Updating version required by SFE.

Merge branch 'main' into web/bug/fix-wdio-and-lint
* main: core: bump goauthentik.io/api/v3 from 3.2024082.1 to 3.2024083.1 (#11555) website: bump @types/react from 18.3.9 to 18.3.10 in /website (#11556) core: bump watchdog from 5.0.2 to 5.0.3 (#11557) core: bump uvicorn from 0.30.6 to 0.31.0 (#11558) core: bump psycopg from 3.2.2 to 3.2.3 (#11559) web: bump the storybook group across 1 directory with 7 updates (#11560) web: bump the rollup group across 2 directories with 4 updates (#11561) web: bump the wdio group across 2 directories with 5 updates (#11562) web: bump chromedriver from 129.0.0 to 129.0.1 in /tests/wdio (#11563) web: bump @types/node from 22.7.3 to 22.7.4 in /web (#11564) web: bump rapidoc from 9.3.6 to 9.3.7 in /web (#11565) web: bump knip from 5.30.5 to 5.30.6 in /web (#11566) website/docs: update wording for events that occur when too many users exist (#11547)
2024-09-30 09:35:59 -07:00 · 2024-09-30 08:52:42 -07:00 · 2024-09-27 08:48:54 -07:00 · 2024-09-27 08:45:11 -07:00 · 2024-09-27 08:42:22 -07:00 · 2024-09-27 07:52:45 -07:00
854 changed files with 38177 additions and 56346 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.2
+current_version = 2024.8.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -14,7 +14,7 @@ runs:
      run: |
        pipx install poetry || true
        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
    - name: Setup python and restore poetry
      uses: actions/setup-python@v5
      with:
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -23,6 +23,7 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
+      - "/tests/wdio"
      - "/web/sfe"
    schedule:
      interval: daily
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.

-Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
 -->

 ## Details
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -116,7 +116,7 @@ jobs:
          poetry run make test
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: unit
          token: ${{ secrets.CODECOV_TOKEN }}
@ -140,7 +140,7 @@ jobs:
          poetry run coverage run manage.py test tests/integration
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: integration
          token: ${{ secrets.CODECOV_TOKEN }}
@ -180,7 +180,7 @@ jobs:
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
        run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
+          docker compose -f tests/e2e/docker-compose.yml up -d
      - id: cache-web
        uses: actions/cache@v4
        with:
@ -198,7 +198,7 @@ jobs:
          poetry run coverage run manage.py test ${{ matrix.job.glob }}
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: e2e
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -24,11 +24,17 @@ jobs:
          - prettier-check
        project:
          - web
+          - tests/wdio
        include:
          - command: tsc
            project: web
          - command: lit-analyse
            project: web
+        exclude:
+          - command: lint:lockfile
+            project: tests/wdio
+          - command: tsc
+            project: tests/wdio
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@ -44,7 +50,15 @@ jobs:
      - name: Lint
        working-directory: ${{ matrix.project }}/
        run: npm run ${{ matrix.command }}
+  ci-web-mark:
+    needs:
+      - lint
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
  build:
+    needs:
+      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -60,13 +74,6 @@ jobs:
      - name: build
        working-directory: web/
        run: npm run build
-  ci-web-mark:
-    needs:
-      - build
-      - lint
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo mark
  test:
    needs:
      - ci-web-mark
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -6,7 +6,6 @@
        "authn",
        "entra",
        "goauthentik",
-        "jwe",
        "jwks",
        "kubernetes",
        "oidc",
--- a/11
+++ b/11
@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    go build -o /go/authentik ./cmd/server

 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.6-slim-bookworm-fips-full AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT
@ -110,7 +110,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev

 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@ -124,7 +124,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    pip install --force-reinstall /wheels/*"

 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.6-slim-bookworm-fips-full AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@ -141,7 +141,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    apt-get clean && \
@ -161,7 +161,6 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
-COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
--- a/3
+++ b/3
@ -19,13 +19,14 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
+		-S 'website/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
+		website/developer-docs \
 		website/docs \
 		website/integrations \
 		website/src
--- a/README.md
+++ b/README.md
@ -34,7 +34,7 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h

 ## Development

-See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
+See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)

 ## Security

--- a/SECURITY.md
+++ b/SECURITY.md
@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 (.x being the latest patch release for each version)

-| Version   | Supported |
-| --------- | --------- |
-| 2024.8.x  | ✅        |
-| 2024.10.x | ✅        |
+| Version  | Supported |
+| -------- | --------- |
+| 2024.6.x | ✅        |
+| 2024.8.x | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.10.2"
+__version__ = "2024.8.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/version_history.py
+++ b/authentik/admin/api/version_history.py
@ -1,33 +0,0 @@
-from rest_framework.permissions import IsAdminUser
-from rest_framework.viewsets import ReadOnlyModelViewSet
-
-from authentik.admin.models import VersionHistory
-from authentik.core.api.utils import ModelSerializer
-
-
-class VersionHistorySerializer(ModelSerializer):
-    """VersionHistory Serializer"""
-
-    class Meta:
-        model = VersionHistory
-        fields = [
-            "id",
-            "timestamp",
-            "version",
-            "build",
-        ]
-
-
-class VersionHistoryViewSet(ReadOnlyModelViewSet):
-    """VersionHistory Viewset"""
-
-    queryset = VersionHistory.objects.all()
-    serializer_class = VersionHistorySerializer
-    permission_classes = [IsAdminUser]
-    filterset_fields = [
-        "version",
-        "build",
-    ]
-    search_fields = ["version", "build"]
-    ordering = ["-timestamp"]
-    pagination_class = None
--- a/authentik/admin/models.py
+++ b/authentik/admin/models.py
@ -1,22 +0,0 @@
-"""authentik admin models"""
-
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-
-
-class VersionHistory(models.Model):
-    id = models.BigAutoField(primary_key=True)
-    timestamp = models.DateTimeField()
-    version = models.TextField()
-    build = models.TextField()
-
-    class Meta:
-        managed = False
-        db_table = "authentik_version_history"
-        ordering = ("-timestamp",)
-        verbose_name = _("Version history")
-        verbose_name_plural = _("Version history")
-        default_permissions = []
-
-    def __str__(self):
-        return f"{self.version}.{self.build} ({self.timestamp})"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -6,7 +6,6 @@ from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
-from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView

 api_urlpatterns = [
@ -18,7 +17,6 @@ api_urlpatterns = [
        name="admin_metrics",
    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
-    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
    path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}

 {% block head %}
-<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -51,11 +51,9 @@ class BlueprintInstanceSerializer(ModelSerializer):
        context = self.instance.context if self.instance else {}
        valid, logs = Importer.from_string(content, context).validate()
        if not valid:
+            text_logs = "\n".join([x["event"] for x in logs])
            raise ValidationError(
-                [
-                    _("Failed to validate blueprint"),
-                    *[f"- {x.event}" for x in logs],
-                ]
+                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
            )
        return content

--- a/authentik/blueprints/migrations/0001_initial.py
+++ b/authentik/blueprints/migrations/0001_initial.py
@ -29,7 +29,9 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
        if version != 1:
            return
        blueprint_file.seek(0)
-    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    instance: BlueprintInstance = (
+        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    )
    rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
    meta = None
    if metadata:
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -27,8 +27,7 @@ def blueprint_tester(file_name: Path) -> Callable:
        base = Path("blueprints/")
        rel_path = Path(file_name).relative_to(base)
        importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        validation, logs = importer.validate()
-        self.assertTrue(validation, logs)
+        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())

    return tester
--- a/authentik/blueprints/tests/test_v1_api.py
+++ b/authentik/blueprints/tests/test_v1_api.py
@ -78,5 +78,5 @@ class TestBlueprintsV1API(APITestCase):
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(
            res.content.decode(),
-            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
+            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
        )
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -51,10 +51,6 @@ from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
-    EndpointDevice,
-    EndpointDeviceConnection,
-)
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
@ -73,7 +69,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant

 # Context set when the serializer is created in a blueprint context
-# Update website/docs/customize/blueprints/v1/models.md when used
+# Update website/developer-docs/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"


@ -123,8 +119,6 @@ def excluded_models() -> list[type[Model]]:
        GoogleWorkspaceProviderGroup,
        MicrosoftEntraProviderUser,
        MicrosoftEntraProviderGroup,
-        EndpointDevice,
-        EndpointDeviceConnection,
    )


@ -293,11 +287,7 @@ class Importer:

        serializer_kwargs = {}
        model_instance = existing_models.first()
-        if (
-            not isinstance(model(), BaseMetaModel)
-            and model_instance
-            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
-        ):
+        if not isinstance(model(), BaseMetaModel) and model_instance:
            self.logger.debug(
                "Initialise serializer with instance",
                model=model,
@ -307,12 +297,11 @@ class Importer:
            serializer_kwargs["instance"] = model_instance
            serializer_kwargs["partial"] = True
        elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
-            msg = (
-                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
-                "and object exists already",
-            )
            raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
+                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    "and object exists already",
+                ),
                entry,
            )
        else:
@ -440,7 +429,7 @@ class Importer:
        orig_import = deepcopy(self._import)
        if self._import.version != 1:
            self.logger.warning("Invalid blueprint version")
-            return False, [LogEvent("Invalid blueprint version", log_level="warning", logger=None)]
+            return False, [{"event": "Invalid blueprint version"}]
        with (
            transaction_rollback(),
            capture_logs() as logs,
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@ -4,7 +4,7 @@ from collections.abc import Callable

 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate

 from authentik.brands.utils import get_brand_for_request

@ -18,12 +18,10 @@ class BrandMiddleware:
        self.get_response = get_response

    def __call__(self, request: HttpRequest) -> HttpResponse:
-        locale_to_set = None
        if not hasattr(request, "brand"):
            brand = get_brand_for_request(request)
            request.brand = brand
            locale = brand.default_locale
            if locale != "":
-                locale_to_set = locale
-        with override(locale_to_set):
-            return self.get_response(request)
+                activate(locale)
+        return self.get_response(request)
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -1,55 +1,39 @@
 """Authenticator Devices API Views"""

-from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from rest_framework.fields import (
    BooleanField,
    CharField,
    DateTimeField,
+    IntegerField,
    SerializerMethodField,
 )
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet

 from authentik.core.api.utils import MetaNameSerializer
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
-from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
-from authentik.stages.authenticator_webauthn.models import WebAuthnDevice


 class DeviceSerializer(MetaNameSerializer):
    """Serializer for Duo authenticator devices"""

-    pk = CharField()
+    pk = IntegerField()
    name = CharField()
    type = SerializerMethodField()
    confirmed = BooleanField()
    created = DateTimeField(read_only=True)
    last_updated = DateTimeField(read_only=True)
    last_used = DateTimeField(read_only=True, allow_null=True)
-    extra_description = SerializerMethodField()

    def get_type(self, instance: Device) -> str:
        """Get type of device"""
        return instance._meta.label

-    def get_extra_description(self, instance: Device) -> str:
-        """Get extra description"""
-        if isinstance(instance, WebAuthnDevice):
-            return (
-                instance.device_type.description
-                if instance.device_type
-                else _("Extra description not available")
-            )
-        if isinstance(instance, EndpointDevice):
-            return instance.data.get("deviceSignals", {}).get("deviceModel")
-        return ""
-

 class DeviceViewSet(ViewSet):
    """Viewset for authenticator devices"""
@ -68,7 +52,7 @@ class AdminDeviceViewSet(ViewSet):
    """Viewset for authenticator devices"""

    serializer_class = DeviceSerializer
-    permission_classes = []
+    permission_classes = [IsAdminUser]

    def get_devices(self, **kwargs):
        """Get all devices in all child classes"""
@ -86,10 +70,6 @@ class AdminDeviceViewSet(ViewSet):
        ],
        responses={200: DeviceSerializer(many=True)},
    )
-    @permission_required(
-        None,
-        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
-    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        kwargs = {}
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -38,7 +38,6 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
            "name",
            "authentication_flow",
            "authorization_flow",
-            "invalidation_flow",
            "property_mappings",
            "component",
            "assigned_application_slug",
@ -51,7 +50,6 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
        ]
        extra_kwargs = {
            "authorization_flow": {"required": True, "allow_null": False},
-            "invalidation_flow": {"required": True, "allow_null": False},
        }


--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -1,12 +1,10 @@
 """transactional application and provider creation"""

 from django.apps import apps
-from django.db.models import Model
-from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@ -24,7 +22,6 @@ from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
-from authentik.policies.api.bindings import PolicyBindingSerializer


 def get_provider_serializer_mapping():
@ -48,13 +45,6 @@ class TransactionProviderField(DictField):
    """Dictionary field which can hold provider creation data"""


-class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
-    """PolicyBindingSerializer which does not require target as target is set implicitly"""
-
-    class Meta(PolicyBindingSerializer.Meta):
-        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
-
-
 class TransactionApplicationSerializer(PassiveSerializer):
    """Serializer for creating a provider and an application in one transaction"""

@ -62,8 +52,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
    provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
    provider = TransactionProviderField()

-    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
-
    _provider_model: type[Provider] = None

    def validate_provider_model(self, fq_model_name: str) -> str:
@ -108,19 +96,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
                id="app",
            )
        )
-        for binding in attrs.get("policy_bindings", []):
-            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
-            for key, value in binding.items():
-                if not isinstance(value, Model):
-                    continue
-                binding[key] = value.pk
-            blueprint.entries.append(
-                BlueprintEntry(
-                    model="authentik_policies.policybinding",
-                    state=BlueprintEntryDesiredState.MUST_CREATED,
-                    identifiers=binding,
-                )
-            )
        importer = Importer(blueprint, {})
        try:
            valid, _ = importer.validate(raise_validation_errors=True)
@ -145,7 +120,8 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
    """Create provider and application and attach them in a single transaction"""

-    permission_classes = [IsAuthenticated]
+    # TODO: Migrate to a more specific permission
+    permission_classes = [IsAdminUser]

    @extend_schema(
        request=TransactionApplicationSerializer(),
@ -157,23 +133,8 @@ class TransactionalApplicationView(APIView):
        """Convert data into a blueprint, validate it and apply it"""
        data = TransactionApplicationSerializer(data=request.data)
        data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
-        for entry in blueprint.entries:
-            full_model = entry.get_model(blueprint)
-            app, __, model = full_model.partition(".")
-            if not request.user.has_perm(f"{app}.add_{model}"):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
-        importer = Importer(blueprint, {})
+
+        importer = Importer(data.validated_data, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
        response["applied"] = applied
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -666,12 +666,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):

    @permission_required("authentik_core.impersonate")
    @extend_schema(
-        request=inline_serializer(
-            "ImpersonationSerializer",
-            {
-                "reason": CharField(required=True),
-            },
-        ),
+        request=OpenApiTypes.NONE,
        responses={
            "204": OpenApiResponse(description="Successfully started impersonation"),
            "401": OpenApiResponse(description="Access denied"),
@ -684,26 +679,17 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            LOGGER.debug("User attempted to impersonate", user=request.user)
            return Response(status=401)
        user_to_be = self.get_object()
-        reason = request.data.get("reason", "")
-        # Check both object-level perms and global perms
-        if not request.user.has_perm(
-            "authentik_core.impersonate", user_to_be
-        ) and not request.user.has_perm("authentik_core.impersonate"):
+        if not request.user.has_perm("impersonate", user_to_be):
            LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
            return Response(status=401)
        if user_to_be.pk == self.request.user.pk:
            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
            return Response(status=401)
-        if not reason and request.tenant.impersonation_require_reason:
-            LOGGER.debug(
-                "User attempted to impersonate without providing a reason", user=request.user
-            )
-            return Response(status=401)

        request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
        request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be

-        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)

        return Response(status=201)

--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -4,7 +4,6 @@ import code
 import platform
 import sys
 import traceback
-from pprint import pprint

 from django.apps import apps
 from django.core.management.base import BaseCommand
@ -35,9 +34,7 @@ class Command(BaseCommand):

    def get_namespace(self):
        """Prepare namespace with all models"""
-        namespace = {
-            "pprint": pprint,
-        }
+        namespace = {}

        # Gather Django models and constants from each app
        for app in apps.get_app_configs():
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4

 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX

@ -31,19 +31,17 @@ class ImpersonateMiddleware:
    def __call__(self, request: HttpRequest) -> HttpResponse:
        # No permission checks are done here, they need to be checked before
        # SESSION_KEY_IMPERSONATE_USER is set.
-        locale_to_set = None
        if request.user.is_authenticated:
            locale = request.user.locale(request)
            if locale != "":
-                locale_to_set = locale
+                activate(locale)

        if SESSION_KEY_IMPERSONATE_USER in request.session:
            request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
            # Ensure that the user is active, otherwise nothing will work
            request.user.is_active = True

-        with override(locale_to_set):
-            return self.get_response(request)
+        return self.get_response(request)


 class RequestIDMiddleware:
--- a/authentik/core/migrations/0040_provider_invalidation_flow.py
+++ b/authentik/core/migrations/0040_provider_invalidation_flow.py
@ -1,55 +0,0 @@
-# Generated by Django 5.0.9 on 2024-10-02 11:35
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_invalidation_flow_default(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.flows.models import FlowDesignation, FlowAuthenticationRequirement
-
-    db_alias = schema_editor.connection.alias
-
-    Flow = apps.get_model("authentik_flows", "Flow")
-    Provider = apps.get_model("authentik_core", "Provider")
-
-    # So this flow is managed via a blueprint, bue we're in a migration so we don't want to rely on that
-    # since the blueprint is just an empty flow we can just create it here
-    # and let it be managed by the blueprint later
-    flow, _ = Flow.objects.using(db_alias).update_or_create(
-        slug="default-provider-invalidation-flow",
-        defaults={
-            "name": "Logged out of application",
-            "title": "You've logged out of %(app)s.",
-            "authentication": FlowAuthenticationRequirement.NONE,
-            "designation": FlowDesignation.INVALIDATION,
-        },
-    )
-    Provider.objects.using(db_alias).filter(invalidation_flow=None).update(invalidation_flow=flow)
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
-        ("authentik_flows", "0027_auto_20231028_1424"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="provider",
-            name="invalidation_flow",
-            field=models.ForeignKey(
-                default=None,
-                help_text="Flow used ending the session from a provider.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                related_name="provider_invalidation",
-                to="authentik_flows.flow",
-            ),
-        ),
-        migrations.RunPython(migrate_invalidation_flow_default),
-    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -330,13 +330,11 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        """superuser == staff user"""
        return self.is_superuser  # type: ignore

-    def set_password(self, raw_password, signal=True, sender=None):
+    def set_password(self, raw_password, signal=True):
        if self.pk and signal:
            from authentik.core.signals import password_changed

-            if not sender:
-                sender = self
-            password_changed.send(sender=sender, user=self, password=raw_password)
+            password_changed.send(sender=self, user=self, password=raw_password)
        self.password_change_date = now()
        return super().set_password(raw_password)

@ -393,23 +391,14 @@ class Provider(SerializerModel):
        ),
        related_name="provider_authentication",
    )
+
    authorization_flow = models.ForeignKey(
        "authentik_flows.Flow",
-        # Set to cascade even though null is allowed, since most providers
-        # still require an authorization flow set
        on_delete=models.CASCADE,
        null=True,
        help_text=_("Flow used when authorizing this provider."),
        related_name="provider_authorization",
    )
-    invalidation_flow = models.ForeignKey(
-        "authentik_flows.Flow",
-        on_delete=models.SET_DEFAULT,
-        default=None,
-        null=True,
-        help_text=_("Flow used ending the session from a provider."),
-        related_name="provider_invalidation",
-    )

    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)

--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -1,9 +1,11 @@
 """Source decision helper"""

+from enum import Enum
 from typing import Any

 from django.contrib import messages
 from django.db import IntegrityError, transaction
+from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse
@ -14,11 +16,12 @@ from authentik.core.models import (
    Group,
    GroupSourceConnection,
    Source,
+    SourceGroupMatchingModes,
+    SourceUserMatchingModes,
    User,
    UserSourceConnection,
 )
 from authentik.core.sources.mapper import SourceMapper
-from authentik.core.sources.matcher import Action, SourceMatcher
 from authentik.core.sources.stage import (
    PLAN_CONTEXT_SOURCES_CONNECTION,
    PostSourceStage,
@ -51,6 +54,16 @@ SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"


+class Action(Enum):
+    """Actions that can be decided based on the request
+    and source settings"""
+
+    LINK = "link"
+    AUTH = "auth"
+    ENROLL = "enroll"
+    DENY = "deny"
+
+
 class MessageStage(StageView):
    """Show a pre-configured message after the flow is done"""

@ -73,7 +86,6 @@ class SourceFlowManager:

    source: Source
    mapper: SourceMapper
-    matcher: SourceMatcher
    request: HttpRequest

    identifier: str
@ -96,9 +108,6 @@ class SourceFlowManager:
    ) -> None:
        self.source = source
        self.mapper = SourceMapper(self.source)
-        self.matcher = SourceMatcher(
-            self.source, self.user_connection_type, self.group_connection_type
-        )
        self.request = request
        self.identifier = identifier
        self.user_info = user_info
@ -122,24 +131,66 @@ class SourceFlowManager:

    def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
        """decide which action should be taken"""
+        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
        # When request is authenticated, always link
        if self.request.user.is_authenticated:
-            new_connection = self.user_connection_type(
-                source=self.source, identifier=self.identifier
-            )
            new_connection.user = self.request.user
            new_connection = self.update_user_connection(new_connection, **kwargs)
-            if existing := self.user_connection_type.objects.filter(
-                source=self.source, identifier=self.identifier
-            ).first():
-                existing = self.update_user_connection(existing)
-                return Action.AUTH, existing
            return Action.LINK, new_connection

-        action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
-        if connection:
-            connection = self.update_user_connection(connection, **kwargs)
-        return action, connection
+        existing_connections = self.user_connection_type.objects.filter(
+            source=self.source, identifier=self.identifier
+        )
+        if existing_connections.exists():
+            connection = existing_connections.first()
+            return Action.AUTH, self.update_user_connection(connection, **kwargs)
+        # No connection exists, but we match on identifier, so enroll
+        if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
+            # We don't save the connection here cause it doesn't have a user assigned yet
+            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
+
+        # Check for existing users with matching attributes
+        query = Q()
+        # Either query existing user based on email or username
+        if self.source.user_matching_mode in [
+            SourceUserMatchingModes.EMAIL_LINK,
+            SourceUserMatchingModes.EMAIL_DENY,
+        ]:
+            if not self.user_properties.get("email", None):
+                self._logger.warning("Refusing to use none email")
+                return Action.DENY, None
+            query = Q(email__exact=self.user_properties.get("email", None))
+        if self.source.user_matching_mode in [
+            SourceUserMatchingModes.USERNAME_LINK,
+            SourceUserMatchingModes.USERNAME_DENY,
+        ]:
+            if not self.user_properties.get("username", None):
+                self._logger.warning("Refusing to use none username")
+                return Action.DENY, None
+            query = Q(username__exact=self.user_properties.get("username", None))
+        self._logger.debug("trying to link with existing user", query=query)
+        matching_users = User.objects.filter(query)
+        # No matching users, always enroll
+        if not matching_users.exists():
+            self._logger.debug("no matching users found, enrolling")
+            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
+
+        user = matching_users.first()
+        if self.source.user_matching_mode in [
+            SourceUserMatchingModes.EMAIL_LINK,
+            SourceUserMatchingModes.USERNAME_LINK,
+        ]:
+            new_connection.user = user
+            new_connection = self.update_user_connection(new_connection, **kwargs)
+            return Action.LINK, new_connection
+        if self.source.user_matching_mode in [
+            SourceUserMatchingModes.EMAIL_DENY,
+            SourceUserMatchingModes.USERNAME_DENY,
+        ]:
+            self._logger.info("denying source because user exists", user=user)
+            return Action.DENY, None
+        # Should never get here as default enroll case is returned above.
+        return Action.DENY, None  # pragma: no cover

    def update_user_connection(
        self, connection: UserSourceConnection, **kwargs
@ -277,6 +328,7 @@ class SourceFlowManager:
        connection: UserSourceConnection,
    ) -> HttpResponse:
        """Login user and redirect."""
+        flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
        return self._prepare_flow(
            self.source.authentication_flow,
            connection,
@ -290,11 +342,7 @@ class SourceFlowManager:
                    ),
                )
            ],
-            **{
-                PLAN_CONTEXT_PENDING_USER: connection.user,
-                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
-                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
-            },
+            **flow_kwargs,
        )

    def handle_existing_link(
@ -360,16 +408,74 @@ class SourceFlowManager:
 class GroupUpdateStage(StageView):
    """Dynamically injected stage which updates the user after enrollment/authentication."""

+    def get_action(
+        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, GroupSourceConnection | None]:
+        """decide which action should be taken"""
+        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
+
+        existing_connections = self.group_connection_type.objects.filter(
+            source=self.source, identifier=group_id
+        )
+        if existing_connections.exists():
+            return Action.LINK, existing_connections.first()
+        # No connection exists, but we match on identifier, so enroll
+        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
+            # We don't save the connection here cause it doesn't have a user assigned yet
+            return Action.ENROLL, new_connection
+
+        # Check for existing groups with matching attributes
+        query = Q()
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_LINK,
+            SourceGroupMatchingModes.NAME_DENY,
+        ]:
+            if not group_properties.get("name", None):
+                LOGGER.warning(
+                    "Refusing to use none group name", source=self.source, group_id=group_id
+                )
+                return Action.DENY, None
+            query = Q(name__exact=group_properties.get("name"))
+        LOGGER.debug(
+            "trying to link with existing group", source=self.source, query=query, group_id=group_id
+        )
+        matching_groups = Group.objects.filter(query)
+        # No matching groups, always enroll
+        if not matching_groups.exists():
+            LOGGER.debug(
+                "no matching groups found, enrolling", source=self.source, group_id=group_id
+            )
+            return Action.ENROLL, new_connection
+
+        group = matching_groups.first()
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_LINK,
+        ]:
+            new_connection.group = group
+            return Action.LINK, new_connection
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_DENY,
+        ]:
+            LOGGER.info(
+                "denying source because group exists",
+                source=self.source,
+                group=group,
+                group_id=group_id,
+            )
+            return Action.DENY, None
+        # Should never get here as default enroll case is returned above.
+        return Action.DENY, None  # pragma: no cover
+
    def handle_group(
        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
    ) -> Group | None:
-        action, connection = self.matcher.get_group_action(group_id, group_properties)
+        action, connection = self.get_action(group_id, group_properties)
        if action == Action.ENROLL:
            group = Group.objects.create(**group_properties)
            connection.group = group
            connection.save()
            return group
-        elif action in (Action.LINK, Action.AUTH):
+        elif action == Action.LINK:
            group = connection.group
            group.update_attributes(group_properties)
            connection.save()
@ -383,7 +489,6 @@ class GroupUpdateStage(StageView):
        self.group_connection_type: GroupSourceConnection = (
            self.executor.current_stage.group_connection_type
        )
-        self.matcher = SourceMatcher(self.source, None, self.group_connection_type)

        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
            PLAN_CONTEXT_SOURCE_GROUPS
--- a/authentik/core/sources/matcher.py
+++ b/authentik/core/sources/matcher.py
@ -1,152 +0,0 @@
-"""Source user and group matching"""
-
-from dataclasses import dataclass
-from enum import Enum
-from typing import Any
-
-from django.db.models import Q
-from structlog import get_logger
-
-from authentik.core.models import (
-    Group,
-    GroupSourceConnection,
-    Source,
-    SourceGroupMatchingModes,
-    SourceUserMatchingModes,
-    User,
-    UserSourceConnection,
-)
-
-
-class Action(Enum):
-    """Actions that can be decided based on the request and source settings"""
-
-    LINK = "link"
-    AUTH = "auth"
-    ENROLL = "enroll"
-    DENY = "deny"
-
-
-@dataclass
-class MatchableProperty:
-    property: str
-    link_mode: SourceUserMatchingModes | SourceGroupMatchingModes
-    deny_mode: SourceUserMatchingModes | SourceGroupMatchingModes
-
-
-class SourceMatcher:
-    def __init__(
-        self,
-        source: Source,
-        user_connection_type: type[UserSourceConnection],
-        group_connection_type: type[GroupSourceConnection],
-    ):
-        self.source = source
-        self.user_connection_type = user_connection_type
-        self.group_connection_type = group_connection_type
-        self._logger = get_logger().bind(source=self.source)
-
-    def get_action(
-        self,
-        object_type: type[User | Group],
-        matchable_properties: list[MatchableProperty],
-        identifier: str,
-        properties: dict[str, Any | dict[str, Any]],
-    ) -> tuple[Action, UserSourceConnection | GroupSourceConnection | None]:
-        connection_type = None
-        matching_mode = None
-        identifier_matching_mode = None
-        if object_type == User:
-            connection_type = self.user_connection_type
-            matching_mode = self.source.user_matching_mode
-            identifier_matching_mode = SourceUserMatchingModes.IDENTIFIER
-        if object_type == Group:
-            connection_type = self.group_connection_type
-            matching_mode = self.source.group_matching_mode
-            identifier_matching_mode = SourceGroupMatchingModes.IDENTIFIER
-        if not connection_type or not matching_mode or not identifier_matching_mode:
-            return Action.DENY, None
-
-        new_connection = connection_type(source=self.source, identifier=identifier)
-
-        existing_connections = connection_type.objects.filter(
-            source=self.source, identifier=identifier
-        )
-        if existing_connections.exists():
-            return Action.AUTH, existing_connections.first()
-        # No connection exists, but we match on identifier, so enroll
-        if matching_mode == identifier_matching_mode:
-            # We don't save the connection here cause it doesn't have a user/group assigned yet
-            return Action.ENROLL, new_connection
-
-        # Check for existing users with matching attributes
-        query = Q()
-        for matchable_property in matchable_properties:
-            property = matchable_property.property
-            if matching_mode in [matchable_property.link_mode, matchable_property.deny_mode]:
-                if not properties.get(property, None):
-                    self._logger.warning(
-                        "Refusing to use none property", identifier=identifier, property=property
-                    )
-                    return Action.DENY, None
-                query_args = {
-                    f"{property}__exact": properties[property],
-                }
-                query = Q(**query_args)
-        self._logger.debug(
-            "Trying to link with existing object", query=query, identifier=identifier
-        )
-        matching_objects = object_type.objects.filter(query)
-        # Not matching objects, always enroll
-        if not matching_objects.exists():
-            self._logger.debug("No matching objects found, enrolling")
-            return Action.ENROLL, new_connection
-
-        obj = matching_objects.first()
-        if matching_mode in [mp.link_mode for mp in matchable_properties]:
-            attr = None
-            if object_type == User:
-                attr = "user"
-            if object_type == Group:
-                attr = "group"
-            setattr(new_connection, attr, obj)
-            return Action.LINK, new_connection
-        if matching_mode in [mp.deny_mode for mp in matchable_properties]:
-            self._logger.info("Denying source because object exists", obj=obj)
-            return Action.DENY, None
-
-        # Should never get here as default enroll case is returned above.
-        return Action.DENY, None  # pragma: no cover
-
-    def get_user_action(
-        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
-    ) -> tuple[Action, UserSourceConnection | None]:
-        return self.get_action(
-            User,
-            [
-                MatchableProperty(
-                    "username",
-                    SourceUserMatchingModes.USERNAME_LINK,
-                    SourceUserMatchingModes.USERNAME_DENY,
-                ),
-                MatchableProperty(
-                    "email", SourceUserMatchingModes.EMAIL_LINK, SourceUserMatchingModes.EMAIL_DENY
-                ),
-            ],
-            identifier,
-            properties,
-        )
-
-    def get_group_action(
-        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
-    ) -> tuple[Action, GroupSourceConnection | None]:
-        return self.get_action(
-            Group,
-            [
-                MatchableProperty(
-                    "name", SourceGroupMatchingModes.NAME_LINK, SourceGroupMatchingModes.NAME_DENY
-                ),
-            ],
-            identifier,
-            properties,
-        )
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -15,8 +15,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
+        {% versioned_script "dist/poly-%v.js" %}
+        {% versioned_script "dist/standalone/loading/index-%v.js" %}
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -3,7 +3,7 @@
 {% load authentik_core %}

 {% block head %}
-<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/admin/AdminInterface-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/if/end_session.html
+++ b/authentik/core/templates/if/end_session.html
@ -0,0 +1,43 @@
+{% extends 'login/base_full.html' %}
+
+{% load static %}
+{% load i18n %}
+
+{% block title %}
+{% trans 'End session' %} - {{ brand.branding_title }}
+{% endblock %}
+
+{% block card_title %}
+{% blocktrans with application=application.name %}
+You've logged out of {{ application }}.
+{% endblocktrans %}
+{% endblock %}
+
+{% block card %}
+<form method="POST" class="pf-c-form">
+    <p>
+        {% blocktrans with application=application.name branding_title=brand.branding_title %}
+            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
+        {% endblocktrans %}
+    </p>
+
+    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
+        {% trans 'Go back to overview' %}
+    </a>
+
+    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
+        {% blocktrans with branding_title=brand.branding_title %}
+            Log out of {{ branding_title }}
+        {% endblocktrans %}
+    </a>
+
+    {% if application.get_launch_url %}
+    <a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
+        {% blocktrans with application=application.name %}
+            Log back into {{ application }}
+        {% endblocktrans %}
+    </a>
+    {% endif %}
+
+</form>
+{% endblock %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -3,7 +3,7 @@
 {% load authentik_core %}

 {% block head %}
-<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/user/UserInterface-%v.js" %}
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -2,6 +2,7 @@

 from django import template
 from django.templatetags.static import static as static_loader
+from django.utils.safestring import mark_safe

 from authentik import get_full_version

@ -11,4 +12,10 @@ register = template.Library()
@register.simple_tag()
 def versioned_script(path: str) -> str:
    """Wrapper around {% static %} tag that supports setting the version"""
-    return static_loader(path.replace("%v", get_full_version()))
+    returned_lines = [
+        (
+            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
+            '" type="module"></script>'
+        ),
+    ]
+    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider

@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
        self.user = create_test_admin_user()
        self.provider = OAuth2Provider.objects.create(
            name="test",
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
+            redirect_uris="http://some-other-domain",
            authorization_flow=create_test_flow(),
        )
        self.allowed: Application = Application.objects.create(
@ -134,7 +134,6 @@ class TestApplicationsAPI(APITestCase):
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
                            "authentication_flow": None,
-                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@ -187,7 +186,6 @@ class TestApplicationsAPI(APITestCase):
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
                            "authentication_flow": None,
-                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
--- a/authentik/core/tests/test_devices_api.py
+++ b/authentik/core/tests/test_devices_api.py
@ -1,59 +0,0 @@
-"""Test Devices API"""
-
-from json import loads
-
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
-
-
-class TestDevicesAPI(APITestCase):
-    """Test applications API"""
-
-    def setUp(self) -> None:
-        self.admin = create_test_admin_user()
-        self.user1 = create_test_user()
-        self.device1 = self.user1.staticdevice_set.create()
-        self.user2 = create_test_user()
-        self.device2 = self.user2.staticdevice_set.create()
-
-    def test_user_api(self):
-        """Test user API"""
-        self.client.force_login(self.user1)
-        response = self.client.get(
-            reverse(
-                "authentik_api:device-list",
-            )
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content.decode())
-        self.assertEqual(len(body), 1)
-        self.assertEqual(body[0]["pk"], str(self.device1.pk))
-
-    def test_user_api_as_admin(self):
-        """Test user API"""
-        self.client.force_login(self.admin)
-        response = self.client.get(
-            reverse(
-                "authentik_api:device-list",
-            )
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content.decode())
-        self.assertEqual(len(body), 0)
-
-    def test_admin_api(self):
-        """Test admin API"""
-        self.client.force_login(self.admin)
-        response = self.client.get(
-            reverse(
-                "authentik_api:admin-device-list",
-            )
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content.decode())
-        self.assertEqual(len(body), 2)
-        self.assertEqual(
-            {body[0]["pk"], body[1]["pk"]}, {str(self.device1.pk), str(self.device2.pk)}
-        )
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -29,8 +29,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
        )

        response = self.client.get(reverse("authentik_api:user-me"))
@ -45,27 +44,6 @@ class TestImpersonation(APITestCase):
        self.assertEqual(response_body["user"]["username"], self.user.username)
        self.assertNotIn("original", response_body)

-    def test_impersonate_global(self):
-        """Test impersonation with global permissions"""
-        new_user = create_test_user()
-        assign_perm("authentik_core.impersonate", new_user)
-        assign_perm("authentik_core.view_user", new_user)
-        self.client.force_login(new_user)
-
-        response = self.client.post(
-            reverse(
-                "authentik_api:user-impersonate",
-                kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
-        )
-        self.assertEqual(response.status_code, 201)
-
-        response = self.client.get(reverse("authentik_api:user-me"))
-        response_body = loads(response.content.decode())
-        self.assertEqual(response_body["user"]["username"], self.other_user.username)
-        self.assertEqual(response_body["original"]["username"], new_user.username)
-
    def test_impersonate_scoped(self):
        """Test impersonation with scoped permissions"""
        new_user = create_test_user()
@ -77,8 +55,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
        )
        self.assertEqual(response.status_code, 201)

@ -92,8 +69,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.other_user)

        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 403)

@ -109,8 +85,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)

        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
        )
        self.assertEqual(response.status_code, 401)

@ -123,22 +98,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)

        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
-        )
-        self.assertEqual(response.status_code, 401)
-
-        response = self.client.get(reverse("authentik_api:user-me"))
-        response_body = loads(response.content.decode())
-        self.assertEqual(response_body["user"]["username"], self.user.username)
-
-    def test_impersonate_reason_required(self):
-        """test impersonation that user must provide reason"""
-        self.client.force_login(self.user)
-
-        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": ""},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 401)

--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -81,22 +81,6 @@ class TestSourceFlowManager(TestCase):
            reverse("authentik_core:if-user") + "#/settings;page-sources",
        )

-    def test_authenticated_auth(self):
-        """Test authenticated user linking"""
-        user = User.objects.create(username="foo", email="foo@bar.baz")
-        UserOAuthSourceConnection.objects.create(
-            user=user, source=self.source, identifier=self.identifier
-        )
-        request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(
-            self.source, request, self.identifier, {"info": {}}, {}
-        )
-        action, connection = flow_manager.get_action()
-        self.assertEqual(action, Action.AUTH)
-        self.assertIsNotNone(connection.pk)
-        response = flow_manager.get_flow()
-        self.assertEqual(response.status_code, 302)
-
    def test_unauthenticated_link(self):
        """Test un-authenticated user linking"""
        flow_manager = OAuthSourceFlowManager(
--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -1,13 +1,11 @@
 """Test Transactional API"""

 from django.urls import reverse
-from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase

-from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider


@ -15,68 +13,12 @@ class TestTransactionalApplicationsAPI(APITestCase):
    """Test Transactional API"""

    def setUp(self) -> None:
-        self.user = create_test_user()
-        assign_perm("authentik_core.add_application", self.user)
-        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
+        self.user = create_test_admin_user()

    def test_create_transactional(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
        uid = generate_id()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                    "redirect_uris": [],
-                },
-            },
-        )
-        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
-        provider = OAuth2Provider.objects.filter(name=uid).first()
-        self.assertIsNotNone(provider)
-        app = Application.objects.filter(slug=uid).first()
-        self.assertIsNotNone(app)
-        self.assertEqual(app.provider.pk, provider.pk)
-
-    def test_create_transactional_permission_denied(self):
-        """Test transactional Application + provider creation (missing permissions)"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_saml.samlprovider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                    "acs_url": "https://goauthentik.io",
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
-        )
-
-    def test_create_transactional_bindings(self):
-        """Test transactional Application + provider creation"""
-        assign_perm("authentik_policies.add_policybinding", self.user)
-        self.client.force_login(self.user)
-        uid = generate_id()
-        group = Group.objects.create(name=generate_id())
        authorization_flow = create_test_flow()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
@ -89,10 +31,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
                "provider": {
                    "name": uid,
                    "authorization_flow": str(authorization_flow.pk),
-                    "invalidation_flow": str(authorization_flow.pk),
-                    "redirect_uris": [],
                },
-                "policy_bindings": [{"group": group.pk, "order": 0}],
            },
        )
        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
@ -101,10 +40,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
        app = Application.objects.filter(slug=uid).first()
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
-        binding = PolicyBinding.objects.filter(target=app).first()
-        self.assertIsNotNone(binding)
-        self.assertEqual(binding.target, app)
-        self.assertEqual(binding.group, group)

    def test_create_transactional_invalid(self):
        """Test transactional Application + provider creation"""
@ -121,46 +56,10 @@ class TestTransactionalApplicationsAPI(APITestCase):
                "provider": {
                    "name": uid,
                    "authorization_flow": "",
-                    "invalidation_flow": "",
-                    "redirect_uris": [],
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
-            {
-                "provider": {
-                    "authorization_flow": ["This field may not be null."],
-                    "invalidation_flow": ["This field may not be null."],
-                }
-            },
-        )
-
-    def test_create_transactional_duplicate_name_provider(self):
-        """Test transactional Application + provider creation"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        OAuth2Provider.objects.create(
-            name=uid,
-            authorization_flow=create_test_flow(),
-            invalidation_flow=create_test_flow(),
-        )
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": {"name": ["State is set to must_created and object exists already"]}},
+            {"provider": {"authorization_flow": ["This field may not be null."]}},
        )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -5,6 +5,7 @@ from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
+from django.views.decorators.csrf import ensure_csrf_cookie

 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@ -23,6 +24,7 @@ from authentik.core.views.interface import (
    InterfaceView,
    RootRedirectView,
 )
+from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
@ -43,21 +45,26 @@ urlpatterns = [
    # Interfaces
    path(
        "if/admin/",
-        BrandDefaultRedirectView.as_view(template_name="if/admin.html"),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
        name="if-admin",
    ),
    path(
        "if/user/",
-        BrandDefaultRedirectView.as_view(template_name="if/user.html"),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
        name="if-user",
    ),
    path(
        "if/flow/<slug:flow_slug>/",
        # FIXME: move this url to the flows app...also will cause all
        # of the reverse calls to be adjusted
-        FlowInterfaceView.as_view(),
+        ensure_csrf_cookie(FlowInterfaceView.as_view()),
        name="if-flow",
    ),
+    path(
+        "if/session-end/<slug:application_slug>/",
+        ensure_csrf_cookie(EndSessionView.as_view()),
+        name="if-session-end",
+    ),
    # Fallback for WS
    path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
    path(
--- a/authentik/core/views/session.py
+++ b/authentik/core/views/session.py
@ -0,0 +1,23 @@
+"""authentik Session Views"""
+
+from typing import Any
+
+from django.shortcuts import get_object_or_404
+from django.views.generic.base import TemplateView
+
+from authentik.core.models import Application
+from authentik.policies.views import PolicyAccessView
+
+
+class EndSessionView(TemplateView, PolicyAccessView):
+    """Allow the client to end the Session"""
+
+    template_name = "if/end_session.html"
+
+    def resolve_provider_application(self):
+        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        context = super().get_context_data(**kwargs)
+        context["application"] = self.application
+        return context
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -24,7 +24,6 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

@ -182,10 +181,7 @@ class CertificateDataSerializer(PassiveSerializer):
 class CertificateGenerationSerializer(PassiveSerializer):
    """Certificate generation parameters"""

-    common_name = CharField(
-        validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
-        source="name",
-    )
+    common_name = CharField()
    subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
    validity_days = IntegerField(initial=365)
    alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@ -246,10 +242,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def generate(self, request: Request) -> Response:
        """Generate a new, self-signed certificate-key pair"""
        data = CertificateGenerationSerializer(data=request.data)
-        data.is_valid(raise_exception=True)
+        if not data.is_valid():
+            return Response(data.errors, status=400)
        raw_san = data.validated_data.get("subject_alt_name", "")
        sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["name"])
+        builder = CertificateBuilder(data.validated_data["common_name"])
        builder.alg = data.validated_data["alg"]
        builder.build(
            subject_alt_names=sans,
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider


 class TestCrypto(APITestCase):
@ -89,17 +89,6 @@ class TestCrypto(APITestCase):
        self.assertIsInstance(ext[1], DNSName)
        self.assertEqual(ext[1].value, "baz")

-    def test_builder_api_duplicate(self):
-        """Test Builder (via API)"""
-        cert = create_test_cert()
-        self.client.force_login(create_test_admin_user())
-        res = self.client.post(
-            reverse("authentik_api:certificatekeypair-generate"),
-            data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
-
    def test_builder_api_empty_san(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
@ -274,7 +263,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
@ -306,7 +295,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
--- a/authentik/enterprise/providers/rac/api/providers.py
+++ b/authentik/enterprise/providers/rac/api/providers.py
@ -16,28 +16,13 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):

    class Meta:
        model = RACProvider
-        fields = [
-            "pk",
-            "name",
-            "authentication_flow",
-            "authorization_flow",
-            "property_mappings",
-            "component",
-            "assigned_application_slug",
-            "assigned_application_name",
-            "assigned_backchannel_application_slug",
-            "assigned_backchannel_application_name",
-            "verbose_name",
-            "verbose_name_plural",
-            "meta_model_name",
+        fields = ProviderSerializer.Meta.fields + [
            "settings",
            "outpost_set",
            "connection_expiry",
            "delete_token_on_disconnect",
        ]
-        extra_kwargs = {
-            "authorization_flow": {"required": True, "allow_null": False},
-        }
+        extra_kwargs = ProviderSerializer.Meta.extra_kwargs


 class RACProviderViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -3,7 +3,7 @@
 {% load authentik_core %}

 {% block head %}
-<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/enterprise/rac/index-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon }}">
--- a/authentik/enterprise/providers/rac/tests/test_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_api.py
@ -1,46 +0,0 @@
-"""Test RAC Provider"""
-
-from datetime import timedelta
-from time import mktime
-from unittest.mock import MagicMock, patch
-
-from django.urls import reverse
-from django.utils.timezone import now
-from rest_framework.test import APITestCase
-
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import License
-from authentik.lib.generators import generate_id
-
-
-class TestAPI(APITestCase):
-    """Test Provider API"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    def test_create(self):
-        """Test creation of RAC Provider"""
-        License.objects.create(key=generate_id())
-        self.client.force_login(self.user)
-        response = self.client.post(
-            reverse("authentik_api:racprovider-list"),
-            data={
-                "name": generate_id(),
-                "authorization_flow": create_test_flow().pk,
-            },
-        )
-        self.assertEqual(response.status_code, 201)
--- a/authentik/enterprise/providers/rac/urls.py
+++ b/authentik/enterprise/providers/rac/urls.py
@ -3,6 +3,7 @@
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.urls import path
+from django.views.decorators.csrf import ensure_csrf_cookie

 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
@ -18,12 +19,12 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
    path(
        "application/rac/<slug:app>/<uuid:endpoint>/",
-        RACStartView.as_view(),
+        ensure_csrf_cookie(RACStartView.as_view()),
        name="start",
    ),
    path(
        "if/rac/<str:token>/",
-        RACInterface.as_view(),
+        ensure_csrf_cookie(RACInterface.as_view()),
        name="if-rac",
    ),
 ]
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -17,7 +17,6 @@ TENANT_APPS = [
    "authentik.enterprise.providers.google_workspace",
    "authentik.enterprise.providers.microsoft_entra",
    "authentik.enterprise.providers.rac",
-    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.source",
 ]

--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@ -1,82 +0,0 @@
-"""AuthenticatorEndpointGDTCStage API Views"""
-
-from django_filters.rest_framework.backends import DjangoFilterBackend
-from rest_framework import mixins
-from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework.permissions import IsAdminUser
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import GenericViewSet, ModelViewSet
-from structlog.stdlib import get_logger
-
-from authentik.api.authorization import OwnerFilter, OwnerPermissions
-from authentik.core.api.used_by import UsedByMixin
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
-    AuthenticatorEndpointGDTCStage,
-    EndpointDevice,
-)
-from authentik.flows.api.stages import StageSerializer
-
-LOGGER = get_logger()
-
-
-class AuthenticatorEndpointGDTCStageSerializer(EnterpriseRequiredMixin, StageSerializer):
-    """AuthenticatorEndpointGDTCStage Serializer"""
-
-    class Meta:
-        model = AuthenticatorEndpointGDTCStage
-        fields = StageSerializer.Meta.fields + [
-            "configure_flow",
-            "friendly_name",
-            "credentials",
-        ]
-
-
-class AuthenticatorEndpointGDTCStageViewSet(UsedByMixin, ModelViewSet):
-    """AuthenticatorEndpointGDTCStage Viewset"""
-
-    queryset = AuthenticatorEndpointGDTCStage.objects.all()
-    serializer_class = AuthenticatorEndpointGDTCStageSerializer
-    filterset_fields = [
-        "name",
-        "configure_flow",
-    ]
-    search_fields = ["name"]
-    ordering = ["name"]
-
-
-class EndpointDeviceSerializer(ModelSerializer):
-    """Serializer for Endpoint authenticator devices"""
-
-    class Meta:
-        model = EndpointDevice
-        fields = ["pk", "name"]
-        depth = 2
-
-
-class EndpointDeviceViewSet(
-    mixins.RetrieveModelMixin,
-    mixins.ListModelMixin,
-    UsedByMixin,
-    GenericViewSet,
-):
-    """Viewset for Endpoint authenticator devices"""
-
-    queryset = EndpointDevice.objects.all()
-    serializer_class = EndpointDeviceSerializer
-    search_fields = ["name"]
-    filterset_fields = ["name"]
-    ordering = ["name"]
-    permission_classes = [OwnerPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-
-
-class EndpointAdminDeviceViewSet(ModelViewSet):
-    """Viewset for Endpoint authenticator devices (for admins)"""
-
-    permission_classes = [IsAdminUser]
-    queryset = EndpointDevice.objects.all()
-    serializer_class = EndpointDeviceSerializer
-    search_fields = ["name"]
-    filterset_fields = ["name"]
-    ordering = ["name"]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py
@ -1,13 +0,0 @@
-"""authentik Endpoint app config"""
-
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikStageAuthenticatorEndpointConfig(EnterpriseConfig):
-    """authentik endpoint config"""
-
-    name = "authentik.enterprise.stages.authenticator_endpoint_gdtc"
-    label = "authentik_stages_authenticator_endpoint_gdtc"
-    verbose_name = "authentik Enterprise.Stages.Authenticator.Endpoint GDTC"
-    default = True
-    mountpoint = "endpoint/gdtc/"
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py
@ -1,115 +0,0 @@
-# Generated by Django 5.0.9 on 2024-10-22 11:40
-
-import django.db.models.deletion
-import uuid
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_flows", "0027_auto_20231028_1424"),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="AuthenticatorEndpointGDTCStage",
-            fields=[
-                (
-                    "stage_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_flows.stage",
-                    ),
-                ),
-                ("friendly_name", models.TextField(null=True)),
-                ("credentials", models.JSONField()),
-                (
-                    "configure_flow",
-                    models.ForeignKey(
-                        blank=True,
-                        help_text="Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.",
-                        null=True,
-                        on_delete=django.db.models.deletion.SET_NULL,
-                        to="authentik_flows.flow",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Endpoint Authenticator Google Device Trust Connector Stage",
-                "verbose_name_plural": "Endpoint Authenticator Google Device Trust Connector Stages",
-            },
-            bases=("authentik_flows.stage", models.Model),
-        ),
-        migrations.CreateModel(
-            name="EndpointDevice",
-            fields=[
-                ("created", models.DateTimeField(auto_now_add=True)),
-                ("last_updated", models.DateTimeField(auto_now=True)),
-                (
-                    "name",
-                    models.CharField(
-                        help_text="The human-readable name of this device.", max_length=64
-                    ),
-                ),
-                (
-                    "confirmed",
-                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
-                ),
-                ("last_used", models.DateTimeField(null=True)),
-                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                (
-                    "host_identifier",
-                    models.TextField(
-                        help_text="A unique identifier for the endpoint device, usually the device serial number",
-                        unique=True,
-                    ),
-                ),
-                ("data", models.JSONField()),
-                (
-                    "user",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Endpoint Device",
-                "verbose_name_plural": "Endpoint Devices",
-            },
-        ),
-        migrations.CreateModel(
-            name="EndpointDeviceConnection",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
-                    ),
-                ),
-                ("attributes", models.JSONField()),
-                (
-                    "device",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="authentik_stages_authenticator_endpoint_gdtc.endpointdevice",
-                    ),
-                ),
-                (
-                    "stage",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
-                    ),
-                ),
-            ],
-        ),
-    ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/init.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/init.py
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
@ -1,101 +0,0 @@
-"""Endpoint stage"""
-
-from uuid import uuid4
-
-from django.contrib.auth import get_user_model
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-from google.oauth2.service_account import Credentials
-from rest_framework.serializers import BaseSerializer, Serializer
-
-from authentik.core.types import UserSettingSerializer
-from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
-from authentik.flows.stage import StageView
-from authentik.lib.models import SerializerModel
-from authentik.stages.authenticator.models import Device
-
-
-class AuthenticatorEndpointGDTCStage(ConfigurableStage, FriendlyNamedStage, Stage):
-    """Setup Google Chrome Device-trust connection"""
-
-    credentials = models.JSONField()
-
-    def google_credentials(self):
-        return {
-            "credentials": Credentials.from_service_account_info(
-                self.credentials, scopes=["https://www.googleapis.com/auth/verifiedaccess"]
-            ),
-        }
-
-    @property
-    def serializer(self) -> type[BaseSerializer]:
-        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
-            AuthenticatorEndpointGDTCStageSerializer,
-        )
-
-        return AuthenticatorEndpointGDTCStageSerializer
-
-    @property
-    def view(self) -> type[StageView]:
-        from authentik.enterprise.stages.authenticator_endpoint_gdtc.stage import (
-            AuthenticatorEndpointStageView,
-        )
-
-        return AuthenticatorEndpointStageView
-
-    @property
-    def component(self) -> str:
-        return "ak-stage-authenticator-endpoint-gdtc-form"
-
-    def ui_user_settings(self) -> UserSettingSerializer | None:
-        return UserSettingSerializer(
-            data={
-                "title": self.friendly_name or str(self._meta.verbose_name),
-                "component": "ak-user-settings-authenticator-endpoint",
-            }
-        )
-
-    def __str__(self) -> str:
-        return f"Endpoint Authenticator Google Device Trust Connector Stage {self.name}"
-
-    class Meta:
-        verbose_name = _("Endpoint Authenticator Google Device Trust Connector Stage")
-        verbose_name_plural = _("Endpoint Authenticator Google Device Trust Connector Stages")
-
-
-class EndpointDevice(SerializerModel, Device):
-    """Endpoint Device for a single user"""
-
-    uuid = models.UUIDField(primary_key=True, default=uuid4)
-    host_identifier = models.TextField(
-        unique=True,
-        help_text="A unique identifier for the endpoint device, usually the device serial number",
-    )
-
-    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
-    data = models.JSONField()
-
-    @property
-    def serializer(self) -> Serializer:
-        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
-            EndpointDeviceSerializer,
-        )
-
-        return EndpointDeviceSerializer
-
-    def __str__(self):
-        return str(self.name) or str(self.user_id)
-
-    class Meta:
-        verbose_name = _("Endpoint Device")
-        verbose_name_plural = _("Endpoint Devices")
-
-
-class EndpointDeviceConnection(models.Model):
-    device = models.ForeignKey(EndpointDevice, on_delete=models.CASCADE)
-    stage = models.ForeignKey(AuthenticatorEndpointGDTCStage, on_delete=models.CASCADE)
-
-    attributes = models.JSONField()
-
-    def __str__(self) -> str:
-        return f"Endpoint device connection {self.device_id} to {self.stage_id}"
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
@ -1,32 +0,0 @@
-from django.http import HttpResponse
-from django.urls import reverse
-from django.utils.translation import gettext_lazy as _
-
-from authentik.flows.challenge import (
-    Challenge,
-    ChallengeResponse,
-    FrameChallenge,
-    FrameChallengeResponse,
-)
-from authentik.flows.stage import ChallengeStageView
-
-
-class AuthenticatorEndpointStageView(ChallengeStageView):
-    """Endpoint stage"""
-
-    response_class = FrameChallengeResponse
-
-    def get_challenge(self, *args, **kwargs) -> Challenge:
-        return FrameChallenge(
-            data={
-                "component": "xak-flow-frame",
-                "url": self.request.build_absolute_uri(
-                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
-                ),
-                "loading_overlay": True,
-                "loading_text": _("Verifying your browser..."),
-            }
-        )
-
-    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
-        return self.executor.stage_ok()
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/templates/stages/authenticator_endpoint/google_chrome_dtc.html
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/templates/stages/authenticator_endpoint/google_chrome_dtc.html
@ -1,9 +0,0 @@
-<html>
-<script>
-  window.parent.postMessage({
-    message: "submit",
-    source: "goauthentik.io",
-    context: "flow-executor"
-  });
-</script>
-</html>
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/urls.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/urls.py
@ -1,26 +0,0 @@
-"""API URLs"""
-
-from django.urls import path
-
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
-    AuthenticatorEndpointGDTCStageViewSet,
-    EndpointAdminDeviceViewSet,
-    EndpointDeviceViewSet,
-)
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.views.dtc import (
-    GoogleChromeDeviceTrustConnector,
-)
-
-urlpatterns = [
-    path("chrome/", GoogleChromeDeviceTrustConnector.as_view(), name="chrome"),
-]
-
-api_urlpatterns = [
-    ("authenticators/endpoint", EndpointDeviceViewSet),
-    (
-        "authenticators/admin/endpoint",
-        EndpointAdminDeviceViewSet,
-        "admin-endpointdevice",
-    ),
-    ("stages/authenticator/endpoint_gdtc", AuthenticatorEndpointGDTCStageViewSet),
-]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/init.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/init.py
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
@ -1,84 +0,0 @@
-from json import dumps, loads
-from typing import Any
-
-from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
-from django.template.response import TemplateResponse
-from django.urls import reverse
-from django.views import View
-from googleapiclient.discovery import build
-
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
-    AuthenticatorEndpointGDTCStage,
-    EndpointDevice,
-    EndpointDeviceConnection,
-)
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
-
-# Header we get from chrome that initiates verified access
-HEADER_DEVICE_TRUST = "X-Device-Trust"
-# Header we send to the client with the challenge
-HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
-# Header we get back from the client that we verify with google
-HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
-# Header value for x-device-trust that initiates the flow
-DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
-
-
-class GoogleChromeDeviceTrustConnector(View):
-    """Google Chrome Device-trust connector based endpoint authenticator"""
-
-    def get_flow_plan(self) -> FlowPlan:
-        flow_plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
-        return flow_plan
-
-    def setup(self, request: HttpRequest, *args: Any, **kwargs: Any) -> None:
-        super().setup(request, *args, **kwargs)
-        stage: AuthenticatorEndpointGDTCStage = self.get_flow_plan().bindings[0].stage
-        self.google_client = build(
-            "verifiedaccess",
-            "v2",
-            cache_discovery=False,
-            **stage.google_credentials(),
-        )
-
-    def get(self, request: HttpRequest) -> HttpResponse:
-        x_device_trust = request.headers.get(HEADER_DEVICE_TRUST)
-        x_access_challenge_response = request.headers.get(HEADER_ACCESS_CHALLENGE_RESPONSE)
-        if x_device_trust == "VerifiedAccess" and x_access_challenge_response is None:
-            challenge = self.google_client.challenge().generate().execute()
-            res = HttpResponseRedirect(
-                self.request.build_absolute_uri(
-                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
-                )
-            )
-            res[HEADER_ACCESS_CHALLENGE] = dumps(challenge)
-            return res
-        if x_access_challenge_response:
-            response = (
-                self.google_client.challenge()
-                .verify(body=loads(x_access_challenge_response))
-                .execute()
-            )
-            # Remove deprecated string representation of deviceSignals
-            response.pop("deviceSignal", None)
-            flow_plan: FlowPlan = self.get_flow_plan()
-            device, _ = EndpointDevice.objects.update_or_create(
-                host_identifier=response["deviceSignals"]["serialNumber"],
-                user=flow_plan.context.get(PLAN_CONTEXT_PENDING_USER),
-                defaults={"name": response["deviceSignals"]["hostname"], "data": response},
-            )
-            EndpointDeviceConnection.objects.update_or_create(
-                device=device,
-                stage=flow_plan.bindings[0].stage,
-                defaults={
-                    "attributes": response,
-                },
-            )
-            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD, "trusted_endpoint")
-            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
-            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS].setdefault("endpoints", [])
-            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS]["endpoints"].append(response)
-            request.session[SESSION_KEY_PLAN] = flow_plan
-        return TemplateResponse(request, "stages/authenticator_endpoint/google_chrome_dtc.html")
--- a/authentik/events/context_processors/asn.py
+++ b/authentik/events/context_processors/asn.py
@ -50,7 +50,7 @@ class ASNContextProcessor(MMDBContextProcessor):
        """Wrapper for Reader.asn"""
        with start_span(
            op="authentik.events.asn.asn",
-            name=ip_address,
+            description=ip_address,
        ):
            if not self.configured():
                return None
--- a/authentik/events/context_processors/geoip.py
+++ b/authentik/events/context_processors/geoip.py
@ -51,7 +51,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
        """Wrapper for Reader.city"""
        with start_span(
            op="authentik.events.geo.city",
-            name=ip_address,
+            description=ip_address,
        ):
            if not self.configured():
                return None
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -60,7 +60,7 @@ def default_event_duration():
    """Default duration an Event is saved.
    This is used as a fallback when no brand is available"""
    try:
-        tenant = get_current_tenant(only=["event_retention"])
+        tenant = get_current_tenant()
        return now() + timedelta_from_string(tenant.event_retention)
    except Tenant.DoesNotExist:
        return now() + timedelta(days=365)
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -1,16 +1,13 @@
 """authentik events signal listener"""

-from importlib import import_module
 from typing import Any

-from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
-from rest_framework.request import Request

-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.core.signals import login_failed, password_changed
 from authentik.events.apps import SYSTEM_TASK_STATUS
 from authentik.events.models import Event, EventAction, SystemTask
@ -26,7 +23,6 @@ from authentik.stages.user_write.signals import user_write
 from authentik.tenants.utils import get_current_tenant

 SESSION_LOGIN_EVENT = "login_event"
-_session_engine = import_module(settings.SESSION_ENGINE)


@receiver(user_logged_in)
@ -47,20 +43,11 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
            kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST]
    event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
    request.session[SESSION_LOGIN_EVENT] = event
-    request.session.save()


-def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | None) -> Event | None:
+def get_login_event(request: HttpRequest) -> Event | None:
    """Wrapper to get login event that can be mocked in tests"""
-    session = None
-    if not request_or_session:
-        return None
-    if isinstance(request_or_session, HttpRequest | Request):
-        session = request_or_session.session
-    if isinstance(request_or_session, AuthenticatedSession):
-        SessionStore = _session_engine.SessionStore
-        session = SessionStore(request_or_session.session_key)
-    return session.get(SESSION_LOGIN_EVENT, None)
+    return request.session.get(SESSION_LOGIN_EVENT, None)


@receiver(user_logged_out)
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -8,7 +8,7 @@ from uuid import UUID
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
-from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
+from rest_framework.fields import CharField, ChoiceField, DictField
 from rest_framework.request import Request

 from authentik.core.api.utils import PassiveSerializer
@ -110,21 +110,8 @@ class FlowErrorChallenge(Challenge):
 class AccessDeniedChallenge(WithUserInfoChallenge):
    """Challenge when a flow's active stage calls `stage_invalid()`."""

-    component = CharField(default="ak-stage-access-denied")
-
    error_message = CharField(required=False)
-
-
-class SessionEndChallenge(WithUserInfoChallenge):
-    """Challenge for ending a session"""
-
-    component = CharField(default="ak-stage-session-end")
-
-    application_name = CharField(required=False)
-    application_launch_url = CharField(required=False)
-
-    invalidation_flow_url = CharField(required=False)
-    brand_name = CharField(required=True)
+    component = CharField(default="ak-stage-access-denied")


 class PermissionDict(TypedDict):
@ -160,20 +147,6 @@ class AutoSubmitChallengeResponse(ChallengeResponse):
    component = CharField(default="ak-stage-autosubmit")


-class FrameChallenge(Challenge):
-    """Challenge type to render a frame"""
-
-    component = CharField(default="xak-flow-frame")
-    url = CharField()
-    loading_overlay = BooleanField(default=False)
-    loading_text = CharField()
-
-
-class FrameChallengeResponse(ChallengeResponse):
-
-    component = CharField(default="xak-flow-frame")
-
-
 class DataclassEncoder(DjangoJSONEncoder):
    """Convert any dataclass to json"""

--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -6,18 +6,20 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor


 def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from guardian.conf import settings as guardian_settings
+    from guardian.shortcuts import get_anonymous_user

    Flow = apps.get_model("authentik_flows", "Flow")
    User = apps.get_model("authentik_core", "User")

    db_alias = schema_editor.connection.alias

-    users = (
-        User.objects.using(db_alias)
-        .exclude(username="akadmin")
-        .exclude(username=guardian_settings.ANONYMOUS_USER_NAME)
-    )
+    users = User.objects.using(db_alias).exclude(username="akadmin")
+    try:
+        users = users.exclude(pk=get_anonymous_user().pk)
+
+    except Exception:  # nosec
+        pass
+
    if users.exists():
        Flow.objects.using(db_alias).filter(slug="initial-setup").update(
            authentication="require_superuser"
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -107,9 +107,7 @@ class Stage(SerializerModel):


 def in_memory_stage(view: type["StageView"], **kwargs) -> Stage:
-    """Creates an in-memory stage instance, based on a `view` as view.
-    Any key-word arguments are set as attributes on the stage object,
-    accessible via `self.executor.current_stage`."""
+    """Creates an in-memory stage instance, based on a `view` as view."""
    stage = Stage()
    # Because we can't pickle a locally generated function,
    # we set the view as a separate property and reference a generic function
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -166,7 +166,7 @@ class FlowPlanner:
    def plan(self, request: HttpRequest, default_context: dict[str, Any] | None = None) -> FlowPlan:
        """Check each of the flows' policies, check policies for each stage with PolicyBinding
        and return ordered list"""
-        with start_span(op="authentik.flow.planner.plan", name=self.flow.slug) as span:
+        with start_span(op="authentik.flow.planner.plan", description=self.flow.slug) as span:
            span: Span
            span.set_data("flow", self.flow)
            span.set_data("request", request)
@ -233,7 +233,7 @@ class FlowPlanner:
        with (
            start_span(
                op="authentik.flow.planner.build_plan",
-                name=self.flow.slug,
+                description=self.flow.slug,
            ) as span,
            HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug).time(),
        ):
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -13,7 +13,7 @@ from rest_framework.request import Request
 from sentry_sdk import start_span
 from structlog.stdlib import BoundLogger, get_logger

-from authentik.core.models import Application, User
+from authentik.core.models import User
 from authentik.flows.challenge import (
    AccessDeniedChallenge,
    Challenge,
@ -21,7 +21,6 @@ from authentik.flows.challenge import (
    ContextualFlowInfo,
    HttpChallengeResponse,
    RedirectChallenge,
-    SessionEndChallenge,
    WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import StageInvalidException
@ -126,7 +125,7 @@ class ChallengeStageView(StageView):
            with (
                start_span(
                    op="authentik.flow.stage.challenge_invalid",
-                    name=self.__class__.__name__,
+                    description=self.__class__.__name__,
                ),
                HIST_FLOWS_STAGE_TIME.labels(
                    stage_type=self.__class__.__name__, method="challenge_invalid"
@ -136,7 +135,7 @@ class ChallengeStageView(StageView):
        with (
            start_span(
                op="authentik.flow.stage.challenge_valid",
-                name=self.__class__.__name__,
+                description=self.__class__.__name__,
            ),
            HIST_FLOWS_STAGE_TIME.labels(
                stage_type=self.__class__.__name__, method="challenge_valid"
@ -162,7 +161,7 @@ class ChallengeStageView(StageView):
        with (
            start_span(
                op="authentik.flow.stage.get_challenge",
-                name=self.__class__.__name__,
+                description=self.__class__.__name__,
            ),
            HIST_FLOWS_STAGE_TIME.labels(
                stage_type=self.__class__.__name__, method="get_challenge"
@ -175,7 +174,7 @@ class ChallengeStageView(StageView):
                return self.executor.stage_invalid()
        with start_span(
            op="authentik.flow.stage._get_challenge",
-            name=self.__class__.__name__,
+            description=self.__class__.__name__,
        ):
            if not hasattr(challenge, "initial_data"):
                challenge.initial_data = {}
@ -231,7 +230,7 @@ class ChallengeStageView(StageView):
        return HttpChallengeResponse(challenge_response)


-class AccessDeniedStage(ChallengeStageView):
+class AccessDeniedChallengeView(ChallengeStageView):
    """Used internally by FlowExecutor's stage_invalid()"""

    error_message: str | None
@ -269,31 +268,3 @@ class RedirectStage(ChallengeStageView):

    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        return HttpChallengeResponse(self.get_challenge())
-
-
-class SessionEndStage(ChallengeStageView):
-    """Stage inserted when a flow is used as invalidation flow. By default shows actions
-    that the user is likely to take after signing out of a provider."""
-
-    def get_challenge(self, *args, **kwargs) -> Challenge:
-        application: Application | None = self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION)
-        data = {
-            "component": "ak-stage-session-end",
-            "brand_name": self.request.brand.branding_title,
-        }
-        if application:
-            data["application_name"] = application.name
-            data["application_launch_url"] = application.get_launch_url(self.get_pending_user())
-        if self.request.brand.flow_invalidation:
-            data["invalidation_flow_url"] = reverse(
-                "authentik_core:if-flow",
-                kwargs={
-                    "flow_slug": self.request.brand.flow_invalidation.slug,
-                },
-            )
-        return SessionEndChallenge(data=data)
-
-    # This can never be reached since this challenge is created on demand and only the
-    # .get() method is called
-    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:  # pragma: no cover
-        return self.executor.cancel()
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -18,7 +18,7 @@ window.authentik.flow = {
 {% endblock %}

 {% block head %}
-<script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/flow/FlowInterface-%v.js" %}
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -46,7 +46,6 @@ class TestFlowInspector(APITestCase):
            res.content,
            {
                "allow_show_password": False,
-                "captcha_stage": None,
                "component": "ak-stage-identification",
                "flow_info": {
                    "background": flow.background_url,
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -54,7 +54,7 @@ from authentik.flows.planner import (
    FlowPlan,
    FlowPlanner,
 )
-from authentik.flows.stage import AccessDeniedStage, StageView
+from authentik.flows.stage import AccessDeniedChallengeView, StageView
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
@ -153,7 +153,7 @@ class FlowExecutorView(APIView):
        return plan

    def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
-        with start_span(op="authentik.flow.executor.dispatch", name=self.flow.slug) as span:
+        with start_span(op="authentik.flow.executor.dispatch", description=self.flow.slug) as span:
            span.set_data("authentik Flow", self.flow.slug)
            get_params = QueryDict(request.GET.get(QS_QUERY, ""))
            if QS_KEY_TOKEN in get_params:
@ -273,7 +273,7 @@ class FlowExecutorView(APIView):
            with (
                start_span(
                    op="authentik.flow.executor.stage",
-                    name=class_path,
+                    description=class_path,
                ) as span,
                HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                    method=request.method.upper(),
@ -324,7 +324,7 @@ class FlowExecutorView(APIView):
            with (
                start_span(
                    op="authentik.flow.executor.stage",
-                    name=class_path,
+                    description=class_path,
                ) as span,
                HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                    method=request.method.upper(),
@ -441,7 +441,7 @@ class FlowExecutorView(APIView):
            )
            return self.restart_flow(keep_context)
        self.cancel()
-        challenge_view = AccessDeniedStage(self, error_message)
+        challenge_view = AccessDeniedChallengeView(self, error_message)
        challenge_view.request = self.request
        return to_stage_response(self.request, challenge_view.get(self.request))

--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -1,4 +1,4 @@
-# update website/docs/install-config/configuration/configuration.mdx
+# update website/docs/installation/configuration.mdx
 # This is the default configuration file
 postgresql:
  host: localhost
@ -105,10 +105,6 @@ ldap:
  tls:
    ciphers: null

-sources:
-  kerberos:
-    task_timeout_hours: 2
-
 reputation:
  expiry: 86400

--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -21,14 +21,7 @@ class DebugSession(Session):

    def send(self, req: PreparedRequest, *args, **kwargs):
        request_id = str(uuid4())
-        LOGGER.debug(
-            "HTTP request sent",
-            uid=request_id,
-            url=req.url,
-            method=req.method,
-            headers=req.headers,
-            body=req.body,
-        )
+        LOGGER.debug("HTTP request sent", uid=request_id, path=req.path_url, headers=req.headers)
        resp = super().send(req, *args, **kwargs)
        LOGGER.debug(
            "HTTP response received",
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 class OutpostConfig:
    """Configuration an outpost uses to configure it self"""

-    # update website/docs/add-secure-apps/outposts/_config.md
+    # update website/docs/outposts/_config.md

    authentik_host: str = ""
    authentik_host_insecure: bool = False
--- a/authentik/policies/engine.py
+++ b/authentik/policies/engine.py
@ -113,7 +113,7 @@ class PolicyEngine:
        with (
            start_span(
                op="authentik.policy.engine.build",
-                name=self.__pbm,
+                description=self.__pbm,
            ) as span,
            HIST_POLICIES_ENGINE_TOTAL_TIME.labels(
                obj_type=class_to_path(self.__pbm.__class__),
--- a/authentik/policies/event_matcher/models.py
+++ b/authentik/policies/event_matcher/models.py
@ -108,7 +108,7 @@ class EventMatcherPolicy(Policy):
                result=result,
            )
            matches.append(result)
-        passing = all(x.passing for x in matches)
+        passing = any(x.passing for x in matches)
        messages = chain(*[x.messages for x in matches])
        result = PolicyResult(passing, *messages)
        result.source_results = matches
--- a/authentik/policies/event_matcher/tests.py
+++ b/authentik/policies/event_matcher/tests.py
@ -77,24 +77,11 @@ class TestEventMatcherPolicy(TestCase):
        request = PolicyRequest(get_anonymous_user())
        request.context["event"] = event
        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
-            client_ip="1.2.3.5", app="foo"
+            client_ip="1.2.3.5", app="bar"
        )
        response = policy.passes(request)
        self.assertFalse(response.passing)

-    def test_multiple(self):
-        """Test multiple"""
-        event = Event.new(EventAction.LOGIN)
-        event.app = "foo"
-        event.client_ip = "1.2.3.4"
-        request = PolicyRequest(get_anonymous_user())
-        request.context["event"] = event
-        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
-            client_ip="1.2.3.4", app="foo"
-        )
-        response = policy.passes(request)
-        self.assertTrue(response.passing)
-
    def test_invalid(self):
        """Test passing event"""
        request = PolicyRequest(get_anonymous_user())
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -89,10 +89,6 @@ class PasswordPolicy(Policy):

    def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
        """Check static rules"""
-        error_message = self.error_message
-        if error_message == "":
-            error_message = _("Invalid password.")
-
        if len(password) < self.length_min:
            LOGGER.debug("password failed", check="static", reason="length")
            return PolicyResult(False, self.error_message)
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -87,7 +87,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):

    application_slug = SerializerMethodField()
    bind_flow_slug = CharField(source="authorization_flow.slug")
-    unbind_flow_slug = SerializerMethodField()

    def get_application_slug(self, instance: LDAPProvider) -> str:
        """Prioritise backchannel slug over direct application slug"""
@ -95,16 +94,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
            return instance.backchannel_application.slug
        return instance.application.slug

-    def get_unbind_flow_slug(self, instance: LDAPProvider) -> str | None:
-        """Get slug for unbind flow, defaulting to brand's default flow."""
-        flow = instance.invalidation_flow
-        if not flow and "request" in self.context:
-            request = self.context.get("request")
-            flow = request.brand.flow_invalidation
-        if not flow:
-            return None
-        return flow.slug
-
    class Meta:
        model = LDAPProvider
        fields = [
@ -112,7 +101,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
            "name",
            "base_dn",
            "bind_flow_slug",
-            "unbind_flow_slug",
            "application_slug",
            "certificate",
            "tls_server_name",
@ -159,10 +147,7 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
        access_response = PolicyResult(result.passing)
        response = self.LDAPCheckAccessSerializer(
            instance={
-                "has_search_permission": (
-                    request.user.has_perm("search_full_directory", provider)
-                    or request.user.has_perm("authentik_providers_ldap.search_full_directory")
-                ),
+                "has_search_permission": request.user.has_perm("search_full_directory", provider),
                "access": access_response,
            }
        )
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -1,18 +1,15 @@
 """OAuth2Provider API Views"""

 from copy import copy
-from re import compile
-from re import error as RegexError

 from django.urls import reverse
 from django.utils import timezone
-from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField
+from rest_framework.fields import CharField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -23,39 +20,13 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
 from authentik.core.models import Provider
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    OAuth2Provider,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
 from authentik.rbac.decorators import permission_required


-class RedirectURISerializer(PassiveSerializer):
-    """A single allowed redirect URI entry"""
-
-    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
-    url = CharField()
-
-
 class OAuth2ProviderSerializer(ProviderSerializer):
    """OAuth2Provider Serializer"""

-    redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
-
-    def validate_redirect_uris(self, data: list) -> list:
-        for entry in data:
-            if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
-                url = entry.get("url")
-                try:
-                    compile(url)
-                except RegexError:
-                    raise ValidationError(
-                        _("Invalid Regex Pattern: {url}".format(url=url))
-                    ) from None
-        return data
-
    class Meta:
        model = OAuth2Provider
        fields = ProviderSerializer.Meta.fields + [
@ -68,7 +39,6 @@ class OAuth2ProviderSerializer(ProviderSerializer):
            "refresh_token_validity",
            "include_claims_in_id_token",
            "signing_key",
-            "encryption_key",
            "redirect_uris",
            "sub_mode",
            "property_mappings",
@ -108,6 +78,7 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
        "refresh_token_validity",
        "include_claims_in_id_token",
        "signing_key",
+        "redirect_uris",
        "sub_mode",
        "property_mappings",
        "issuer_mode",
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from authentik.events.models import Event, EventAction
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.views import bad_request_message
-from authentik.providers.oauth2.models import GrantTypes, RedirectURI
+from authentik.providers.oauth2.models import GrantTypes


 class OAuth2Error(SentryIgnoredException):
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
    )

    provided_uri: str
-    allowed_uris: list[RedirectURI]
+    allowed_uris: list[str]

-    def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
+    def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
        super().__init__()
        self.provided_uri = provided_uri
        self.allowed_uris = allowed_uris
--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@ -1,7 +1,6 @@
 """id_token utils"""

 from dataclasses import asdict, dataclass, field
-from hashlib import sha256
 from typing import TYPE_CHECKING, Any

 from django.db import models
@ -24,13 +23,8 @@ if TYPE_CHECKING:
    from authentik.providers.oauth2.models import BaseGrantModel, OAuth2Provider


-def hash_session_key(session_key: str) -> str:
-    """Hash the session key for inclusion in JWTs as `sid`"""
-    return sha256(session_key.encode("ascii")).hexdigest()
-
-
 class SubModes(models.TextChoices):
-    """Mode after which 'sub' attribute is generated, for compatibility reasons"""
+    """Mode after which 'sub' attribute is generateed, for compatibility reasons"""

    HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID")
    USER_ID = "user_id", _("Based on user ID")
@ -57,8 +51,7 @@ class IDToken:
    and potentially other requested Claims. The ID Token is represented as a
    JSON Web Token (JWT) [JWT].

-    https://openid.net/specs/openid-connect-core-1_0.html#IDToken
-    https://www.iana.org/assignments/jwt/jwt.xhtml"""
+    https://openid.net/specs/openid-connect-core-1_0.html#IDToken"""

    # Issuer, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.1
    iss: str | None = None
@ -86,8 +79,6 @@ class IDToken:
    nonce: str | None = None
    # Access Token hash value, http://openid.net/specs/openid-connect-core-1_0.html
    at_hash: str | None = None
-    # Session ID, https://openid.net/specs/openid-connect-frontchannel-1_0.html#ClaimsContents
-    sid: str | None = None

    claims: dict[str, Any] = field(default_factory=dict)

@ -125,11 +116,9 @@ class IDToken:
        now = timezone.now()
        id_token.iat = int(now.timestamp())
        id_token.auth_time = int(token.auth_time.timestamp())
-        if token.session:
-            id_token.sid = hash_session_key(token.session.session_key)

        # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
-        auth_event = get_login_event(token.session)
+        auth_event = get_login_event(request)
        if auth_event:
            # Also check which method was used for authentication
            method = auth_event.context.get(PLAN_CONTEXT_METHOD, "")
--- a/authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py
+++ b/authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py
@ -3,7 +3,6 @@
 import django.db.models.deletion
 from django.apps.registry import Apps
 from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 import authentik.lib.utils.time

@ -15,7 +14,7 @@ scope_uid_map = {
 }


-def set_managed_flag(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+def set_managed_flag(apps: Apps, schema_editor):
    ScopeMapping = apps.get_model("authentik_providers_oauth2", "ScopeMapping")
    db_alias = schema_editor.connection.alias
    for mapping in ScopeMapping.objects.using(db_alias).filter(name__startswith="Autogenerated "):
--- a/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -11,16 +11,13 @@ class Migration(migrations.Migration):
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]

-    # Original preserved
-    # See https://github.com/goauthentik/authentik/issues/11874
-    # operations = [
-    #     migrations.AddIndex(
-    #         model_name="accesstoken",
-    #         index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
-    #     ),
-    #     migrations.AddIndex(
-    #         model_name="refreshtoken",
-    #         index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
-    #     ),
-    # ]
-    operations = []
+    operations = [
+        migrations.AddIndex(
+            model_name="accesstoken",
+            index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="refreshtoken",
+            index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
+        ),
+    ]
--- a/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -11,24 +11,21 @@ class Migration(migrations.Migration):
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]

-    # Original preserved
-    # See https://github.com/goauthentik/authentik/issues/11874
-    # operations = [
-    #     migrations.RemoveIndex(
-    #         model_name="accesstoken",
-    #         name="authentik_p_token_4bc870_idx",
-    #     ),
-    #     migrations.RemoveIndex(
-    #         model_name="refreshtoken",
-    #         name="authentik_p_token_1a841f_idx",
-    #     ),
-    #     migrations.AddIndex(
-    #         model_name="accesstoken",
-    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
-    #     ),
-    #     migrations.AddIndex(
-    #         model_name="refreshtoken",
-    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
-    #     ),
-    # ]
-    operations = []
+    operations = [
+        migrations.RemoveIndex(
+            model_name="accesstoken",
+            name="authentik_p_token_4bc870_idx",
+        ),
+        migrations.RemoveIndex(
+            model_name="refreshtoken",
+            name="authentik_p_token_1a841f_idx",
+        ),
+        migrations.AddIndex(
+            model_name="accesstoken",
+            index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="refreshtoken",
+            index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
+        ),
+    ]
--- a/authentik/providers/oauth2/migrations/0021_oauth2provider_encryption_key_and_more.py
+++ b/authentik/providers/oauth2/migrations/0021_oauth2provider_encryption_key_and_more.py
@ -1,42 +0,0 @@
-# Generated by Django 5.0.9 on 2024-10-16 14:53
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
-        (
-            "authentik_providers_oauth2",
-            "0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="oauth2provider",
-            name="encryption_key",
-            field=models.ForeignKey(
-                help_text="Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="oauth2provider_encryption_key_set",
-                to="authentik_crypto.certificatekeypair",
-                verbose_name="Encryption Key",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="oauth2provider",
-            name="signing_key",
-            field=models.ForeignKey(
-                help_text="Key used to sign the tokens.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="oauth2provider_signing_key_set",
-                to="authentik_crypto.certificatekeypair",
-                verbose_name="Signing Key",
-            ),
-        ),
-    ]
--- a/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py
+++ b/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py
@ -1,113 +0,0 @@
-# Generated by Django 5.0.9 on 2024-10-23 13:38
-
-from hashlib import sha256
-import django.db.models.deletion
-from django.db import migrations, models
-from django.apps.registry import Apps
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-from authentik.lib.migrations import progress_bar
-
-
-def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    AuthenticatedSession = apps.get_model("authentik_core", "authenticatedsession")
-    AuthorizationCode = apps.get_model("authentik_providers_oauth2", "authorizationcode")
-    AccessToken = apps.get_model("authentik_providers_oauth2", "accesstoken")
-    RefreshToken = apps.get_model("authentik_providers_oauth2", "refreshtoken")
-    db_alias = schema_editor.connection.alias
-
-    print(f"\nFetching session keys, this might take a couple of minutes...")
-    session_ids = {}
-    for session in progress_bar(AuthenticatedSession.objects.using(db_alias).all()):
-        session_ids[sha256(session.session_key.encode("ascii")).hexdigest()] = session.session_key
-    for model in [AuthorizationCode, AccessToken, RefreshToken]:
-        print(
-            f"\nAdding session to {model._meta.verbose_name}, this might take a couple of minutes..."
-        )
-        for code in progress_bar(model.objects.using(db_alias).all()):
-            if code.session_id_old not in session_ids:
-                continue
-            code.session = (
-                AuthenticatedSession.objects.using(db_alias)
-                .filter(session_key=session_ids[code.session_id_old])
-                .first()
-            )
-            code.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
-        ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
-    ]
-
-    operations = [
-        migrations.RenameField(
-            model_name="accesstoken",
-            old_name="session_id",
-            new_name="session_id_old",
-        ),
-        migrations.RenameField(
-            model_name="authorizationcode",
-            old_name="session_id",
-            new_name="session_id_old",
-        ),
-        migrations.RenameField(
-            model_name="refreshtoken",
-            old_name="session_id",
-            new_name="session_id_old",
-        ),
-        migrations.AddField(
-            model_name="accesstoken",
-            name="session",
-            field=models.ForeignKey(
-                default=None,
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                to="authentik_core.authenticatedsession",
-            ),
-        ),
-        migrations.AddField(
-            model_name="authorizationcode",
-            name="session",
-            field=models.ForeignKey(
-                default=None,
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                to="authentik_core.authenticatedsession",
-            ),
-        ),
-        migrations.AddField(
-            model_name="devicetoken",
-            name="session",
-            field=models.ForeignKey(
-                default=None,
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                to="authentik_core.authenticatedsession",
-            ),
-        ),
-        migrations.AddField(
-            model_name="refreshtoken",
-            name="session",
-            field=models.ForeignKey(
-                default=None,
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                to="authentik_core.authenticatedsession",
-            ),
-        ),
-        migrations.RunPython(migrate_session),
-        migrations.RemoveField(
-            model_name="accesstoken",
-            name="session_id_old",
-        ),
-        migrations.RemoveField(
-            model_name="authorizationcode",
-            name="session_id_old",
-        ),
-        migrations.RemoveField(
-            model_name="refreshtoken",
-            name="session_id_old",
-        ),
-    ]
--- a/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
+++ b/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
@ -1,31 +0,0 @@
-# Generated by Django 5.0.9 on 2024-10-31 14:28
-
-import django.contrib.postgres.indexes
-from django.conf import settings
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
-        ("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_f99422_idx;"),
-        migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_a1d921_idx;"),
-        migrations.AddIndex(
-            model_name="accesstoken",
-            index=django.contrib.postgres.indexes.HashIndex(
-                fields=["token"], name="authentik_p_token_e00883_hash"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="refreshtoken",
-            index=django.contrib.postgres.indexes.HashIndex(
-                fields=["token"], name="authentik_p_token_32e2b7_hash"
-            ),
-        ),
-    ]
--- a/authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py
+++ b/authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py
@ -1,49 +0,0 @@
-# Generated by Django 5.0.9 on 2024-11-04 12:56
-from dataclasses import asdict
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-from django.db import migrations, models
-
-
-def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
-
-    OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
-
-    db_alias = schema_editor.connection.alias
-    for provider in OAuth2Provider.objects.using(db_alias).all():
-        uris = []
-        for old in provider.old_redirect_uris.split("\n"):
-            mode = RedirectURIMatchingMode.STRICT
-            if old == "*" or old == ".*":
-                mode = RedirectURIMatchingMode.REGEX
-            uris.append(asdict(RedirectURI(mode, url=old)))
-        provider._redirect_uris = uris
-        provider.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
-    ]
-
-    operations = [
-        migrations.RenameField(
-            model_name="oauth2provider",
-            old_name="redirect_uris",
-            new_name="old_redirect_uris",
-        ),
-        migrations.AddField(
-            model_name="oauth2provider",
-            name="_redirect_uris",
-            field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
-        ),
-        migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
-        migrations.RemoveField(
-            model_name="oauth2provider",
-            name="old_redirect_uris",
-        ),
-    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -3,7 +3,7 @@
 import base64
 import binascii
 import json
-from dataclasses import asdict, dataclass
+from dataclasses import asdict
 from functools import cached_property
 from hashlib import sha256
 from typing import Any
@ -12,29 +12,18 @@ from urllib.parse import urlparse, urlunparse
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
-from dacite import Config
 from dacite.core import from_dict
-from django.contrib.postgres.indexes import HashIndex
 from django.db import models
 from django.http import HttpRequest
 from django.templatetags.static import static
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
-from jwcrypto.common import json_encode
-from jwcrypto.jwe import JWE
-from jwcrypto.jwk import JWK
 from jwt import encode
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

 from authentik.brands.models import WebfingerProvider
-from authentik.core.models import (
-    AuthenticatedSession,
-    ExpiringModel,
-    PropertyMapping,
-    Provider,
-    User,
-)
+from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_code_fixed_length, generate_id, generate_key
 from authentik.lib.models import SerializerModel
@ -78,25 +67,11 @@ class IssuerMode(models.TextChoices):
    """Configure how the `iss` field is created."""

    GLOBAL = "global", _("Same identifier is used for all providers")
-    PER_PROVIDER = (
-        "per_provider",
-        _("Each provider has a different issuer, based on the application slug."),
+    PER_PROVIDER = "per_provider", _(
+        "Each provider has a different issuer, based on the application slug."
    )


-class RedirectURIMatchingMode(models.TextChoices):
-    STRICT = "strict", _("Strict URL comparison")
-    REGEX = "regex", _("Regular Expression URL matching")
-
-
-@dataclass
-class RedirectURI:
-    """A single redirect URI entry"""
-
-    matching_mode: RedirectURIMatchingMode
-    url: str
-
-
 class ResponseTypes(models.TextChoices):
    """Response Type required by the client."""

@ -171,9 +146,11 @@ class OAuth2Provider(WebfingerProvider, Provider):
        verbose_name=_("Client Secret"),
        default=generate_client_secret,
    )
-    _redirect_uris = models.JSONField(
-        default=dict,
+    redirect_uris = models.TextField(
+        default="",
+        blank=True,
        verbose_name=_("Redirect URIs"),
+        help_text=_("Enter each URI on a new line."),
    )

    include_claims_in_id_token = models.BooleanField(
@ -229,19 +206,9 @@ class OAuth2Provider(WebfingerProvider, Provider):
        verbose_name=_("Signing Key"),
        on_delete=models.SET_NULL,
        null=True,
-        help_text=_("Key used to sign the tokens."),
-        related_name="oauth2provider_signing_key_set",
-    )
-    encryption_key = models.ForeignKey(
-        CertificateKeyPair,
-        verbose_name=_("Encryption Key"),
-        on_delete=models.SET_NULL,
-        null=True,
        help_text=_(
-            "Key used to encrypt the tokens. When set, "
-            "tokens will be encrypted and returned as JWEs."
+            "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
        ),
-        related_name="oauth2provider_encryption_key_set",
    )

    jwks_sources = models.ManyToManyField(
@ -284,33 +251,12 @@ class OAuth2Provider(WebfingerProvider, Provider):
        except Provider.application.RelatedObjectDoesNotExist:
            return None

-    @property
-    def redirect_uris(self) -> list[RedirectURI]:
-        uris = []
-        for entry in self._redirect_uris:
-            uris.append(
-                from_dict(
-                    RedirectURI,
-                    entry,
-                    config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
-                )
-            )
-        return uris
-
-    @redirect_uris.setter
-    def redirect_uris(self, value: list[RedirectURI]):
-        cleansed = []
-        for entry in value:
-            cleansed.append(asdict(entry))
-        self._redirect_uris = cleansed
-
    @property
    def launch_url(self) -> str | None:
        """Guess launch_url based on first redirect_uri"""
-        redirects = self.redirect_uris
-        if len(redirects) < 1:
+        if self.redirect_uris == "":
            return None
-        main_url = redirects[0].url
+        main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
        try:
            launch_url = urlparse(main_url)._replace(path="")
            return urlunparse(launch_url)
@ -341,27 +287,7 @@ class OAuth2Provider(WebfingerProvider, Provider):
        if self.signing_key:
            headers["kid"] = self.signing_key.kid
        key, alg = self.jwt_key
-        encoded = encode(payload, key, algorithm=alg, headers=headers)
-        if self.encryption_key:
-            return self.encrypt(encoded)
-        return encoded
-
-    def encrypt(self, raw: str) -> str:
-        """Encrypt JWT"""
-        key = JWK.from_pem(self.encryption_key.certificate_data.encode())
-        jwe = JWE(
-            raw,
-            json_encode(
-                {
-                    "alg": "RSA-OAEP-256",
-                    "enc": "A256CBC-HS512",
-                    "typ": "JWE",
-                    "kid": self.encryption_key.kid,
-                }
-            ),
-        )
-        jwe.add_recipient(key)
-        return jwe.serialize(compact=True)
+        return encode(payload, key, algorithm=alg, headers=headers)

    def webfinger(self, resource: str, request: HttpRequest):
        return {
@ -394,9 +320,7 @@ class BaseGrantModel(models.Model):
    revoked = models.BooleanField(default=False)
    _scope = models.TextField(default="", verbose_name=_("Scopes"))
    auth_time = models.DateTimeField(verbose_name="Authentication time")
-    session = models.ForeignKey(
-        AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None
-    )
+    session_id = models.CharField(default="", blank=True)

    class Meta:
        abstract = True
@ -453,7 +377,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):

    class Meta:
        indexes = [
-            HashIndex(fields=["token"]),
+            models.Index(fields=["token", "provider"]),
        ]
        verbose_name = _("OAuth2 Access Token")
        verbose_name_plural = _("OAuth2 Access Tokens")
@ -499,7 +423,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):

    class Meta:
        indexes = [
-            HashIndex(fields=["token"]),
+            models.Index(fields=["token", "provider"]),
        ]
        verbose_name = _("OAuth2 Refresh Token")
        verbose_name_plural = _("OAuth2 Refresh Tokens")
@ -534,9 +458,6 @@ class DeviceToken(ExpiringModel):
    device_code = models.TextField(default=generate_key)
    user_code = models.TextField(default=generate_code_fixed_length)
    _scope = models.TextField(default="", verbose_name=_("Scopes"))
-    session = models.ForeignKey(
-        AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None
-    )

    @property
    def scope(self) -> list[str]:
--- a/authentik/providers/oauth2/signals.py
+++ b/authentik/providers/oauth2/signals.py
@ -1,3 +1,5 @@
+from hashlib import sha256
+
 from django.contrib.auth.signals import user_logged_out
 from django.dispatch import receiver
 from django.http import HttpRequest
@ -11,4 +13,5 @@ def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User,
    """Revoke access tokens upon user logout"""
    if not request.session or not request.session.session_key:
        return
-    AccessToken.objects.filter(user=user, session__session_key=request.session.session_key).delete()
+    hashed_session_key = sha256(request.session.session_key.encode("ascii")).hexdigest()
+    AccessToken.objects.filter(user=user, session_id=hashed_session_key).delete()
--- a/authentik/providers/oauth2/tests/test_api.py
+++ b/authentik/providers/oauth2/tests/test_api.py
@ -10,13 +10,7 @@ from rest_framework.test import APITestCase
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping


 class TestAPI(APITestCase):
@ -27,7 +21,7 @@ class TestAPI(APITestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@ -56,29 +50,9 @@ class TestAPI(APITestCase):
    @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
    def test_launch_url(self):
        """Test launch_url"""
-        self.provider.redirect_uris = [
-            RedirectURI(
-                RedirectURIMatchingMode.REGEX,
-                "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
-            ),
-        ]
+        self.provider.redirect_uris = (
+            "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
+        )
        self.provider.save()
        self.provider.refresh_from_db()
        self.assertIsNone(self.provider.launch_url)
-
-    def test_validate_redirect_uris(self):
-        """Test redirect_uris API"""
-        response = self.client.post(
-            reverse("authentik_api:oauth2provider-list"),
-            data={
-                "name": generate_id(),
-                "authorization_flow": create_test_flow().pk,
-                "invalidation_flow": create_test_flow().pk,
-                "redirect_uris": [
-                    {"matching_mode": "strict", "url": "http://goauthentik.io"},
-                    {"matching_mode": "regex", "url": "**"},
-                ],
-            },
-        )
-        self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
-        self.assertEqual(response.status_code, 400)
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -19,8 +19,6 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -41,7 +39,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -66,7 +64,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -86,7 +84,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -108,7 +106,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
+            redirect_uris="data:local.invalid",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
@ -127,7 +125,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[],
+            redirect_uris="",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -142,7 +140,7 @@ class TestAuthorize(OAuthTestCase):
        )
        OAuthAuthorizationParams.from_request(request)
        provider.refresh_from_db()
-        self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
+        self.assertEqual(provider.redirect_uris, "+")

    def test_invalid_redirect_uri_regex(self):
        """test missing/invalid redirect URI"""
@ -150,7 +148,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
+            redirect_uris="http://local.invalid?",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -172,7 +170,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
+            redirect_uris="+",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -215,7 +213,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -303,7 +301,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -345,7 +343,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -414,73 +412,6 @@ class TestAuthorize(OAuthTestCase):
                delta=5,
            )

-    @apply_blueprint("system/providers-oauth2.yaml")
-    def test_full_implicit_enc(self):
-        """Test full authorization with encryption"""
-        flow = create_test_flow()
-        provider: OAuth2Provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
-            signing_key=self.keypair,
-            encryption_key=self.keypair,
-        )
-        provider.property_mappings.set(
-            ScopeMapping.objects.filter(
-                managed__in=[
-                    "goauthentik.io/providers/oauth2/scope-openid",
-                    "goauthentik.io/providers/oauth2/scope-email",
-                    "goauthentik.io/providers/oauth2/scope-profile",
-                ]
-            )
-        )
-        provider.property_mappings.add(
-            ScopeMapping.objects.create(
-                name=generate_id(), scope_name="test", expression="""return {"sub": "foo"}"""
-            )
-        )
-        Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        with patch(
-            "authentik.providers.oauth2.id_token.get_login_event",
-            MagicMock(
-                return_value=Event(
-                    action=EventAction.LOGIN,
-                    context={PLAN_CONTEXT_METHOD: "password"},
-                    created=now(),
-                )
-            ),
-        ):
-            # Step 1, initiate params and get redirect to flow
-            self.client.get(
-                reverse("authentik_providers_oauth2:authorize"),
-                data={
-                    "response_type": "id_token",
-                    "client_id": "test",
-                    "state": state,
-                    "scope": "openid test",
-                    "redirect_uri": "http://localhost",
-                    "nonce": generate_id(),
-                },
-            )
-            response = self.client.get(
-                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-            )
-            self.assertEqual(response.status_code, 200)
-            token: AccessToken = AccessToken.objects.filter(user=user).first()
-            expires = timedelta_from_string(provider.access_token_validity).total_seconds()
-            jwt = self.validate_jwe(token, provider)
-            self.assertEqual(jwt["amr"], ["pwd"])
-            self.assertEqual(jwt["sub"], "foo")
-            self.assertAlmostEqual(
-                jwt["exp"] - now().timestamp(),
-                expires,
-                delta=5,
-            )
-
    def test_full_fragment_code(self):
        """Test full authorization"""
        flow = create_test_flow()
@ -488,7 +419,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -543,7 +474,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id=generate_id(),
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -601,7 +532,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id=generate_id(),
            authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
--- a/authentik/providers/oauth2/tests/test_device_init.py
+++ b/authentik/providers/oauth2/tests/test_device_init.py
@ -3,7 +3,6 @@
 from urllib.parse import urlencode

 from django.urls import reverse
-from rest_framework.test import APIClient

 from authentik.core.models import Application, Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
@ -35,10 +34,7 @@ class TesOAuth2DeviceInit(OAuthTestCase):
        self.brand.flow_device_code = self.device_flow
        self.brand.save()

-        self.api_client = APIClient()
-        self.api_client.force_login(self.user)
-
-    def test_device_init_get(self):
+    def test_device_init(self):
        """Test device init"""
        res = self.client.get(reverse("authentik_providers_oauth2_root:device-login"))
        self.assertEqual(res.status_code, 302)
@ -52,76 +48,6 @@ class TesOAuth2DeviceInit(OAuthTestCase):
            ),
        )

-    def test_device_init_post(self):
-        """Test device init"""
-        res = self.api_client.get(reverse("authentik_providers_oauth2_root:device-login"))
-        self.assertEqual(res.status_code, 302)
-        self.assertEqual(
-            res.url,
-            reverse(
-                "authentik_core:if-flow",
-                kwargs={
-                    "flow_slug": self.device_flow.slug,
-                },
-            ),
-        )
-        res = self.api_client.get(
-            reverse(
-                "authentik_api:flow-executor",
-                kwargs={
-                    "flow_slug": self.device_flow.slug,
-                },
-            ),
-        )
-        self.assertEqual(res.status_code, 200)
-        self.assertJSONEqual(
-            res.content,
-            {
-                "component": "ak-provider-oauth2-device-code",
-                "flow_info": {
-                    "background": "/static/dist/assets/images/flow_background.jpg",
-                    "cancel_url": "/flows/-/cancel/",
-                    "layout": "stacked",
-                    "title": self.device_flow.title,
-                },
-            },
-        )
-
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            authorization_flow=create_test_flow(),
-        )
-        Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        token = DeviceToken.objects.create(
-            provider=provider,
-        )
-
-        res = self.api_client.post(
-            reverse(
-                "authentik_api:flow-executor",
-                kwargs={
-                    "flow_slug": self.device_flow.slug,
-                },
-            ),
-            data={
-                "component": "ak-provider-oauth2-device-code",
-                "code": token.user_code,
-            },
-        )
-        self.assertEqual(res.status_code, 200)
-        self.assertJSONEqual(
-            res.content,
-            {
-                "component": "xak-flow-redirect",
-                "to": reverse(
-                    "authentik_core:if-flow",
-                    kwargs={
-                        "flow_slug": provider.authorization_flow.slug,
-                    },
-                ),
-            },
-        )
-
    def test_no_flow(self):
        """Test no flow"""
        self.brand.flow_device_code = None
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@ -11,14 +11,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    IDToken,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    RefreshToken,
-)
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.tests.utils import OAuthTestCase


@ -30,7 +23,7 @@ class TesOAuth2Introspection(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        self.app = Application.objects.create(
@ -125,7 +118,7 @@ class TesOAuth2Introspection(OAuthTestCase):
        provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
--- a/authentik/providers/oauth2/tests/test_jwks.py
+++ b/authentik/providers/oauth2/tests/test_jwks.py
@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.crypto.builder import PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.oauth2.tests.utils import OAuthTestCase

 TEST_CORDS_CERT = """
@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=create_test_cert(),
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
        response = self.client.get(
@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
@ -93,24 +93,6 @@ class TestJWKS(OAuthTestCase):
        self.assertEqual(len(body["keys"]), 1)
        PyJWKSet.from_dict(body)

-    def test_enc(self):
-        """Test with JWE"""
-        provider = OAuth2Provider.objects.create(
-            name="test",
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
-            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
-            encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
-        )
-        app = Application.objects.create(name="test", slug="test", provider=provider)
-        response = self.client.get(
-            reverse("authentik_providers_oauth2:jwks", kwargs={"application_slug": app.slug})
-        )
-        body = json.loads(response.content.decode())
-        self.assertEqual(len(body["keys"]), 2)
-        PyJWKSet.from_dict(body)
-
    def test_ecdsa_coords_mismatched(self):
        """Test JWKS request with ES256"""
        cert = CertificateKeyPair.objects.create(
@ -122,7 +104,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=cert,
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -10,14 +10,7 @@ from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    IDToken,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    RefreshToken,
-)
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.tests.utils import OAuthTestCase


@ -29,7 +22,7 @@ class TesOAuth2Revoke(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
            signing_key=create_test_cert(),
        )
        self.app = Application.objects.create(
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@ -22,8 +22,6 @@ from authentik.providers.oauth2.models import (
    AccessToken,
    AuthorizationCode,
    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
    RefreshToken,
    ScopeMapping,
 )
@ -44,7 +42,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
+            redirect_uris="http://TestServer",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -71,7 +69,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -92,7 +90,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -120,7 +118,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        # Needs to be assigned to an application for iss to be set
@ -154,43 +152,13 @@ class TestToken(OAuthTestCase):
        )
        self.validate_jwt(access, provider)

-    def test_auth_code_enc(self):
-        """test request param"""
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
-            signing_key=self.keypair,
-            encryption_key=self.keypair,
-        )
-        # Needs to be assigned to an application for iss to be set
-        self.app.provider = provider
-        self.app.save()
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        user = create_test_admin_user()
-        code = AuthorizationCode.objects.create(
-            code="foobar", provider=provider, user=user, auth_time=timezone.now()
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                "redirect_uri": "http://local.invalid",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertEqual(response.status_code, 200)
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
-        self.validate_jwe(access, provider)
-
    @apply_blueprint("system/providers-oauth2.yaml")
    def test_refresh_token_view(self):
        """test request param"""
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -252,7 +220,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -310,7 +278,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ken Sternberg	1c9e4652f9	Updating version required by SFE.	2024-09-30 09:35:59 -07:00
Ken Sternberg	079ed7bf4c	Merge branch 'main' into web/bug/fix-wdio-and-lint * main: core: bump goauthentik.io/api/v3 from 3.2024082.1 to 3.2024083.1 (#11555) website: bump @types/react from 18.3.9 to 18.3.10 in /website (#11556) core: bump watchdog from 5.0.2 to 5.0.3 (#11557) core: bump uvicorn from 0.30.6 to 0.31.0 (#11558) core: bump psycopg from 3.2.2 to 3.2.3 (#11559) web: bump the storybook group across 1 directory with 7 updates (#11560) web: bump the rollup group across 2 directories with 4 updates (#11561) web: bump the wdio group across 2 directories with 5 updates (#11562) web: bump chromedriver from 129.0.0 to 129.0.1 in /tests/wdio (#11563) web: bump @types/node from 22.7.3 to 22.7.4 in /web (#11564) web: bump rapidoc from 9.3.6 to 9.3.7 in /web (#11565) web: bump knip from 5.30.5 to 5.30.6 in /web (#11566) website/docs: update wording for events that occur when too many users exist (#11547)	2024-09-30 08:52:42 -07:00
Ken Sternberg	430278712f	Merge branch 'main' into web/bug/fix-wdio-and-lint * main: providers/oauth2: improve indexes on tokens (#11543) web: bump API Client version (#11544) release: 2024.8.3 (#11542)	2024-09-27 08:48:54 -07:00
Ken Sternberg	2aad79b5db	Forgot to run prettier.	2024-09-27 08:45:11 -07:00
Ken Sternberg	0fcf1ebf94	web: small fixes for wdio and lint PLEASE Stop trying to upgrade WebdriverIO following Dependabot's instructions. The changes between wdio8 and wdio9 are extensive enough to require a lot more manual intervention. The unit tests fail in wdio 9, with the testbed driver Wdio uses to compile content to push to the browser ([vite](https://vitejs.dev) complaining: ``` 2024-09-27T15:30:03.672Z WARN @wdio/browser-runner:vite: warning: Unrecognized default export in file /Users/ken/projects/dev/web/node_modules/@patternfly/patternfly/components/Dropdown/dropdown.css Plugin: postcss-lit File: /Users/ken/projects/dev/web/node_modules/@patternfly/patternfly/components/Dropdown/dropdown.css [0-6] 2024-09-27T15:30:04.083Z INFO webdriver: BIDI COMMAND script.callFunction {"functionDeclaration":"<Function[976 bytes]>","awaitPromise":true,"arguments":[],"target":{"context":"8E608E6D13E355DFFC28112C236B73AF"}} [0-6] Error: Test failed due to following error(s): - ak-search-select.test.ts: The requested module '/src/common/styles/authentik.css' does not provide an export named 'default': SyntaxError: The requested module '/src/common/styles/authentik.css' does not provide an export named 'default' ``` So until we can figure out why the Vite installation isn't liking our CSS import scheme, we'll have to soldier on with what we have. At least with Wdio 8, we get: ``` Spec Files: 7 passed, 7 total (100% completed) in 00:00:19 ```	2024-09-27 08:42:22 -07:00
Ken Sternberg	ed7c1b9b3e	package-lock.json update	2024-09-27 07:52:45 -07:00
Ken Sternberg	e71e875056	Merge branch 'main' into web/bug/fix-wdio-and-lint * main: website: update release notes for 2024.8.3 and 2024.6.5 (#11541) website/docs: added a Docs banner to announce new docs structure (#11525) security: fix CVE-2024-47070 (#11536) security: fix CVE-2024-47077 (#11535) sources/ldap: fix ms_ad userAccountControl not checking for lockout (#11532) web: Fix missing integrity fields in package-lock.json (#11509) core, web: update translations (#11527) core: bump ruff from 0.6.7 to 0.6.8 (#11528) web: bump the wdio group across 2 directories with 3 updates (#11529) web: bump @patternfly/elements from 4.0.1 to 4.0.2 in /web (#11530) web: bump @types/node from 22.7.2 to 22.7.3 in /web (#11531)	2024-09-27 07:50:30 -07:00
Ken Sternberg	705f096e3f	web: small fixes for wdio and lint - Roll back another dependabot breaking change, this time to WebdriverIO - Remove the redundant scripts wrapping ESLint for Precommit mode. Access to those modes is available through the flags to the `./web/scripts/eslint.mjs` script. - Remove SonarJS checks until SonarJS is ESLint 9 compatible. - Minor nitpicking.	2024-09-26 14:23:03 -07:00