root: deny unauthenticated websocket messages consumer

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.0
+current_version = 2025.2.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/_reusable-docker-build-single.yaml

@@ -40,7 +40,7 @@ jobs:
       attestations: write
     steps:
       - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.4.0
+      - uses: docker/setup-qemu-action@v3.5.0
       - uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables

.github/workflows/ci-outpost.yml

@@ -82,7 +82,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.5.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/release-publish.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.5.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/translation-extract-compile.yml

@@ -19,15 +19,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
+        if: ${{ github.event_name != 'pull_request' }}
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v4
+        if: ${{ github.event_name != 'pull_request' }}
         with:
           token: ${{ steps.generate_token.outputs.token }}
+      - uses: actions/checkout@v4
+        if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
+      - name: Generate API
+        run: make gen-client-ts
       - name: run extract
         run: |
           poetry run make i18n-extract

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.2.0"
+__version__ = "2025.2.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/core/templates/base/header_js.html

@@ -11,6 +11,7 @@
         build: "{{ build }}",
         api: {
             base: "{{ base_url }}",
+            relBase: "{{ base_url_rel }}",
         },
     };
     window.addEventListener("DOMContentLoaded", function () {

authentik/core/views/interface.py

@@ -53,6 +53,7 @@ class InterfaceView(TemplateView):
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
         kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
+        kwargs["base_url_rel"] = CONFIG.get("web.path", "/")
         return super().get_context_data(**kwargs)
 
 

authentik/flows/challenge.py

@@ -8,7 +8,13 @@ from uuid import UUID
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
-from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    DictField,
+    ListField,
+)
 from rest_framework.request import Request
 
 from authentik.core.api.utils import PassiveSerializer
@@ -39,6 +45,12 @@ class ErrorDetailSerializer(PassiveSerializer):
     code = CharField()
 
 
+class MessageSerializer(PassiveSerializer):
+    message = CharField()
+    level = CharField()
+    tags = ListField(child=CharField())
+
+
 class ContextualFlowInfo(PassiveSerializer):
     """Contextual flow information for a challenge"""
 
@@ -55,6 +67,7 @@ class Challenge(PassiveSerializer):
     flow_info = ContextualFlowInfo(required=False)
     component = CharField(default="")
 
+    messages = ListField(child=MessageSerializer(), allow_empty=True, required=False)
     response_errors = DictField(
         child=ErrorDetailSerializer(many=True), allow_empty=True, required=False
     )
@@ -170,7 +183,6 @@ class FrameChallenge(Challenge):
 
 
 class FrameChallengeResponse(ChallengeResponse):
-
     component = CharField(default="xak-flow-frame")
 
 

authentik/flows/stage.py

@@ -4,6 +4,7 @@ from typing import TYPE_CHECKING
 
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
+from django.contrib.messages import get_messages
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.http.response import HttpResponse
@@ -21,6 +22,7 @@ from authentik.flows.challenge import (
     ChallengeResponse,
     ContextualFlowInfo,
     HttpChallengeResponse,
+    MessageSerializer,
     RedirectChallenge,
     SessionEndChallenge,
     WithUserInfoChallenge,
@@ -191,6 +193,22 @@ class ChallengeStageView(StageView):
                 )
                 flow_info.is_valid()
                 challenge.initial_data["flow_info"] = flow_info.data
+            if "messages" not in challenge.initial_data and not isinstance(
+                challenge, RedirectStage
+            ):
+                messages = MessageSerializer(
+                    data=[
+                        {
+                            "message": message.message,
+                            "level": message.level_tag,
+                            "tags": message.tags,
+                        }
+                        for message in get_messages(self.request)
+                    ],
+                    many=True,
+                )
+                messages.is_valid()
+                challenge.initial_data["messages"] = messages.data
             if isinstance(challenge, WithUserInfoChallenge):
                 # If there's a pending user, update the `username` field
                 # this field is only used by password managers.

authentik/flows/tests/test_inspector.py

@@ -55,6 +55,7 @@ class TestFlowInspector(APITestCase):
                     "layout": "stacked",
                 },
                 "flow_designation": "authentication",
+                "messages": [],
                 "password_fields": False,
                 "primary_action": "Log in",
                 "sources": [],

authentik/providers/oauth2/tests/test_device_init.py

@@ -88,6 +88,7 @@ class TesOAuth2DeviceInit(OAuthTestCase):
                     "layout": "stacked",
                     "title": self.device_flow.title,
                 },
+                "messages": [],
             },
         )
 

authentik/root/messages/consumer.py

@@ -1,5 +1,6 @@
 """websocket Message consumer"""
 
+from channels.exceptions import DenyConnection
 from channels.generic.websocket import JsonWebsocketConsumer
 from django.core.cache import cache
 
@@ -13,6 +14,8 @@ class MessageConsumer(JsonWebsocketConsumer):
     session_key: str
 
     def connect(self):
+        if not self.scope["user"].is_authenticated():
+            raise DenyConnection()
         self.accept()
         self.session_key = self.scope["session"].session_key
         if not self.session_key:

authentik/root/messages/storage.py

@@ -7,7 +7,6 @@ from django.contrib.messages.storage.session import SessionStorage
 from django.core.cache import cache
 from django.http.request import HttpRequest
 
-SESSION_KEY = "_messages"
 CACHE_PREFIX = "goauthentik.io/root/messages_"
 
 

authentik/stages/authenticator_email/tests.py

@@ -300,9 +300,11 @@ class TestAuthenticatorEmailStage(FlowTestCase):
             )
             self.assertEqual(response.status_code, 200)
             self.assertTrue(device.confirmed)
-            # Session key should be removed after device is saved
-            device.save()
-            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)
+            # Get a fresh session to check if the key was removed
+            session = self.client.session
+            session.save()
+            session.load()
+            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, session)
 
     def test_model_properties_and_methods(self):
         """Test model properties"""

authentik/stages/email/stage.py

@@ -145,9 +145,9 @@ class EmailStageView(ChallengeStageView):
                 user.save()
             return self.executor.stage_ok()
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
-            self.logger.debug("No pending user")
-            messages.error(self.request, _("No pending user."))
-            return self.executor.stage_invalid()
+            message = _("No pending user")
+            self.logger.debug(message)
+            return self.executor.stage_invalid(message)
         # Check if we've already sent the initial e-mail
         if PLAN_CONTEXT_EMAIL_SENT not in self.executor.plan.context:
             try:

authentik/stages/email/tasks.py

@@ -12,6 +12,7 @@ from structlog.stdlib import get_logger
 
 from authentik.events.models import Event, EventAction, TaskStatus
 from authentik.events.system_tasks import SystemTask
+from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.root.celery import CELERY_APP
 from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
 from authentik.stages.email.models import EmailStage
@@ -32,9 +33,10 @@ def send_mails(
         Celery group promise for the email sending tasks
     """
     tasks = []
-    stage_class = stage.__class__
+    # Use the class path instead of the class itself for serialization
+    stage_class_path = class_to_path(stage.__class__)
     for message in messages:
-        tasks.append(send_mail.s(message.__dict__, stage_class, str(stage.pk)))
+        tasks.append(send_mail.s(message.__dict__, stage_class_path, str(stage.pk)))
     lazy_group = group(*tasks)
     promise = lazy_group()
     return promise
@@ -61,7 +63,7 @@ def get_email_body(email: EmailMultiAlternatives) -> str:
 def send_mail(
     self: SystemTask,
     message: dict[Any, Any],
-    stage_class: EmailStage | AuthenticatorEmailStage = EmailStage,
+    stage_class_path: str | None = None,
     email_stage_pk: str | None = None,
 ):
     """Send Email for Email Stage. Retries are scheduled automatically."""
@@ -69,9 +71,10 @@ def send_mail(
     message_id = make_msgid(domain=DNS_NAME)
     self.set_uid(slugify(message_id.replace(".", "_").replace("@", "_")))
     try:
-        if not email_stage_pk:
-            stage: EmailStage | AuthenticatorEmailStage = stage_class(use_global_settings=True)
+        if not stage_class_path or not email_stage_pk:
+            stage = EmailStage(use_global_settings=True)
         else:
+            stage_class = path_to_class(stage_class_path)
             stages = stage_class.objects.filter(pk=email_stage_pk)
             if not stages.exists():
                 self.set_status(

authentik/stages/email/tests/test_tasks.py

@@ -0,0 +1,58 @@
+"""Test email stage tasks"""
+
+from unittest.mock import patch
+
+from django.core.mail import EmailMultiAlternatives
+from django.test import TestCase
+
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.utils.reflection import class_to_path
+from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
+from authentik.stages.email.models import EmailStage
+from authentik.stages.email.tasks import get_email_body, send_mails
+
+
+class TestEmailTasks(TestCase):
+    """Test email stage tasks"""
+
+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.stage = EmailStage.objects.create(
+            name="test-email",
+            use_global_settings=True,
+        )
+        self.auth_stage = AuthenticatorEmailStage.objects.create(
+            name="test-auth-email",
+            use_global_settings=True,
+        )
+
+    def test_get_email_body_html(self):
+        """Test get_email_body with HTML alternative"""
+        message = EmailMultiAlternatives()
+        message.body = "plain text"
+        message.attach_alternative("<p>html content</p>", "text/html")
+        self.assertEqual(get_email_body(message), "<p>html content</p>")
+
+    def test_get_email_body_plain(self):
+        """Test get_email_body with plain text only"""
+        message = EmailMultiAlternatives()
+        message.body = "plain text"
+        self.assertEqual(get_email_body(message), "plain text")
+
+    def test_send_mails_email_stage(self):
+        """Test send_mails with EmailStage"""
+        message = EmailMultiAlternatives()
+        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
+            send_mails(self.stage, message)
+            mock_send.s.assert_called_once_with(
+                message.__dict__, class_to_path(EmailStage), str(self.stage.pk)
+            )
+
+    def test_send_mails_authenticator_stage(self):
+        """Test send_mails with AuthenticatorEmailStage"""
+        message = EmailMultiAlternatives()
+        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
+            send_mails(self.auth_stage, message)
+            mock_send.s.assert_called_once_with(
+                message.__dict__, class_to_path(AuthenticatorEmailStage), str(self.auth_stage.pk)
+            )

authentik/stages/user_delete/stage.py

@@ -1,6 +1,5 @@
 """Delete stage logic"""
 
-from django.contrib import messages
 from django.contrib.auth import logout
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
@@ -17,9 +16,8 @@ class UserDeleteStageView(StageView):
         user = self.get_pending_user()
         if not user.is_authenticated:
             message = _("No Pending User.")
-            messages.error(request, message)
             self.logger.debug(message)
-            return self.executor.stage_invalid()
+            return self.executor.stage_invalid(message)
         logout(self.request)
         user.delete()
         self.logger.debug("Deleted user", user=user)

authentik/stages/user_login/stage.py

@@ -81,9 +81,8 @@ class UserLoginStageView(ChallengeStageView):
         """Attach the currently pending user to the current session"""
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
             message = _("No Pending user to login.")
-            messages.error(request, message)
             self.logger.debug(message)
-            return self.executor.stage_invalid()
+            return self.executor.stage_invalid(message)
         backend = self.executor.plan.context.get(
             PLAN_CONTEXT_AUTHENTICATION_BACKEND, BACKEND_INBUILT
         )

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.2.0 Blueprint schema",
+    "title": "authentik 2025.2.1 Blueprint schema",
     "required": [
         "version",
         "entries"

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
     restart: unless-stopped
     command: server
     environment:
@@ -54,7 +54,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
     restart: unless-stopped
     command: worker
     environment:

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2025.2.0"
+const VERSION = "2025.2.1"

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1000.3",
+                "aws-cdk": "^2.1001.0",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1000.3",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1000.3.tgz",
-            "integrity": "sha512-y0sU603gGWpVTwqDw9MKVHg3e1t49Mvve6t3YDOvjeKY195Vu6dgHlHjW4h8n1vX04r49NKfpoApG60V8sMbdw==",
+            "version": "2.1001.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1001.0.tgz",
+            "integrity": "sha512-Wp6fKNXcxBm+f8U1GkLV4gEgqq1pu5uwyDCMBg7ZB/6CtP+PsD/mPhuKyMULNWucDvYN8oy70XLOkMnxa3NWFw==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1000.3",
+        "aws-cdk": "^2.1001.0",
         "cross-env": "^7.0.3"
     }
 }

lifecycle/aws/template.yaml

@@ -26,7 +26,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.2.0
+    Default: 2025.2.1
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

locale/fr/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@@ -129,6 +129,10 @@ msgstr "L'utilisateur n'a pas accès à l'application."
 msgid "Extra description not available"
 msgstr "Description supplémentaire indisponible"
 
+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr "Impossible de définir le groupe en tant que parent de lui-même."
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -177,6 +181,14 @@ msgstr "Ajouter un utilisateur au groupe"
 msgid "Remove user from group"
 msgstr "Retirer l'utilisateur du groupe"
 
+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "Activer le statut super-utilisateur"
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "Désactiver le statut super-utilisateur"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "Nom d'affichage de l'utilisateur"
@@ -553,61 +565,6 @@ msgstr "Mappage de propriété Microsoft Entra"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Mappages de propriété Microsoft Entra"
 
-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-"Détermine la durée de la session. La valeur par défaut de 0 signifie que la "
-"session dure jusqu'à la fermeture du navigateur. (Format : "
-"hours=-1;minutes=-2;seconds=-3)"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-"Si activé, les jetons de connexion seront supprimés lors de la déconnexion."
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "Fournisseur RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "Fournisseurs RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "Point de terminaison RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "Points de terminaison RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "Mappage de propriété fournisseur RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "Mappages de propriété fournisseur RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "Jeton de connexion RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "Jeton de connexions RAC"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "Limite maximum de connection atteinte."
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "(Vous êtes déjà connecté dans un autre onglet/une autre fenêtre)"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -715,6 +672,7 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Webhook Slack (ou Discord)"
 
 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "Courriel"
 
@@ -1219,6 +1177,16 @@ msgstr ""
 msgid "Client IP is not in an allowed country."
 msgstr "L'IP du client ne fait pas partie d'un pays autorisé."
 
+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr ""
+"La distance par rapport à l'authentification précédente est supérieure au "
+"seuil."
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr "La distance est plus grande que possible."
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "Politique GeoIP"
@@ -1825,6 +1793,60 @@ msgstr "Fournisseur Proxy"
 msgid "Proxy Providers"
 msgstr "Fournisseur de Proxy"
 
+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"Détermine la durée de la session. La valeur par défaut de 0 signifie que la "
+"session dure jusqu'à la fermeture du navigateur. (Format : "
+"hours=-1;minutes=-2;seconds=-3)"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+"Si activé, les jetons de connexion seront supprimés lors de la déconnexion."
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "Fournisseur RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "Fournisseurs RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "Point de terminaison RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "Points de terminaison RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "Mappage de propriété fournisseur RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "Mappages de propriété fournisseur RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "Jeton de connexion RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "Jeton de connexions RAC"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "Limite maximum de connection atteinte."
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "(Vous êtes déjà connecté dans un autre onglet/une autre fenêtre)"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr ""
@@ -2741,6 +2763,112 @@ msgstr "Appareil Duo"
 msgid "Duo Devices"
 msgstr "Appareils Duo"
 
+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr "OTP Courriel"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+"Si activé, les paramètres globaux de connexion courriel seront utilisés et "
+"les paramètres de connexion ci-dessous seront ignorés."
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr ""
+"Durée de validité du jeton envoyé (Format : hours=3,minutes=17,seconds=300)."
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr "Étape de configuration de l'authentificateur courriel"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr "Étapes de configuration de l'authentificateur courriel"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "Une erreur s'est produite lors de la modélisation du couriel"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr "Équipement courriel"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr "Équipements courriel"
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "Le Code ne correspond pas"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr "Courriel invalide"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      Salut %(username)s,\n"
+"     "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+"\n"
+"          Code MFA envoyé par courriel.\n"
+"          "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+"\n"
+"    Si vous n'avez pas demandé ce code, veuillez ignorer ce courriel. Le code ci-dessus est valid pendant %(expires)s.\n"
+"    "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "Bonjour %(username)s,"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+"\n"
+"Code MFA envoyé par e-mail\n"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+"\n"
+"Si vous n'avez pas demandé ce code, veuillez ignorer ce courriel. Le code ci-dessus est valid pendant %(expires)s.\n"
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@@ -2778,11 +2906,6 @@ msgstr "Appareil SMS"
 msgid "SMS Devices"
 msgstr "Appareils SMS"
 
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "Le Code ne correspond pas"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "Numéro de téléphone invalide"
@@ -3021,14 +3144,6 @@ msgstr "Réinitialiser le Mot de Passe"
 msgid "Account Confirmation"
 msgstr "Confirmation du Compte"
 
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-"Si activé, les paramètres globaux de connexion courriel seront utilisés et "
-"les paramètres de connexion ci-dessous seront ignorés."
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "Activer les utilisateurs à la complétion de l'étape."
@@ -3045,10 +3160,6 @@ msgstr "Étape Email"
 msgid "Email Stages"
 msgstr "Étape Email"
 
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "Une erreur s'est produite lors de la modélisation du couriel"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "Email vérifié avec succès."
@@ -3133,17 +3244,6 @@ msgstr ""
 "\n"
 "Cet email a été envoyé depuis le transport de notification %(name)s.\n"
 
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      Salut %(username)s,\n"
-"     "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -3165,11 +3265,6 @@ msgstr ""
 "    Si vous n'avez pas requis de changement de mot de passe, veuillez ignorer cet e-mail. Le lien ci-dessus est valide pendant %(expires)s.\n"
 "    "
 
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "Bonjour %(username)s,"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -118,6 +118,10 @@ msgstr "用户没有访问此应用程序的权限。"
 msgid "Extra description not available"
 msgstr "额外描述不可用"
 
+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr "无法设置组自身为父级。"
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -162,6 +166,14 @@ msgstr "添加用户到组"
 msgid "Remove user from group"
 msgstr "从组中删除用户"
 
+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "启用超级用户状态"
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "禁用超级用户状态"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "用户的显示名称。"
@@ -510,57 +522,6 @@ msgstr "Microsoft Entra 提供程序映射"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Microsoft Entra 提供程序映射"
 
-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr "启用时，连接令牌将会在断开连接时被删除。"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "RAC 提供程序"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "RAC 提供程序"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "RAC 端点"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "RAC 端点"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC 连接令牌"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC 连接令牌"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "已达到最大连接数。"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "（您已经在另一个标签页/窗口连接了）"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -662,6 +623,7 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack Webhook（Slack/Discord）"
 
 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "电子邮箱"
 
@@ -1119,6 +1081,14 @@ msgstr "GeoIP：无法在城市数据库中找到客户端 IP。"
 msgid "Client IP is not in an allowed country."
 msgstr "客户端 IP 不在受允许的地区。"
 
+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr "与上一次身份验证的距离超过阈值。"
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr "距离大幅超过可能值。"
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "GeoIP 策略"
@@ -1668,6 +1638,56 @@ msgstr "代理提供程序"
 msgid "Proxy Providers"
 msgstr "代理提供程序"
 
+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr "启用时，连接令牌将会在断开连接时被删除。"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "RAC 提供程序"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "RAC 提供程序"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "RAC 端点"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "RAC 端点"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC 连接令牌"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC 连接令牌"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "已达到最大连接数。"
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "（您已经在另一个标签页/窗口连接了）"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "用于哈希处理数据包的客户端服务端共享密钥。"
@@ -2521,6 +2541,109 @@ msgstr "Duo 设备"
 msgid "Duo Devices"
 msgstr "Duo 设备"
 
+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr "电子邮件 OTP"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr "发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr "电子邮件身份验证器设置阶段"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr "电子邮件身份验证器设置阶段"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "渲染电子邮件模板时发生异常"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr "电子邮件设备"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr "电子邮件设备"
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "代码不匹配"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr "无效电子邮件"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      %(username)s 您好，\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+"\n"
+"          电子邮件 MFA 代码。\n"
+"          "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+"\n"
+"    如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
+"    "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "您好 %(username)s，"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+"\n"
+"电子邮件 MFA 代码\n"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+"\n"
+"如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@@ -2553,11 +2676,6 @@ msgstr "短信设备"
 msgid "SMS Devices"
 msgstr "短信设备"
 
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "代码不匹配"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "无效电话号码"
@@ -2780,12 +2898,6 @@ msgstr "密码重置"
 msgid "Account Confirmation"
 msgstr "账户确认"
 
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "完成阶段后激活用户。"
@@ -2802,10 +2914,6 @@ msgstr "电子邮件阶段"
 msgid "Email Stages"
 msgstr "电子邮件阶段"
 
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "渲染电子邮件模板时发生异常"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "已成功验证电子邮件。"
@@ -2886,17 +2994,6 @@ msgstr ""
 "\n"
 "此邮件由通知递送 %(name)s 发送。\n"
 
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      %(username)s 您好，\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -2918,11 +3015,6 @@ msgstr ""
 "    如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
 "    "
 
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "您好 %(username)s，"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -117,6 +117,10 @@ msgstr "用户没有访问此应用程序的权限。"
 msgid "Extra description not available"
 msgstr "额外描述不可用"
 
+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr "无法设置组自身为父级。"
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -161,6 +165,14 @@ msgstr "添加用户到组"
 msgid "Remove user from group"
 msgstr "从组中删除用户"
 
+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "启用超级用户状态"
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "禁用超级用户状态"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "用户的显示名称。"
@@ -509,57 +521,6 @@ msgstr "Microsoft Entra 提供程序映射"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Microsoft Entra 提供程序映射"
 
-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr "启用时，连接令牌将会在断开连接时被删除。"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "RAC 提供程序"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "RAC 提供程序"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "RAC 端点"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "RAC 端点"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC 连接令牌"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC 连接令牌"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "已达到最大连接数。"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "（您已经在另一个标签页/窗口连接了）"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -661,6 +622,7 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack Webhook（Slack/Discord）"
 
 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "电子邮箱"
 
@@ -1118,6 +1080,14 @@ msgstr "GeoIP：无法在城市数据库中找到客户端 IP。"
 msgid "Client IP is not in an allowed country."
 msgstr "客户端 IP 不在受允许的地区。"
 
+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr "与上一次身份验证的距离超过阈值。"
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr "距离大幅超过可能值。"
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "GeoIP 策略"
@@ -1667,6 +1637,56 @@ msgstr "代理提供程序"
 msgid "Proxy Providers"
 msgstr "代理提供程序"
 
+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr "启用时，连接令牌将会在断开连接时被删除。"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "RAC 提供程序"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "RAC 提供程序"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "RAC 端点"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "RAC 端点"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC 连接令牌"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC 连接令牌"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "已达到最大连接数。"
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "（您已经在另一个标签页/窗口连接了）"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "在客户端和服务端之间共享密钥以哈希数据包。"
@@ -2520,6 +2540,109 @@ msgstr "Duo 设备"
 msgid "Duo Devices"
 msgstr "Duo 设备"
 
+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr "电子邮件 OTP"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr "发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr "电子邮件身份验证器设置阶段"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr "电子邮件身份验证器设置阶段"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "渲染电子邮件模板时发生异常"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr "电子邮件设备"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr "电子邮件设备"
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "代码不匹配"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr "无效电子邮件"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      %(username)s 您好，\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+"\n"
+"          电子邮件 MFA 代码。\n"
+"          "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+"\n"
+"    如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
+"    "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "您好 %(username)s，"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+"\n"
+"电子邮件 MFA 代码\n"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+"\n"
+"如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@@ -2552,11 +2675,6 @@ msgstr "短信设备"
 msgid "SMS Devices"
 msgstr "短信设备"
 
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "代码不匹配"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "无效电话号码"
@@ -2779,12 +2897,6 @@ msgstr "密码重置"
 msgid "Account Confirmation"
 msgstr "账户确认"
 
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "完成阶段后激活用户。"
@@ -2801,10 +2913,6 @@ msgstr "电子邮件阶段"
 msgid "Email Stages"
 msgstr "电子邮件阶段"
 
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "渲染电子邮件模板时发生异常"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "已成功验证电子邮件。"
@@ -2885,17 +2993,6 @@ msgstr ""
 "\n"
 "此邮件由通知递送 %(name)s 发送。\n"
 
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      %(username)s 您好，\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -2917,11 +3014,6 @@ msgstr ""
 "    如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
 "    "
 
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "您好 %(username)s，"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.2.0",
+    "version": "2025.2.1",
     "private": true
 }

poetry.lock

@@ -392,13 +392,13 @@ typeguard = ">=2.13.3,<4.3.0"
 
 [[package]]
 name = "aws-cdk-lib"
-version = "2.180.0"
+version = "2.181.0"
 description = "Version 2 of the AWS Cloud Development Kit library"
 optional = false
 python-versions = "~=3.8"
 files = [
-    {file = "aws_cdk_lib-2.180.0-py3-none-any.whl", hash = "sha256:5700a84dc4c2c6d323e596119fb4100e66aef6265a4d984bbe2e9341174d048b"},
-    {file = "aws_cdk_lib-2.180.0.tar.gz", hash = "sha256:28ba2c75bd55886eb5e686c58be656c9ab29b895f774f9129eaa3255ffcd6b42"},
+    {file = "aws_cdk_lib-2.181.0-py3-none-any.whl", hash = "sha256:717b1c9fab00924b3c6ef1a6febb4d8816b822e07879da2dd0422c3339436219"},
+    {file = "aws_cdk_lib-2.181.0.tar.gz", hash = "sha256:f532acd18ba209727fdde7c6f12bc1e3265b59dd0d24de8b6efb743e541504a2"},
 ]
 
 [package.dependencies]
@@ -1944,13 +1944,13 @@ grpcio-gcp = ["grpcio-gcp (>=0.2.2,<1.0.dev0)"]
 
 [[package]]
 name = "google-api-python-client"
-version = "2.161.0"
+version = "2.162.0"
 description = "Google API Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "google_api_python_client-2.161.0-py2.py3-none-any.whl", hash = "sha256:9476a5a4f200bae368140453df40f9cda36be53fa7d0e9a9aac4cdb859a26448"},
-    {file = "google_api_python_client-2.161.0.tar.gz", hash = "sha256:324c0cce73e9ea0a0d2afd5937e01b7c2d6a4d7e2579cdb6c384f9699d6c9f37"},
+    {file = "google_api_python_client-2.162.0-py2.py3-none-any.whl", hash = "sha256:49365fa4f7795fe81a747f5544d6528ea94314fa59664e0ea1005f603facf1ec"},
+    {file = "google_api_python_client-2.162.0.tar.gz", hash = "sha256:5f8bc934a5b6eea73a7d12d999e6585c1823179f48340234acb385e2502e735a"},
 ]
 
 [package.dependencies]
@@ -3126,13 +3126,13 @@ dev = ["bumpver", "isort", "mypy", "pylint", "pytest", "yapf"]
 
 [[package]]
 name = "msgraph-sdk"
-version = "1.21.0"
+version = "1.22.0"
 description = "The Microsoft Graph Python SDK"
 optional = false
 python-versions = ">=3.9"
 files = [
-    {file = "msgraph_sdk-1.21.0-py3-none-any.whl", hash = "sha256:d8564b3d76a0c76960af94b916fc6ab3af2d11d2263ab08fafb136c334f66c0e"},
-    {file = "msgraph_sdk-1.21.0.tar.gz", hash = "sha256:f45db4c1bffb22e0b54876defd06d582291f7ca2e737f0ab519e43a18cf90df4"},
+    {file = "msgraph_sdk-1.22.0-py3-none-any.whl", hash = "sha256:6fc6a8c230750d1fa4a91c862f02f526000725294c3d756a18438c0e5d4be365"},
+    {file = "msgraph_sdk-1.22.0.tar.gz", hash = "sha256:4c3e91091c4ac1a90d6babc0226ed6b15afb2d9ae12121ded632877ab29e8ac8"},
 ]
 
 [package.dependencies]

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2025.2.0"
+version = "2025.2.1"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2025.2.0
+  version: 2025.2.1
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -39432,6 +39432,10 @@ components:
         component:
           type: string
           default: ak-stage-access-denied
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -39546,6 +39550,10 @@ components:
         component:
           type: string
           default: ak-source-oauth-apple
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -39873,6 +39881,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-duo
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40032,6 +40044,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-email
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40288,6 +40304,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-sms
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40451,6 +40471,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-static
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40572,6 +40596,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-totp
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40799,6 +40827,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-validate
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40852,6 +40884,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-webauthn
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -41001,6 +41037,10 @@ components:
         component:
           type: string
           default: ak-stage-autosubmit
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -41264,6 +41304,10 @@ components:
         component:
           type: string
           default: ak-stage-captcha
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -41663,6 +41707,10 @@ components:
         component:
           type: string
           default: ak-stage-consent
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -42464,6 +42512,10 @@ components:
         component:
           type: string
           default: ak-stage-dummy
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -42666,6 +42718,10 @@ components:
         component:
           type: string
           default: ak-stage-email
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -43593,6 +43649,10 @@ components:
         component:
           type: string
           default: ak-stage-flow-error
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -43921,6 +43981,10 @@ components:
         component:
           type: string
           default: xak-flow-frame
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -44731,6 +44795,10 @@ components:
         component:
           type: string
           default: ak-stage-identification
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -46324,6 +46392,22 @@ components:
       - strict
       - regex
       type: string
+    Message:
+      type: object
+      description: Base serializer class which doesn't implement create/update methods
+      properties:
+        message:
+          type: string
+        level:
+          type: string
+        tags:
+          type: array
+          items:
+            type: string
+      required:
+      - level
+      - message
+      - tags
     Metadata:
       type: object
       description: Serializer for blueprint metadata
@@ -47209,6 +47293,10 @@ components:
         component:
           type: string
           default: ak-provider-oauth2-device-code
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -47237,6 +47325,10 @@ components:
         component:
           type: string
           default: ak-provider-oauth2-device-code-finish
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -49387,6 +49479,10 @@ components:
         component:
           type: string
           default: ak-stage-password
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -52942,6 +53038,10 @@ components:
         component:
           type: string
           default: ak-source-plex
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -53467,6 +53567,10 @@ components:
         component:
           type: string
           default: ak-stage-prompt
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -54663,6 +54767,10 @@ components:
         component:
           type: string
           default: xak-flow-redirect
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -56528,6 +56636,10 @@ components:
         component:
           type: string
           default: ak-stage-session-end
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -56662,6 +56774,10 @@ components:
         component:
           type: string
           default: xak-flow-shell
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -57943,6 +58059,10 @@ components:
         component:
           type: string
           default: ak-stage-user-login
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:

web/package-lock.json

@@ -23,7 +23,7 @@
                 "@floating-ui/dom": "^1.6.11",
                 "@formatjs/intl-listformat": "^7.5.7",
                 "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2025.2.0-1740418530",
+                "@goauthentik/api": "^2025.2.1-1740653734",
                 "@lit-labs/ssr": "^3.2.2",
                 "@lit/context": "^1.1.2",
                 "@lit/localize": "^0.12.2",
@@ -1814,9 +1814,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2025.2.0-1740418530",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.2.0-1740418530.tgz",
-            "integrity": "sha512-vFoIzmEuQ7sbWxIEFP7l7OwEMt8M9TqvxScyv0liQSgGd/xanc2W/R+JuOdhq9ePrCfXa1YcmuZtT41HZXFP6g=="
+            "version": "2025.2.1-1740653734",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.2.1-1740653734.tgz",
+            "integrity": "sha512-GRxBt52lgZOvEu7l9DN1lj0L2Q9KUiftrC9MWfaz3dIlw1s+kKzic/NTTlB7AaEsRqw7+i10aI6GkiKAErw2VA=="
         },
         "node_modules/@goauthentik/web": {
             "resolved": "",

web/package.json

@@ -11,7 +11,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.2.0-1740418530",
+        "@goauthentik/api": "^2025.2.1-1740653734",
         "@lit-labs/ssr": "^3.2.2",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2025.2.0";
+export const VERSION = "2025.2.1";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/elements/ak-dual-select/ak-dual-select-provider.ts

@@ -1,5 +1,6 @@
 import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
 import { debounce } from "@goauthentik/elements/utils/debounce";
+import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter";
 
 import { msg } from "@lit/localize";
 import { PropertyValues, html } from "lit";
@@ -11,11 +12,6 @@ import type { Pagination } from "@goauthentik/api";
 
 import "./ak-dual-select";
 import { AkDualSelect } from "./ak-dual-select";
-import {
-    DualSelectChangeEvent,
-    DualSelectPaginatorNavEvent,
-    DualSelectSearchEvent,
-} from "./events";
 import type { DataProvider, DualSelectPair } from "./types";
 
 /**
@@ -30,7 +26,7 @@ import type { DataProvider, DualSelectPair } from "./types";
  */
 
 @customElement("ak-dual-select-provider")
-export class AkDualSelectProvider extends AkControlElement {
+export class AkDualSelectProvider extends CustomListenerElement(AkControlElement) {
     /** A function that takes a page and returns the DualSelectPair[] collection with which to update
      * the "Available" pane.
      *
@@ -90,9 +86,9 @@ export class AkDualSelectProvider extends AkControlElement {
         this.onNav = this.onNav.bind(this);
         this.onChange = this.onChange.bind(this);
         this.onSearch = this.onSearch.bind(this);
-        this.addEventListener(DualSelectPaginatorNavEvent.eventName, this.onNav);
-        this.addEventListener(DualSelectSearchEvent.eventName, this.onSearch);
-        this.addEventListener(DualSelectChangeEvent.eventName, this.onChange);
+        this.addCustomListener("ak-pagination-nav-to", this.onNav);
+        this.addCustomListener("ak-dual-select-change", this.onChange);
+        this.addCustomListener("ak-dual-select-search", this.onSearch);
     }
 
     willUpdate(changedProperties: PropertyValues<this>) {
@@ -126,16 +122,26 @@ export class AkDualSelectProvider extends AkControlElement {
         this.isLoading = false;
     }
 
-    onNav(event: DualSelectPaginatorNavEvent) {
-        this.fetch(event.page);
+    onNav(event: Event) {
+        if (!(event instanceof CustomEvent)) {
+            throw new Error(`Expecting a CustomEvent for navigation, received ${event} instead`);
+        }
+        this.fetch(event.detail);
     }
 
-    onChange(event: DualSelectChangeEvent) {
-        this.selected = this.internalSelected = event.selected;
+    onChange(event: Event) {
+        if (!(event instanceof CustomEvent)) {
+            throw new Error(`Expecting a CustomEvent for change, received ${event} instead`);
+        }
+        this.internalSelected = event.detail.value;
+        this.selected = this.internalSelected;
     }
 
-    onSearch(event: DualSelectSearchEvent) {
-        this.doSearch(event.search);
+    onSearch(event: Event) {
+        if (!(event instanceof CustomEvent)) {
+            throw new Error(`Expecting a CustomEvent for change, received ${event} instead`);
+        }
+        this.doSearch(event.detail);
     }
 
     doSearch(search: string) {

web/src/elements/ak-dual-select/ak-dual-select.ts

@@ -1,5 +1,8 @@
 import { AKElement } from "@goauthentik/elements/Base";
-import { match } from "ts-pattern";
+import {
+    CustomEmitterElement,
+    CustomListenerElement,
+} from "@goauthentik/elements/utils/eventEmitter";
 
 import { msg, str } from "@lit/localize";
 import { PropertyValues, html, nothing } from "lit";
@@ -20,13 +23,15 @@ import { AkDualSelectSelectedPane } from "./components/ak-dual-select-selected-p
 import "./components/ak-pagination";
 import "./components/ak-search-bar";
 import {
-    DualSelectChangeEvent,
-    DualSelectMoveRequestEvent,
-    DualSelectPanelSearchEvent,
-    DualSelectSearchEvent,
-    DualSelectUpdateEvent,
-} from "./events";
-import type { BasePagination, DualSelectPair } from "./types";
+    EVENT_ADD_ALL,
+    EVENT_ADD_ONE,
+    EVENT_ADD_SELECTED,
+    EVENT_DELETE_ALL,
+    EVENT_REMOVE_ALL,
+    EVENT_REMOVE_ONE,
+    EVENT_REMOVE_SELECTED,
+} from "./constants";
+import type { BasePagination, DualSelectPair, SearchbarEvent } from "./types";
 
 function alphaSort([_k1, v1, s1]: DualSelectPair, [_k2, v2, s2]: DualSelectPair) {
     const [l, r] = [s1 !== undefined ? s1 : v1, s2 !== undefined ? s2 : v2];
@@ -55,7 +60,7 @@ const keyfinder =
         k === key;
 
 @customElement("ak-dual-select")
-export class AkDualSelect extends AKElement {
+export class AkDualSelect extends CustomEmitterElement(CustomListenerElement(AKElement)) {
     static get styles() {
         return styles;
     }
@@ -91,9 +96,21 @@ export class AkDualSelect extends AKElement {
         super();
         this.handleMove = this.handleMove.bind(this);
         this.handleSearch = this.handleSearch.bind(this);
-        this.addEventListener(DualSelectMoveRequestEvent.eventName, this.handleMove);
-        this.addEventListener(DualSelectUpdateEvent.eventName, () => this.requestUpdate());
-        this.addEventListener(DualSelectPanelSearchEvent.eventName, this.handleSearch);
+        [
+            EVENT_ADD_ALL,
+            EVENT_ADD_SELECTED,
+            EVENT_DELETE_ALL,
+            EVENT_REMOVE_ALL,
+            EVENT_REMOVE_SELECTED,
+            EVENT_ADD_ONE,
+            EVENT_REMOVE_ONE,
+        ].forEach((eventName: string) => {
+            this.addCustomListener(eventName, (event: Event) => this.handleMove(eventName, event));
+        });
+        this.addCustomListener("ak-dual-select-move", () => {
+            this.requestUpdate();
+        });
+        this.addCustomListener("ak-search", this.handleSearch);
     }
 
     willUpdate(changedProperties: PropertyValues<this>) {
@@ -106,17 +123,47 @@ export class AkDualSelect extends AKElement {
         }
     }
 
-    handleMove(event: DualSelectMoveRequestEvent) {
-        match(event.move)
-            .with("add-all", () => this.addAllVisible())
-            .with("add-one", () => this.addOne(event.key))
-            .with("add-selected", () => this.addSelected())
-            .with("delete-all", () => this.removeAll())
-            .with("remove-all", () => this.removeAllVisible())
-            .with("remove-one", () => this.removeOne(event.key))
-            .with("remove-selected", () => this.removeSelected())
-            .exhaustive();
-        this.dispatchEvent(new DualSelectChangeEvent(this.value));
+    handleMove(eventName: string, event: Event) {
+        if (!(event instanceof CustomEvent)) {
+            throw new Error(`Expected move event here, got ${eventName}`);
+        }
+
+        switch (eventName) {
+            case EVENT_ADD_SELECTED: {
+                this.addSelected();
+                break;
+            }
+            case EVENT_REMOVE_SELECTED: {
+                this.removeSelected();
+                break;
+            }
+            case EVENT_ADD_ALL: {
+                this.addAllVisible();
+                break;
+            }
+            case EVENT_REMOVE_ALL: {
+                this.removeAllVisible();
+                break;
+            }
+            case EVENT_DELETE_ALL: {
+                this.removeAll();
+                break;
+            }
+            case EVENT_ADD_ONE: {
+                this.addOne(event.detail);
+                break;
+            }
+            case EVENT_REMOVE_ONE: {
+                this.removeOne(event.detail);
+                break;
+            }
+
+            default:
+                throw new Error(
+                    `AkDualSelect.handleMove received unknown event type: ${eventName}`,
+                );
+        }
+        this.dispatchCustomEvent("ak-dual-select-change", { value: this.value });
         event.stopPropagation();
     }
 
@@ -135,10 +182,7 @@ export class AkDualSelect extends AKElement {
         this.availablePane.value!.clearMove();
     }
 
-    addOne(key?: string) {
-        if (!key) {
-            return;
-        }
+    addOne(key: string) {
         const requested = this.options.find(keyfinder(key));
         if (requested && !this.selected.find(keyfinder(requested[0]))) {
             this.selected = [...this.selected, requested];
@@ -163,10 +207,7 @@ export class AkDualSelect extends AKElement {
         this.selectedPane.value!.clearMove();
     }
 
-    removeOne(key?: string) {
-        if (!key) {
-            return;
-        }
+    removeOne(key: string) {
         this.selected = this.selected.filter(([k]) => k !== key);
     }
 
@@ -182,18 +223,18 @@ export class AkDualSelect extends AKElement {
         this.selectedPane.value!.clearMove();
     }
 
-    handleSearch(event: DualSelectPanelSearchEvent) {
-        switch (event.source) {
+    handleSearch(event: SearchbarEvent) {
+        switch (event.detail.source) {
             case "ak-dual-list-available-search":
-                return this.handleAvailableSearch(event.filterOn);
+                return this.handleAvailableSearch(event.detail.value);
             case "ak-dual-list-selected-search":
-                return this.handleSelectedSearch(event.filterOn);
+                return this.handleSelectedSearch(event.detail.value);
         }
         event.stopPropagation();
     }
 
     handleAvailableSearch(value: string) {
-        this.dispatchEvent(new DualSelectSearchEvent(value));
+        this.dispatchCustomEvent("ak-dual-select-search", value);
     }
 
     handleSelectedSearch(value: string) {

web/src/elements/ak-dual-select/components/ak-dual-select-available-pane.ts

@@ -1,19 +1,26 @@
-import { bound } from "@goauthentik/elements/decorators/bound";
+import { AKElement } from "@goauthentik/elements/Base";
+import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 
 import { html, nothing } from "lit";
-import { customElement, property } from "lit/decorators.js";
+import { customElement, property, state } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";
 import { map } from "lit/directives/map.js";
 
-import { availablePaneStyles } from "./styles.css";
+import { availablePaneStyles, listStyles } from "./styles.css";
+import PFButton from "@patternfly/patternfly/components/Button/button.css";
+import PFDualListSelector from "@patternfly/patternfly/components/DualListSelector/dual-list-selector.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
-import {
-    DualSelectMoveAvailableEvent,
-    DualSelectMoveRequestEvent,
-    DualSelectUpdateEvent,
-} from "../events";
+import { EVENT_ADD_ONE } from "../constants";
 import type { DualSelectPair } from "../types";
-import { AkDualSelectAbstractPane } from "./ak-dual-select-pane";
+
+const styles = [PFBase, PFButton, PFDualListSelector, listStyles, availablePaneStyles];
+
+const hostAttributes = [
+    ["aria-labelledby", "dual-list-selector-available-pane-status"],
+    ["aria-multiselectable", "true"],
+    ["role", "listbox"],
+];
 
 /**
  * @element ak-dual-select-available-panel
@@ -33,9 +40,9 @@ import { AkDualSelectAbstractPane } from "./ak-dual-select-pane";
  *
  */
 @customElement("ak-dual-select-available-pane")
-export class AkDualSelectAvailablePane extends AkDualSelectAbstractPane {
+export class AkDualSelectAvailablePane extends CustomEmitterElement(AKElement) {
     static get styles() {
-        return [...AkDualSelectAbstractPane.styles, availablePaneStyles];
+        return styles;
     }
 
     /* The array of key/value pairs this pane is currently showing */
@@ -49,31 +56,68 @@ export class AkDualSelectAvailablePane extends AkDualSelectAbstractPane {
     @property({ type: Object })
     readonly selected: Set<string> = new Set();
 
-    @bound
+    /* This is the only mutator for this object. It collects the list of objects the user has
+     * clicked on *in this pane*. It is explicitly marked as "public" to emphasize that the parent
+     * orchestrator for the dual-select widget can and will access it to get the list of keys to be
+     * moved (removed) if the user so requests.
+     *
+     */
+    @state()
+    public toMove: Set<string> = new Set();
+
+    constructor() {
+        super();
+        this.onClick = this.onClick.bind(this);
+        this.onMove = this.onMove.bind(this);
+    }
+
+    connectedCallback() {
+        super.connectedCallback();
+        hostAttributes.forEach(([attr, value]) => {
+            if (!this.hasAttribute(attr)) {
+                this.setAttribute(attr, value);
+            }
+        });
+    }
+
+    clearMove() {
+        this.toMove = new Set();
+    }
+
     onClick(key: string) {
         if (this.selected.has(key)) {
             return;
         }
-        this.move(key);
-        this.dispatchEvent(new DualSelectMoveAvailableEvent(this.moveable.sort()));
-        this.dispatchEvent(new DualSelectUpdateEvent());
+        if (this.toMove.has(key)) {
+            this.toMove.delete(key);
+        } else {
+            this.toMove.add(key);
+        }
+        this.dispatchCustomEvent(
+            "ak-dual-select-available-move-changed",
+            Array.from(this.toMove.values()).sort(),
+        );
+        this.dispatchCustomEvent("ak-dual-select-move");
         // Necessary because updating a map won't trigger a state change
         this.requestUpdate();
     }
 
-    @bound
     onMove(key: string) {
         this.toMove.delete(key);
-        this.dispatchEvent(new DualSelectMoveRequestEvent("add-one", key));
+        this.dispatchCustomEvent(EVENT_ADD_ONE, key);
         this.requestUpdate();
     }
 
+    get moveable() {
+        return Array.from(this.toMove.values());
+    }
+
     // DO NOT use `Array.map()` instead of Lit's `map()` function. Lit's `map()` is object-aware and
     // will not re-arrange or reconstruct the list automatically if the actual sources do not
     // change; this allows the available pane to illustrate selected items with the checkmark
     // without causing the list to scroll back up to the top.
 
-    override render() {
+    render() {
         return html`
             <div class="pf-c-dual-list-selector__menu">
                 <ul class="pf-c-dual-list-selector__list">

web/src/elements/ak-dual-select/components/ak-dual-select-controls.ts

@@ -1,4 +1,5 @@
 import { AKElement } from "@goauthentik/elements/Base";
+import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 
 import { msg } from "@lit/localize";
 import { css, html, nothing } from "lit";
@@ -7,7 +8,13 @@ import { customElement, property } from "lit/decorators.js";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
-import { DualSelectMoveRequestEvent, type MoveEventType } from "../events";
+import {
+    EVENT_ADD_ALL,
+    EVENT_ADD_SELECTED,
+    EVENT_DELETE_ALL,
+    EVENT_REMOVE_ALL,
+    EVENT_REMOVE_SELECTED,
+} from "../constants";
 
 const styles = [
     PFBase,
@@ -40,7 +47,7 @@ const styles = [
  */
 
 @customElement("ak-dual-select-controls")
-export class AkDualSelectControls extends AKElement {
+export class AkDualSelectControls extends CustomEmitterElement(AKElement) {
     static get styles() {
         return styles;
     }
@@ -89,11 +96,11 @@ export class AkDualSelectControls extends AKElement {
         this.onClick = this.onClick.bind(this);
     }
 
-    onClick(eventName: MoveEventType) {
-        this.dispatchEvent(new DualSelectMoveRequestEvent(eventName));
+    onClick(eventName: string) {
+        this.dispatchCustomEvent(eventName);
     }
 
-    renderButton(label: string, event: MoveEventType, active: boolean, direction: string) {
+    renderButton(label: string, event: string, active: boolean, direction: string) {
         return html`
             <div class="pf-c-dual-list-selector__controls-item">
                 <button
@@ -114,18 +121,23 @@ export class AkDualSelectControls extends AKElement {
     render() {
         return html`
             <div class="ak-dual-list-selector__controls">
-                ${this.renderButton(msg("Add"), "add-selected", this.addActive, "fa-angle-right")}
+                ${this.renderButton(
+                    msg("Add"),
+                    EVENT_ADD_SELECTED,
+                    this.addActive,
+                    "fa-angle-right",
+                )}
                 ${this.selectAll
                     ? html`
                           ${this.renderButton(
                               msg("Add All Available"),
-                              "add-all",
+                              EVENT_ADD_ALL,
                               this.addAllActive,
                               "fa-angle-double-right",
                           )}
                           ${this.renderButton(
                               msg("Remove All Available"),
-                              "remove-all",
+                              EVENT_REMOVE_ALL,
                               this.removeAllActive,
                               "fa-angle-double-left",
                           )}
@@ -133,14 +145,14 @@ export class AkDualSelectControls extends AKElement {
                     : nothing}
                 ${this.renderButton(
                     msg("Remove"),
-                    "remove-selected",
+                    EVENT_REMOVE_SELECTED,
                     this.removeActive,
                     "fa-angle-left",
                 )}
                 ${this.deleteAll
                     ? html`${this.renderButton(
                           msg("Remove All"),
-                          "delete-all",
+                          EVENT_DELETE_ALL,
                           this.enableDeleteAll,
                           "fa-times",
                       )}`

web/src/elements/ak-dual-select/components/ak-dual-select-pane.ts

@@ -1,75 +0,0 @@
-import { AKElement } from "@goauthentik/elements/Base";
-
-import { TemplateResult } from "lit";
-import { state } from "lit/decorators.js";
-
-import { listStyles } from "./styles.css";
-import PFButton from "@patternfly/patternfly/components/Button/button.css";
-import PFDualListSelector from "@patternfly/patternfly/components/DualListSelector/dual-list-selector.css";
-import PFBase from "@patternfly/patternfly/patternfly-base.css";
-
-const styles = [PFBase, PFButton, PFDualListSelector, listStyles];
-
-const hostAttributes = [
-    ["aria-labelledby", "dual-list-selector-selected-pane-status"],
-    ["aria-multiselectable", "true"],
-    ["role", "listbox"],
-];
-
-/**
- * @element ak-dual-select-panel
- *
- * The "selected options" or "right" pane in a dual-list multi-select.  It receives from its parent
- * a list of the selected options, and maintains an internal list of objects selected to move.
- *
- * @fires ak-dual-select-selected-move-changed - When the list of "to move" entries changed.
- * Includes the current `toMove` content.
- *
- * @fires ak-dual-select-remove-one - Double-click with the element clicked on.
- *
- * It is not expected that the `ak-dual-select-selected-move-changed` will be used; instead, the
- * attribute will be read by the parent when a control is clicked.
- *
- */
-export abstract class AkDualSelectAbstractPane extends AKElement {
-    static get styles() {
-        return styles;
-    }
-
-    /*
-     * This is the only mutator for this object. It collects the list of objects the user has
-     * clicked on *in this pane*. It is explicitly marked as "public" to emphasize that the parent
-     * orchestrator for the dual-select widget can and will access it to get the list of keys to be
-     * moved (removed) if the user so requests.
-     *
-     */
-    @state()
-    public toMove: Set<string> = new Set();
-
-    connectedCallback() {
-        super.connectedCallback();
-        hostAttributes.forEach(([attr, value]) => {
-            if (!this.hasAttribute(attr)) {
-                this.setAttribute(attr, value);
-            }
-        });
-    }
-
-    clearMove() {
-        this.toMove = new Set();
-    }
-
-    move(key: string) {
-        if (this.toMove.has(key)) {
-            this.toMove.delete(key);
-        } else {
-            this.toMove.add(key);
-        }
-    }
-
-    get moveable() {
-        return Array.from(this.toMove.values());
-    }
-
-    abstract render(): TemplateResult;
-}

web/src/elements/ak-dual-select/components/ak-dual-select-selected-pane.ts

@@ -1,19 +1,26 @@
-import { bound } from "@goauthentik/elements/decorators/bound";
+import { AKElement } from "@goauthentik/elements/Base";
+import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 
 import { html } from "lit";
-import { customElement, property } from "lit/decorators.js";
+import { customElement, property, state } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";
 import { map } from "lit/directives/map.js";
 
-import { selectedPaneStyles } from "./styles.css";
+import { listStyles, selectedPaneStyles } from "./styles.css";
+import PFButton from "@patternfly/patternfly/components/Button/button.css";
+import PFDualListSelector from "@patternfly/patternfly/components/DualListSelector/dual-list-selector.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
-import {
-    DualSelectMoveRequestEvent,
-    DualSelectMoveSelectedEvent,
-    DualSelectUpdateEvent,
-} from "../events";
+import { EVENT_REMOVE_ONE } from "../constants";
 import type { DualSelectPair } from "../types";
-import { AkDualSelectAbstractPane } from "./ak-dual-select-pane";
+
+const styles = [PFBase, PFButton, PFDualListSelector, listStyles, selectedPaneStyles];
+
+const hostAttributes = [
+    ["aria-labelledby", "dual-list-selector-selected-pane-status"],
+    ["aria-multiselectable", "true"],
+    ["role", "listbox"],
+];
 
 /**
  * @element ak-dual-select-available-panel
@@ -31,32 +38,70 @@ import { AkDualSelectAbstractPane } from "./ak-dual-select-pane";
  *
  */
 @customElement("ak-dual-select-selected-pane")
-export class AkDualSelectSelectedPane extends AkDualSelectAbstractPane {
+export class AkDualSelectSelectedPane extends CustomEmitterElement(AKElement) {
     static get styles() {
-        return [...AkDualSelectAbstractPane.styles, selectedPaneStyles];
+        return styles;
     }
 
     /* The array of key/value pairs that are in the selected list.  ALL of them. */
     @property({ type: Array })
     readonly selected: DualSelectPair[] = [];
 
-    @bound
+    /*
+     * This is the only mutator for this object. It collects the list of objects the user has
+     * clicked on *in this pane*. It is explicitly marked as "public" to emphasize that the parent
+     * orchestrator for the dual-select widget can and will access it to get the list of keys to be
+     * moved (removed) if the user so requests.
+     *
+     */
+    @state()
+    public toMove: Set<string> = new Set();
+
+    constructor() {
+        super();
+        this.onClick = this.onClick.bind(this);
+        this.onMove = this.onMove.bind(this);
+    }
+
+    connectedCallback() {
+        super.connectedCallback();
+        hostAttributes.forEach(([attr, value]) => {
+            if (!this.hasAttribute(attr)) {
+                this.setAttribute(attr, value);
+            }
+        });
+    }
+
+    clearMove() {
+        this.toMove = new Set();
+    }
+
     onClick(key: string) {
-        this.move(key);
-        this.dispatchEvent(new DualSelectMoveSelectedEvent(this.moveable.sort()));
-        this.dispatchEvent(new DualSelectUpdateEvent());
+        if (this.toMove.has(key)) {
+            this.toMove.delete(key);
+        } else {
+            this.toMove.add(key);
+        }
+        this.dispatchCustomEvent(
+            "ak-dual-select-selected-move-changed",
+            Array.from(this.toMove.values()).sort(),
+        );
+        this.dispatchCustomEvent("ak-dual-select-move");
         // Necessary because updating a map won't trigger a state change
         this.requestUpdate();
     }
 
-    @bound
     onMove(key: string) {
         this.toMove.delete(key);
-        this.dispatchEvent(new DualSelectMoveRequestEvent("remove-one", key));
+        this.dispatchCustomEvent(EVENT_REMOVE_ONE, key);
         this.requestUpdate();
     }
 
-    override render() {
+    get moveable() {
+        return Array.from(this.toMove.values());
+    }
+
+    render() {
         return html`
             <div class="pf-c-dual-list-selector__menu">
                 <ul class="pf-c-dual-list-selector__list">

web/src/elements/ak-dual-select/components/ak-pagination.ts

@@ -1,4 +1,5 @@
 import { AKElement } from "@goauthentik/elements/Base";
+import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 
 import { msg, str } from "@lit/localize";
 import { css, html, nothing } from "lit";
@@ -8,7 +9,6 @@ import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFPagination from "@patternfly/patternfly/components/Pagination/pagination.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
-import { DualSelectPaginatorNavEvent } from "../events";
 import type { BasePagination } from "../types";
 
 const styles = [
@@ -27,7 +27,7 @@ const styles = [
 ];
 
 @customElement("ak-pagination")
-export class AkPagination extends AKElement {
+export class AkPagination extends CustomEmitterElement(AKElement) {
     static get styles() {
         return styles;
     }
@@ -41,7 +41,7 @@ export class AkPagination extends AKElement {
     }
 
     onClick(nav: number | undefined) {
-        this.dispatchEvent(new DualSelectPaginatorNavEvent(nav ?? 0));
+        this.dispatchCustomEvent("ak-pagination-nav-to", nav ?? 0);
     }
 
     render() {

web/src/elements/ak-dual-select/components/ak-search-bar.ts

@@ -1,4 +1,5 @@
 import { AKElement } from "@goauthentik/elements/Base";
+import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 
 import { html } from "lit";
 import { customElement, property } from "lit/decorators.js";
@@ -8,12 +9,12 @@ import type { Ref } from "lit/directives/ref.js";
 import { globalVariables, searchStyles } from "./search.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
-import { DualSelectPanelSearchEvent } from "../events";
+import type { SearchbarEvent } from "../types";
 
 const styles = [PFBase, globalVariables, searchStyles];
 
 @customElement("ak-search-bar")
-export class AkSearchbar extends AKElement {
+export class AkSearchbar extends CustomEmitterElement(AKElement) {
     static get styles() {
         return styles;
     }
@@ -39,7 +40,10 @@ export class AkSearchbar extends AKElement {
         if (this.input.value) {
             this.value = this.input.value.value;
         }
-        this.dispatchEvent(new DualSelectPanelSearchEvent(this.name, this.value));
+        this.dispatchCustomEvent<SearchbarEvent>("ak-search", {
+            source: this.name,
+            value: this.value,
+        });
     }
 
     render() {

web/src/elements/ak-dual-select/events.ts

@@ -1,112 +0,0 @@
-import { DualSelectPair } from "./types";
-
-// Handled by the Server layer provider
-
-// Request to provide a different page of the paginated results in the "available" panel.
-export class DualSelectPaginatorNavEvent extends Event {
-    static readonly eventName = "ak-dual-select-paginator-nav";
-    constructor(public page: number = 0) {
-        super(DualSelectPaginatorNavEvent.eventName, { bubbles: true, composed: true });
-    }
-}
-
-// Request to provide a filtered collection for the "available" panel via a search string
-export class DualSelectSearchEvent extends Event {
-    static readonly eventName = "ak-dual-select-search";
-    constructor(public search: string) {
-        super(DualSelectSearchEvent.eventName, { bubbles: true, composed: true });
-    }
-}
-
-// Request to update the "selected" list in the provider
-export class DualSelectChangeEvent extends Event {
-    static readonly eventName = "ak-dual-select-change";
-    constructor(public selected: DualSelectPair[]) {
-        super(DualSelectChangeEvent.eventName, { bubbles: true, composed: true });
-    }
-}
-
-// Paginator and specific item events
-
-export const moveEvents = [
-    "add-all",
-    "add-one",
-    "add-selected",
-    "delete-all",
-    "remove-all",
-    "remove-one",
-    "remove-selected",
-] as const;
-
-export type MoveEventType = (typeof moveEvents)[number];
-
-// Request to add or remove all, some, or just one item from the "selected" panel
-export class DualSelectMoveRequestEvent extends Event {
-    static readonly eventName = "ak-dual-select-request-move";
-    constructor(
-        public move: MoveEventType,
-        public key?: string,
-    ) {
-        super(DualSelectMoveRequestEvent.eventName, { bubbles: true, composed: true });
-    }
-}
-
-// Update events
-
-// Request to update the viewset
-export class DualSelectUpdateEvent extends Event {
-    static readonly eventName = "ak-dual-select-update";
-    constructor() {
-        super(DualSelectUpdateEvent.eventName, { bubbles: true, composed: true });
-    }
-}
-
-interface DualSelectMoveChangedEvent {
-    keys: string[];
-}
-
-// Request to update the list of "marked for move" items in the "available" panel
-export class DualSelectMoveAvailableEvent extends Event implements DualSelectMoveChangedEvent {
-    static readonly eventName = "ak-dual-select-move-available";
-    constructor(public keys: string[]) {
-        super(DualSelectMoveAvailableEvent.eventName, { bubbles: true, composed: true });
-    }
-}
-
-// Request to update the list of "marked for move" items in the "selected" panel
-export class DualSelectMoveSelectedEvent extends Event implements DualSelectMoveChangedEvent {
-    static readonly eventName = "ak-dual-select-move-selected";
-    constructor(public keys: string[]) {
-        super(DualSelectMoveSelectedEvent.eventName, { bubbles: true, composed: true });
-    }
-}
-
-// Request to update either panel with a Filter
-export class DualSelectPanelSearchEvent extends Event {
-    static readonly eventName = "ak-dual-select-panel-search";
-    constructor(
-        public source: string,
-        public filterOn: string,
-    ) {
-        super(DualSelectPanelSearchEvent.eventName, { bubbles: true, composed: true });
-    }
-}
-
-declare global {
-    interface HTMLElementEventMap {
-        [DualSelectUpdateEvent.eventName]: DualSelectUpdateEvent;
-        [DualSelectMoveAvailableEvent.eventName]: DualSelectMoveAvailableEvent;
-        [DualSelectMoveSelectedEvent.eventName]: DualSelectMoveSelectedEvent;
-        [DualSelectMoveRequestEvent.eventName]: DualSelectMoveRequestEvent;
-        [DualSelectPaginatorNavEvent.eventName]: DualSelectPaginatorNavEvent;
-        [DualSelectSearchEvent.eventName]: DualSelectSearchEvent;
-        [DualSelectChangeEvent.eventName]: DualSelectChangeEvent;
-        [DualSelectPanelSearchEvent.eventName]: DualSelectPanelSearchEvent;
-    }
-
-    interface WindowEventMap {
-        [DualSelectMoveRequestEvent.eventName]: DualSelectMoveRequestEvent;
-        [DualSelectPaginatorNavEvent.eventName]: DualSelectPaginatorNavEvent;
-        [DualSelectMoveSelectedEvent.eventName]: DualSelectMoveSelectedEvent;
-    }
-}

web/src/elements/ak-dual-select/stories/ak-dual-select-available-pane.stories.ts

@@ -6,7 +6,6 @@ import { TemplateResult, html } from "lit";
 
 import "../components/ak-dual-select-available-pane";
 import { AkDualSelectAvailablePane } from "../components/ak-dual-select-available-pane";
-import { DualSelectMoveSelectedEvent } from "../events";
 import "./sb-host-provider";
 
 const metadata: Meta<AkDualSelectAvailablePane> = {
@@ -54,15 +53,15 @@ const container = (testItem: TemplateResult) =>
     </div>`;
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-const handleMoveChanged = (result: DualSelectMoveSelectedEvent) => {
+const handleMoveChanged = (result: any) => {
     const target = document.querySelector("#action-button-message-pad");
     target!.innerHTML = "";
-    result.keys.forEach((key: string) => {
+    result.detail.forEach((key: string) => {
         target!.append(new DOMParser().parseFromString(`<li>${key}</li>`, "text/xml").firstChild!);
     });
 };
 
-window.addEventListener(DualSelectMoveSelectedEvent.eventName, handleMoveChanged);
+window.addEventListener("ak-dual-select-available-move-changed", handleMoveChanged);
 
 type Story = StoryObj;
 

web/src/elements/ak-dual-select/stories/ak-dual-select-controls.stories.ts

@@ -5,7 +5,6 @@ import { TemplateResult, html } from "lit";
 
 import "../components/ak-dual-select-controls";
 import { AkDualSelectControls } from "../components/ak-dual-select-controls";
-import { DualSelectMoveRequestEvent } from "../events";
 
 const metadata: Meta<AkDualSelectControls> = {
     title: "Elements / Dual Select / Control Panel",
@@ -60,9 +59,10 @@ const displayMessage = (result: any) => {
     target!.appendChild(doc.firstChild!);
 };
 
-window.addEventListener(DualSelectMoveRequestEvent.eventName, (ev: DualSelectMoveRequestEvent) =>
-    displayMessage(ev.move.toString()),
-);
+window.addEventListener("ak-dual-select-add", () => displayMessage("add"));
+window.addEventListener("ak-dual-select-remove", () => displayMessage("remove"));
+window.addEventListener("ak-dual-select-add-all", () => displayMessage("add all"));
+window.addEventListener("ak-dual-select-remove-all", () => displayMessage("remove all"));
 
 type Story = StoryObj;
 

web/src/elements/ak-dual-select/stories/ak-dual-select-master.stories.ts

@@ -9,7 +9,6 @@ import { Pagination } from "@goauthentik/api";
 
 import "../ak-dual-select";
 import { AkDualSelect } from "../ak-dual-select";
-import { DualSelectPaginatorNavEvent } from "../events";
 import type { DualSelectPair } from "../types";
 
 const goodForYouRaw = `
@@ -84,11 +83,11 @@ export class AkSbFruity extends LitElement {
             totalPages: Math.ceil(this.options.length / this.pageLength),
         };
         this.onNavigation = this.onNavigation.bind(this);
-        this.addEventListener(DualSelectPaginatorNavEvent.eventName, this.onNavigation);
+        this.addEventListener("ak-pagination-nav-to", this.onNavigation);
     }
 
-    onNavigation(evt: DualSelectPaginatorNavEvent) {
-        const current = evt.page;
+    onNavigation(evt: Event) {
+        const current: number = (evt as CustomEvent).detail;
         const index = current - 1;
         if (index * this.pageLength > this.options.length) {
             console.warn(

web/src/elements/ak-dual-select/stories/ak-dual-select-selected-pane.stories.ts

@@ -6,7 +6,6 @@ import { TemplateResult, html } from "lit";
 
 import "../components/ak-dual-select-selected-pane";
 import { AkDualSelectSelectedPane } from "../components/ak-dual-select-selected-pane";
-import { DualSelectMoveSelectedEvent } from "../events";
 import "./sb-host-provider";
 
 const metadata: Meta<AkDualSelectSelectedPane> = {
@@ -51,15 +50,15 @@ const container = (testItem: TemplateResult) =>
     </div>`;
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-const handleMoveChanged = (result: DualSelectMoveSelectedEvent) => {
+const handleMoveChanged = (result: any) => {
     const target = document.querySelector("#action-button-message-pad");
     target!.innerHTML = "";
-    result.keys.forEach((key: string) => {
+    result.detail.forEach((key: string) => {
         target!.append(new DOMParser().parseFromString(`<li>${key}</li>`, "text/xml").firstChild!);
     });
 };
 
-window.addEventListener(DualSelectMoveSelectedEvent.eventName, handleMoveChanged);
+window.addEventListener("ak-dual-select-selected-move-changed", handleMoveChanged);
 
 type Story = StoryObj;
 

web/src/elements/ak-dual-select/stories/ak-pagination.stories.ts

@@ -5,7 +5,6 @@ import { TemplateResult, html } from "lit";
 
 import "../components/ak-pagination";
 import { AkPagination } from "../components/ak-pagination";
-import { DualSelectPaginatorNavEvent } from "../events";
 
 const metadata: Meta<AkPagination> = {
     title: "Elements / Dual Select / Pagination Control",
@@ -44,18 +43,18 @@ const container = (testItem: TemplateResult) =>
     </div>`;
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-const handleMoveChanged = (result: DualSelectPaginatorNavEvent) => {
+const handleMoveChanged = (result: any) => {
     console.debug(result);
     const target = document.querySelector("#action-button-message-pad");
     target!.append(
         new DOMParser().parseFromString(
-            `<li>Request to move to page ${result.page}</li>`,
+            `<li>Request to move to page ${result.detail}</li>`,
             "text/xml",
         ).firstChild!,
     );
 };
 
-window.addEventListener(DualSelectPaginatorNavEvent.eventName, handleMoveChanged);
+window.addEventListener("ak-pagination-nav-to", handleMoveChanged);
 
 type Story = StoryObj;
 

web/src/elements/ak-dual-select/types.ts

@@ -29,3 +29,10 @@ export type DataProvision = {
 };
 
 export type DataProvider = (page: number, search?: string) => Promise<DataProvision>;
+
+export interface SearchbarEvent extends CustomEvent {
+    detail: {
+        source: string;
+        value: string;
+    };
+}

web/src/flow/FlowExecutor.ts

@@ -5,12 +5,13 @@ import {
     TITLE_DEFAULT,
 } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
+import { MessageLevel } from "@goauthentik/common/messages";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { first } from "@goauthentik/common/utils";
-import { WebsocketClient } from "@goauthentik/common/ws";
 import { Interface } from "@goauthentik/elements/Interface";
 import "@goauthentik/elements/LoadingOverlay";
 import "@goauthentik/elements/ak-locale-context";
+import { showMessage } from "@goauthentik/elements/messages/MessageContainer";
 import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";
 import { themeImage } from "@goauthentik/elements/utils/images";
 import "@goauthentik/flow/components/ak-brand-footer";
@@ -44,6 +45,7 @@ import {
     FlowErrorChallenge,
     FlowLayoutEnum,
     FlowsApi,
+    Message,
     ResponseError,
     ShellChallenge,
     UiThemeEnum,
@@ -83,8 +85,6 @@ export class FlowExecutor extends Interface implements StageHost {
     @state()
     flowInfo?: ContextualFlowInfo;
 
-    ws: WebsocketClient;
-
     static get styles(): CSSResult[] {
         return [PFBase, PFLogin, PFDrawer, PFButton, PFTitle, PFList, PFBackgroundImage].concat(css`
             :host {
@@ -174,7 +174,6 @@ export class FlowExecutor extends Interface implements StageHost {
 
     constructor() {
         super();
-        this.ws = new WebsocketClient();
         const inspector = new URL(window.location.toString()).searchParams.get("inspector");
         if (inspector === "" || inspector === "open") {
             this.inspectorOpen = true;
@@ -233,6 +232,7 @@ export class FlowExecutor extends Interface implements StageHost {
             if (this.challenge.flowInfo) {
                 this.flowInfo = this.challenge.flowInfo;
             }
+            this.showMessages(this.challenge.messages);
             return !this.challenge.responseErrors;
         } catch (exc: unknown) {
             this.errorMessage(exc as Error | ResponseError | FetchError);
@@ -265,6 +265,7 @@ export class FlowExecutor extends Interface implements StageHost {
             if (this.challenge.flowInfo) {
                 this.flowInfo = this.challenge.flowInfo;
             }
+            this.showMessages(this.challenge.messages);
         } catch (exc: unknown) {
             // Catch JSON or Update errors
             this.errorMessage(exc as Error | ResponseError | FetchError);
@@ -273,6 +274,15 @@ export class FlowExecutor extends Interface implements StageHost {
         }
     }
 
+    showMessages(messages: Array<Message> | undefined) {
+        for (const message of (messages ??= [])) {
+            showMessage({
+                level: message.level as MessageLevel,
+                message: message.message,
+            });
+        }
+    }
+
     async errorMessage(error: Error | ResponseError | FetchError): Promise<void> {
         let body = "";
         if (error instanceof FetchError) {

web/src/flow/FlowInterface.ts

@@ -1,4 +1,3 @@
-import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/flow/FlowExecutor";
 // Statically import some stages to speed up load speed
 import "@goauthentik/flow/stages/access_denied/AccessDeniedStage";

web/xliff/fr.xlf

@@ -6572,7 +6572,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
       </trans-unit>
       <trans-unit id="s0e516232f2ab4e04">
         <source>Tokens sent via SMS.</source>
-        <target>Jeton envoyé par SMS</target>
+        <target>Jetons envoyés par SMS.</target>
         
       </trans-unit>
       <trans-unit id="s6ae0d087036e6d6d">
@@ -9047,7 +9047,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
   <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-  <target>Applications externes qui utilisent <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> comme fournisseur d'identité en utilisant des protocoles comme OAuth2 et SAML. Toutes les applications sont affichées ici, même celles auxquelles vous n'avez pas accès.</target>
+  <target>Applications externes qui utilisent <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> comme fournisseur d'identité en utilisant des protocoles comme OAuth2 et SAML. Toutes les applications sont affichées ici, même celles auxquelles vous n'avez pas accès.</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
   <source>Strict</source>
@@ -9485,93 +9485,123 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
   <source>Create a new application and configure a provider for it.</source>
+  <target>Créer une nouvelle application et configurer un fournisseur pour celle-ci.</target>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
   <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+  <target>L'utilisation de ce formulaire ne créera qu'une application. Afin de vous authentifier auprès de l'application, vous devrez l'associer manuellement à un fournisseur.</target>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
   <source>Distance settings</source>
+  <target>Réglages de distance</target>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
   <source>Check historical distance of logins</source>
+  <target>Vérifier l'historique de distance des connexions</target>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
   <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+  <target>Lorsque cette option est activée, les données GeoIP de la demande de politique sont comparées au nombre spécifié de connexions historiques.</target>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
   <source>Maximum distance</source>
+  <target>Distance maximale</target>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
   <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+  <target>Distance maximale autorisée pour une tentative de connexion en kilomètres.</target>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
   <source>Distance tolerance</source>
+  <target>Tolérance de distance</target>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
   <source>Tolerance in checking for distances in kilometers.</source>
+  <target>Tolérance de vérification des distances en kilomètres.</target>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
   <source>Historical Login Count</source>
+  <target>Nombre de connexions historiques</target>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
   <source>Amount of previous login events to check against.</source>
+  <target>Nombre d'événements de connexion précédents à vérifier.</target>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
   <source>Check impossible travel</source>
+  <target>Vérifier les déplacements impossibles</target>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
   <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+  <target>Lorsque cette option est activée, les données GeoIP de la demande de politique sont comparées au nombre spécifié de connexions historiques et si le voyage aurait été possible dans le laps de temps écoulé depuis l'événement précédent.</target>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
   <source>Impossible travel tolerance</source>
+  <target>Tolérance de déplacement impossible</target>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
   <source>Static rule settings</source>
+  <target>Paramètres de règle statique</target>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
   <source>Create with Provider</source>
+  <target>Créer avec un fournisseur</target>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
   <source>Email address the verification email will be sent from.</source>
+  <target>Adresse courriel depuis laquelle le courriel de vérification sera envoyé.</target>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
   <source>Stage used to configure an email-based authenticator.</source>
+  <target>Étape utilisée pour configurer un authentificateur courriel.</target>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
   <source>Use global connection settings</source>
+  <target>Utiliser les paramètres de connexion globaux</target>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
   <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+  <target>Si activé, les paramètres globaux de connexion courriel seront utilisés et les paramètres de connexion ci-dessous seront ignorés.</target>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
   <source>Subject of the verification email.</source>
+  <target>Objet du courriel de vérification.</target>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
   <source>Token expiration</source>
+  <target>Expiration du jeton</target>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
   <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+  <target>Durée de validité du jeton envoyé (Format : hours=3,minutes=17,seconds=300).</target>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
   <source>Email-based Authenticators</source>
+  <target>Authenticatificateurs basé sur courriel</target>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
   <source>Caps Lock is enabled.</source>
+  <target>La touche Verr Maj est activée.</target>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
   <source>Configure your email</source>
+  <target>Configurer votre courriel</target>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
   <source>Please enter your email address.</source>
+  <target>Veuillez entrer votre adresse courriel.</target>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
   <source>Please enter the code you received via email</source>
+  <target>Veuillez entrer le code que vous avez reçu par courriel</target>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
   <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+  <target>Un code vous a été envoyé par courriel<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></target>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
   <source>Tokens sent via email.</source>
+  <target>Jetons envoyés par courriel.</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hans.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
   <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
     <body>
       <trans-unit id="s4caed5b7a7e5d89b">
@@ -596,9 +596,9 @@
         
       </trans-unit>
       <trans-unit id="saa0e2675da69651b">
-        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
-        <target>未找到 URL "
-        <x id="0" equiv-text="${this.url}"/>"。</target>
+        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
+        <target>未找到 URL &quot;
+        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s58cd9c2fe836d9c6">
@@ -1715,8 +1715,8 @@
         
       </trans-unit>
       <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s0410779cb47de312">
@@ -2864,8 +2864,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
+        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <target>包含组成员的字段。请注意，如果使用 &quot;memberUid&quot; 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
         
       </trans-unit>
       <trans-unit id="s026555347e589f0e">
@@ -3783,10 +3783,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
         <target>您确定要更新
-        <x id="0" equiv-text="${this.objectLabel}"/>"
-        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
+        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
         
       </trans-unit>
       <trans-unit id="sc92d7cfb6ee1fec6">
@@ -4857,7 +4857,7 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sdf1d8edef27236f0">
-        <source>A "roaming" authenticator, like a YubiKey</source>
+        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
         <target>像 YubiKey 这样的“漫游”身份验证器</target>
         
       </trans-unit>
@@ -5226,7 +5226,7 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
         <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
         
       </trans-unit>
@@ -7521,7 +7521,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
+  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
   <target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@@ -8815,7 +8815,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>同步组</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
   <target><x id="0" equiv-text="${p.name}"/>（&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;，类型为 <x id="2" equiv-text="${p.type}"/>）</target>
 </trans-unit>
 <trans-unit id="s25bacc19d98b444e">
@@ -9048,7 +9048,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
   <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
+  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
   <source>Strict</source>
@@ -9063,8 +9063,8 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>授权流程成功后有效的重定向 URI。还可以在此处为隐式流程指定任何来源。</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
-  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
+  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
+  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
 </trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
   <source>Federated OIDC Sources</source>
@@ -9486,94 +9486,124 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
   <source>Create a new application and configure a provider for it.</source>
+  <target>创建一个应用程序并为它配置提供程序。</target>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
   <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+  <target>此表单只会创建应用程序。要设置此应用程序的身份验证，您需要手动为它配对一个提供程序。</target>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
   <source>Distance settings</source>
+  <target>距离设置</target>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
   <source>Check historical distance of logins</source>
+  <target>检查历史登录距离</target>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
   <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+  <target>启用此选项时，策略请求的 GeoIP 数据会用来与指定数量的历史登录比较。</target>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
   <source>Maximum distance</source>
+  <target>最大距离</target>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
   <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+  <target>允许登录请求的最大距离，单位为千米。</target>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
   <source>Distance tolerance</source>
+  <target>距离误差</target>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
   <source>Tolerance in checking for distances in kilometers.</source>
+  <target>检查距离时允许的误差，单位为千米。</target>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
   <source>Historical Login Count</source>
+  <target>历史登录次数</target>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
   <source>Amount of previous login events to check against.</source>
+  <target>检查指定次数的历史登录事件。</target>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
   <source>Check impossible travel</source>
+  <target>检查不可能的行程</target>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
   <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+  <target>启用此选项时，策略请求的 GeoIP 数据会用来与指定数量的历史登录比较，以及自上次活动以来移动的距离是否可能在该时段内完成。</target>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
   <source>Impossible travel tolerance</source>
+  <target>不可能行程的误差</target>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
   <source>Static rule settings</source>
+  <target>静态规则设置</target>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
   <source>Create with Provider</source>
+  <target>以提供程序创建</target>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
   <source>Email address the verification email will be sent from.</source>
+  <target>用于发送验证邮件的电子邮件地址。</target>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
   <source>Stage used to configure an email-based authenticator.</source>
+  <target>用来配置基于电子邮件的身份验证器的阶段。</target>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
   <source>Use global connection settings</source>
+  <target>使用全局连接设置</target>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
   <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+  <target>启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。</target>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
   <source>Subject of the verification email.</source>
+  <target>验证邮件的主题。</target>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
   <source>Token expiration</source>
+  <target>令牌过期时间</target>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
   <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+  <target>发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。</target>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
   <source>Email-based Authenticators</source>
+  <target>基于电子邮件的身份验证器</target>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
   <source>Caps Lock is enabled.</source>
+  <target>大写锁定已启用。</target>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
   <source>Configure your email</source>
+  <target>配置您的电子邮件</target>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
   <source>Please enter your email address.</source>
+  <target>请输入您的电子邮件地址。</target>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
   <source>Please enter the code you received via email</source>
+  <target>请输入您通过电子邮件收到的代码</target>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
   <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+  <target>一份代码已通过电子邮件地址 <x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/> 发送给您</target>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
   <source>Tokens sent via email.</source>
+  <target>通过电子邮件发送的令牌。</target>
 </trans-unit>
     </body>
   </file>
-</xliff>
+</xliff>

web/xliff/zh_CN.xlf

@@ -9047,8 +9047,8 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>此选项配置流程执行器页面上的页脚链接。URL 限为 Web 和电子邮件地址。如果名称留空，则显示 URL 自身。</target>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
   <source>Strict</source>
@@ -9483,6 +9483,126 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s47b7ce63a543564c">
   <source>Fewer details</source>
   <target>显示更少</target>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+  <target>创建一个应用程序并为它配置提供程序。</target>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+  <target>此表单只会创建应用程序。要设置此应用程序的身份验证，您需要手动为它配对一个提供程序。</target>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+  <target>距离设置</target>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+  <target>检查历史登录距离</target>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+  <target>启用此选项时，策略请求的 GeoIP 数据会用来与指定数量的历史登录比较。</target>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+  <target>最大距离</target>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+  <target>允许登录请求的最大距离，单位为千米。</target>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+  <target>距离误差</target>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+  <target>检查距离时允许的误差，单位为千米。</target>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+  <target>历史登录次数</target>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+  <target>检查指定次数的历史登录事件。</target>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+  <target>检查不可能的行程</target>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+  <target>启用此选项时，策略请求的 GeoIP 数据会用来与指定数量的历史登录比较，以及自上次活动以来移动的距离是否可能在该时段内完成。</target>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+  <target>不可能行程的误差</target>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+  <target>静态规则设置</target>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+  <target>以提供程序创建</target>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+  <target>用于发送验证邮件的电子邮件地址。</target>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+  <target>用来配置基于电子邮件的身份验证器的阶段。</target>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+  <target>使用全局连接设置</target>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+  <target>启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。</target>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+  <target>验证邮件的主题。</target>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+  <target>令牌过期时间</target>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+  <target>发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。</target>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+  <target>基于电子邮件的身份验证器</target>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+  <target>大写锁定已启用。</target>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+  <target>配置您的电子邮件</target>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+  <target>请输入您的电子邮件地址。</target>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+  <target>请输入您通过电子邮件收到的代码</target>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+  <target>一份代码已通过电子邮件地址 <x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/> 发送给您</target>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
+  <target>通过电子邮件发送的令牌。</target>
 </trans-unit>
     </body>
   </file>

website/docs/add-secure-apps/providers/rac/index.md

@@ -1,6 +1,5 @@
 ---
 title: Remote Access Control (RAC) Provider
-authentik_enterprise: true
 ---
 
 :::info

website/docs/add-secure-apps/providers/ssf/create-ssf-provider.md

@@ -1,5 +1,8 @@
 ---
 title: Configure an SSF provider
+authentik_version: "2025.2.0"
+authentik_enterprise: true
+authentik_preview: true
 ---
 
 The workflow to implement an SSF provider as a [backchannel provider](../../applications/manage_apps#backchannel-providers) for an application/provider pair is as follows:

website/docs/add-secure-apps/providers/ssf/index.md

@@ -1,12 +1,11 @@
 ---
 title: Shared Signals Framework (SSF) Provider
 sidebar_label: SSF Provider
+authentik_version: "2025.2.0"
+authentik_enterprise: true
+authentik_preview: true
 ---
 
-<span class="badge badge--preview">Preview</span>
-<span class="badge badge--version">authentik 2025.2+</span>
-&nbsp;
-
 Shared Signals Framework (SSF) is a common standard for sharing asynchronous real-time security signals and events across multiple applications and an identity provider. The framework is a collection of standards and communication processes, documented in a [specification](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html). SSF leverages the APIs of the application and the IdP, using privacy-protected, secure webhooks.
 
 ## About Shared Signals Framework

website/docs/releases/2025/v2025.2.md

@@ -161,6 +161,13 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.2
 - web/components: ak-number-input: add support for min (#12703)
 - web/flows: fix `login` / `log in` inconsistency (#12526)
 
+## Fixed in 2025.2.1
+
+- core: add pre-hydrated relative URL (cherry-pick #13243) (#13246)
+- stages/authenticator_email: Email Authenticator Stage Documentation (cherry-pick #12853) (#13218)
+- stages/authenticator_email: fix session cleanup test b (cherry-pick #13264) (#13276)
+- stages/email: Fix email stage serialization (cherry-pick #13256) (#13273)
+
 ## API Changes
 
 #### What's New

website/integrations/services/netbox/index.md

@@ -44,10 +44,10 @@ REMOTE_AUTH_ENABLED='true'
 REMOTE_AUTH_BACKEND='social_core.backends.open_id_connect.OpenIdConnectAuth'
 
 # python-social-auth config
-SOCIAL_AUTH_OIDC_ENDPOINT='https://authentik.company/application/o/<Application slug>/'
+SOCIAL_AUTH_OIDC_OIDC_ENDPOINT='https://authentik.company/application/o/<Application slug>/'
 SOCIAL_AUTH_OIDC_KEY='<Client ID>'
 SOCIAL_AUTH_OIDC_SECRET='<Client Secret>'
-SOCIAL_AUTH_OIDC_SCOPE = ["openid", "profile", "email", "roles"]
+SOCIAL_AUTH_OIDC_SCOPE=openid profile email roles
 LOGOUT_REDIRECT_URL='https://authentik.company/application/o/<Application slug>/end-session/'
 ```
 
@@ -61,10 +61,10 @@ from os import environ
 #############
 
 # python-social-auth configuration
-SOCIAL_AUTH_OIDC_ENDPOINT = environ.get('SOCIAL_AUTH_OIDC_ENDPOINT')
+SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = environ.get('SOCIAL_AUTH_OIDC_OIDC_ENDPOINT')
 SOCIAL_AUTH_OIDC_KEY = environ.get('SOCIAL_AUTH_OIDC_KEY')
 SOCIAL_AUTH_OIDC_SECRET = environ.get('SOCIAL_AUTH_OIDC_SECRET')
-SOCIAL_AUTH_OIDC_SCOPE = ["openid", "profile", "email", "roles"]
+SOCIAL_AUTH_OIDC_SCOPE = environ.get('SOCIAL_AUTH_OIDC_SCOPE').split(' ')
 LOGOUT_REDIRECT_URL = environ.get('LOGOUT_REDIRECT_URL')
 
 

website/integrations/services/plesk/index.md

@@ -0,0 +1,85 @@
+---
+title: Integrate with Plesk
+sidebar_label: Plesk
+---
+
+# Integrate with Plesk
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## What is Plesk
+
+> Plesk is a web hosting platform with a control panel that helps manage servers, applications, and websites through a comprehensive graphical user interface. It provides tools for web professionals, IT administrators, and hosting companies to simplify the process of hosting and managing websites.
+>
+> -- https://www.plesk.com
+
+:::note
+This documentation lists only the settings that you need to change from their default values. Changes other than those mentioned in this guide can cause issues accessing your application.
+:::
+
+:::caution
+This integration works only with additional administrator accounts. It does not affect the main administrator account or customer accounts. The integration includes security measures such as strict token validation and secure OAuth implementation.
+:::
+
+## Preparation
+
+Replace these placeholders in the guide with your values:
+
+- `plesk.company`: The FQDN of your Plesk installation
+- `authentik.company`: The FQDN of your authentik installation
+
+## authentik configuration
+
+1. In the Admin interface, navigate to **Applications** > **Providers** to create an OAuth2/OpenID provider with these settings:
+
+    - **Name**: Plesk
+    - **Redirect URI**: <kbd>https://<em>plesk.company</em>/modules/oauth/public/login.php</kbd>
+    - **Signing Key**: Select any available key
+
+2. Create an application using the provider that you just created:
+    - Navigate to **Applications** > **Applications**.
+    - Create a new application and configure it to use the provider from step 1.
+    - Optionally, apply access restrictions to the application.
+    - Set the **Launch URL** to <kbd>https://<em>plesk.company</em></kbd>.
+
+## Plesk configuration
+
+1. Install the OAuth login extension:
+
+    - Log in to your Plesk installation.
+    - Navigate to **Extensions** in the left sidebar.
+    - Select **Extensions Catalog**.
+    - Search for "OAuth login".
+    - Click **Install** next to the OAuth login extension.
+
+2. Enable and configure OAuth authentication:
+
+    - After installation, select **Extensions** > **OAuth Login** in the left sidebar.
+    - Enable OAuth authentication using the toggle switch in the main configuration panel.
+
+3. In the same panel, configure these OAuth settings:
+
+    - **Client ID**: Enter the Client ID from your authentik provider
+    - **Client Secret**: Enter the Client Secret from your authentik provider
+    - **Callback Host**: Enter your Plesk FQDN (example: <kbd>https://<em>plesk.company</em></kbd>)
+    - **Authorize URL**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
+    - **Token URL**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
+    - **Userinfo URL**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
+    - **Scopes**: `openid,profile,email`
+    - **Login Button Text**: Set your preferred text (example: "Log in with authentik")
+
+    ![Plesk OAuth Login Settings](plesk-oauth-settings.png)
+
+4. Click **Save** to apply the settings.
+
+## Verify the configuration
+
+To confirm that authentik is properly configured with Plesk:
+
+1. Log out of Plesk.
+2. Look for the OAuth login button on the login page.
+3. Click the OAuth login button.
+4. Verify that you are redirected to authentik for authentication.
+5. After successful authentication, confirm that you can log in to your Plesk administrator account.
+
+![Plesk Login Page with OAuth Button](plesk-login-page.png)

website/package.json

@@ -27,8 +27,8 @@
         "@mdx-js/react": "^3.1.0",
         "clsx": "^2.1.1",
         "disqus-react": "^1.1.6",
-        "docusaurus-plugin-openapi-docs": "^4.3.5",
-        "docusaurus-theme-openapi-docs": "^4.3.5",
+        "docusaurus-plugin-openapi-docs": "4.3.4",
+        "docusaurus-theme-openapi-docs": "4.3.4",
         "postcss": "^8.5.3",
         "prism-react-renderer": "^2.4.1",
         "react": "^18.3.1",

website/sidebarsIntegrations.js

@@ -89,6 +89,7 @@ module.exports = {
                         "services/netbox/index",
                         "services/pgadmin/index",
                         "services/phpipam/index",
+                        "services/plesk/index",
                         "services/powerdns-admin/index",
                         "services/proftpd/index",
                         "services/qnap-nas/index",