013620384af7c8b4">
   <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
-  <target>设备类型 <x id="0" equiv-text="${device.verboseName}"/> 无法被编辑</target>
 </trans-unit>
 <trans-unit id="s4347135696fc7cde">
   <source>Advanced flow settings</source>
-  <target>高级流程设置</target>
 </trans-unit>
 <trans-unit id="sf52ff57fd136cc2f">
   <source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
-  <target>启用此选项会将 authentik 作出的密码修改写入回 Kerberos。如果未启用同步则忽略。</target>
 </trans-unit>
 <trans-unit id="s14a16542f956e11d">
   <source>Realm settings</source>
-  <target>领域设置</target>
 </trans-unit>
 <trans-unit id="s9c2eae548d3c1c30">
   <source>Realm</source>
-  <target>领域</target>
 </trans-unit>
 <trans-unit id="s6b032212997e2491">
   <source>Kerberos 5 configuration</source>
-  <target>Kerberos 5 配置</target>
 </trans-unit>
 <trans-unit id="sbf50181022f47de3">
   <source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
-  <target>Kerberos 5 配置。请阅读 man krb5.conf(5) 了解配置格式。如果留空，则使用默认的 krb5.conf。</target>
 </trans-unit>
 <trans-unit id="s2386539a0bd62fab">
   <source>Sync connection settings</source>
-  <target>同步连接设置</target>
 </trans-unit>
 <trans-unit id="s0d1a6f3fe81351f8">
   <source>Sync principal</source>
-  <target>同步主体</target>
 </trans-unit>
 <trans-unit id="sa691d6e1974295fa">
   <source>Principal used to authenticate to the KDC for syncing.</source>
-  <target>向 KDC 进行身份验证以进行同步的主体。</target>
 </trans-unit>
 <trans-unit id="s977b9c629eed3d33">
   <source>Sync password</source>
-  <target>同步密码</target>
 </trans-unit>
 <trans-unit id="s77772860385de948">
   <source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
-  <target>向 KDC 进行身份验证以进行同步的密码。如果提供了同步 Keytab 或同步凭据缓存，则此选项是可选的。</target>
 </trans-unit>
 <trans-unit id="sc59ec59c3d5e74dc">
   <source>Sync keytab</source>
-  <target>同步 Keytab</target>
 </trans-unit>
 <trans-unit id="scd42997958453f05">
   <source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
-  <target>向 KDC 进行身份验证以进行同步的 Keytab。如果提供了同步密码或同步凭据缓存，则此选项是可选的。必须以 Base64 编码，或者形式为 TYPE:residual。</target>
 </trans-unit>
 <trans-unit id="s60eaf439ccdca1f2">
   <source>Sync credentials cache</source>
-  <target>同步凭据缓存</target>
 </trans-unit>
 <trans-unit id="s95722900b0c9026f">
   <source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
-  <target>向 KDC 进行身份验证以进行同步的凭据缓存。如果提供了同步密码或同步 Keytab，则此选项是可选的。形式必须为 TYPE:residual。</target>
 </trans-unit>
 <trans-unit id="sf9c055db98d7994a">
   <source>SPNEGO settings</source>
-  <target>SPNEGO 设置</target>
 </trans-unit>
 <trans-unit id="sab580a45dc46937f">
   <source>SPNEGO server name</source>
-  <target>SPNEGO 服务器名称</target>
 </trans-unit>
 <trans-unit id="s7a79d6174d17ab2d">
   <source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
-  <target>强制为 SPNEGO 使用特定服务器名称。形式必须为 HTTP@域名</target>
 </trans-unit>
 <trans-unit id="sa4ba2b2081472ccd">
   <source>SPNEGO keytab</source>
-  <target>SPNEGO Keytab</target>
 </trans-unit>
 <trans-unit id="s64adda975c1106c0">
   <source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
-  <target>SPNEGO 使用的 Keytab。如果提供了 SPNEGO 凭据缓存，则此选项是可选的。必须以 Base64 编码，或者形式为 TYPE:residual。</target>
 </trans-unit>
 <trans-unit id="s92247825b92587b5">
   <source>SPNEGO credentials cache</source>
-  <target>SPNEGO 凭据缓存</target>
 </trans-unit>
 <trans-unit id="sd9757c345e4062f8">
   <source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
-  <target>SPNEGO 使用的凭据缓存。如果提供了 SPNEGO Keytab，则此选项是可选的。形式必须为 TYPE:residual。</target>
 </trans-unit>
 <trans-unit id="s734ab8fbcae0b69e">
   <source>Kerberos Attribute mapping</source>
-  <target>Kerberos 属性映射</target>
 </trans-unit>
 <trans-unit id="s2c378e86e025fdb2">
   <source>Update Kerberos Source</source>
-  <target>更新 Kerberos 源</target>
 </trans-unit>
 <trans-unit id="s03e4044abe0b556c">
   <source>User database + Kerberos password</source>
-  <target>用户数据库 + Kerberos 密码</target>
 </trans-unit>
 <trans-unit id="s98bb2ae796f1ceef">
   <source>Select another authentication method</source>
-  <target>选择另一种身份验证方法</target>
 </trans-unit>
 <trans-unit id="s21d95b4651ad7a1e">
   <source>Enter a one-time recovery code for this user.</source>
-  <target>为此用户输入一次性恢复代码。</target>
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-  <target>请输入来自您身份验证设备的代码。</target>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-  <target>Kerberos 源目前处于预览状态。</target>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-  <target>验证码阶段</target>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-  <target>设置后，添加与验证码阶段完全相同的功能，但融入识别阶段。</target>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-  <target>端点 Google Chrome 设备信任处于预览状态。</target>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-  <target>交互式</target>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-  <target>如果配置的验证码需要用户交互则启用此选项。reCAPTCHA v2、hCaptcha 和 Cloudflare Turnstile 需要启用。</target>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-  <target>原因</target>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-  <target>模拟此用户的原因</target>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-  <target>需要模拟原因</target>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-  <target>需要管理员提供模拟用户的原因。</target>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-  <target>意大利语</target>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-  <target>添加条目</target>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-  <target>链接标题</target>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-  <target>此选项配置流程执行器页面上的页脚链接。URL 限为 Web 和电子邮件地址。如果名称留空，则显示 URL 自身。</target>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -5699,6 +5699,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
 </trans-unit>
@@ -5774,6 +5777,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sfc31264ef7ff86ef">
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
 </trans-unit>
@@ -5918,6 +5924,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s38e7cd1a24e70faa">
   <source>Create Endpoint</source>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
 </trans-unit>
@@ -6172,6 +6181,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sd176021da2ea0fe3">
   <source>Selected Applications</source>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
 </trans-unit>
@@ -6966,51 +6978,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_CN.xlf

@@ -6618,6 +6618,11 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Please enter your code</source>
         <target>请输入您的代码</target>
         
+      </trans-unit>
+      <trans-unit id="s18b910437b73e8e8">
+        <source>Return to device picker</source>
+        <target>返回设备选择器</target>
+        
       </trans-unit>
       <trans-unit id="se409d01b52c4e12f">
         <source>Retry authentication</source>
@@ -7648,6 +7653,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
   <target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>RBAC 目前处于预览状态。</target>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
   <target>新创建用户使用的用户类型。</target>
@@ -7840,6 +7849,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Create Endpoint</source>
   <target>创建端点</target>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+  <target>RAC 目前处于预览状态。</target>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
   <target>更新 RAC 提供程序</target>
@@ -8182,6 +8195,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Selected Applications</source>
   <target>已选应用</target>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+  <target>此选项配置流程执行器页面上的页脚链接。必须为有效的 YAML 或 JSON 列表，可以使用以下值：</target>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
   <target>上次使用</target>
@@ -9113,190 +9130,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s8a598f7aef81c3bc">
   <source>Key used to encrypt the tokens.</source>
   <target>用于加密令牌的密钥。</target>
-</trans-unit>
-<trans-unit id="sbfee780fa0a2c83e">
-  <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be deleted</source>
-  <target>设备类型 <x id="0" equiv-text="${device.verboseName}"/> 无法被删除</target>
-</trans-unit>
-<trans-unit id="s336936629cdeb3e5">
-  <source>Stage used to verify users' browsers using Google Chrome Device Trust. This stage can be used in authentication/authorization flows.</source>
-  <target>通过 Google Chrome 设备信任来验证用户浏览器的阶段。此阶段可在身份验证/授权流程中使用。</target>
-</trans-unit>
-<trans-unit id="s85fe794c71b4ace8">
-  <source>Google Verified Access API</source>
-  <target>Google Verified Access API</target>
-</trans-unit>
-<trans-unit id="s013620384af7c8b4">
-  <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
-  <target>设备类型 <x id="0" equiv-text="${device.verboseName}"/> 无法被编辑</target>
-</trans-unit>
-<trans-unit id="s4347135696fc7cde">
-  <source>Advanced flow settings</source>
-  <target>高级流程设置</target>
-</trans-unit>
-<trans-unit id="sf52ff57fd136cc2f">
-  <source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
-  <target>启用此选项会将 authentik 作出的密码修改写入回 Kerberos。如果未启用同步则忽略。</target>
-</trans-unit>
-<trans-unit id="s14a16542f956e11d">
-  <source>Realm settings</source>
-  <target>领域设置</target>
-</trans-unit>
-<trans-unit id="s9c2eae548d3c1c30">
-  <source>Realm</source>
-  <target>领域</target>
-</trans-unit>
-<trans-unit id="s6b032212997e2491">
-  <source>Kerberos 5 configuration</source>
-  <target>Kerberos 5 配置</target>
-</trans-unit>
-<trans-unit id="sbf50181022f47de3">
-  <source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
-  <target>Kerberos 5 配置。请阅读 man krb5.conf(5) 了解配置格式。如果留空，则使用默认的 krb5.conf。</target>
-</trans-unit>
-<trans-unit id="s2386539a0bd62fab">
-  <source>Sync connection settings</source>
-  <target>同步连接设置</target>
-</trans-unit>
-<trans-unit id="s0d1a6f3fe81351f8">
-  <source>Sync principal</source>
-  <target>同步主体</target>
-</trans-unit>
-<trans-unit id="sa691d6e1974295fa">
-  <source>Principal used to authenticate to the KDC for syncing.</source>
-  <target>向 KDC 进行身份验证以进行同步的主体。</target>
-</trans-unit>
-<trans-unit id="s977b9c629eed3d33">
-  <source>Sync password</source>
-  <target>同步密码</target>
-</trans-unit>
-<trans-unit id="s77772860385de948">
-  <source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
-  <target>向 KDC 进行身份验证以进行同步的密码。如果提供了同步 Keytab 或同步凭据缓存，则此选项是可选的。</target>
-</trans-unit>
-<trans-unit id="sc59ec59c3d5e74dc">
-  <source>Sync keytab</source>
-  <target>同步 Keytab</target>
-</trans-unit>
-<trans-unit id="scd42997958453f05">
-  <source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
-  <target>向 KDC 进行身份验证以进行同步的 Keytab。如果提供了同步密码或同步凭据缓存，则此选项是可选的。必须以 Base64 编码，或者形式为 TYPE:residual。</target>
-</trans-unit>
-<trans-unit id="s60eaf439ccdca1f2">
-  <source>Sync credentials cache</source>
-  <target>同步凭据缓存</target>
-</trans-unit>
-<trans-unit id="s95722900b0c9026f">
-  <source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
-  <target>向 KDC 进行身份验证以进行同步的凭据缓存。如果提供了同步密码或同步 Keytab，则此选项是可选的。形式必须为 TYPE:residual。</target>
-</trans-unit>
-<trans-unit id="sf9c055db98d7994a">
-  <source>SPNEGO settings</source>
-  <target>SPNEGO 设置</target>
-</trans-unit>
-<trans-unit id="sab580a45dc46937f">
-  <source>SPNEGO server name</source>
-  <target>SPNEGO 服务器名称</target>
-</trans-unit>
-<trans-unit id="s7a79d6174d17ab2d">
-  <source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
-  <target>强制为 SPNEGO 使用特定服务器名称。形式必须为 HTTP@域名</target>
-</trans-unit>
-<trans-unit id="sa4ba2b2081472ccd">
-  <source>SPNEGO keytab</source>
-  <target>SPNEGO Keytab</target>
-</trans-unit>
-<trans-unit id="s64adda975c1106c0">
-  <source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
-  <target>SPNEGO 使用的 Keytab。如果提供了 SPNEGO 凭据缓存，则此选项是可选的。必须以 Base64 编码，或者形式为 TYPE:residual。</target>
-</trans-unit>
-<trans-unit id="s92247825b92587b5">
-  <source>SPNEGO credentials cache</source>
-  <target>SPNEGO 凭据缓存</target>
-</trans-unit>
-<trans-unit id="sd9757c345e4062f8">
-  <source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
-  <target>SPNEGO 使用的凭据缓存。如果提供了 SPNEGO Keytab，则此选项是可选的。形式必须为 TYPE:residual。</target>
-</trans-unit>
-<trans-unit id="s734ab8fbcae0b69e">
-  <source>Kerberos Attribute mapping</source>
-  <target>Kerberos 属性映射</target>
-</trans-unit>
-<trans-unit id="s2c378e86e025fdb2">
-  <source>Update Kerberos Source</source>
-  <target>更新 Kerberos 源</target>
-</trans-unit>
-<trans-unit id="s03e4044abe0b556c">
-  <source>User database + Kerberos password</source>
-  <target>用户数据库 + Kerberos 密码</target>
-</trans-unit>
-<trans-unit id="s98bb2ae796f1ceef">
-  <source>Select another authentication method</source>
-  <target>选择另一种身份验证方法</target>
-</trans-unit>
-<trans-unit id="s21d95b4651ad7a1e">
-  <source>Enter a one-time recovery code for this user.</source>
-  <target>为此用户输入一次性恢复代码。</target>
-</trans-unit>
-<trans-unit id="s2e1d5a7d320c25ef">
-  <source>Enter the code from your authenticator device.</source>
-  <target>请输入来自您身份验证设备的代码。</target>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-  <target>Kerberos 源目前处于预览状态。</target>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-  <target>验证码阶段</target>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-  <target>设置后，添加与验证码阶段完全相同的功能，但融入识别阶段。</target>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-  <target>端点 Google Chrome 设备信任处于预览状态。</target>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-  <target>交互式</target>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-  <target>如果配置的验证码需要用户交互则启用此选项。reCAPTCHA v2、hCaptcha 和 Cloudflare Turnstile 需要启用。</target>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-  <target>原因</target>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-  <target>模拟此用户的原因</target>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-  <target>需要模拟原因</target>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-  <target>需要管理员提供模拟用户的原因。</target>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-  <target>意大利语</target>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-  <target>添加条目</target>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-  <target>链接标题</target>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-  <target>此选项配置流程执行器页面上的页脚链接。URL 限为 Web 和电子邮件地址。如果名称留空，则显示 URL 自身。</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -7486,6 +7486,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>提示：「新增應用程式設定精靈」目前處於隱藏中</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>使用 authentik 作為身份供應商的外部應用程式，透過像 OAuth2 和 SAML 這樣的協議。此處顯示所有應用程式，即使是您無法存取的應用程式也包括在內。</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>拒絕的訊息</target>
@@ -7586,6 +7590,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
   <target>適用於每個主網域的 nginx 的「auth_request」或 traefik 的「forwardAuth」</target>
 </trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>RBAC 正處於預覽版本。</target>
+</trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
   <target>用於建立使用者的使用者類型。</target>
@@ -7752,6 +7760,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s38e7cd1a24e70faa">
   <source>Create Endpoint</source>
 </trans-unit>
+<trans-unit id="s4770c10e5b1c028c">
+  <source>RAC is in preview.</source>
+</trans-unit>
 <trans-unit id="s168565f5ac74a89f">
   <source>Update RAC Provider</source>
 </trans-unit>
@@ -8006,6 +8017,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sd176021da2ea0fe3">
   <source>Selected Applications</source>
 </trans-unit>
+<trans-unit id="s862505f29064fc72">
+  <source>This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:</source>
+</trans-unit>
 <trans-unit id="s6d3f81dc4bcacbda">
   <source>Last used</source>
 </trans-unit>
@@ -8800,51 +8814,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s2e1d5a7d320c25ef">
   <source>Enter the code from your authenticator device.</source>
-</trans-unit>
-<trans-unit id="scc1a17d28912e974">
-  <source>Kerberos Source is in preview.</source>
-</trans-unit>
-<trans-unit id="s54154a8d64a3597b">
-  <source>Captcha stage</source>
-</trans-unit>
-<trans-unit id="s0c250af62ddbf801">
-  <source>When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage.</source>
-</trans-unit>
-<trans-unit id="sabf8a430d504f8c8">
-  <source>Endpoint Google Chrome Device Trust is in preview.</source>
-</trans-unit>
-<trans-unit id="s6f4f35a5a4b9b3cb">
-  <source>Interactive</source>
-</trans-unit>
-<trans-unit id="sd020240e41e4c207">
-  <source>Enable this flag if the configured captcha requires User-interaction. Required for reCAPTCHA v2, hCaptcha and Cloudflare Turnstile.</source>
-</trans-unit>
-<trans-unit id="saa29a2ac03cd9d19">
-  <source>Reason</source>
-</trans-unit>
-<trans-unit id="se9fd92a824994eba">
-  <source>Reason for impersonating the user</source>
-</trans-unit>
-<trans-unit id="s29fab8887734192f">
-  <source>Require reason for impersonation</source>
-</trans-unit>
-<trans-unit id="sc24af6de78468cfa">
-  <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="sd48cc52117f4d68b">
-  <source>Italian</source>
-</trans-unit>
-<trans-unit id="s6cee92a3b310e650">
-  <source>Add entry</source>
-</trans-unit>
-<trans-unit id="s8f36fb59c31d33eb">
-  <source>Link Title</source>
-</trans-unit>
-<trans-unit id="s92205c10ba1f0f4c">
-  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

website/docs/add-secure-apps/applications/index.md

@@ -34,7 +34,7 @@ The following options can be configured:
 
     If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
 
-    If there is a mount under `/media` or if [S3 storage](../../sys-mgmt/ops/storage-s3.md) is configured, you'll instead see a field to upload a file.
+    If there is a mount under `/media` or if [S3 storage](../../install-config/storage-s3.md) is configured, you'll instead see a field to upload a file.
 
 -   _Publisher_: Text shown below the application
 -   _Description_: Subtext shown on the application card below the publisher

website/docs/add-secure-apps/providers/proxy/_traefik_ingress.md

@@ -7,7 +7,6 @@ metadata:
     name: authentik
 spec:
     forwardAuth:
-        # This address should point to the cluster endpoint provided by the kubernetes service, not the Ingress.
         address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
         trustForwardHeader: true
         authResponseHeaders:

website/docs/install-config/geoip.mdx

@@ -1,6 +1,6 @@
 # GeoIP
 
-authentik supports GeoIP to add additional information to login/authorization/enrollment requests. Additionally, a [GeoIP policy](../../customize/policies/index.md#geoip-policy) can be used to make policy decisions based on the lookup result.
+authentik supports GeoIP to add additional information to login/authorization/enrollment requests. Additionally, a [GeoIP policy](../customize/policies/index.md#geoip-policy) can be used to make policy decisions based on the lookup result.
 
 ### Configuration
 

website/docs/install-config/index.mdx

@@ -1,13 +1,13 @@
 ---
-title: Installation and Configuration
+title: Installation
 ---
 
 Everything you need to get authentik up and running!
 
-The installation process for our free open source version and our [Enterprise](../enterprise/index.md) version are exactly the same. For information about obtaining an Enterprise license, refer to [License management](../enterprise/manage-enterprise.md#license-management) documentation.
-
 For information about upgrading to a new version, refer to the <b>Upgrade</b> section in the relevant [Release Notes](../releases) and to our [Upgrade authentik](./upgrade.mdx) documentation.
 
+The installation process for our free open source version and our [Enterprise](../enterprise/index.md) version are exactly the same. For information about obtaining an Enterprise license, refer to [License management](../enterprise/manage-enterprise.md#license-management) documentation.
+
 import DocCardList from "@theme/DocCardList";
 
 <DocCardList />

website/docs/install-config/storage-s3.md

@@ -83,7 +83,7 @@ The `ENDPOINT` setting specifies how authentik talks to the S3 provider.
 
 The `CUSTOM_DOMAIN` setting specifies how URLs are constructed to be shown on the web interface. For example, an object stored at `application-icons/application.png` with a `CUSTOM__DOMAIN` setting of `s3.provider/authentik-media` will result in a URL of `https://s3.provider/authentik-media/application-icons/application.png`. You can also use subdomains for your buckets depending on what your S3 provider offers: `authentik-media.s3.provider`. Whether HTTPS is used is controlled by `AUTHENTIK_STORAGE__MEDIA__S3__SECURE_URLS`, which defaults to true.
 
-For more control over settings, refer to the [configuration reference](../../install-config/configuration/configuration.mdx#media-storage-settings)
+For more control over settings, refer to the [configuration reference](./configuration/configuration.mdx#media-storage-settings)
 
 ### Migrating between storage backends
 

website/docs/releases/2022/v2022.12.md

@@ -13,7 +13,7 @@ slug: "/releases/2022.12"
 
 -   Bundled GeoIP City database
 
-    authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../../sys-mgmt/ops/geoip.mdx).
+    authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../../install-config/geoip.mdx).
 
 -   Improved UX for user & group management and stage/policy binding
 

website/docs/releases/2024/v2024.10.md

@@ -157,30 +157,6 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.10
 -   stages/password: use recovery flow from brand (cherry-pick #11953) (#11969)
 -   web: bump API Client version (#11992)
 
-## Fixed in 2024.10.3
-
--   core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (cherry-pick #12080) (#12081)
--   internal: add CSP header to files in `/media` (cherry-pick #12092) (#12108)
--   providers/ldap: fix global search_full_directory permission not being sufficient (cherry-pick #12028) (#12030)
--   providers/scim: accept string and int for SCIM IDs (cherry-pick #12093) (#12095)
--   rbac: fix incorrect object_description for object-level permissions (cherry-pick #12029) (#12043)
--   root: check remote IP for proxy protocol same as HTTP/etc (cherry-pick #12094) (#12097)
--   root: fix activation of locale not being scoped (cherry-pick #12091) (#12096)
--   security: fix [CVE-2024-52287](../../security/cves/CVE-2024-52287.md), reported by [@matt1097](https://github.com/matt1097) (#12117)
--   security: fix [CVE-2024-52289](../../security/cves/CVE-2024-52289.md), reported by [@PontusHanssen](https://github.com/PontusHanssen) (#12113)
--   security: fix [CVE-2024-52307](../../security/cves/CVE-2024-52307.md), reported by [@mgerstner](https://github.com/mgerstner) (#12115)
--   web/admin: better footer links (#12004)
--   web/flows: fix invisible captcha call (cherry-pick #12048) (#12049)
--   website/docs: add CSP to hardening (cherry-pick #11970) (#12116)
-
-## Fixed in 2024.10.4
-
--   providers/oauth2: fix migration (cherry-pick #12138) (#12139)
--   providers/oauth2: fix migration dependencies (cherry-pick #12123) (#12132)
--   providers/oauth2: fix redirect uri input (cherry-pick #12122) (#12127)
--   providers/proxy: fix redirect_uri (cherry-pick #12121) (#12125)
--   web: bump API Client version (cherry-pick #12129) (#12130)
-
 ## API Changes
 
 ### API Changes in 2024.10.0

website/docs/releases/2024/v2024.2.md

@@ -118,7 +118,7 @@ slug: /releases/2024.2
 
 -   **S3 file storage**
 
-    Media files can now be stored on S3. Follow the [setup guide](../../sys-mgmt/ops/storage-s3.md) to get started.
+    Media files can now be stored on S3. Follow the [setup guide](../../install-config/storage-s3.md) to get started.
 
 -   **_Pretend user exists_ option for Identification stage**
 

website/docs/releases/2024/v2024.8.md

@@ -286,35 +286,6 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.8
 -   web: Fix missing integrity fields in package-lock.json (#11509)
 -   web/admin: fix Authentication flow being required (cherry-pick #11496) (#11497)
 
-## Fixed in 2024.8.4
-
--   blueprints: fix validation error when using internal storage (cherry-pick #11654) (#11656)
--   core: fix permission check for scoped impersonation (cherry-pick #11603) (#11650)
--   internal: restore /ping behaviour for embedded outpost (cherry-pick #11568) (#11570)
--   policies/event_matcher: fix inconsistent behaviour (cherry-pick #11724) (#11726)
--   providers/oauth2: don't overwrite attributes when updating service account (cherry-pick #11709) (#11723)
--   providers/saml: fix incorrect ds:Reference URI (cherry-pick #11699) (#11701)
--   providers/scim: add comparison with existing group on update and delta update users (cherry-pick #11414) (#11796)
--   providers/scim: clamp batch size for patch requests (cherry-pick #11797) (#11802)
--   providers/scim: handle no members in group in consistency check (cherry-pick #11801) (#11812)
--   web/admin: fix invalid create date shown for MFA registered before date was saved (cherry-pick #11728) (#11729)
--   web/admin: fix sync single button throwing error (cherry-pick #11727) (#11730)
-
-## Fixed in 2024.8.5
-
--   security: fix [CVE-2024-52287](../../security/cves/CVE-2024-52287.md), reported by [@matt1097](https://github.com/matt1097) (#12114)
--   security: fix [CVE-2024-52289](../../security/cves/CVE-2024-52289.md), reported by [@PontusHanssen](https://github.com/PontusHanssen) (#12113)
--   security: fix [CVE-2024-52307](../../security/cves/CVE-2024-52307.md), reported by [@mgerstner](https://github.com/mgerstner) (#12115)
--   web/admin: better footer links (#12004)
--   web: bump API Client version (#12118)
-
-## Fixed in 2024.8.6
-
--   providers/oauth2: fix migration (cherry-pick #12138) (#12140)
--   providers/oauth2: fix redirect uri input (cherry-pick #12122) (#12128)
--   providers/proxy: fix redirect_uri (cherry-pick #12121) (#12126)
--   web: bump API Client version (cherry-pick #12129) (#12131)
-
 ## API Changes
 
 #### What's New

website/docs/sys-mgmt/settings.md

@@ -35,7 +35,7 @@ Enable the ability for users to change their Email address, defaults to `false`.
 
 ### Allow users to change username
 
-Enable the ability for users to change their usernames, defaults to `false`.
+Enable the ability for users to change their Usernames, defaults to `false`.
 
 ### Event retention
 
@@ -43,11 +43,15 @@ Configure how long [Events](./events/index.md) are retained for within authentik
 
 ### Footer links
 
-This option allows you to add linked text (footer links) on the bottom of flow pages. You can also use this setting to display additional static text to the flow pages, even if no URL is provided.
+This option configures the footer links on the flow executor pages.
 
-The URL is limited to web and email addresses. If the name is left blank, the URL will be shown.
+The setting can be used as follows:
 
-This is a global setting. All flow pages that are rendered by the [Flow Executor](../add-secure-apps/flows-stages/flow/executors/if-flow.md) will display the footer links.
+```json
+[{ "name": "Link Name", "href": "https://goauthentik.io" }]
+```
+
+Starting with authentik 2024.6.1, the `href` attribute is optional, and this option can be used to add additional text to the flow executor pages.
 
 ### GDPR compliance
 

website/integrations/services/jellyfin/index.md

@@ -121,9 +121,9 @@ Set the launch URL to `https://jellyfin.company/sso/OID/start/authentik`
 
 ### Jellyfin Configuration
 
-1. Log in to Jellyfin with an admin account and navigate to the **Admin Dashboard** by selecting your profile icon in the top right, then clicking **Dashboard**.
-2. Go to **Dashboard > Plugins > Catalog**.
-3. Click the gear icon in the top left, then click **+** to add a new repository. Use the following URL and name it "SSO-Auth":
+1. Navigate to your Jellyfin installation and log in with the admin account or currently configured local admin.
+2. Open the **Administrator dashboard** and go to the **Plugins** section.
+3. Then click the **Repositories** section at the top and add the below repository with the name of SSO-Auth
 
 ```
 https://raw.githubusercontent.com/9p4/jellyfin-plugin-sso/manifest-release/manifest.json

website/integrations/services/nextcloud/index.md

@@ -14,11 +14,7 @@ sidebar_label: Nextcloud
 > -- https://en.wikipedia.org/wiki/Nextcloud
 
 :::caution
-If you require [Server Side Encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html), you must use LDAP. OpenID and SAML will cause **irrevocable data loss**. Nextcloud Server-Side Encryption requires access to the user's cleartext password, which Nextcloud only has access to when using LDAP as the user enters their password directly into Nextcloud.
-:::
-
-:::caution
-This setup only works when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
+This setup only works, when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
 :::
 
 :::info
@@ -27,11 +23,10 @@ In case something goes wrong with the configuration, you can use the URL `http:/
 
 ## Authentication
 
-There are 3 ways to setup single sign on (SSO) for Nextcloud:
+There are 2 ways to setup single sign on (SSO) for Nextcloud:
 
 -   [via OIDC Connect (OAuth)](#openid-connect-auth)
 -   [via SAML](#saml-auth)
--   via LDAP outpost (required for SSE, not covered in this documentation)
 
 ### OpenID Connect auth
 

website/integrations/services/vmware-vcenter/index.md

@@ -14,83 +14,96 @@ sidebar_label: VMware vCenter
 > -- https://en.wikipedia.org/wiki/VCenter
 
 :::caution
-Integration with authentik requires VMware vCenter 8.03 or newer.
+This requires authentik 0.10.3 or newer.
 :::
 
-The following placeholders will be used in the examples below:
+:::caution
+This requires VMware vCenter 7.0.0 or newer.
+:::
+
+:::note
+It seems that the vCenter still needs to be joined to the Active Directory Domain, otherwise group membership does not work correctly. We're working on a fix for this, for the meantime your vCenter should be part of your Domain.
+:::
+
+## Preparation
+
+The following placeholders will be used:
 
 -   `vcenter.company` is the FQDN of the vCenter server.
 -   `authentik.company` is the FQDN of the authentik install.
 
-## authentik configuration
+Since vCenter only allows OpenID-Connect in combination with Active Directory/LDAP, it is recommended to have authentik sync with the same Active Directory. You also have the option of connecting to an authentik managed LDAP outpost for user management.
 
-Create an application and an OAuth2/OpenID provider, using the authentik Wizard.
+### Step 1
 
-1.  Log into authentik as an admin, and navigate to **Applications --> Applications**, and then click **Create with Wizard**.
+Under _Customization_ -> _Property Mappings_, create a _Scope Mapping_. Give it a name like "OIDC-Scope-VMware-vCenter". Set the scope name to `openid` and the expression to the following
 
-2.  In the Wizard, follow the prompts to create an application and its provider.
+```python
+return {
+  "domain": "<your active directory domain>",
+}
+```
 
-    Create the application with these settings:
+If you are using an authentik managed LDAP outpost you can use the following expression in your property mapping. This will correctly return the `groups` claim as a list of LDAP DNs instead of their names.
 
-    -   Select OIDC as the provider type.
-    -   Ensure that the **Redirect URI Setting** is left empty.
+```python
+ldap_base_dn = "DC=ldap,DC=goauthentik,DC=io"
+groups = []
+for group in request.user.ak_groups.all():
+    group_dn = f"CN={group.name},dc=groups,{ldap_base_dn}"
+    groups.append(group_dn)
+return {
+    "name": request.user.name,
+    "email": request.user.email,
+    "given_name": request.user.name,
+    "preferred_username": request.user.username,
+    "nickname": request.user.username,
+    "groups": groups,
+    "domain": "ldap.goauthentik.io"
+}
+```
 
-    Create the provider with these settings:
+### Step 2
+
+:::note
+If your Active Directory Schema is the same as your Email address schema, skip to Step 3.
+:::
+
+Under _Sources_, click _Edit_ and ensure that "authentik default Active Directory Mapping: userPrincipalName" has been added to your source.
+
+### Step 3
+
+Under _Providers_, create an OAuth2/OpenID provider with these settings:
 
 -   Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
-        -   Ensure that a signing key is selected, for example the Self-signed Certificate.
+-   Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". If you are using authentik's managed LDAP outpost, chose "Based on the User's username"
+-   Scopes: Select the Scope Mapping you've created in Step 1
+-   Signing Key: Select any available key
 
-3.  Click **Submit** to create the application and provider, and then click **Close** to close the Wizard.
+![](./authentik_setup.png)
 
-Optionally, you can use a policy to apply access restrictions to the application.
+### Step 4
 
-## vCenter configuration
+Create an application which uses this provider. Optionally apply access restrictions to the application.
 
-1. Log in to vCenter with your local Administrator account. Using the menu in the left navigation bar, navigate to **Administration -> Single Sign-on -> Configuration**.
+Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in.
 
-2. Click **Change Provider** in the top-right corner, and then select **Okta** from the drop-down list.
+:::caution
+This Launch URL only works for vCenter < 7.0u2. If you're running 7.0u2 or later, set the launch URL to `https://vcenter.company/ui/login`
+:::
 
-3. In the wizard, click **Run Prechecks**, select the confirmation box, and then click **Next**
+## vCenter Setup
 
-    - Enter the **Directory Name**. For example `authentik` or any other name.
-    - Add a **Domain Name**. For example `authentik.company`.
-    - Click on the Plus (+) sign to show the default domain name.
+Login as local Administrator account (most likely ends with vsphere.local). Using the Menu in the Navigation bar, navigate to _Administration -> Single Sing-on -> Configuration_.
 
-4. Click **Next**.
+Click on _Change Identity Provider_ in the top-right corner.
 
-5. On the OpenID Connect page, enter the following values:
+In the wizard, select "Microsoft ADFS" and click Next.
 
-    - Set **Identity Provider Name** to `authentik`.
-    - Set **Client Identifier** to the client ID from authentik.
-    - Set **Shared secret** to the client secret from authentik.
-    - Set **OpenID Address** to the _OpenID Configuration URL_ from authentik.
+Fill in the Client Identifier and Shared Secret from the Provider in authentik. For the OpenID Address, click on _View Setup URLs_ in authentik, and copy the OpenID Configuration URL.
 
-6. Click **Next**, and then **Finish**.
+On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in authentik.
 
-7. On the **Single Sign On -> Configuration** page, in the **User Provisioning** area, take the following steps:
+![](./vcenter_post_setup.png)
 
-    - Copy the **Tenant URL** and save to a safe place.
-    - Click on **Generate** to generate a SCIM token.
-    - Click **Generate** in the newly opened modal box.
-    - Copy the token and save to a safe place.
-
-8. Return to the authentik Admin interface.
-
-    - Create a SCIM provider with the name `vcenter-scim`.
-    - Paste the Tenant URL into **URL** field for the provider.
-    - Paste the token you saved into the **Token** field.
-    - If your vCenter certificate is self-signed (which is the default), toggle **Verify SCIM server's certificates** to be off.
-    - Configure options under `User filtering` to your needs.
-    - Save the provider.
-    - Edit the application that you created earlier and select this newly created SCIM provider as the backchannel provider.
-    - Navigate to the provider and trigger a sync.
-
-9. Return to vCenter.
-
-    - Navigate to **Administration -> Access Control -> Global Permissions**.
-    - Click **Add**.
-    - Select the Domain created above from the dropdown.
-    - Enter the name of the group to which you want to assign permissions.
-    - Select the role.
-
-10. Click **Save**.
+If your vCenter was already setup with LDAP beforehand, your Role assignments will continue to work.

website/netlify.toml

@@ -1073,19 +1073,3 @@
   to = "/docs/developer-docs/translation"
   status = 302
   force = true
-
-
-# Moved GeoIP and S3 under System Management/user_basic_operations
-
-[[redirects]]
-  from = "/docs/install-config/storage-s3"
-  to = "/docs/sys-mgmt/ops/storage-s3"
-  status = 302
-  force = true
-
-
-[[redirects]]
-  from = "/docs/install-config/geoip"
-  to = "/docs/sys-mgmt/ops/geoip"
-  status = 302
-  force = true

website/package.json

@@ -17,18 +17,18 @@
         "watch": "docusaurus gen-api-docs all && docusaurus start"
     },
     "dependencies": {
-        "@docusaurus/core": "^3.6.2",
-        "@docusaurus/plugin-client-redirects": "^3.6.2",
-        "@docusaurus/plugin-content-docs": "^3.6.2",
-        "@docusaurus/preset-classic": "^3.6.2",
-        "@docusaurus/theme-common": "^3.6.2",
-        "@docusaurus/theme-mermaid": "^3.6.2",
+        "@docusaurus/core": "^3.5.2",
+        "@docusaurus/plugin-client-redirects": "^3.5.2",
+        "@docusaurus/plugin-content-docs": "^3.5.2",
+        "@docusaurus/preset-classic": "^3.5.2",
+        "@docusaurus/theme-common": "^3.5.2",
+        "@docusaurus/theme-mermaid": "^3.5.2",
         "@mdx-js/react": "^3.1.0",
         "clsx": "^2.1.1",
         "disqus-react": "^1.1.5",
-        "docusaurus-plugin-openapi-docs": "^4.2.0",
-        "docusaurus-theme-openapi-docs": "^4.2.0",
-        "postcss": "^8.4.49",
+        "docusaurus-plugin-openapi-docs": "^4.1.0",
+        "docusaurus-theme-openapi-docs": "^4.1.0",
+        "postcss": "^8.4.47",
         "prism-react-renderer": "^2.4.0",
         "react": "^18.3.1",
         "react-before-after-slider-component": "^1.1.8",
@@ -52,7 +52,7 @@
     },
     "devDependencies": {
         "@docusaurus/module-type-aliases": "^3.3.2",
-        "@docusaurus/tsconfig": "^3.6.2",
+        "@docusaurus/tsconfig": "^3.5.2",
         "@docusaurus/types": "^3.3.2",
         "@types/react": "^18.3.12",
         "cross-env": "^7.0.3",

website/sidebars.js

@@ -111,8 +111,10 @@ export default {
                 "install-config/upgrade",
                 "install-config/beta",
                 "install-config/reverse-proxy",
+                "install-config/geoip",
                 "install-config/automated-install",
                 "install-config/air-gapped",
+                "install-config/storage-s3",
             ],
         },
         {
@@ -541,11 +543,7 @@ export default {
                     type: "category",
                     label: "Operations",
                     collapsed: true,
-                    items: [
-                        "sys-mgmt/ops/monitoring",
-                        "sys-mgmt/ops/storage-s3",
-                        "sys-mgmt/ops/geoip",
-                    ],
+                    items: ["sys-mgmt/ops/monitoring"],
                 },
                 {
                     type: "category",