Merge branch 'main' into stages/prompt/dry-run

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	authentik/stages/prompt/stage.py
#	schema.yml

.dockerignore

@@ -5,6 +5,7 @@ dist/**
 build/**
 build_docs/**
 *Dockerfile
+**/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules

.github/workflows/ci-website.yml

@@ -41,32 +41,60 @@ jobs:
       - name: test
         working-directory: website/
         run: npm test
-  build:
+  build-container:
     runs-on: ubuntu-latest
-    name: ${{ matrix.job }}
-    strategy:
-      fail-fast: false
-      matrix:
-        job:
-          - build
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        run: npm ci
-      - name: build
-        working-directory: website/
-        run: npm run ${{ matrix.job }}
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.6.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/dev-docs
+      - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Docker Image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          tags: ${{ steps.ev.outputs.imageTags }}
+          file: website/Dockerfile
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          platforms: linux/amd64,linux/arm64
+          context: .
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   ci-website-mark:
     if: always()
     needs:
       - lint
       - test
-      - build
+      - build-container
     runs-on: ubuntu-latest
     steps:
       - uses: re-actors/alls-green@release/v1

.github/workflows/release-publish.yml

@@ -20,6 +20,49 @@ jobs:
       release: true
       registry_dockerhub: true
       registry_ghcr: true
+  build-docs:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.6.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/docs
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Docker Image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          tags: ${{ steps.ev.outputs.imageTags }}
+          file: website/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          context: .
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: true
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
@@ -193,6 +236,6 @@ jobs:
           SENTRY_ORG: authentik-security-inc
           SENTRY_PROJECT: authentik
         with:
-          version: authentik@${{ steps.ev.outputs.version }}
+          release: authentik@${{ steps.ev.outputs.version }}
           sourcemaps: "./web/dist"
           url_prefix: "~/static/dist"

Dockerfile

@@ -1,26 +1,7 @@
 # syntax=docker/dockerfile:1
 
-# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS website-builder
-
-ENV NODE_ENV=production
-
-WORKDIR /work/website
-
-RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
-    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
-
-COPY ./website /work/website/
-COPY ./blueprints /work/blueprints/
-COPY ./schema.yml /work/
-COPY ./SECURITY.md /work/
-
-RUN npm run build-bundled
-
-# Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS web-builder
+# Stage 1: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -32,7 +13,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
     --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./package.json /work
@@ -43,7 +24,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build && \
     npm run build:sfe
 
-# Stage 3: Build go proxy
+# Stage 2: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 
 ARG TARGETOS
@@ -68,8 +49,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@@ -80,7 +61,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/authentik ./cmd/server
 
-# Stage 4: MaxMind GeoIP
+# Stage 3: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@@ -93,9 +74,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     mkdir -p /usr/share/GeoIP && \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.10 AS uv
-# Stage 6: Base python image
+# Stage 4: Download uv
+FROM ghcr.io/astral-sh/uv:0.7.11 AS uv
+# Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
@@ -109,7 +90,7 @@ WORKDIR /ak-root/
 
 COPY --from=uv /uv /uvx /bin/
 
-# Stage 7: Python dependencies
+# Stage 6: Python dependencies
 FROM python-base AS python-deps
 
 ARG TARGETARCH
@@ -144,7 +125,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
     --mount=type=cache,target=/root/.cache/uv \
     uv sync --frozen --no-install-project --no-dev
 
-# Stage 8: Run
+# Stage 7: Run
 FROM python-base AS final-image
 
 ARG VERSION
@@ -187,9 +168,8 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=web-builder /work/web/dist/ /web/dist/
-COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=node-builder /work/web/dist/ /web/dist/
+COPY --from=node-builder /work/web/authentik/ /web/authentik/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000

authentik/admin/api/version.py

@@ -1,6 +1,7 @@
 """authentik administration overview"""
 
 from django.core.cache import cache
+from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@@ -13,6 +14,7 @@ from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
+from authentik.tenants.utils import get_current_tenant
 
 
 class VersionSerializer(PassiveSerializer):
@@ -35,6 +37,8 @@ class VersionSerializer(PassiveSerializer):
 
     def get_version_latest(self, _) -> str:
         """Get latest version from cache"""
+        if get_current_tenant().schema_name == get_public_schema_name():
+            return __version__
         version_in_cache = cache.get(VERSION_CACHE_KEY)
         if not version_in_cache:  # pragma: no cover
             update_latest_version.delay()

authentik/admin/apps.py

@@ -14,3 +14,19 @@ class AuthentikAdminConfig(ManagedAppConfig):
     label = "authentik_admin"
     verbose_name = "authentik Admin"
     default = True
+
+    @ManagedAppConfig.reconcile_global
+    def clear_update_notifications(self):
+        """Clear update notifications on startup if the notification was for the version
+        we're running now."""
+        from packaging.version import parse
+
+        from authentik.admin.tasks import LOCAL_VERSION
+        from authentik.events.models import EventAction, Notification
+
+        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
+            if "new_version" not in notification.event.context:
+                continue
+            notification_version = notification.event.context["new_version"]
+            if LOCAL_VERSION >= parse(notification_version):
+                notification.delete()

authentik/admin/settings.py

@@ -1,6 +1,7 @@
 """authentik admin settings"""
 
 from celery.schedules import crontab
+from django_tenants.utils import get_public_schema_name
 
 from authentik.lib.utils.time import fqdn_rand
 
@@ -8,6 +9,7 @@ CELERY_BEAT_SCHEDULE = {
     "admin_latest_version": {
         "task": "authentik.admin.tasks.update_latest_version",
         "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
+        "tenant_schemas": [get_public_schema_name()],
         "options": {"queue": "authentik_scheduled"},
     }
 }

authentik/admin/tasks.py

@@ -1,7 +1,6 @@
 """authentik admin tasks"""
 
 from django.core.cache import cache
-from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
@@ -9,7 +8,7 @@ from structlog.stdlib import get_logger
 
 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction, Notification
+from authentik.events.models import Event, EventAction
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
@@ -33,20 +32,6 @@ def _set_prom_info():
     )
 
 
-@CELERY_APP.task(
-    throws=(DatabaseError, ProgrammingError, InternalError),
-)
-def clear_update_notifications():
-    """Clear update notifications on startup if the notification was for the version
-    we're running now."""
-    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
-        if "new_version" not in notification.event.context:
-            continue
-        notification_version = notification.event.context["new_version"]
-        if LOCAL_VERSION >= parse(notification_version):
-            notification.delete()
-
-
 @CELERY_APP.task(bind=True, base=SystemTask)
 @prefill_task
 def update_latest_version(self: SystemTask):

authentik/admin/tests/test_tasks.py

@@ -1,12 +1,12 @@
 """test admin tasks"""
 
+from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
 
 from authentik.admin.tasks import (
     VERSION_CACHE_KEY,
-    clear_update_notifications,
     update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@@ -72,12 +72,13 @@ class TestAdminTasks(TestCase):
 
     def test_clear_update_notifications(self):
         """Test clear of previous notification"""
+        admin_config = apps.get_app_config("authentik_admin")
         Event.objects.create(
             action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
         )
         Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
         Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        clear_update_notifications()
+        admin_config.clear_update_notifications()
         self.assertFalse(
             Event.objects.filter(
                 action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"

authentik/api/apps.py

@@ -1,12 +1,13 @@
 """authentik API AppConfig"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikAPIConfig(AppConfig):
+class AuthentikAPIConfig(ManagedAppConfig):
     """authentik API Config"""
 
     name = "authentik.api"
     label = "authentik_api"
     mountpoint = "api/"
     verbose_name = "authentik API"
+    default = True

authentik/blueprints/tests/test_managed_app_config.py

@@ -0,0 +1,14 @@
+from django.test import TestCase
+
+from authentik.blueprints.apps import ManagedAppConfig
+from authentik.enterprise.apps import EnterpriseConfig
+from authentik.lib.utils.reflection import get_apps
+
+
+class TestManagedAppConfig(TestCase):
+    def test_apps_use_managed_app_config(self):
+        for app in get_apps():
+            if app.name.startswith("authentik.enterprise"):
+                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
+            else:
+                self.assertIn(ManagedAppConfig, app.__class__.__bases__)

authentik/brands/apps.py

@@ -1,9 +1,9 @@
 """authentik brands app"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikBrandsConfig(AppConfig):
+class AuthentikBrandsConfig(ManagedAppConfig):
     """authentik Brand app"""
 
     name = "authentik.brands"
@@ -12,3 +12,4 @@ class AuthentikBrandsConfig(AppConfig):
     mountpoints = {
         "authentik.brands.urls_root": "",
     }
+    default = True

authentik/core/templates/if/admin.html

@@ -10,7 +10,7 @@
 {% endblock %}
 
 {% block body %}
-<ak-message-container></ak-message-container>
+<ak-message-container alignment="bottom"></ak-message-container>
 <ak-interface-admin>
     <ak-loading></ak-loading>
 </ak-interface-admin>

authentik/policies/dummy/apps.py

@@ -1,11 +1,12 @@
 """Authentik policy dummy app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikPolicyDummyConfig(AppConfig):
+class AuthentikPolicyDummyConfig(ManagedAppConfig):
     """Authentik policy_dummy app config"""
 
     name = "authentik.policies.dummy"
     label = "authentik_policies_dummy"
     verbose_name = "authentik Policies.Dummy"
+    default = True

authentik/policies/event_matcher/apps.py

@@ -1,11 +1,12 @@
 """authentik Event Matcher policy app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikPoliciesEventMatcherConfig(AppConfig):
+class AuthentikPoliciesEventMatcherConfig(ManagedAppConfig):
     """authentik Event Matcher policy app config"""
 
     name = "authentik.policies.event_matcher"
     label = "authentik_policies_event_matcher"
     verbose_name = "authentik Policies.Event Matcher"
+    default = True

authentik/policies/expiry/apps.py

@@ -1,11 +1,12 @@
 """Authentik policy_expiry app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikPolicyExpiryConfig(AppConfig):
+class AuthentikPolicyExpiryConfig(ManagedAppConfig):
     """Authentik policy_expiry app config"""
 
     name = "authentik.policies.expiry"
     label = "authentik_policies_expiry"
     verbose_name = "authentik Policies.Expiry"
+    default = True

authentik/policies/expression/apps.py

@@ -1,11 +1,12 @@
 """Authentik policy_expression app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikPolicyExpressionConfig(AppConfig):
+class AuthentikPolicyExpressionConfig(ManagedAppConfig):
     """Authentik policy_expression app config"""
 
     name = "authentik.policies.expression"
     label = "authentik_policies_expression"
     verbose_name = "authentik Policies.Expression"
+    default = True

authentik/policies/geoip/apps.py

@@ -1,11 +1,12 @@
 """Authentik policy geoip app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikPolicyGeoIPConfig(AppConfig):
+class AuthentikPolicyGeoIPConfig(ManagedAppConfig):
     """Authentik policy_geoip app config"""
 
     name = "authentik.policies.geoip"
     label = "authentik_policies_geoip"
     verbose_name = "authentik Policies.GeoIP"
+    default = True

authentik/policies/password/apps.py

@@ -1,11 +1,12 @@
 """authentik Password policy app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikPoliciesPasswordConfig(AppConfig):
+class AuthentikPoliciesPasswordConfig(ManagedAppConfig):
     """authentik Password policy app config"""
 
     name = "authentik.policies.password"
     label = "authentik_policies_password"
     verbose_name = "authentik Policies.Password"
+    default = True

authentik/providers/ldap/apps.py

@@ -1,11 +1,12 @@
 """authentik ldap provider app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikProviderLDAPConfig(AppConfig):
+class AuthentikProviderLDAPConfig(ManagedAppConfig):
     """authentik ldap provider app config"""
 
     name = "authentik.providers.ldap"
     label = "authentik_providers_ldap"
     verbose_name = "authentik Providers.LDAP"
+    default = True

authentik/providers/proxy/apps.py

@@ -10,3 +10,11 @@ class AuthentikProviderProxyConfig(ManagedAppConfig):
     label = "authentik_providers_proxy"
     verbose_name = "authentik Providers.Proxy"
     default = True
+
+    @ManagedAppConfig.reconcile_tenant
+    def proxy_set_defaults(self):
+        from authentik.providers.proxy.models import ProxyProvider
+
+        for provider in ProxyProvider.objects.all():
+            provider.set_oauth_defaults()
+            provider.save()

authentik/providers/proxy/tasks.py

@@ -2,25 +2,13 @@
 
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
-from django.db import DatabaseError, InternalError, ProgrammingError
 
 from authentik.outposts.consumer import OUTPOST_GROUP
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.oauth2.id_token import hash_session_key
-from authentik.providers.proxy.models import ProxyProvider
 from authentik.root.celery import CELERY_APP
 
 
-@CELERY_APP.task(
-    throws=(DatabaseError, ProgrammingError, InternalError),
-)
-def proxy_set_defaults():
-    """Ensure correct defaults are set for all providers"""
-    for provider in ProxyProvider.objects.all():
-        provider.set_oauth_defaults()
-        provider.save()
-
-
 @CELERY_APP.task()
 def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""

authentik/providers/radius/apps.py

@@ -1,11 +1,12 @@
 """authentik radius provider app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikProviderRadiusConfig(AppConfig):
+class AuthentikProviderRadiusConfig(ManagedAppConfig):
     """authentik radius provider app config"""
 
     name = "authentik.providers.radius"
     label = "authentik_providers_radius"
     verbose_name = "authentik Providers.Radius"
+    default = True

authentik/providers/saml/apps.py

@@ -1,12 +1,13 @@
 """authentik SAML IdP app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikProviderSAMLConfig(AppConfig):
+class AuthentikProviderSAMLConfig(ManagedAppConfig):
     """authentik SAML IdP app config"""
 
     name = "authentik.providers.saml"
     label = "authentik_providers_saml"
     verbose_name = "authentik Providers.SAML"
     mountpoint = "application/saml/"
+    default = True

authentik/recovery/apps.py

@@ -1,12 +1,13 @@
 """authentik Recovery app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikRecoveryConfig(AppConfig):
+class AuthentikRecoveryConfig(ManagedAppConfig):
     """authentik Recovery app config"""
 
     name = "authentik.recovery"
     label = "authentik_recovery"
     verbose_name = "authentik Recovery"
     mountpoint = "recovery/"
+    default = True

authentik/root/celery.py

@@ -98,13 +98,7 @@ def _get_startup_tasks_default_tenant() -> list[Callable]:
 
 def _get_startup_tasks_all_tenants() -> list[Callable]:
     """Get all tasks to be run on startup for all tenants"""
-    from authentik.admin.tasks import clear_update_notifications
-    from authentik.providers.proxy.tasks import proxy_set_defaults
-
-    return [
-        clear_update_notifications,
-        proxy_set_defaults,
-    ]
+    return []
 
 
 @worker_ready.connect

authentik/sources/plex/apps.py

@@ -1,11 +1,12 @@
 """authentik plex config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikSourcePlexConfig(AppConfig):
+class AuthentikSourcePlexConfig(ManagedAppConfig):
     """authentik source plex config"""
 
     name = "authentik.sources.plex"
     label = "authentik_sources_plex"
     verbose_name = "authentik Sources.Plex"
+    default = True

authentik/stages/authenticator/apps.py

@@ -1,11 +1,12 @@
 """Authenticator"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageAuthenticatorConfig(AppConfig):
+class AuthentikStageAuthenticatorConfig(ManagedAppConfig):
     """Authenticator App config"""
 
     name = "authentik.stages.authenticator"
     label = "authentik_stages_authenticator"
     verbose_name = "authentik Stages.Authenticator"
+    default = True

authentik/stages/authenticator_sms/apps.py

@@ -1,11 +1,12 @@
 """SMS"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageAuthenticatorSMSConfig(AppConfig):
+class AuthentikStageAuthenticatorSMSConfig(ManagedAppConfig):
     """SMS App config"""
 
     name = "authentik.stages.authenticator_sms"
     label = "authentik_stages_authenticator_sms"
     verbose_name = "authentik Stages.Authenticator.SMS"
+    default = True

authentik/stages/authenticator_totp/apps.py

@@ -1,11 +1,12 @@
 """TOTP"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageAuthenticatorTOTPConfig(AppConfig):
+class AuthentikStageAuthenticatorTOTPConfig(ManagedAppConfig):
     """TOTP App config"""
 
     name = "authentik.stages.authenticator_totp"
     label = "authentik_stages_authenticator_totp"
     verbose_name = "authentik Stages.Authenticator.TOTP"
+    default = True

authentik/stages/authenticator_validate/apps.py

@@ -1,11 +1,12 @@
 """Authenticator Validation Stage"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageAuthenticatorValidateConfig(AppConfig):
+class AuthentikStageAuthenticatorValidateConfig(ManagedAppConfig):
     """Authenticator Validation Stage"""
 
     name = "authentik.stages.authenticator_validate"
     label = "authentik_stages_authenticator_validate"
     verbose_name = "authentik Stages.Authenticator.Validate"
+    default = True

authentik/stages/captcha/apps.py

@@ -1,11 +1,12 @@
 """authentik captcha app"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageCaptchaConfig(AppConfig):
+class AuthentikStageCaptchaConfig(ManagedAppConfig):
     """authentik captcha app"""
 
     name = "authentik.stages.captcha"
     label = "authentik_stages_captcha"
     verbose_name = "authentik Stages.Captcha"
+    default = True

authentik/stages/consent/apps.py

@@ -1,11 +1,12 @@
 """authentik consent app"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageConsentConfig(AppConfig):
+class AuthentikStageConsentConfig(ManagedAppConfig):
     """authentik consent app"""
 
     name = "authentik.stages.consent"
     label = "authentik_stages_consent"
     verbose_name = "authentik Stages.Consent"
+    default = True

authentik/stages/deny/apps.py

@@ -1,11 +1,12 @@
 """authentik deny stage app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageDenyConfig(AppConfig):
+class AuthentikStageDenyConfig(ManagedAppConfig):
     """authentik deny stage config"""
 
     name = "authentik.stages.deny"
     label = "authentik_stages_deny"
     verbose_name = "authentik Stages.Deny"
+    default = True

authentik/stages/dummy/apps.py

@@ -1,11 +1,12 @@
 """authentik dummy stage config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageDummyConfig(AppConfig):
+class AuthentikStageDummyConfig(ManagedAppConfig):
     """authentik dummy stage config"""
 
     name = "authentik.stages.dummy"
     label = "authentik_stages_dummy"
     verbose_name = "authentik Stages.Dummy"
+    default = True

authentik/stages/identification/apps.py

@@ -1,11 +1,12 @@
 """authentik identification stage app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageIdentificationConfig(AppConfig):
+class AuthentikStageIdentificationConfig(ManagedAppConfig):
     """authentik identification stage config"""
 
     name = "authentik.stages.identification"
     label = "authentik_stages_identification"
     verbose_name = "authentik Stages.Identification"
+    default = True

authentik/stages/invitation/apps.py

@@ -1,11 +1,12 @@
 """authentik invitation stage app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageInvitationConfig(AppConfig):
+class AuthentikStageInvitationConfig(ManagedAppConfig):
     """authentik invitation stage config"""
 
     name = "authentik.stages.invitation"
     label = "authentik_stages_invitation"
     verbose_name = "authentik Stages.Invitation"
+    default = True

authentik/stages/password/apps.py

@@ -1,11 +1,12 @@
 """authentik core app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStagePasswordConfig(AppConfig):
+class AuthentikStagePasswordConfig(ManagedAppConfig):
     """authentik password stage config"""
 
     name = "authentik.stages.password"
     label = "authentik_stages_password"
     verbose_name = "authentik Stages.Password"
+    default = True

authentik/stages/prompt/apps.py

@@ -1,11 +1,12 @@
 """authentik prompt stage app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStagePromptConfig(AppConfig):
+class AuthentikStagePromptConfig(ManagedAppConfig):
     """authentik prompt stage config"""
 
     name = "authentik.stages.prompt"
     label = "authentik_stages_prompt"
     verbose_name = "authentik Stages.Prompt"
+    default = True

authentik/stages/prompt/stage.py

@@ -22,11 +22,12 @@ from rest_framework.serializers import ValidationError
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User
-from authentik.flows.challenge import Challenge, ChallengeResponse
+from authentik.flows.challenge import Challenge, ChallengeResponse, HttpChallengeResponse
 from authentik.flows.planner import FlowPlan
 from authentik.flows.stage import ChallengeStageView
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.models import PolicyBinding, PolicyBindingModel, PolicyEngineMode
+from authentik.policies.types import PolicyResult
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.prompt.signals import password_validate
 
@@ -36,7 +37,7 @@ PLAN_CONTEXT_PROMPT = "prompt_data"
 class StagePromptSerializer(PassiveSerializer):
     """Serializer for a single Prompt field"""
 
-    field_key = CharField()
+    field_key = CharField(required=True)
     label = CharField(allow_blank=True)
     type = ChoiceField(choices=FieldTypes.choices)
     required = BooleanField()
@@ -47,21 +48,39 @@ class StagePromptSerializer(PassiveSerializer):
     choices = ListField(child=CharField(allow_blank=True), allow_empty=True, allow_null=True)
 
 
+class PromptChallengeMeta(PassiveSerializer):
+    """Additional context sent with the initial challenge, which might contain
+    info when doing dry-runs or other validation fails"""
+
+    field_key = CharField(required=True)
+
+
 class PromptChallenge(Challenge):
     """Initial challenge being sent, define fields"""
 
     fields = StagePromptSerializer(many=True)
+    meta = PromptChallengeMeta(many=True)
     component = CharField(default="ak-stage-prompt")
 
 
+class PromptChallengeResponseMeta(PassiveSerializer):
+    """Additional context sent back by the flow executor when submitting
+    the prompt stage"""
+
+    dry_run = BooleanField(required=True)
+
+
 class PromptChallengeResponse(ChallengeResponse):
     """Validate response, fields are dynamically created based
     on the stage"""
 
     stage_instance: PromptStage
+    validation_result: PolicyResult
 
     component = CharField(default="ak-stage-prompt")
 
+    meta = PromptChallengeResponseMeta()
+
     def __init__(self, *args, **kwargs):
         stage: PromptStage = kwargs.pop("stage_instance", None)
         plan: FlowPlan = kwargs.pop("plan", None)
@@ -145,11 +164,12 @@ class PromptChallengeResponse(ChallengeResponse):
         engine.request.context[PLAN_CONTEXT_PROMPT] = attrs
         engine.use_cache = False
         engine.build()
-        result = engine.result
-        if not result.passing:
-            raise ValidationError(list(result.messages))
+
+        self.validation_result = engine.result
+        if not self.validation_result.passing:
+            raise ValidationError(list(self.validation_result.messages))
         else:
-            for msg in result.messages:
+            for msg in self.validation_result.messages:
                 add_message(self.request, INFO, msg)
         return attrs
 
@@ -250,8 +270,17 @@ class PromptStageView(ChallengeStageView):
             user=self.get_pending_user(),
         )
 
-    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
-        if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
-            self.executor.plan.context[PLAN_CONTEXT_PROMPT] = {}
+    def challenge_dry_run(self, response: PromptChallengeResponse, result: PolicyResult) -> HttpResponse:
+        challenge = self.get_challenge()
+        # TODO update challenge.meta
+        return HttpChallengeResponse(challenge)
+
+    def challenge_valid(self, response: PromptChallengeResponse) -> HttpResponse:
+        if response.validated_data["meta"]["dry_run"]:
+            # If we get to this point, the serializer must have a .validation_result attribute
+            # as if any other validation fails, it would've raised a validation error
+            # which is handled in the challenge stage base class
+            return self.challenge_dry_run(response, response.validation_result)
+        self.executor.plan.context.setdefault(PLAN_CONTEXT_PROMPT, {})
         self.executor.plan.context[PLAN_CONTEXT_PROMPT].update(response.validated_data)
         return self.executor.stage_ok()

authentik/stages/redirect/apps.py

@@ -1,11 +1,12 @@
 """authentik redirect app"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageRedirectConfig(AppConfig):
+class AuthentikStageRedirectConfig(ManagedAppConfig):
     """authentik redirect app"""
 
     name = "authentik.stages.redirect"
     label = "authentik_stages_redirect"
     verbose_name = "authentik Stages.Redirect"
+    default = True

authentik/stages/user_delete/apps.py

@@ -1,11 +1,12 @@
 """authentik delete stage app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageUserDeleteConfig(AppConfig):
+class AuthentikStageUserDeleteConfig(ManagedAppConfig):
     """authentik delete stage config"""
 
     name = "authentik.stages.user_delete"
     label = "authentik_stages_user_delete"
     verbose_name = "authentik Stages.User Delete"
+    default = True

authentik/stages/user_login/apps.py

@@ -1,11 +1,12 @@
 """authentik login stage app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageUserLoginConfig(AppConfig):
+class AuthentikStageUserLoginConfig(ManagedAppConfig):
     """authentik login stage config"""
 
     name = "authentik.stages.user_login"
     label = "authentik_stages_user_login"
     verbose_name = "authentik Stages.User Login"
+    default = True

authentik/stages/user_logout/apps.py

@@ -1,11 +1,12 @@
 """authentik logout stage app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageUserLogoutConfig(AppConfig):
+class AuthentikStageUserLogoutConfig(ManagedAppConfig):
     """authentik logout stage config"""
 
     name = "authentik.stages.user_logout"
     label = "authentik_stages_user_logout"
     verbose_name = "authentik Stages.User Logout"
+    default = True

authentik/stages/user_write/apps.py

@@ -1,11 +1,12 @@
 """authentik write stage app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikStageUserWriteConfig(AppConfig):
+class AuthentikStageUserWriteConfig(ManagedAppConfig):
     """authentik write stage config"""
 
     name = "authentik.stages.user_write"
     label = "authentik_stages_user_write"
     verbose_name = "authentik Stages.User Write"
+    default = True

cmd/ldap/main.go

@@ -2,17 +2,13 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
-	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/entrypoint"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/ldap"
 )
@@ -25,65 +21,15 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:    helpMessage,
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
-		akURL := config.Get().AuthentikHost
-		if akURL == "" {
-			fmt.Println("env AUTHENTIK_HOST not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-		akToken := config.Get().AuthentikToken
-		if akToken == "" {
-			fmt.Println("env AUTHENTIK_TOKEN not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		akURLActual, err := url.Parse(akURL)
+	Long:             helpMessage,
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := entrypoint.OutpostMain("authentik.outpost.ldap", ldap.NewServer)
 		if err != nil {
-			fmt.Println(err)
 			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		ex := common.Init()
-		defer common.Defer()
-		go func() {
-			for {
-				<-ex
-				os.Exit(0)
-			}
-		}()
-
-		ac := ak.NewAPIController(*akURLActual, akToken)
-		if ac == nil {
-			os.Exit(1)
-		}
-		defer ac.Shutdown()
-
-		ac.Server = ldap.NewServer(ac)
-
-		err = ac.Start()
-		if err != nil {
-			log.WithError(err).Panic("Failed to run server")
-		}
-
-		for {
-			<-ex
 		}
+		return err
 	},
 }
 

cmd/proxy/main.go

@@ -2,17 +2,13 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
-	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/entrypoint"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/proxyv2"
 )
@@ -28,65 +24,15 @@ Optionally, you can set these:
 - AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
 
 var rootCmd = &cobra.Command{
-	Long:    helpMessage,
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
-		akURL := config.Get().AuthentikHost
-		if akURL == "" {
-			fmt.Println("env AUTHENTIK_HOST not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-		akToken := config.Get().AuthentikToken
-		if akToken == "" {
-			fmt.Println("env AUTHENTIK_TOKEN not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		akURLActual, err := url.Parse(akURL)
+	Long:             helpMessage,
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := entrypoint.OutpostMain("authentik.outpost.proxy", proxyv2.NewProxyServer)
 		if err != nil {
-			fmt.Println(err)
 			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		ex := common.Init()
-		defer common.Defer()
-		go func() {
-			for {
-				<-ex
-				os.Exit(0)
-			}
-		}()
-
-		ac := ak.NewAPIController(*akURLActual, akToken)
-		if ac == nil {
-			os.Exit(1)
-		}
-		defer ac.Shutdown()
-
-		ac.Server = proxyv2.NewProxyServer(ac)
-
-		err = ac.Start()
-		if err != nil {
-			log.WithError(err).Panic("Failed to run server")
-		}
-
-		for {
-			<-ex
 		}
+		return err
 	},
 }
 

cmd/rac/main.go

@@ -2,16 +2,13 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/entrypoint"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/rac"
 )
@@ -24,65 +21,15 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:    helpMessage,
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
-		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
-		if !found {
-			fmt.Println("env AUTHENTIK_HOST not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
-		if !found {
-			fmt.Println("env AUTHENTIK_TOKEN not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		akURLActual, err := url.Parse(akURL)
+	Long:             helpMessage,
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := entrypoint.OutpostMain("authentik.outpost.rac", rac.NewServer)
 		if err != nil {
-			fmt.Println(err)
 			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		ex := common.Init()
-		defer common.Defer()
-		go func() {
-			for {
-				<-ex
-				os.Exit(0)
-			}
-		}()
-
-		ac := ak.NewAPIController(*akURLActual, akToken)
-		if ac == nil {
-			os.Exit(1)
-		}
-		defer ac.Shutdown()
-
-		ac.Server = rac.NewServer(ac)
-
-		err = ac.Start()
-		if err != nil {
-			log.WithError(err).Panic("Failed to run server")
-		}
-
-		for {
-			<-ex
 		}
+		return err
 	},
 }
 

cmd/radius/main.go

@@ -2,16 +2,13 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/entrypoint"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/radius"
 )
@@ -24,65 +21,15 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:    helpMessage,
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
-		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
-		if !found {
-			fmt.Println("env AUTHENTIK_HOST not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
-		if !found {
-			fmt.Println("env AUTHENTIK_TOKEN not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		akURLActual, err := url.Parse(akURL)
+	Long:             helpMessage,
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := entrypoint.OutpostMain("authentik.outpost.radius", radius.NewServer)
 		if err != nil {
-			fmt.Println(err)
 			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		ex := common.Init()
-		defer common.Defer()
-		go func() {
-			for {
-				<-ex
-				os.Exit(0)
-			}
-		}()
-
-		ac := ak.NewAPIController(*akURLActual, akToken)
-		if ac == nil {
-			os.Exit(1)
-		}
-		defer ac.Shutdown()
-
-		ac.Server = radius.NewServer(ac)
-
-		err = ac.Start()
-		if err != nil {
-			log.WithError(err).Panic("Failed to run server")
-		}
-
-		for {
-			<-ex
 		}
+		return err
 	},
 }
 

cmd/server/server.go

@@ -22,21 +22,12 @@ import (
 )
 
 var rootCmd = &cobra.Command{
-	Use:     "authentik",
-	Short:   "Start authentik instance",
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
+	Use:              "authentik",
+	Short:            "Start authentik instance",
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
 	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
+		debug.EnableDebugServer("authentik.core")
 		l := log.WithField("logger", "authentik.root")
 
 		if config.Get().ErrorReporting.Enabled {
@@ -99,7 +90,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 		})
 
 		srv := proxyv2.NewProxyServer(ac)
-		ws.ProxyServer = srv
+		ws.ProxyServer = srv.(*proxyv2.ProxyServer)
 		ac.Server = srv
 		l.Debug("attempting to start outpost")
 		err := ac.StartBackgroundTasks()

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
+	github.com/grafana/pyroscope-go v1.2.2
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
@@ -27,7 +28,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025041.4
+	goauthentik.io/api/v3 v3.2025060.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.14.0
@@ -58,8 +59,10 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/grafana/pyroscope-go/godeltaprof v0.1.8 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect

go.sum

@@ -178,6 +178,10 @@ github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2e
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grafana/pyroscope-go v1.2.2 h1:uvKCyZMD724RkaCEMrSTC38Yn7AnFe8S2wiAIYdDPCE=
+github.com/grafana/pyroscope-go v1.2.2/go.mod h1:zzT9QXQAp2Iz2ZdS216UiV8y9uXJYQiGE1q8v1FyhqU=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.8 h1:iwOtYXeeVSAeYefJNaxDytgjKtUuKQbJqgAIjlnicKg=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.8/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -262,6 +266,8 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -290,8 +296,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025041.4 h1:cGqzWYnUHrWDoaXWDpIL/kWnX9sFrIhkYDye0P0OEAo=
-goauthentik.io/api/v3 v3.2025041.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025060.1 h1:H/TDuroJlQicuxrWEnLcO3lzQaHuR28xrUb1L2362Vo=
+goauthentik.io/api/v3 v3.2025060.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/common/prerun.go

@@ -0,0 +1,17 @@
+package common
+
+import (
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func PreRun(cmd *cobra.Command, args []string) {
+	log.SetLevel(log.DebugLevel)
+	log.SetFormatter(&log.JSONFormatter{
+		FieldMap: log.FieldMap{
+			log.FieldKeyMsg:  "event",
+			log.FieldKeyTime: "timestamp",
+		},
+		DisableHTMLEscape: true,
+	})
+}

internal/debug/debug.go

@@ -5,19 +5,24 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/pprof"
+	"os"
+	"runtime"
 
 	"github.com/gorilla/mux"
+	"github.com/grafana/pyroscope-go"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/web"
 )
 
-func EnableDebugServer() {
-	l := log.WithField("logger", "authentik.go_debugger")
+var l = log.WithField("logger", "authentik.debugger.go")
+
+func EnableDebugServer(appName string) {
 	if !config.Get().Debug {
 		return
 	}
 	h := mux.NewRouter()
+	enablePyroscope(appName)
 	h.HandleFunc("/debug/pprof/", pprof.Index)
 	h.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
 	h.HandleFunc("/debug/pprof/profile", pprof.Profile)
@@ -54,3 +59,38 @@ func EnableDebugServer() {
 		}
 	}()
 }
+
+func enablePyroscope(appName string) {
+	p, pok := os.LookupEnv("AUTHENTIK_PYROSCOPE_HOST")
+	if !pok {
+		return
+	}
+	l.Debug("Enabling pyroscope")
+	runtime.SetMutexProfileFraction(5)
+	runtime.SetBlockProfileRate(5)
+	hostname, err := os.Hostname()
+	if err != nil {
+		panic(err)
+	}
+	_, err = pyroscope.Start(pyroscope.Config{
+		ApplicationName: appName,
+		ServerAddress:   p,
+		Logger:          pyroscope.StandardLogger,
+		Tags:            map[string]string{"hostname": hostname},
+		ProfileTypes: []pyroscope.ProfileType{
+			pyroscope.ProfileCPU,
+			pyroscope.ProfileAllocObjects,
+			pyroscope.ProfileAllocSpace,
+			pyroscope.ProfileInuseObjects,
+			pyroscope.ProfileInuseSpace,
+			pyroscope.ProfileGoroutines,
+			pyroscope.ProfileMutexCount,
+			pyroscope.ProfileMutexDuration,
+			pyroscope.ProfileBlockCount,
+			pyroscope.ProfileBlockDuration,
+		},
+	})
+	if err != nil {
+		panic(err)
+	}
+}

internal/outpost/ak/api.go

@@ -135,6 +135,10 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	return ac
 }
 
+func (a *APIController) Log() *log.Entry {
+	return a.logger
+}
+
 // Start Starts all handlers, non-blocking
 func (a *APIController) Start() error {
 	err := a.Server.Refresh()

internal/outpost/ak/entrypoint/entrypoint.go

@@ -0,0 +1,51 @@
+package entrypoint
+
+import (
+	"errors"
+	"net/url"
+	"os"
+
+	"goauthentik.io/internal/common"
+	"goauthentik.io/internal/config"
+	"goauthentik.io/internal/debug"
+	"goauthentik.io/internal/outpost/ak"
+)
+
+func OutpostMain(appName string, server func(ac *ak.APIController) ak.Outpost) error {
+	debug.EnableDebugServer(appName)
+	akURL := config.Get().AuthentikHost
+	if akURL == "" {
+		return errors.New("environment variable `AUTHENTIK_HOST` not set")
+	}
+	akToken := config.Get().AuthentikToken
+	if akToken == "" {
+		return errors.New("environment variable `AUTHENTIK_TOKEN` not set")
+	}
+
+	akURLActual, err := url.Parse(akURL)
+	if err != nil {
+		return err
+	}
+
+	ex := common.Init()
+	defer common.Defer()
+
+	ac := ak.NewAPIController(*akURLActual, akToken)
+	if ac == nil {
+		os.Exit(1)
+	}
+	defer ac.Shutdown()
+
+	ac.Server = server(ac)
+
+	err = ac.Start()
+	if err != nil {
+		ac.Log().WithError(err).Panic("Failed to run server")
+		return err
+	}
+
+	for {
+		<-ex
+		return nil
+	}
+}

internal/outpost/ak/global.go

@@ -48,20 +48,20 @@ func doGlobalSetup(outpost api.Outpost, globalConfig *api.Config) {
 	if globalConfig.ErrorReporting.Enabled {
 		if !initialSetup {
 			l.WithField("env", globalConfig.ErrorReporting.Environment).Debug("Error reporting enabled")
-		}
-		err := sentry.Init(sentry.ClientOptions{
-			Dsn:           globalConfig.ErrorReporting.SentryDsn,
-			Environment:   globalConfig.ErrorReporting.Environment,
-			EnableTracing: true,
-			TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
-			Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
-			HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
-			IgnoreErrors: []string{
-				http.ErrAbortHandler.Error(),
-			},
-		})
-		if err != nil {
-			l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
+			err := sentry.Init(sentry.ClientOptions{
+				Dsn:           globalConfig.ErrorReporting.SentryDsn,
+				Environment:   globalConfig.ErrorReporting.Environment,
+				EnableTracing: true,
+				TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
+				Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
+				HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
+				IgnoreErrors: []string{
+					http.ErrAbortHandler.Error(),
+				},
+			})
+			if err != nil {
+				l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
+			}
 		}
 	}
 

internal/outpost/ldap/ldap.go

@@ -26,7 +26,7 @@ type LDAPServer struct {
 	providers   []*ProviderInstance
 }
 
-func NewServer(ac *ak.APIController) *LDAPServer {
+func NewServer(ac *ak.APIController) ak.Outpost {
 	ls := &LDAPServer{
 		log:       log.WithField("logger", "authentik.outpost.ldap"),
 		ac:        ac,

internal/outpost/proxyv2/application/claims.go

@@ -3,6 +3,7 @@ package application
 type ProxyClaims struct {
 	UserAttributes  map[string]interface{} `json:"user_attributes"`
 	BackendOverride string                 `json:"backend_override"`
+	HostHeader      string                 `json:"host_header"`
 	IsSuperuser     bool                   `json:"is_superuser"`
 }
 

internal/outpost/proxyv2/application/mode_proxy.go

@@ -74,13 +74,18 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 		r.URL.Scheme = ou.Scheme
 		r.URL.Host = ou.Host
 		claims := a.getClaimsFromSession(r)
-		if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
-			u, err := url.Parse(claims.Proxy.BackendOverride)
-			if err != nil {
-				a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
-			} else {
-				r.URL.Scheme = u.Scheme
-				r.URL.Host = u.Host
+		if claims != nil && claims.Proxy != nil {
+			if claims.Proxy.BackendOverride != "" {
+				u, err := url.Parse(claims.Proxy.BackendOverride)
+				if err != nil {
+					a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
+				} else {
+					r.URL.Scheme = u.Scheme
+					r.URL.Host = u.Host
+				}
+			}
+			if claims.Proxy.HostHeader != "" {
+				r.Host = claims.Proxy.HostHeader
 			}
 		}
 		a.log.WithField("upstream_url", r.URL.String()).Trace("final upstream url")

internal/outpost/proxyv2/proxyv2.go

@@ -35,7 +35,7 @@ type ProxyServer struct {
 	akAPI       *ak.APIController
 }
 
-func NewProxyServer(ac *ak.APIController) *ProxyServer {
+func NewProxyServer(ac *ak.APIController) ak.Outpost {
 	l := log.WithField("logger", "authentik.outpost.proxyv2")
 	defaultCert, err := crypto.GenerateSelfSignedCert()
 	if err != nil {

internal/outpost/rac/rac.go

@@ -23,7 +23,7 @@ type RACServer struct {
 	conns map[string]connection.Connection
 }
 
-func NewServer(ac *ak.APIController) *RACServer {
+func NewServer(ac *ak.APIController) ak.Outpost {
 	rs := &RACServer{
 		log:   log.WithField("logger", "authentik.outpost.rac"),
 		ac:    ac,

internal/outpost/radius/radius.go

@@ -34,7 +34,7 @@ type RadiusServer struct {
 	providers []*ProviderInstance
 }
 
-func NewServer(ac *ak.APIController) *RadiusServer {
+func NewServer(ac *ak.APIController) ak.Outpost {
 	rs := &RadiusServer{
 		log:       log.WithField("logger", "authentik.outpost.radius"),
 		ac:        ac,

internal/utils/web/http_tracing.go

@@ -2,7 +2,6 @@ package web
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 
 	"github.com/getsentry/sentry-go"
@@ -20,7 +19,7 @@ func NewTracingTransport(ctx context.Context, inner http.RoundTripper) *tracingT
 func (tt *tracingTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 	span := sentry.StartSpan(tt.ctx, "authentik.go.http_request")
 	r.Header.Set("sentry-trace", span.ToSentryTrace())
-	span.Description = fmt.Sprintf("%s %s", r.Method, r.URL.String())
+	span.Description = r.Method + " " + r.URL.String()
 	span.SetTag("url", r.URL.String())
 	span.SetTag("method", r.Method)
 	defer span.Finish()

internal/web/static.go

@@ -31,8 +31,6 @@ func (ws *WebServer) configureStatic() {
 		return h
 	}
 
-	helpHandler := http.FileServer(http.Dir("./website/help/"))
-
 	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/dist/").Handler(pathStripper(
 		distFs,
 		"static/dist/",
@@ -78,13 +76,6 @@ func (ws *WebServer) configureStatic() {
 		))
 	}
 
-	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/help/").Handler(pathStripper(
-		helpHandler,
-		config.Get().Web.Path,
-		"/if/help/",
-	))
-	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/help").Handler(http.RedirectHandler(fmt.Sprintf("%sif/help/", config.Get().Web.Path), http.StatusMovedPermanently))
-
 	staticRouter.PathPrefix(config.Get().Web.Path).Path("/robots.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header()["Content-Type"] = []string{"text/plain"}
 		rw.WriteHeader(200)

locale/fr/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-06-04 00:12+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@@ -1065,8 +1065,8 @@ msgstr "Synchronisation des groupes"
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of groups"
-msgstr "Synchronisation de la page {page} de groupes"
+msgid "Syncing page {page} of {object_type}"
+msgstr "Synchronisation de la page {page} de {object_type}"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Dropping mutating request due to dry run"
@@ -2475,6 +2475,10 @@ msgstr "Préfixe DN groupes"
 msgid "Consider Objects matching this filter to be Users."
 msgstr "Les objets appliqués à ce filtre seront des utilisateurs."
 
+#: authentik/sources/ldap/models.py
+msgid "Attribute which matches the value of `group_membership_field`."
+msgstr "Attribut qui correspond à la valeur de `group_membership_field`."
+
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr "Champ qui contient les membres d'un groupe."
@@ -3875,10 +3879,6 @@ msgstr "Étapes de connexion utilisateur"
 msgid "No Pending user to login."
 msgstr "Pas d'utilisateurs en attente à connecter."
 
-#: authentik/stages/user_login/stage.py
-msgid "Successfully logged in!"
-msgstr "Connexion réussie !"
-
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr "Étape de déconnexion utlisateur"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-06-04 00:12+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -976,16 +976,16 @@ msgstr "开始全量提供程序同步"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing users"
-msgstr ""
+msgstr "正在同步用户"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing groups"
-msgstr ""
+msgstr "正在同步组"
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of groups"
-msgstr "正在同步群组页面 {page}"
+msgid "Syncing page {page} of {object_type}"
+msgstr "正在同步 {object_type} 页面 {page}"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Dropping mutating request due to dry run"
@@ -2259,6 +2259,10 @@ msgstr "额外的组 DN"
 msgid "Consider Objects matching this filter to be Users."
 msgstr "将与此筛选器匹配的对象视为用户。"
 
+#: authentik/sources/ldap/models.py
+msgid "Attribute which matches the value of `group_membership_field`."
+msgstr "匹配 `group_membership_field` 值的属性。"
+
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr "包含组成员的字段。"
@@ -2292,7 +2296,7 @@ msgstr "基于用户属性而非组属性查询组成员身份。这允许在 Fr
 msgid ""
 "Delete authentik users and groups which were previously supplied by this "
 "source, but are now missing from it."
-msgstr ""
+msgstr "删除之前由此源提供，但现已缺失的用户和组。"
 
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@@ -2313,7 +2317,7 @@ msgstr "LDAP 源属性映射"
 #: authentik/sources/ldap/models.py
 msgid ""
 "Unique ID used while checking if this object still exists in the directory."
-msgstr ""
+msgstr "检查此对象是否仍在目录中时使用的唯一 ID。"
 
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
@@ -2695,7 +2699,7 @@ msgstr "组 SAML 源连接"
 #: authentik/sources/saml/views.py
 #, python-brace-format
 msgid "Continue to {source_name}"
-msgstr ""
+msgstr "继续前往 {source_name}"
 
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
@@ -3065,7 +3069,7 @@ msgstr "用户同意授权"
 
 #: authentik/stages/consent/stage.py
 msgid "Invalid consent token, re-showing prompt"
-msgstr ""
+msgstr "无效的同意令牌，将重新显示输入"
 
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
@@ -3085,11 +3089,11 @@ msgstr "虚拟阶段"
 
 #: authentik/stages/email/flow.py
 msgid "Continue to confirm this email address."
-msgstr ""
+msgstr "继续以确认电子邮件地址。"
 
 #: authentik/stages/email/flow.py
 msgid "Link was already used, please request a new link."
-msgstr ""
+msgstr "链接已被使用，请申请一个新链接。"
 
 #: authentik/stages/email/models.py
 msgid "Password Reset"
@@ -3560,10 +3564,6 @@ msgstr "用户登录阶段"
 msgid "No Pending user to login."
 msgstr "没有待定用户可以登录。"
 
-#: authentik/stages/user_login/stage.py
-msgid "Successfully logged in!"
-msgstr "已成功登录！"
-
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr "用户登出阶段"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-06-04 00:12+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -983,8 +983,8 @@ msgstr "正在同步组"
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of groups"
-msgstr "正在同步群组页面 {page}"
+msgid "Syncing page {page} of {object_type}"
+msgstr "正在同步 {object_type} 页面 {page}"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Dropping mutating request due to dry run"
@@ -2258,6 +2258,10 @@ msgstr "额外的组 DN"
 msgid "Consider Objects matching this filter to be Users."
 msgstr "将与此筛选器匹配的对象视为用户。"
 
+#: authentik/sources/ldap/models.py
+msgid "Attribute which matches the value of `group_membership_field`."
+msgstr "匹配 `group_membership_field` 值的属性。"
+
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr "包含组成员的字段。"
@@ -3559,10 +3563,6 @@ msgstr "用户登录阶段"
 msgid "No Pending user to login."
 msgstr "没有待定用户可以登录。"
 
-#: authentik/stages/user_login/stage.py
-msgid "Successfully logged in!"
-msgstr "已成功登录！"
-
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr "用户登出阶段"

packages/docusaurus-config/css/root.css

@@ -9,7 +9,7 @@
     --ifm-color-primary-lighter: #fd7159;
     --ifm-color-primary-lightest: #fe9786;
 
-    --ifm-hover-overlay: hsl(0deg 0% 100% / 25%);
+    --ifm-color-primary-inverse: var(--white);
 
-    --ifm-color-content: hsl(216 35% 3%);
+    --ifm-hover-overlay: hsl(0deg 0% 100% / 25%);
 }

packages/docusaurus-config/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/docusaurus-config",
-    "version": "1.1.0",
+    "version": "2.0.0",
     "description": "authentik's Docusaurus config",
     "license": "MIT",
     "scripts": {
@@ -20,12 +20,12 @@
         "prism-react-renderer": "^2.4.1"
     },
     "devDependencies": {
-        "@docusaurus/theme-common": "^3.7.0",
-        "@docusaurus/theme-search-algolia": "^3.7.0",
-        "@docusaurus/types": "^3.7.0",
-        "@goauthentik/prettier-config": "^1.0.1",
-        "@goauthentik/tsconfig": "^1.0.1",
-        "@types/react": "^19.1.5",
+        "@docusaurus/theme-common": "^3.8.0",
+        "@docusaurus/theme-search-algolia": "^3.8.0",
+        "@docusaurus/types": "^3.8.0",
+        "@goauthentik/prettier-config": "^2.0.0",
+        "@goauthentik/tsconfig": "^1.0.4",
+        "@types/react": "^19.1.6",
         "@types/react-dom": "^19.1.5",
         "prettier": "^3.5.3",
         "react": "^19.1.0",
@@ -33,14 +33,14 @@
         "typescript": "^5.8.3"
     },
     "peerDependencies": {
-        "@docusaurus/theme-common": "^3.7.0",
-        "@docusaurus/theme-search-algolia": "^3.7.0",
-        "@docusaurus/types": "^3.7.0",
+        "@docusaurus/theme-common": "^3.8.0",
+        "@docusaurus/theme-search-algolia": "^3.8.0",
+        "@docusaurus/types": "^3.8.0",
         "react": "^18.0.0 || ^19.0.0",
         "react-dom": "^18.0.0 || ^19.0.0"
     },
     "engines": {
-        "node": ">=20.11"
+        "node": ">=22"
     },
     "types": "./out/index.d.ts",
     "files": [

pyproject.toml

@@ -13,7 +13,7 @@ dependencies = [
     "dacite==1.9.2",
     "deepmerge==2.0",
     "defusedxml==0.7.1",
-    "django==5.1.9",
+    "django==5.1.10",
     "django-countries==7.6.1",
     "django-cte==1.3.3",
     "django-filter==25.1",
@@ -61,7 +61,7 @@ dependencies = [
     "setproctitle==1.3.6",
     "structlog==25.4.0",
     "swagger-spec-validator==3.0.4",
-    "tenant-schemas-celery==4.0.1",
+    "tenant-schemas-celery==3.0.0",
     "twilio==9.6.2",
     "ua-parser==1.0.1",
     "unidecode==1.4.0",

schema.yml

@@ -55884,8 +55884,33 @@ components:
           type: array
           items:
             $ref: '#/components/schemas/StagePrompt'
+        meta:
+          type: array
+          items:
+            $ref: '#/components/schemas/PromptChallengeMeta'
       required:
       - fields
+      - meta
+    PromptChallengeMeta:
+      type: object
+      description: |-
+        Additional context sent with the initial challenge, which might contain
+        info when doing dry-runs or other validation fails
+      properties:
+        field_key:
+          type: string
+      required:
+      - field_key
+    PromptChallengeResponseMetaRequest:
+      type: object
+      description: |-
+        Additional context sent back by the flow executor when submitting
+        the prompt stage
+      properties:
+        dry_run:
+          type: boolean
+      required:
+      - dry_run
     PromptChallengeResponseRequest:
       type: object
       description: |-
@@ -55896,6 +55921,10 @@ components:
           type: string
           minLength: 1
           default: ak-stage-prompt
+        meta:
+          $ref: '#/components/schemas/PromptChallengeResponseMetaRequest'
+      required:
+      - meta
       additionalProperties: {}
     PromptRequest:
       type: object

tests/e2e/proxy_forward_auth/traefik_single/config-static.yaml

@@ -1,4 +1,4 @@
-# yaml-language-server: $schema=https://json.schemastore.org/traefik-v2.json
+# yaml-language-server: $schema=https://json.schemastore.org/traefik-v3.json
 api:
   insecure: true
   debug: true

tests/e2e/test_flows_authenticators_webauthn.py

@@ -0,0 +1,97 @@
+"""test flow with WebAuthn Stage"""
+
+from selenium.webdriver.common.virtual_authenticator import (
+    Protocol,
+    Transport,
+    VirtualAuthenticatorOptions,
+)
+
+from authentik.blueprints.tests import apply_blueprint
+from authentik.stages.authenticator_webauthn.models import (
+    AuthenticatorWebAuthnStage,
+    WebAuthnDevice,
+)
+from tests.e2e.test_flows_login_sfe import login_sfe
+from tests.e2e.utils import SeleniumTestCase, retry
+
+
+class TestFlowsAuthenticatorWebAuthn(SeleniumTestCase):
+    """test flow with WebAuthn Stage"""
+
+    host = "localhost"
+
+    def register(self):
+        options = VirtualAuthenticatorOptions(
+            protocol=Protocol.CTAP2,
+            transport=Transport.INTERNAL,
+            has_resident_key=True,
+            has_user_verification=True,
+            is_user_verified=True,
+        )
+        self.driver.add_virtual_authenticator(options)
+
+        self.driver.get(self.url("authentik_core:if-flow", flow_slug="default-authentication-flow"))
+        self.login()
+
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assert_user(self.user)
+
+        self.driver.get(
+            self.url(
+                "authentik_flows:configure",
+                stage_uuid=AuthenticatorWebAuthnStage.objects.first().stage_uuid,
+            )
+        )
+
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assertTrue(WebAuthnDevice.objects.filter(user=self.user, confirmed=True).exists())
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint("default/flow-default-authenticator-webauthn-setup.yaml")
+    def test_webauthn_setup(self):
+        """Test WebAuthn setup"""
+        self.register()
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint("default/flow-default-authenticator-webauthn-setup.yaml")
+    def test_webauthn_authenticate(self):
+        """Test WebAuthn authentication"""
+        self.register()
+        self.driver.delete_all_cookies()
+
+        self.driver.get(self.url("authentik_core:if-flow", flow_slug="default-authentication-flow"))
+        self.login()
+
+        self.wait_for_url(self.if_user_url("/library"))
+
+        self.assert_user(self.user)
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint("default/flow-default-authenticator-webauthn-setup.yaml")
+    def test_webauthn_authenticate_sfe(self):
+        """Test WebAuthn authentication (SFE)"""
+        self.register()
+        self.driver.delete_all_cookies()
+
+        self.driver.get(
+            self.url(
+                "authentik_core:if-flow",
+                flow_slug="default-authentication-flow",
+                query={"sfe": True},
+            )
+        )
+        login_sfe(self.driver, self.user)
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assert_user(self.user)

tests/e2e/test_flows_login_sfe.py

@@ -4,34 +4,35 @@ from time import sleep
 
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.remote.webdriver import WebDriver
 
 from authentik.blueprints.tests import apply_blueprint
+from authentik.core.models import User
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
+def login_sfe(driver: WebDriver, user: User):
+    """Do entire login flow adjusted for SFE"""
+    flow_executor = driver.find_element(By.ID, "flow-sfe-container")
+    identification_stage = flow_executor.find_element(By.ID, "ident-form")
+
+    identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").click()
+    identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
+        user.username
+    )
+    identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
+        Keys.ENTER
+    )
+
+    password_stage = flow_executor.find_element(By.ID, "password-form")
+    password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(user.username)
+    password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
+    sleep(1)
+
+
 class TestFlowsLoginSFE(SeleniumTestCase):
     """test default login flow"""
 
-    def login(self):
-        """Do entire login flow adjusted for SFE"""
-        flow_executor = self.driver.find_element(By.ID, "flow-sfe-container")
-        identification_stage = flow_executor.find_element(By.ID, "ident-form")
-
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").click()
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
-            self.user.username
-        )
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
-            Keys.ENTER
-        )
-
-        password_stage = flow_executor.find_element(By.ID, "password-form")
-        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
-            self.user.username
-        )
-        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
-        sleep(1)
-
     @retry()
     @apply_blueprint(
         "default/flow-default-authentication-flow.yaml",
@@ -46,6 +47,6 @@ class TestFlowsLoginSFE(SeleniumTestCase):
                 query={"sfe": True},
             )
         )
-        self.login()
+        login_sfe(self.driver, self.user)
         self.wait_for_url(self.if_user_url("/library"))
         self.assert_user(self.user)

uv.lock

@@ -274,7 +274,7 @@ requires-dist = [
     { name = "dacite", specifier = "==1.9.2" },
     { name = "deepmerge", specifier = "==2.0" },
     { name = "defusedxml", specifier = "==0.7.1" },
-    { name = "django", specifier = "==5.1.9" },
+    { name = "django", specifier = "==5.1.10" },
     { name = "django-countries", specifier = "==7.6.1" },
     { name = "django-cte", specifier = "==1.3.3" },
     { name = "django-filter", specifier = "==25.1" },
@@ -322,7 +322,7 @@ requires-dist = [
     { name = "setproctitle", specifier = "==1.3.6" },
     { name = "structlog", specifier = "==25.4.0" },
     { name = "swagger-spec-validator", specifier = "==3.0.4" },
-    { name = "tenant-schemas-celery", specifier = "==4.0.1" },
+    { name = "tenant-schemas-celery", specifier = "==3.0.0" },
     { name = "twilio", specifier = "==9.6.2" },
     { name = "ua-parser", specifier = "==1.0.1" },
     { name = "unidecode", specifier = "==1.4.0" },
@@ -968,16 +968,16 @@ wheels = [
 
 [[package]]
 name = "django"
-version = "5.1.9"
+version = "5.1.10"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "asgiref" },
     { name = "sqlparse" },
     { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/10/08/2e6f05494b3fc0a3c53736846034f882b82ee6351791a7815bbb45715d79/django-5.1.9.tar.gz", hash = "sha256:565881bdd0eb67da36442e9ac788bda90275386b549070d70aee86327781a4fc", size = 10710887, upload-time = "2025-05-07T14:06:45.257Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/73/ca/1c724be89e603eb8b5587ea24c63a8c30094c8ff4d990780b5033ee15c40/django-5.1.10.tar.gz", hash = "sha256:73e5d191421d177803dbd5495d94bc7d06d156df9561f4eea9e11b4994c07137", size = 10714538, upload-time = "2025-06-04T13:53:18.805Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/e1/d1/d8b6b8250b84380d5a123e099ad3298a49407d81598faa13b43a2c6d96d7/django-5.1.9-py3-none-any.whl", hash = "sha256:2fd1d4a0a66a5ba702699eb692e75b0d828b73cc2f4e1fc4b6a854a918967411", size = 8277363, upload-time = "2025-05-07T14:06:37.426Z" },
+    { url = "https://files.pythonhosted.org/packages/9e/fc/80dc741ba0acb3241aac1213d7272c573d52d8a62ec2c69e9b3bef1547f2/django-5.1.10-py3-none-any.whl", hash = "sha256:19c9b771e9cf4de91101861aadd2daaa159bcf10698ca909c5755c88e70ccb84", size = 8277457, upload-time = "2025-06-04T13:53:07.676Z" },
 ]
 
 [[package]]
@@ -3087,14 +3087,14 @@ wheels = [
 
 [[package]]
 name = "tenant-schemas-celery"
-version = "4.0.1"
+version = "3.0.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "celery" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/19/f8/cf055bf171b5d83d6fe96f1840fba90d3d274be2b5c35cd21b873302b128/tenant_schemas_celery-4.0.1.tar.gz", hash = "sha256:8b8f055fcd82aa53274c09faf88653a935241518d93b86ab2d43a3df3b70c7f8", size = 18870, upload-time = "2025-04-22T18:23:51.061Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d0/fe/cfe19eb7cc3ad8e39d7df7b7c44414bf665b6ac6660c998eb498f89d16c6/tenant_schemas_celery-3.0.0.tar.gz", hash = "sha256:6be3ae1a5826f262f0f3dd343c6a85a34a1c59b89e04ae37de018f36562fed55", size = 15954, upload-time = "2024-05-19T11:16:41.837Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/e9/a8/fd663c461550d6fedfb24e987acc1557ae5b6615ca08fc6c70dbaaa88aa5/tenant_schemas_celery-4.0.1-py3-none-any.whl", hash = "sha256:d06a3ff6956db3a95168ce2051b7bff2765f9ce0d070e14df92f07a2b60ae0a0", size = 21364, upload-time = "2025-04-22T18:23:49.899Z" },
+    { url = "https://files.pythonhosted.org/packages/db/2c/376e1e641ad08b374c75d896468a7be2e6906ce3621fd0c9f9dc09ff1963/tenant_schemas_celery-3.0.0-py3-none-any.whl", hash = "sha256:ca0f69e78ef698eb4813468231df5a0ab6a660c08e657b65f5ac92e16887eec8", size = 18108, upload-time = "2024-05-19T11:16:39.92Z" },
 ]
 
 [[package]]

web/packages/sfe/src/index.ts

@@ -403,6 +403,9 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
     }
 
     render() {
+        if (this.challenge.deviceChallenges.length === 1) {
+            this.deviceChallenge = this.challenge.deviceChallenges[0];
+        }
         if (!this.deviceChallenge) {
             return this.renderChallengePicker();
         }
@@ -431,9 +434,7 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
                 ${
                     challenges.length > 0
                         ? "<p>Select an authentication method.</p>"
-                        : `
-                    <p>No compatible authentication method available</p>
-                    `
+                        : `<p>No compatible authentication method available</p>`
                 }
                 ${challenges
                     .map((challenge) => {

web/src/admin/AdminInterface/index.entrypoint.ts

@@ -56,18 +56,14 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
 
     protected readonly ws: WebsocketClient;
 
-    @property({
-        type: Object,
-        attribute: false,
-        reflect: false,
-    })
+    @property({ type: Object, attribute: false })
     public user?: SessionUser;
 
     @query("ak-about-modal")
     public aboutModal?: AboutModal;
 
     @property({ type: Boolean, reflect: true })
-    public sidebarOpen: boolean;
+    public sidebarOpen = false;
 
     @eventOptions({ passive: true })
     protected sidebarListener(event: CustomEvent<SidebarToggleEventDetail>) {

web/src/admin/DebugPage.ts

@@ -67,6 +67,17 @@ export class DebugPage extends AKElement {
                             >
                                 POST System
                             </button>
+                            <button
+                                class="pf-c-button pf-m-primary"
+                                @click=${() => {
+                                    showMessage({
+                                        level: MessageLevel.info,
+                                        message: `lorem ipsum ${Date.now()}`,
+                                    });
+                                }}
+                            >
+                                Message
+                            </button>
                         </div>
                     </div>
                 </div>

web/src/admin/admin-overview/AdminOverviewPage.ts

@@ -88,7 +88,6 @@ export class AdminOverviewPage extends AdminOverviewBase {
         return html`<ak-page-header
                 header=${this.user ? msg(str`Welcome, ${username || ""}.`) : msg("Welcome.")}
                 description=${msg("General system status")}
-                ?hasIcon=${false}
             >
             </ak-page-header>
             <section class="pf-c-page__main-section">

web/src/admin/admin-settings/AdminSettingsForm.ts

@@ -72,7 +72,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 name="avatars"
                 label=${msg("Avatars")}
                 value="${ifDefined(this._settings?.avatars)}"
-                inputHint="code"
+                input-hint="code"
                 .bighelp=${html`
                     <p class="pf-c-form__helper-text">
                         ${msg(
@@ -159,7 +159,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
             <ak-text-input
                 name="eventRetention"
                 label=${msg("Event retention")}
-                inputHint="code"
+                input-hint="code"
                 required
                 value="${ifDefined(this._settings?.eventRetention)}"
                 .bighelp=${html`<p class="pf-c-form__helper-text">
@@ -237,7 +237,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
             <ak-text-input
                 name="defaultTokenDuration"
                 label=${msg("Default token duration")}
-                inputHint="code"
+                input-hint="code"
                 required
                 value="${ifDefined(this._settings?.defaultTokenDuration)}"
                 .bighelp=${html`<p class="pf-c-form__helper-text">

web/src/admin/applications/ApplicationCheckAccessForm.ts

@@ -93,11 +93,7 @@ export class ApplicationCheckAccessForm extends Form<{ forUser: number }> {
     }
 
     renderForm(): TemplateResult {
-        return html`<ak-form-element-horizontal
-                label=${msg("User")}
-                ?required=${true}
-                name="forUser"
-            >
+        return html`<ak-form-element-horizontal label=${msg("User")} required name="forUser">
                 <ak-search-select
                     .fetchObjects=${async (query?: string): Promise<User[]> => {
                         const args: CoreUsersListRequest = {

web/src/admin/applications/ApplicationForm.ts

@@ -136,7 +136,7 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                 label=${msg("Slug")}
                 required
                 help=${msg("Internal application name used in URLs.")}
-                inputHint="code"
+                input-hint="code"
             ></ak-text-input>
             <ak-text-input
                 name="group"
@@ -145,7 +145,7 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                 help=${msg(
                     "Optionally enter a group name. Applications with identical groups are shown grouped together.",
                 )}
-                inputHint="code"
+                input-hint="code"
             ></ak-text-input>
             <ak-provider-search-input
                 name="provider"
@@ -186,7 +186,7 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                         help=${msg(
                             "If left empty, authentik will try to extract the launch URL based on the selected provider.",
                         )}
-                        inputHint="code"
+                        input-hint="code"
                     ></ak-text-input>
                     <ak-switch-input
                         name="openInNewTab"

web/src/admin/applications/ApplicationViewPage.ts

@@ -99,7 +99,6 @@ export class ApplicationViewPage extends AKElement {
         return html`<ak-page-header
                 header=${this.application?.name || msg("Loading")}
                 description=${ifDefined(this.application?.metaPublisher)}
-                .iconImage=${true}
             >
                 <ak-app-icon
                     size=${PFSize.Medium}

web/src/admin/applications/ProviderSelectModal.ts

@@ -20,7 +20,7 @@ export class ProviderSelectModal extends TableModal<Provider> {
     }
 
     @property({ type: Boolean })
-    backchannel?: boolean;
+    backchannel = false;
 
     @property()
     confirm!: (selectedItems: Provider[]) => Promise<unknown>;

web/src/admin/applications/components/ak-backchannel-input.ts

@@ -57,7 +57,7 @@ export class AkBackchannelProvidersInput extends AKElement {
     render() {
         const renderOneChip = (provider: Provider) =>
             html`<ak-chip
-                .removable=${true}
+                removable
                 value=${ifDefined(provider.pk)}
                 @remove=${this.remover(provider)}
                 >${provider.name}</ak-chip
@@ -66,7 +66,7 @@ export class AkBackchannelProvidersInput extends AKElement {
         return html`
             <ak-form-element-horizontal label=${this.label} name=${this.name}>
                 <div class="pf-c-input-group">
-                    <ak-provider-select-table ?backchannel=${true} .confirm=${this.confirm}>
+                    <ak-provider-select-table backchannel .confirm=${this.confirm}>
                         <button slot="trigger" class="pf-c-button pf-m-control" type="button">
                             ${this.tooltip ? this.tooltip : nothing}
                             <i class="fas fa-plus" aria-hidden="true"></i>

web/src/admin/applications/entitlements/ApplicationEntitlementForm.ts

@@ -54,7 +54,7 @@ export class ApplicationEntitlementForm extends ModelForm<ApplicationEntitlement
     }
 
     renderForm(): TemplateResult {
-        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
+        return html` <ak-form-element-horizontal label=${msg("Name")} required name="name">
                 <input
                     type="text"
                     value="${this.instance?.name ?? ""}"
@@ -62,11 +62,7 @@ export class ApplicationEntitlementForm extends ModelForm<ApplicationEntitlement
                     required
                 />
             </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                label=${msg("Attributes")}
-                ?required=${false}
-                name="attributes"
-            >
+            <ak-form-element-horizontal label=${msg("Attributes")} name="attributes">
                 <ak-codemirror
                     mode=${CodeMirrorMode.YAML}
                     value="${YAML.stringify(this.instance?.attributes ?? {})}"

web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts

@@ -128,7 +128,7 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
                     ?invalid=${errors.slug ?? this.errors.has("slug")}
                     .errorMessages=${this.errorMessages("slug")}
                     help=${msg("Internal application name used in URLs.")}
-                    inputHint="code"
+                    input-hint="code"
                 ></ak-slug-input>
                 <ak-text-input
                     name="group"
@@ -138,7 +138,7 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
                     help=${msg(
                         "Optionally enter a group name. Applications with identical groups are shown grouped together.",
                     )}
-                    inputHint="code"
+                    input-hint="code"
                 ></ak-text-input>
                 <ak-radio-input
                     label=${msg("Policy engine mode")}
@@ -161,7 +161,7 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
                             help=${msg(
                                 "If left empty, authentik will try to extract the launch URL based on the selected provider.",
                             )}
-                            inputHint="code"
+                            input-hint="code"
                         ></ak-text-input>
                         <ak-switch-input
                             name="openInNewTab"

web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-rac.ts

@@ -37,7 +37,7 @@ export class ApplicationWizardRACProviderForm extends ApplicationWizardProviderF
                 <ak-form-element-horizontal
                     name="authorizationFlow"
                     label=${msg("Authorization flow")}
-                    ?required=${true}
+                    required
                 >
                     <ak-flow-search
                         flowType=${FlowsInstancesListDesignationEnum.Authorization}
@@ -57,10 +57,10 @@ export class ApplicationWizardRACProviderForm extends ApplicationWizardProviderF
                     help=${msg(
                         "Determines how long a session lasts before being disconnected and requiring re-authorization.",
                     )}
-                    inputHint="code"
+                    input-hint="code"
                 ></ak-text-input>
 
-                <ak-form-group .expanded=${true}>
+                <ak-form-group expanded>
                     <span slot="header"> ${msg("Protocol settings")} </span>
                     <div slot="body" class="pf-c-form">
                         <ak-form-element-horizontal

web/src/admin/blueprints/BlueprintForm.ts

@@ -65,7 +65,7 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
     }
 
     renderForm(): TemplateResult {
-        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
+        return html` <ak-form-element-horizontal label=${msg("Name")} required name="name">
                 <input
                     type="text"
                     value="${ifDefined(this.instance?.name)}"
@@ -133,7 +133,7 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
                                   .selected=${(item: BlueprintFile): boolean => {
                                       return this.instance?.path === item.path;
                                   }}
-                                  ?blankable=${true}
+                                  blankable
                               >
                               </ak-search-select>
                           </ak-form-element-horizontal>`

web/src/admin/brands/BrandForm.ts

@@ -134,7 +134,7 @@ export class BrandForm extends ModelForm<Brand, string> {
                     </ak-form-element-horizontal>
                     <ak-form-element-horizontal
                         label=${msg("Default flow background")}
-                        ?required=${true}
+                        required
                         name="brandingDefaultFlowBackground"
                     >
                         <input

web/src/admin/common/ak-core-group-search.ts

@@ -95,7 +95,7 @@ export class CoreGroupSearch extends CustomListenerElement(AKElement) {
                 .value=${renderValue}
                 .selected=${this.selected}
                 @ak-change=${this.handleSearchUpdate}
-                ?blankable=${true}
+                blankable
             >
             </ak-search-select>
         `;

web/src/admin/common/ak-crypto-certificate-search.ts

@@ -120,7 +120,7 @@ export class AkCryptoCertificateSearch extends CustomListenerElement(AKElement)
                 .value=${renderValue}
                 .selected=${this.selected}
                 @ak-change=${this.handleSearchUpdate}
-                ?blankable=${true}
+                blankable
             >
             </ak-search-select>
         `;

web/src/admin/common/ak-flow-search/ak-flow-search.stories.ts

@@ -110,7 +110,7 @@ export const Default = () =>
     container(
         html` <ak-form-element-horizontal
             label=${msg("Authorization flow")}
-            ?required=${true}
+            required
             name="authorizationFlow"
         >
             <ak-flow-search
@@ -124,7 +124,7 @@ export const WithInitialValue = () =>
     container(
         html` <ak-form-element-horizontal
             label=${msg("Authorization flow")}
-            ?required=${true}
+            required
             name="authorizationFlow"
         >
             <ak-flow-search

web/src/admin/crypto/CertificateGenerateForm.ts

@@ -29,7 +29,7 @@ export class CertificateKeyPairForm extends Form<CertificateGenerationRequest> {
         return html`<ak-form-element-horizontal
                 label=${msg("Common Name")}
                 name="commonName"
-                ?required=${true}
+                required
             >
                 <input type="text" class="pf-c-form-control" required />
             </ak-form-element-horizontal>
@@ -39,18 +39,10 @@ export class CertificateKeyPairForm extends Form<CertificateGenerationRequest> {
                     ${msg("Optional, comma-separated SubjectAlt Names.")}
                 </p>
             </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                label=${msg("Validity days")}
-                name="validityDays"
-                ?required=${true}
-            >
+            <ak-form-element-horizontal label=${msg("Validity days")} name="validityDays" required>
                 <input class="pf-c-form-control" type="number" value="365" />
             </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                label=${msg("Private key Algorithm")}
-                ?required=${true}
-                name="alg"
-            >
+            <ak-form-element-horizontal label=${msg("Private key Algorithm")} required name="alg">
                 <ak-radio
                     .options=${[
                         {

web/src/admin/crypto/CertificateKeyPairForm.ts

@@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@@ -37,7 +38,7 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
     }
 
     renderForm(): TemplateResult {
-        return html` <ak-form-element-horizontal label=${msg("Name")} name="name" ?required=${true}>
+        return html` <ak-form-element-horizontal label=${msg("Name")} name="name" required>
                 <input
                     type="text"
                     value="${ifDefined(this.instance?.name)}"
@@ -45,37 +46,24 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
                     required
                 />
             </ak-form-element-horizontal>
-            <ak-form-element-horizontal
+            <ak-private-textarea-input
                 label=${msg("Certificate")}
                 name="certificateData"
-                ?writeOnly=${this.instance !== undefined}
-                ?required=${true}
-            >
-                <textarea
-                    autocomplete="off"
-                    spellcheck="false"
-                    class="pf-c-form-control pf-m-monospace"
-                    placeholder="-----BEGIN CERTIFICATE-----"
-                    required
-                ></textarea>
-                <p class="pf-c-form__helper-text">${msg("PEM-encoded Certificate data.")}</p>
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                name="keyData"
-                ?writeOnly=${this.instance !== undefined}
+                input-hint="code"
+                placeholder="-----BEGIN CERTIFICATE-----"
+                required
+                ?revealed=${this.instance === undefined}
+                help=${msg("PEM-encoded Certificate data.")}
+            ></ak-private-textarea-input>
+            <ak-private-textarea-input
                 label=${msg("Private Key")}
-            >
-                <textarea
-                    autocomplete="off"
-                    class="pf-c-form-control pf-m-monospace"
-                    spellcheck="false"
-                ></textarea>
-                <p class="pf-c-form__helper-text">
-                    ${msg(
-                        "Optional Private Key. If this is set, you can use this keypair for encryption.",
-                    )}
-                </p>
-            </ak-form-element-horizontal>`;
+                name="keyData"
+                input-hint="code"
+                ?revealed=${this.instance === undefined}
+                help=${msg(
+                    "Optional Private Key. If this is set, you can use this keypair for encryption.",
+                )}
+            ></ak-private-textarea-input>`;
     }
 }