diff --git a/Makefile b/Makefile
index 47eed18b7..dbe0462f4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,20 +1,15 @@
 all: lint-fix lint coverage gen
 
-test-full:
-	coverage run manage.py test --failfast -v 3 .
-	coverage html
-	coverage report
-
 test-integration:
 	k3d cluster create || exit 0
 	k3d kubeconfig write -o ~/.kube/config --overwrite
-	coverage run manage.py test --failfast -v 3 tests/integration
+	coverage run manage.py test -v 3 tests/integration
 
 test-e2e:
-	coverage run manage.py test --failfast -v 3 tests/e2e
+	coverage run manage.py test -v 3 tests/e2e
 
 coverage:
-	coverage run manage.py test --failfast -v 3 authentik
+	coverage run manage.py test -v 3 authentik
 	coverage html
 	coverage report
 
diff --git a/Pipfile b/Pipfile
index 7dcb084a0..e322c1d71 100644
--- a/Pipfile
+++ b/Pipfile
@@ -6,6 +6,9 @@ verify_ssl = true
 [packages]
 boto3 = "*"
 celery = "*"
+channels = "*"
+channels-redis = "*"
+dacite = "*"
 defusedxml = "*"
 django = "*"
 django-cors-middleware = "*"
@@ -15,37 +18,32 @@ django-guardian = "*"
 django-model-utils = "*"
 django-otp = "*"
 django-prometheus = "*"
-django-recaptcha = "*"
 django-redis = "*"
-djangorestframework = "*"
 django-storages = "*"
+djangorestframework = "*"
 djangorestframework-guardian = "*"
+docker = "*"
 drf_yasg2 = "*"
 facebook-sdk = "*"
+geoip2 = "*"
+gunicorn = "*"
+kubernetes = "*"
 ldap3 = "*"
 lxml = "*"
 packaging = "*"
 psycopg2-binary = "*"
 pycryptodome = "*"
 pyjwkest = "*"
-uvicorn = {extras = ["standard"],version = "*"}
-gunicorn = "*"
 pyyaml = "*"
-qrcode = "*"
 requests-oauthlib = "*"
 sentry-sdk = "*"
 service_identity = "*"
 structlog = "*"
 swagger-spec-validator = "*"
 urllib3 = {extras = ["secure"],version = "*"}
-dacite = "*"
-channels = "*"
-channels-redis = "*"
-kubernetes = "*"
-docker = "*"
-xmlsec = "*"
-geoip2 = "*"
+uvicorn = {extras = ["standard"],version = "*"}
 webauthn = "*"
+xmlsec = "*"
 
 [requires]
 python_version = "3.9"
@@ -57,8 +55,7 @@ black = "==20.8b1"
 bumpversion = "*"
 colorama = "*"
 coverage = "*"
-django-debug-toolbar = "*"
-pylint = "*"
+pylint = "<=2.6.0"
 pylint-django = "*"
 selenium = "*"
 prospector = "*"
diff --git a/Pipfile.lock b/Pipfile.lock
index edc7f3208..1b2df6e8c 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "933685b75680e3a06d2f523239d848b14d1507d385de42401863f4fb6345366c"
+            "sha256": "88f986d5c35e42ee1890acc2510b99507d268f8d6b0d3ab5abe8d37c53706379"
         },
         "pipfile-spec": 6,
         "requires": {
@@ -56,6 +56,7 @@
                 "sha256:fbd3b5e18d34683decc00d9a360179ac1e7a320a5fee10ab8053ffd6deab76e0",
                 "sha256:feb24ff1226beeb056e247cf2e24bba5232519efb5645121c4aea5b6ad74c1f2"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==3.7.4"
         },
         "aioredis": {
@@ -70,6 +71,7 @@
                 "sha256:1e759a7f202d910939de6eca45c23a107f6b71111f41d1282c648e9ac3d21901",
                 "sha256:affdd263d8b8eb3c98170b78bf83867cdb6a14901d586e00ddb65bfe2f0c4e60"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==5.0.5"
         },
         "asgiref": {
@@ -77,6 +79,7 @@
                 "sha256:5ee950735509d04eb673bd7f7120f8fa1c9e2df495394992c73234d526907e17",
                 "sha256:7162a3cb30ab0609f1a4c95938fd73e8604f63bdba516a7f7d64b83ff09478f0"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==3.3.1"
         },
         "async-timeout": {
@@ -84,6 +87,7 @@
                 "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
                 "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
             ],
+            "markers": "python_full_version >= '3.5.3'",
             "version": "==3.0.1"
         },
         "attrs": {
@@ -91,6 +95,7 @@
                 "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
                 "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==20.3.0"
         },
         "autobahn": {
@@ -98,6 +103,7 @@
                 "sha256:884f79c50fdc55ade2c315946a9caa145e8b10075eee9d2c2594ea5e8f5226aa",
                 "sha256:bf7a9d302a34d0f719d43c57f65ca1f2f5c982dd6ea0c11e1e190ef6f43710fe"
             ],
+            "markers": "python_version >= '3.7'",
             "version": "==21.2.2"
         },
         "automat": {
@@ -127,6 +133,7 @@
                 "sha256:48350c0524fafcc6f1cf792a80080eeaf282c4ceed016e9296f1ebfda7c34fb3",
                 "sha256:dd95871cf8a418ab730a219f2bfc301c98f2d9d0a294e43f51715bdd4aedd4cd"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
             "version": "==1.20.16"
         },
         "cachetools": {
@@ -134,6 +141,7 @@
                 "sha256:1d9d5f567be80f7c07d765e21b814326d78c61eb0c3a637dffc0e5d1796cb2e2",
                 "sha256:f469e29e7aa4cff64d8de4aad95ce76de8ea1125a16c68e0d93f65c3c3dc92e9"
             ],
+            "markers": "python_version ~= '3.5'",
             "version": "==4.2.1"
         },
         "cbor2": {
@@ -227,6 +235,7 @@
                 "sha256:d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a",
                 "sha256:dacca89f4bfadd5de3d7489b7c8a566eee0d3676333fbb50030263894c38c0dc"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
             "version": "==7.1.2"
         },
         "click-didyoumean": {
@@ -300,6 +309,7 @@
                 "sha256:0052c9887600c57054a5867d4b0240159fa009faa3bcf6a1627271d9cdcb005a",
                 "sha256:c22b692707f514de9013651ecb687f2abe4f35cf6fe292ece634e9f1737bc7e3"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==3.0.1"
         },
         "defusedxml": {
@@ -373,13 +383,6 @@
             "index": "pypi",
             "version": "==2.1.0"
         },
-        "django-recaptcha": {
-            "hashes": [
-                "sha256:567784963fd5400feaf92e8951d8dbbbdb4b4c48a76e225d4baa63a2c9d2cd8c"
-            ],
-            "index": "pypi",
-            "version": "==2.0.6"
-        },
         "django-redis": {
             "hashes": [
                 "sha256:1133b26b75baa3664164c3f44b9d5d133d1b8de45d94d79f38d1adc5b1d502e5",
@@ -440,6 +443,7 @@
             "hashes": [
                 "sha256:b1bead90b70cf6ec3f0710ae53a525360fa360d306a86583adc6bf83a4db537d"
             ],
+            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==0.18.2"
         },
         "geoip2": {
@@ -455,6 +459,7 @@
                 "sha256:d3640ea61ee025d5af00e3ffd82ba0a06dd99724adaf50bdd52f49daf29f3f65",
                 "sha256:da5218cbf33b8461d7661d6b4ad91c12c0107e2767904d5e3ae6408031d5463e"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
             "version": "==1.27.0"
         },
         "gunicorn": {
@@ -470,6 +475,7 @@
                 "sha256:36a3cb8c0a032f56e2da7084577878a035d3b61d104230d4bd49c0c6b555a9c6",
                 "sha256:47222cb6067e4a307d535814917cd98fd0a57b6788ce715755fa2b6c28b56042"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==0.12.0"
         },
         "hiredis": {
@@ -521,6 +527,7 @@
                 "sha256:e64be68255234bb489a574c4f2f8df7029c98c81ec4d160d6cd836e7f0679390",
                 "sha256:e82d6b930e02e80e5109b678c663a9ed210680ded81c1abaf54635d88d1da298"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==1.1.0"
         },
         "httptools": {
@@ -566,6 +573,7 @@
                 "sha256:1a29730d366e996aaacffb2f1f1cb9593dc38e2ddd30c91250c6dde09ea9b417",
                 "sha256:f38b2b640938a4f35ade69ac3d053042959b62a0f1076a5bbaa1b9526605a8a2"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==0.5.1"
         },
         "itypes": {
@@ -580,6 +588,7 @@
                 "sha256:03e47ad063331dd6a3f04a43eddca8a966a26ba0c5b7207a9a9e4e08f1b29419",
                 "sha256:a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
             "version": "==2.11.3"
         },
         "jmespath": {
@@ -587,6 +596,7 @@
                 "sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9",
                 "sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f"
             ],
+            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==0.10.0"
         },
         "jsonschema": {
@@ -601,6 +611,7 @@
                 "sha256:6dc509178ac4269b0e66ab4881f70a2035c33d3a622e20585f965986a5182006",
                 "sha256:f4965fba0a4718d47d470beeb5d6446e3357a62402b16c510b6a2f251e05ac3c"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==5.0.2"
         },
         "kubernetes": {
@@ -613,8 +624,11 @@
         },
         "ldap3": {
             "hashes": [
+                "sha256:c1df41d89459be6f304e0ceec4b00fdea533dbbcd83c802b1272dcdb94620b57",
+                "sha256:4139c91f0eef9782df7b77c8cbc6243086affcb6a8a249b768a9658438e5da59",
                 "sha256:18c3ee656a6775b9b0d60f7c6c5b094d878d1d90fc03d56731039f0a4b546a91",
-                "sha256:c1df41d89459be6f304e0ceec4b00fdea533dbbcd83c802b1272dcdb94620b57"
+                "sha256:8c949edbad2be8a03e719ba48bd6779f327ec156929562814b3e84ab56889c8c",
+                "sha256:afc6fc0d01f02af82cd7bfabd3bbfd5dc96a6ae91e97db0a2dab8a0f1b436056"
             ],
             "index": "pypi",
             "version": "==2.9"
@@ -717,12 +731,14 @@
                 "sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be",
                 "sha256:feb7b34d6325451ef96bc0e36e1a6c0c1c64bc1fbec4b854f4529e51887b1621"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==1.1.1"
         },
         "maxminddb": {
             "hashes": [
                 "sha256:47e86a084dd814fac88c99ea34ba3278a74bc9de5a25f4b815b608798747c7dc"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==2.0.3"
         },
         "msgpack": {
@@ -798,6 +814,7 @@
                 "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
                 "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==5.1.0"
         },
         "oauthlib": {
@@ -805,6 +822,7 @@
                 "sha256:bee41cc35fcca6e988463cacc3bcb8a96224f470ca547e697b604cc697b2f889",
                 "sha256:df884cd6cbe20e32633f1db1072e9356f53638e4361bef4e8b03c9127c9328ea"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==3.1.0"
         },
         "packaging": {
@@ -827,6 +845,7 @@
                 "sha256:0fa02fa80363844a4ab4b8d6891f62dd0645ba672723130423ca4037b80c1974",
                 "sha256:62c811e46bd09130fb11ab759012a4ae385ce4fb2073442d1898867a824183bd"
             ],
+            "markers": "python_full_version >= '3.6.1'",
             "version": "==3.0.16"
         },
         "psycopg2-binary": {
@@ -872,15 +891,37 @@
         },
         "pyasn1": {
             "hashes": [
+                "sha256:fec3e9d8e36808a28efb59b489e4528c10ad0f480e57dcc32b4de5c9d8c9fdf3",
+                "sha256:aef77c9fb94a3ac588e87841208bdec464471d9871bd5050a287cc9a475cd0ba",
+                "sha256:08c3c53b75eaa48d71cf8c710312316392ed40899cb34710d092e96745a358b7",
+                "sha256:0458773cfe65b153891ac249bcf1b5f8f320b7c2ce462151f8fa74de8934becf",
+                "sha256:99fcc3c8d804d1bc6d9a099921e39d827026409a58f2a720dcdb89374ea0c776",
+                "sha256:78fa6da68ed2727915c4767bb386ab32cdba863caa7dbe473eaae45f9959da86",
+                "sha256:7ab8a544af125fb704feadb008c99a88805126fb525280b2270bb25cc1d78a12",
+                "sha256:6e7545f1a61025a4e58bb336952c5061697da694db1cae97b116e9c46abcf7c8",
+                "sha256:5c9414dcfede6e441f7e8f81b43b34e834731003427e5b09e4e00e3172a10f00",
+                "sha256:e89bf84b5437b532b0803ba5c9a5e054d21fec423a89952a74f87fa2c9b7bce2",
+                "sha256:03840c999ba71680a131cfaee6fab142e1ed9bbd9c693e285cc6aca0d555e576",
                 "sha256:39c7e2ec30515947ff4e87fb6f456dfc6e84857d34be479c9d4a4ba4bf46aa5d",
-                "sha256:aef77c9fb94a3ac588e87841208bdec464471d9871bd5050a287cc9a475cd0ba"
+                "sha256:014c0e9976956a08139dc0712ae195324a75e142284d5f87f1a87ee1b068a359"
             ],
             "version": "==0.4.8"
         },
         "pyasn1-modules": {
             "hashes": [
-                "sha256:905f84c712230b2c592c19470d3ca8d552de726050d1d1716282a1f6146be65e",
-                "sha256:a50b808ffeb97cb3601dd25981f6b016cbb3d31fbf57a8b8a87428e6158d0c74"
+                "sha256:a99324196732f53093a84c4369c996713eb8c89d360a496b599fb1a9c47fc3eb",
+                "sha256:b80486a6c77252ea3a3e9b1e360bc9cf28eaac41263d173c032581ad2f20fe45",
+                "sha256:fe0644d9ab041506b62782e92b06b8c68cca799e1a9636ec398675459e031405",
+                "sha256:a50b808ffeb97cb3601dd25981f6b016cbb3d31fbf57a8b8a87428e6158d0c74",
+                "sha256:f39edd8c4ecaa4556e989147ebf219227e2cd2e8a43c7e7fcb1f1c18c5fd6a3d",
+                "sha256:0845a5582f6a02bb3e1bde9ecfc4bfcae6ec3210dd270522fee602365430c3f8",
+                "sha256:426edb7a5e8879f1ec54a1864f16b882c2837bfd06eee62f2c982315ee2473ed",
+                "sha256:65cebbaffc913f4fe9e4808735c95ea22d7a7775646ab690518c056784bc21b4",
+                "sha256:0fe1b68d1e486a1ed5473f1302bd991c1611d319bba158e98b106ff86e1d7199",
+                "sha256:c29a5e5cc7a3f05926aff34e097e84f8589cd790ce0ed41b67aed6857b26aafd",
+                "sha256:15b7c67fabc7fc240d87fb9aabf999cf82311a6d6fb2c70d00d3d0604878c811",
+                "sha256:cbac4bc38d117f2a49aeedec4407d23e8866ea4ac27ff2cf7fb3e5b570df19e0",
+                "sha256:905f84c712230b2c592c19470d3ca8d552de726050d1d1716282a1f6146be65e"
             ],
             "version": "==0.2.8"
         },
@@ -889,6 +930,7 @@
                 "sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0",
                 "sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.20"
         },
         "pycryptodome": {
@@ -960,6 +1002,7 @@
                 "sha256:f933ecf4cb736c7af60a6a533db2bf569717f2318b265f92907acff1db43bc34",
                 "sha256:fc9c55dc1ed57db76595f2d19a479fc1c3a1be2c9da8de798a93d286c5f65f38"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
             "version": "==3.10.1"
         },
         "pyhamcrest": {
@@ -967,6 +1010,7 @@
                 "sha256:412e00137858f04bde0729913874a48485665f2d36fe9ee449f26be864af9316",
                 "sha256:7ead136e03655af85069b6f47b23eb7c3e5c221aa9f022a4fbb499f5b7308f29"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==2.0.2"
         },
         "pyjwkest": {
@@ -988,12 +1032,14 @@
                 "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
                 "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
             ],
+            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.4.7"
         },
         "pyrsistent": {
             "hashes": [
                 "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==0.17.3"
         },
         "python-dateutil": {
@@ -1001,6 +1047,7 @@
                 "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
                 "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.8.1"
         },
         "python-dotenv": {
@@ -1044,19 +1091,12 @@
             "index": "pypi",
             "version": "==5.4.1"
         },
-        "qrcode": {
-            "hashes": [
-                "sha256:3996ee560fc39532910603704c82980ff6d4d5d629f9c3f25f34174ce8606cf5",
-                "sha256:505253854f607f2abf4d16092c61d4e9d511a3b4392e60bff957a68592b04369"
-            ],
-            "index": "pypi",
-            "version": "==6.1"
-        },
         "redis": {
             "hashes": [
                 "sha256:0e7e0cfca8660dea8b7d5cd8c4f6c5e29e11f31158c0b0ae91a397f00e5a05a2",
                 "sha256:432b788c4530cfe16d8d943a09d40ca6c16149727e4afe8c2c9d5580c59d9f24"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
             "version": "==3.5.3"
         },
         "requests": {
@@ -1064,10 +1104,12 @@
                 "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
                 "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
             "version": "==2.25.1"
         },
         "requests-oauthlib": {
             "hashes": [
+                "sha256:fa6c47b933f01060936d87ae9327fead68768b69c6c9ea2109c48be30f2d4dbc",
                 "sha256:7f71572defaecd16372f9006f33c2ec8c077c3cfa6f5911a9a90202beb513f3d",
                 "sha256:b4261601a71fd721a8bd6d7aa1cc1d6a8a93b4a9f5e96626f8e4d91e8beeaa6a"
             ],
@@ -1117,6 +1159,7 @@
                 "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
                 "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==1.15.0"
         },
         "sqlparse": {
@@ -1124,6 +1167,7 @@
                 "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0",
                 "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==0.4.1"
         },
         "structlog": {
@@ -1171,6 +1215,7 @@
                 "sha256:f058bd0168271de4dcdc39845b52dd0a4a2fecf5f1246335f13f5e96eaebb467",
                 "sha256:f3c19e5bd42bbe4bf345704ad7c326c74d3fd7a1b3844987853bef180be638d4"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
             "version": "==20.3.0"
         },
         "txaio": {
@@ -1178,6 +1223,7 @@
                 "sha256:7d6f89745680233f1c4db9ddb748df5e88d2a7a37962be174c0fd04c8dba1dc8",
                 "sha256:c16b55f9a67b2419cfdf8846576e2ec9ba94fe6978a83080c352a80db31c93fb"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==21.2.1"
         },
         "typing-extensions": {
@@ -1193,6 +1239,7 @@
                 "sha256:07620c3f3f8eed1f12600845892b0e036a2420acf513c53f7de0abd911a5894f",
                 "sha256:5af8ad10cec94f215e3f48112de2022e1d5a37ed427fbd88652fa908f2ab7cae"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==3.0.1"
         },
         "urllib3": {
@@ -1237,6 +1284,7 @@
                 "sha256:4c9dceab6f76ed92105027c49c823800dd33cacce13bdedc5b914e3514b7fb30",
                 "sha256:7d3b1624a953da82ef63462013bbd271d3eb75751489f9807598e8f340bd637e"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==5.0.0"
         },
         "watchgod": {
@@ -1354,6 +1402,7 @@
                 "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
                 "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==1.6.3"
         },
         "zope.interface": {
@@ -1411,6 +1460,7 @@
                 "sha256:f37d45fab14ffef9d33a0dc3bc59ce0c5313e2253323312d47739192da94f5fd",
                 "sha256:f44906f70205d456d503105023041f1e63aece7623b31c390a0103db4de17537"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
             "version": "==5.2.0"
         }
     },
@@ -1422,18 +1472,12 @@
             ],
             "version": "==1.4.4"
         },
-        "asgiref": {
-            "hashes": [
-                "sha256:5ee950735509d04eb673bd7f7120f8fa1c9e2df495394992c73234d526907e17",
-                "sha256:7162a3cb30ab0609f1a4c95938fd73e8604f63bdba516a7f7d64b83ff09478f0"
-            ],
-            "version": "==3.3.1"
-        },
         "astroid": {
             "hashes": [
                 "sha256:4c17cea3e592c21b6e222f673868961bad77e1f985cb1694ed077475a89229c1",
                 "sha256:d8506842a3faf734b81599c8b98dcc423de863adcc1999248480b18bd31a0f38"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==2.4.1"
         },
         "attrs": {
@@ -1441,6 +1485,7 @@
                 "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
                 "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==20.3.0"
         },
         "autopep8": {
@@ -1471,6 +1516,7 @@
                 "sha256:37f927ea17cde7ae2d7baf832f8e80ce3777624554a653006c9144f8017fe410",
                 "sha256:762cb2bfad61f4ec8e2bdf452c7c267416f8c70dd9ecb1653fd0bbb01fa936e6"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==1.0.1"
         },
         "bumpversion": {
@@ -1486,6 +1532,7 @@
                 "sha256:d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a",
                 "sha256:dacca89f4bfadd5de3d7489b7c8a566eee0d3676333fbb50030263894c38c0dc"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
             "version": "==7.1.2"
         },
         "colorama": {
@@ -1551,22 +1598,6 @@
             "index": "pypi",
             "version": "==5.4"
         },
-        "django": {
-            "hashes": [
-                "sha256:32ce792ee9b6a0cbbec340123e229ac9f765dff8c2a4ae9247a14b2ba3a365a7",
-                "sha256:baf099db36ad31f970775d0be5587cc58a6256a6771a44eb795b554d45f211b8"
-            ],
-            "index": "pypi",
-            "version": "==3.1.7"
-        },
-        "django-debug-toolbar": {
-            "hashes": [
-                "sha256:84e2607d900dbd571df0a2acf380b47c088efb787dce9805aefeb407341961d2",
-                "sha256:9e5a25d0c965f7e686f6a8ba23613ca9ca30184daa26487706d4829f5cfb697a"
-            ],
-            "index": "pypi",
-            "version": "==3.2"
-        },
         "dodgy": {
             "hashes": [
                 "sha256:28323cbfc9352139fdd3d316fa17f325cc0e9ac74438cbba51d70f9b48f86c3a",
@@ -1579,6 +1610,7 @@
                 "sha256:749dbbd6bfd0cf1318af27bf97a14e28e5ff548ef8e5b1566ccfb25a11e7c839",
                 "sha256:aadae8761ec651813c24be05c6f7b4680857ef6afaae4651a4eccaef97ce6c3b"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==3.8.4"
         },
         "flake8-polyfill": {
@@ -1593,6 +1625,7 @@
                 "sha256:91f36bfb1ab7949b3b40e23736db18231bf7593edada2ba5c3a174a7b23657ac",
                 "sha256:c9e1f2d0db7ddb9a704c2a0217be31214e91a4fe1dea1efad19ae42ba0c285c9"
             ],
+            "markers": "python_version >= '3.4'",
             "version": "==4.0.5"
         },
         "gitpython": {
@@ -1600,6 +1633,7 @@
                 "sha256:8621a7e777e276a5ec838b59280ba5272dd144a18169c36c903d8b38b99f750a",
                 "sha256:c5347c81d232d9b8e7f47b68a83e5dc92e7952127133c5f2df9133f2c75a1b29"
             ],
+            "markers": "python_version >= '3.4'",
             "version": "==3.1.13"
         },
         "iniconfig": {
@@ -1614,6 +1648,7 @@
                 "sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1",
                 "sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==4.3.21"
         },
         "lazy-object-proxy": {
@@ -1640,6 +1675,7 @@
                 "sha256:efa1909120ce98bbb3777e8b6f92237f5d5c8ea6758efea36a473e1d38f7d3e4",
                 "sha256:f3900e8a5de27447acbf900b4750b0ddfd7ec1ea7fbaf11dfa911141bc522af0"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==1.4.3"
         },
         "mccabe": {
@@ -1676,6 +1712,7 @@
                 "sha256:5fad80b613c402d5b7df7bd84812548b2a61e9977387a80a5fc5c396492b13c9",
                 "sha256:b236cde0ac9a6aedd5e3c34517b423cd4fd97ef723849da6b0d2231142d89c00"
             ],
+            "markers": "python_version >= '2.6'",
             "version": "==5.5.1"
         },
         "pep8-naming": {
@@ -1690,6 +1727,7 @@
                 "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
                 "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==0.13.1"
         },
         "prospector": {
@@ -1704,6 +1742,7 @@
                 "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
                 "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==1.10.0"
         },
         "pycodestyle": {
@@ -1711,6 +1750,7 @@
                 "sha256:2295e7b2f6b5bd100585ebcb1f616591b652db8a741695b3d8f5d28bdc934367",
                 "sha256:c58a7d2815e0e8d7972bf1803331fb0152f867bd89adf8a01dfd55085434192e"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.6.0"
         },
         "pydocstyle": {
@@ -1718,6 +1758,7 @@
                 "sha256:19b86fa8617ed916776a11cd8bc0197e5b9856d5433b777f51a3defe13075325",
                 "sha256:aca749e190a01726a4fb472dd4ef23b5c9da7b9205c0a7857c06533de13fd678"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==5.1.1"
         },
         "pyflakes": {
@@ -1725,6 +1766,7 @@
                 "sha256:0d94e0e05a19e57a99444b6ddcf9a6eb2e5c68d3ca1e98e90707af8152c90a92",
                 "sha256:35b2d75ee967ea93b55750aa9edbbf72813e06a66ba54438df2cfac9e3c27fc8"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.2.0"
         },
         "pylint": {
@@ -1767,6 +1809,7 @@
                 "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
                 "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
             ],
+            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.4.7"
         },
         "pytest": {
@@ -1785,13 +1828,6 @@
             "index": "pypi",
             "version": "==4.1.0"
         },
-        "pytz": {
-            "hashes": [
-                "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da",
-                "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798"
-            ],
-            "version": "==2021.1"
-        },
         "pyyaml": {
             "hashes": [
                 "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
@@ -1890,6 +1926,7 @@
                 "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
                 "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==1.15.0"
         },
         "smmap": {
@@ -1897,6 +1934,7 @@
                 "sha256:7bfcf367828031dc893530a29cb35eb8c8f2d7c8f2d0989354d75d24c8573714",
                 "sha256:84c2751ef3072d4f6b2785ec7ee40244c6f45eb934d9e543e2c51f1bd3d54c50"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==3.0.5"
         },
         "snowballstemmer": {
@@ -1906,18 +1944,12 @@
             ],
             "version": "==2.1.0"
         },
-        "sqlparse": {
-            "hashes": [
-                "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0",
-                "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8"
-            ],
-            "version": "==0.4.1"
-        },
         "stevedore": {
             "hashes": [
                 "sha256:3a5bbd0652bf552748871eaa73a4a8dc2899786bc497a2aa1fcb4dcdb0debeee",
                 "sha256:50d7b78fbaf0d04cd62411188fa7eedcb03eb7f4c4b37005615ceebe582aa82a"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==3.3.0"
         },
         "toml": {
@@ -1925,6 +1957,7 @@
                 "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b",
                 "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"
             ],
+            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==0.10.2"
         },
         "typed-ast": {
diff --git a/authentik/admin/tests/test_api.py b/authentik/admin/tests/test_api.py
index 5b4d66933..870c45c11 100644
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@@ -1,8 +1,8 @@
 """test admin api"""
 from json import loads
 
-from django.shortcuts import reverse
 from django.test import TestCase
+from django.urls import reverse
 
 from authentik import __version__
 from authentik.core.models import Group, User
diff --git a/authentik/admin/tests/test_generated.py b/authentik/admin/tests/test_generated.py
index 5f9399a07..af63fe1ed 100644
--- a/authentik/admin/tests/test_generated.py
+++ b/authentik/admin/tests/test_generated.py
@@ -3,8 +3,8 @@ from importlib import import_module
 from typing import Callable
 
 from django.forms import ModelForm
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
 
 from authentik.admin.urls import urlpatterns
diff --git a/authentik/admin/views/certificate_key_pair.py b/authentik/admin/views/certificate_key_pair.py
index 1e2ea400a..046abd802 100644
--- a/authentik/admin/views/certificate_key_pair.py
+++ b/authentik/admin/views/certificate_key_pair.py
@@ -5,6 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http.response import HttpResponse
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from django.views.generic import UpdateView
 from django.views.generic.edit import FormView
@@ -33,7 +34,7 @@ class CertificateKeyPairCreateView(
     permission_required = "authentik_crypto.add_certificatekeypair"
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created Certificate-Key Pair")
 
 
@@ -50,7 +51,7 @@ class CertificateKeyPairGenerateView(
     permission_required = "authentik_crypto.add_certificatekeypair"
 
     template_name = "administration/certificatekeypair/generate.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully generated Certificate-Key Pair")
 
     def form_valid(self, form: CertificateKeyPairGenerateForm) -> HttpResponse:
@@ -77,7 +78,7 @@ class CertificateKeyPairUpdateView(
     permission_required = "authentik_crypto.change_certificatekeypair"
 
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated Certificate-Key Pair")
 
 
@@ -90,5 +91,5 @@ class CertificateKeyPairDeleteView(
     permission_required = "authentik_crypto.delete_certificatekeypair"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Certificate-Key Pair")
diff --git a/authentik/admin/views/flows.py b/authentik/admin/views/flows.py
index 9cfa6ffd2..25855db33 100644
--- a/authentik/admin/views/flows.py
+++ b/authentik/admin/views/flows.py
@@ -6,6 +6,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from django.views.generic import DetailView, FormView, UpdateView
 from guardian.mixins import PermissionRequiredMixin
@@ -36,7 +37,7 @@ class FlowCreateView(
     permission_required = "authentik_flows.add_flow"
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created Flow")
 
 
@@ -53,7 +54,7 @@ class FlowUpdateView(
     permission_required = "authentik_flows.change_flow"
 
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated Flow")
 
 
@@ -64,7 +65,7 @@ class FlowDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageV
     permission_required = "authentik_flows.delete_flow"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Flow")
 
 
@@ -104,7 +105,7 @@ class FlowImportView(LoginRequiredMixin, FormView):
 
     form_class = FlowImportForm
     template_name = "administration/flow/import.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
 
     def dispatch(self, request, *args, **kwargs):
         if not request.user.is_superuser:
diff --git a/authentik/admin/views/groups.py b/authentik/admin/views/groups.py
index 74a77b5f1..d50bc708f 100644
--- a/authentik/admin/views/groups.py
+++ b/authentik/admin/views/groups.py
@@ -4,6 +4,7 @@ from django.contrib.auth.mixins import (
     PermissionRequiredMixin as DjangoPermissionRequiredMixin,
 )
 from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from django.views.generic import UpdateView
 from guardian.mixins import PermissionRequiredMixin
@@ -27,7 +28,7 @@ class GroupCreateView(
     permission_required = "authentik_core.add_group"
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created Group")
 
 
@@ -44,7 +45,7 @@ class GroupUpdateView(
     permission_required = "authentik_core.change_group"
 
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated Group")
 
 
@@ -55,5 +56,5 @@ class GroupDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessage
     permission_required = "authentik_flows.delete_group"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Group")
diff --git a/authentik/admin/views/outposts_service_connections.py b/authentik/admin/views/outposts_service_connections.py
index 442690bed..e82ffabbd 100644
--- a/authentik/admin/views/outposts_service_connections.py
+++ b/authentik/admin/views/outposts_service_connections.py
@@ -4,6 +4,7 @@ from django.contrib.auth.mixins import (
     PermissionRequiredMixin as DjangoPermissionRequiredMixin,
 )
 from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from guardian.mixins import PermissionRequiredMixin
 
@@ -27,7 +28,7 @@ class OutpostServiceConnectionCreateView(
     permission_required = "authentik_outposts.add_outpostserviceconnection"
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created Outpost Service Connection")
 
 
@@ -43,7 +44,7 @@ class OutpostServiceConnectionUpdateView(
     permission_required = "authentik_outposts.change_outpostserviceconnection"
 
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated Outpost Service Connection")
 
 
@@ -56,5 +57,5 @@ class OutpostServiceConnectionDeleteView(
     permission_required = "authentik_outposts.delete_outpostserviceconnection"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Outpost Service Connection")
diff --git a/authentik/admin/views/policies.py b/authentik/admin/views/policies.py
index bb18a3502..85a246b0e 100644
--- a/authentik/admin/views/policies.py
+++ b/authentik/admin/views/policies.py
@@ -7,6 +7,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import HttpResponse
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from django.views.generic import FormView
 from django.views.generic.detail import DetailView
@@ -34,7 +35,7 @@ class PolicyCreateView(
     permission_required = "authentik_policies.add_policy"
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created Policy")
 
 
@@ -50,7 +51,7 @@ class PolicyUpdateView(
     permission_required = "authentik_policies.change_policy"
 
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated Policy")
 
 
@@ -61,7 +62,7 @@ class PolicyDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessag
     permission_required = "authentik_policies.delete_policy"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Policy")
 
 
diff --git a/authentik/admin/views/policies_bindings.py b/authentik/admin/views/policies_bindings.py
index 336f0dd64..2626a0f99 100644
--- a/authentik/admin/views/policies_bindings.py
+++ b/authentik/admin/views/policies_bindings.py
@@ -7,6 +7,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.db.models import Max
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from django.views.generic import UpdateView
 from guardian.mixins import PermissionRequiredMixin
@@ -30,7 +31,7 @@ class PolicyBindingCreateView(
     form_class = PolicyBindingForm
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created PolicyBinding")
 
     def get_initial(self) -> dict[str, Any]:
@@ -63,7 +64,7 @@ class PolicyBindingUpdateView(
     form_class = PolicyBindingForm
 
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated PolicyBinding")
 
 
@@ -76,5 +77,5 @@ class PolicyBindingDeleteView(
     permission_required = "authentik_policies.delete_policybinding"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted PolicyBinding")
diff --git a/authentik/admin/views/stages.py b/authentik/admin/views/stages.py
index 049b591e4..b63b2fcef 100644
--- a/authentik/admin/views/stages.py
+++ b/authentik/admin/views/stages.py
@@ -4,6 +4,7 @@ from django.contrib.auth.mixins import (
     PermissionRequiredMixin as DjangoPermissionRequiredMixin,
 )
 from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from guardian.mixins import PermissionRequiredMixin
 
@@ -27,7 +28,7 @@ class StageCreateView(
     template_name = "generic/create.html"
     permission_required = "authentik_flows.add_stage"
 
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created Stage")
 
 
@@ -42,7 +43,7 @@ class StageUpdateView(
     model = Stage
     permission_required = "authentik_flows.update_application"
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated Stage")
 
 
@@ -52,5 +53,5 @@ class StageDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessage
     model = Stage
     template_name = "generic/delete.html"
     permission_required = "authentik_flows.delete_stage"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Stage")
diff --git a/authentik/admin/views/stages_bindings.py b/authentik/admin/views/stages_bindings.py
index e8376e6b3..b1038eb1f 100644
--- a/authentik/admin/views/stages_bindings.py
+++ b/authentik/admin/views/stages_bindings.py
@@ -7,6 +7,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.db.models import Max
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from django.views.generic import UpdateView
 from guardian.mixins import PermissionRequiredMixin
@@ -30,7 +31,7 @@ class StageBindingCreateView(
     form_class = FlowStageBindingForm
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created StageBinding")
 
     def get_initial(self) -> dict[str, Any]:
@@ -61,7 +62,7 @@ class StageBindingUpdateView(
     form_class = FlowStageBindingForm
 
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated StageBinding")
 
 
@@ -74,5 +75,5 @@ class StageBindingDeleteView(
     permission_required = "authentik_flows.delete_flowstagebinding"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted FlowStageBinding")
diff --git a/authentik/admin/views/stages_invitations.py b/authentik/admin/views/stages_invitations.py
index 3e87247cc..f792c875d 100644
--- a/authentik/admin/views/stages_invitations.py
+++ b/authentik/admin/views/stages_invitations.py
@@ -5,6 +5,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import HttpResponseRedirect
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from guardian.mixins import PermissionRequiredMixin
 
@@ -27,7 +28,7 @@ class InvitationCreateView(
     permission_required = "authentik_stages_invitation.add_invitation"
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created Invitation")
 
     def form_valid(self, form):
@@ -46,5 +47,5 @@ class InvitationDeleteView(
     permission_required = "authentik_stages_invitation.delete_invitation"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Invitation")
diff --git a/authentik/admin/views/stages_prompts.py b/authentik/admin/views/stages_prompts.py
index d61b04850..a9ab27668 100644
--- a/authentik/admin/views/stages_prompts.py
+++ b/authentik/admin/views/stages_prompts.py
@@ -4,6 +4,7 @@ from django.contrib.auth.mixins import (
     PermissionRequiredMixin as DjangoPermissionRequiredMixin,
 )
 from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from django.views.generic import UpdateView
 from guardian.mixins import PermissionRequiredMixin
@@ -27,7 +28,7 @@ class PromptCreateView(
     permission_required = "authentik_stages_prompt.add_prompt"
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created Prompt")
 
 
@@ -44,7 +45,7 @@ class PromptUpdateView(
     permission_required = "authentik_stages_prompt.change_prompt"
 
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated Prompt")
 
 
@@ -55,5 +56,5 @@ class PromptDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessag
     permission_required = "authentik_stages_prompt.delete_prompt"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Prompt")
diff --git a/authentik/admin/views/tokens.py b/authentik/admin/views/tokens.py
index 0dc6ce311..966189227 100644
--- a/authentik/admin/views/tokens.py
+++ b/authentik/admin/views/tokens.py
@@ -1,5 +1,6 @@
 """authentik Token administration"""
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
 from guardian.mixins import PermissionRequiredMixin
 
@@ -14,5 +15,5 @@ class TokenDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessage
     permission_required = "authentik_core.delete_token"
 
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted Token")
diff --git a/authentik/admin/views/users.py b/authentik/admin/views/users.py
index 379a8c641..cd521cd03 100644
--- a/authentik/admin/views/users.py
+++ b/authentik/admin/views/users.py
@@ -7,7 +7,8 @@ from django.contrib.auth.mixins import (
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import HttpRequest, HttpResponse
 from django.http.response import HttpResponseRedirect
-from django.shortcuts import redirect, reverse
+from django.shortcuts import redirect
+from django.urls import reverse_lazy
 from django.utils.http import urlencode
 from django.utils.translation import gettext as _
 from django.views.generic import DetailView, UpdateView
@@ -32,7 +33,7 @@ class UserCreateView(
     permission_required = "authentik_core.add_user"
 
     template_name = "generic/create.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully created User")
 
 
@@ -51,7 +52,7 @@ class UserUpdateView(
     # By default the object's name is user which is used by other checks
     context_object_name = "object"
     template_name = "generic/update.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully updated User")
 
 
@@ -64,7 +65,7 @@ class UserDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageV
     # By default the object's name is user which is used by other checks
     context_object_name = "object"
     template_name = "generic/delete.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully deleted User")
 
 
@@ -79,7 +80,7 @@ class UserDisableView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessage
     # By default the object's name is user which is used by other checks
     context_object_name = "object"
     template_name = "administration/user/disable.html"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully disabled User")
 
     def delete(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
@@ -100,7 +101,7 @@ class UserEnableView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
 
     # By default the object's name is user which is used by other checks
     context_object_name = "object"
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
     success_message = _("Successfully enabled User")
 
     def get(self, request: HttpRequest, *args, **kwargs):
@@ -124,7 +125,7 @@ class UserPasswordResetView(LoginRequiredMixin, PermissionRequiredMixin, DetailV
         )
         querystring = urlencode({"token": token.key})
         link = request.build_absolute_uri(
-            reverse("authentik_flows:default-recovery") + f"?{querystring}"
+            reverse_lazy("authentik_flows:default-recovery") + f"?{querystring}"
         )
         messages.success(
             request, _("Password reset link: <pre>%(link)s</pre>" % {"link": link})
diff --git a/authentik/admin/views/utils.py b/authentik/admin/views/utils.py
index f17b1b354..28fa1a08c 100644
--- a/authentik/admin/views/utils.py
+++ b/authentik/admin/views/utils.py
@@ -4,6 +4,7 @@ from typing import Any
 from django.contrib import messages
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import Http404
+from django.urls import reverse_lazy
 from django.views.generic import DeleteView, UpdateView
 
 from authentik.lib.utils.reflection import all_subclasses
@@ -13,7 +14,7 @@ from authentik.lib.views import CreateAssignPermView
 class DeleteMessageView(SuccessMessageMixin, DeleteView):
     """DeleteView which shows `self.success_message` on successful deletion"""
 
-    success_url = "/"
+    success_url = reverse_lazy("authentik_core:shell")
 
     def delete(self, request, *args, **kwargs):
         messages.success(self.request, self.success_message)
diff --git a/authentik/api/v2/urls.py b/authentik/api/v2/urls.py
index a96cc1c6f..df1bd26eb 100644
--- a/authentik/api/v2/urls.py
+++ b/authentik/api/v2/urls.py
@@ -26,6 +26,7 @@ from authentik.events.api.notification_transport import NotificationTransportVie
 from authentik.flows.api.bindings import FlowStageBindingViewSet
 from authentik.flows.api.flows import FlowViewSet
 from authentik.flows.api.stages import StageViewSet
+from authentik.flows.views import FlowExecutorView
 from authentik.outposts.api.outpost_service_connections import (
     DockerServiceConnectionViewSet,
     KubernetesServiceConnectionViewSet,
@@ -175,4 +176,9 @@ urlpatterns = [
         name="schema-swagger-ui",
     ),
     path("redoc/", SchemaView.with_ui("redoc", cache_timeout=0), name="schema-redoc"),
+    path(
+        "flows/executor/<slug:flow_slug>/",
+        FlowExecutorView.as_view(),
+        name="flow-executor",
+    ),
 ] + router.urls
diff --git a/authentik/core/api/propertymappings.py b/authentik/core/api/propertymappings.py
index 147ba44fe..2a58331c0 100644
--- a/authentik/core/api/propertymappings.py
+++ b/authentik/core/api/propertymappings.py
@@ -1,5 +1,5 @@
 """PropertyMapping API Views"""
-from django.shortcuts import reverse
+from django.urls import reverse
 from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.request import Request
diff --git a/authentik/core/api/providers.py b/authentik/core/api/providers.py
index ff58a206f..bbee513f9 100644
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@@ -1,5 +1,5 @@
 """Provider API Views"""
-from django.shortcuts import reverse
+from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.decorators import action
diff --git a/authentik/core/api/sources.py b/authentik/core/api/sources.py
index 0e0c6bf9d..66cf1f087 100644
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@@ -1,5 +1,5 @@
 """Source API Views"""
-from django.shortcuts import reverse
+from django.urls import reverse
 from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.request import Request
diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index 573e04cd1..41186aee5 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -2,28 +2,20 @@
 from drf_yasg2.utils import swagger_auto_schema
 from guardian.utils import get_anonymous_user
 from rest_framework.decorators import action
+from rest_framework.fields import CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import (
-    BooleanField,
-    ModelSerializer,
-    SerializerMethodField,
-)
+from rest_framework.serializers import BooleanField, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.models import User
-from authentik.lib.templatetags.authentik_utils import avatar
 
 
 class UserSerializer(ModelSerializer):
     """User Serializer"""
 
     is_superuser = BooleanField(read_only=True)
-    avatar = SerializerMethodField()
-
-    def get_avatar(self, user: User) -> str:
-        """Add user's avatar as URL"""
-        return avatar(user)
+    avatar = CharField(read_only=True)
 
     class Meta:
 
diff --git a/authentik/core/models.py b/authentik/core/models.py
index ac88f594b..d806be2e2 100644
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -1,7 +1,8 @@
 """authentik core models"""
 from datetime import timedelta
-from hashlib import sha256
+from hashlib import md5, sha256
 from typing import Any, Optional, Type
+from urllib.parse import urlencode
 from uuid import uuid4
 
 from django.conf import settings
@@ -11,7 +12,9 @@ from django.db import models
 from django.db.models import Q, QuerySet
 from django.forms import ModelForm
 from django.http import HttpRequest
+from django.templatetags.static import static
 from django.utils.functional import cached_property
+from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from guardian.mixins import GuardianUserMixin
@@ -23,6 +26,7 @@ from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.signals import password_changed
 from authentik.core.types import UILoginButton
 from authentik.flows.models import Flow
+from authentik.lib.config import CONFIG
 from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 from authentik.managed.models import ManagedModel
 from authentik.policies.models import PolicyBindingModel
@@ -31,6 +35,9 @@ LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
 USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
 
+GRAVATAR_URL = "https://secure.gravatar.com"
+DEFAULT_AVATAR = static("dist/assets/images/user_default.png")
+
 
 def default_token_duration():
     """Default duration a Token is valid"""
@@ -126,6 +133,25 @@ class User(GuardianUserMixin, AbstractUser):
         """Generate a globall unique UID, based on the user ID and the hashed secret key"""
         return sha256(f"{self.id}-{settings.SECRET_KEY}".encode("ascii")).hexdigest()
 
+    @property
+    def avatar(self) -> str:
+        """Get avatar, depending on authentik.avatar setting"""
+        mode = CONFIG.raw.get("authentik").get("avatars")
+        if mode == "none":
+            return DEFAULT_AVATAR
+        if mode == "gravatar":
+            parameters = [
+                ("s", "158"),
+                ("r", "g"),
+            ]
+            # gravatar uses md5 for their URLs, so md5 can't be avoided
+            mail_hash = md5(self.email.encode("utf-8")).hexdigest()  # nosec
+            gravatar_url = (
+                f"{GRAVATAR_URL}/avatar/{mail_hash}?{urlencode(parameters, doseq=True)}"
+            )
+            return escape(gravatar_url)
+        raise ValueError(f"Invalid avatar mode {mode}")
+
     class Meta:
 
         permissions = (
diff --git a/authentik/core/templates/base/skeleton.html b/authentik/core/templates/base/skeleton.html
index da5ef7786..5944f4160 100644
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -16,7 +16,6 @@
         <link rel="stylesheet" type="text/css" href="{% static 'dist/fontawesome.min.css' %}?v={{ ak_version }}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}?v={{ ak_version }}">
         <script src="{% url 'javascript-catalog' %}?v={{ ak_version }}"></script>
-        <script src="{% static 'dist/main.js' %}?v={{ ak_version }}" type="module"></script>
         {% block head %}
         {% endblock %}
     </head>
diff --git a/authentik/core/templates/generic/autosubmit_form.html b/authentik/core/templates/generic/autosubmit_form.html
deleted file mode 100644
index b7254b437..000000000
--- a/authentik/core/templates/generic/autosubmit_form.html
+++ /dev/null
@@ -1,31 +0,0 @@
-{% extends "login/base.html" %}
-
-{% load authentik_utils %}
-{% load i18n %}
-
-{% block title %}
-{{ title }}
-{% endblock %}
-
-{% block card %}
-<form method="POST" action="{{ url }}" autosubmit>
-    {% csrf_token %}
-    {% for key, value in attrs.items %}
-    <input type="hidden" name="{{ key }}" value="{{ value }}">
-    {% endfor %}
-    <div class="pf-c-form__group pf-u-display-flex pf-u-justify-content-center">
-        <div class="pf-c-form__group-control">
-            <span class="pf-c-spinner" role="progressbar" aria-valuetext="Loading...">
-                <span class="pf-c-spinner__clipper"></span>
-                <span class="pf-c-spinner__lead-ball"></span>
-                <span class="pf-c-spinner__tail-ball"></span>
-            </span>
-        </div>
-    </div>
-    <div class="pf-c-form__group pf-m-action">
-        <div class="pf-c-form__actions">
-            <button class="pf-c-button pf-m-primary pf-m-block" type="submit">{% trans 'Continue' %}</button>
-        </div>
-    </div>
-</form>
-{% endblock %}
diff --git a/authentik/core/templates/library.html b/authentik/core/templates/library.html
deleted file mode 100644
index fa69e07a9..000000000
--- a/authentik/core/templates/library.html
+++ /dev/null
@@ -1,53 +0,0 @@
-{% load i18n %}
-
-<main role="main" class="pf-c-page__main" tabindex="-1" id="main-content">
-    <section class="pf-c-page__main-section pf-m-light">
-        <div class="pf-c-content">
-            <h1>
-                <i class="pf-icon pf-icon-applications"></i>
-                {% trans 'Applications' %}
-            </h1>
-        </div>
-    </section>
-    <section class="pf-c-page__main-section">
-        {% if applications %}
-        <div class="pf-l-gallery pf-m-gutter">
-            {% for app in applications %}
-            <a href="{{ app.get_launch_url }}" class="pf-c-card pf-m-hoverable pf-m-compact ak-root-link">
-                <div class="pf-c-card__header">
-                    {% if app.meta_icon %}
-                    <img class="app-icon pf-c-avatar" src="{{ app.meta_icon.url }}" alt="{% trans 'Application Icon' %}">
-                    {% else %}
-                    <i class="pf-icon pf-icon-arrow"></i>
-                    {% endif %}
-                </div>
-                <div class="pf-c-card__title">
-                    <p id="card-1-check-label">{{ app.name }}</p>
-                    <div class="pf-c-content">
-                        <small>{{ app.meta_publisher }}</small>
-                    </div>
-                </div>
-                <div class="pf-c-card__body">
-                    {% trans app.meta_description|truncatewords:35 %}
-                </div>
-            </a>
-            {% endfor %}
-        </div>
-        {% else %}
-        <div class="pf-c-empty-state pf-m-full-height">
-            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
-                <h1 class="pf-c-title pf-m-lg">{% trans 'No Applications available.' %}</h1>
-                <div class="pf-c-empty-state__body">
-                    {% trans "Either no applications are defined, or you don't have access to any." %}
-                </div>
-                {% if perms.authentik_core.add_application %}
-                <a href="{% url 'authentik_admin:application-create' %}" class="pf-c-button pf-m-primary" type="button">
-                    {% trans 'Create Application' %}
-                </a>
-                {% endif %}
-            </div>
-        </div>
-        {% endif %}
-    </section>
-</main>
diff --git a/authentik/core/templates/login/base.html b/authentik/core/templates/login/base.html
index f4f979996..e25da38ec 100644
--- a/authentik/core/templates/login/base.html
+++ b/authentik/core/templates/login/base.html
@@ -28,10 +28,8 @@
         {% for source in sources %}
         <li class="pf-c-login__main-footer-links-item">
             <a href="{{ source.url }}" class="pf-c-login__main-footer-links-item-link">
-                {% if source.icon_path %}
-                <img src="{% static source.icon_path %}" alt="{{ source.name }}">
-                {% elif source.icon_url %}
-                <img src="icon_url" alt="{{ source.name }}">
+                {% if source.icon_url %}
+                <img src="{{ source.icon_url }}" alt="{{ source.name }}">
                 {% else %}
                 <i class="pf-icon pf-icon-arrow" title="{{ source.name }}"></i>
                 {% endif %}
diff --git a/authentik/core/templates/login/form.html b/authentik/core/templates/login/form.html
deleted file mode 100644
index f03fdd3c2..000000000
--- a/authentik/core/templates/login/form.html
+++ /dev/null
@@ -1,19 +0,0 @@
-{% extends 'login/base.html' %}
-
-{% load static %}
-{% load i18n %}
-
-{% block card %}
-<form method="POST" class="pf-c-form">
-    {% block above_form %}
-    {% endblock %}
-
-    {% include 'partials/form.html' %}
-
-    {% block beneath_form %}
-    {% endblock %}
-    <div class="pf-c-form__group pf-m-action">
-        <button class="pf-c-button pf-m-primary pf-m-block" type="submit">{% trans primary_action %}</button>
-    </div>
-</form>
-{% endblock %}
diff --git a/authentik/core/templates/login/form_with_user.html b/authentik/core/templates/login/form_with_user.html
deleted file mode 100644
index 59f70b4f1..000000000
--- a/authentik/core/templates/login/form_with_user.html
+++ /dev/null
@@ -1,18 +0,0 @@
-{% extends 'login/form.html' %}
-
-{% load i18n %}
-{% load authentik_utils %}
-
-{% block above_form %}
-<div class="pf-c-form__group">
-    <div class="form-control-static">
-        <div class="left">
-            <img class="pf-c-avatar" src="{% avatar user %}" alt="">
-            {{ user.username }}
-        </div>
-        <div class="right">
-            <a href="{% url 'authentik_flows:cancel' %}">{% trans 'Not you?' %}</a>
-        </div>
-    </div>
-</div>
-{% endblock %}
diff --git a/authentik/core/templates/login/loading.html b/authentik/core/templates/login/loading.html
deleted file mode 100644
index fd6ca02e2..000000000
--- a/authentik/core/templates/login/loading.html
+++ /dev/null
@@ -1,24 +0,0 @@
-{% extends 'login/base.html' %}
-
-{% load static %}
-{% load i18n %}
-{% load authentik_utils %}
-
-{% block title %}
-{% trans title %}
-{% endblock %}
-
-{% block head %}
-<meta http-equiv="refresh" content="0; url={{ target_url }}" />
-{% endblock %}
-
-{% block card %}
-<header class="login-pf-header">
-  <h1>{% trans title %}</h1>
-</header>
-<form>
-  <div class="form-group">
-    <div class="spinner spinner-lg"></div>
-  </div>
-</form>
-{% endblock %}
diff --git a/authentik/core/templates/partials/form.html b/authentik/core/templates/partials/form.html
index be6358093..4a3b81c4c 100644
--- a/authentik/core/templates/partials/form.html
+++ b/authentik/core/templates/partials/form.html
@@ -3,7 +3,7 @@
 
 {% csrf_token %}
 {% if form.non_field_errors %}
-<div class="pf-c-form__group has-error">
+<div class="pf-c-form__group">
     <p class="pf-c-form__helper-text pf-m-error">
         {{ form.non_field_errors }}
     </p>
@@ -13,7 +13,7 @@
 {% if field.field.widget|fieldtype == 'HiddenInput' %}
     {{ field }}
 {% else %}
-<div class="pf-c-form__group {% if field.errors %} has-error {% endif %}">
+<div class="pf-c-form__group">
     {% if field.field.widget|fieldtype == 'RadioSelect' %}
         <label class="pf-c-form__label" {% if field.field.required %}class="required" {% endif %}
             for="{{ field.name }}-{{ forloop.counter0 }}">
diff --git a/authentik/core/templates/partials/pagination.html b/authentik/core/templates/partials/pagination.html
deleted file mode 100644
index 87c2ae354..000000000
--- a/authentik/core/templates/partials/pagination.html
+++ /dev/null
@@ -1,42 +0,0 @@
-{% load i18n %}
-{% load authentik_utils %}
-
-<div class="pf-c-toolbar__item pf-m-pagination ">
-    <div class="pf-c-pagination pf-m-compact pf-m-hidden pf-m-visible-on-md">
-        <div class="pf-c-pagination pf-m-compact pf-m-compact pf-m-hidden pf-m-visible-on-md">
-            <div class="pf-c-options-menu">
-                <div class="pf-c-options-menu__toggle pf-m-text pf-m-plain">
-                    <span class="pf-c-options-menu__toggle-text">
-                        {% blocktrans with start_index=page_obj.start_index end_index=page_obj.end_index total_items=paginator.count %}
-                            {{ start_index }} - {{ end_index }} of {{ total_items }}
-                        {% endblocktrans %}
-                    </span>
-                </div>
-            </div>
-            <nav class="pf-c-pagination__nav" aria-label="Pagination">
-                <div class="pf-c-pagination__nav-control pf-m-prev">
-                    <a class="pf-c-button pf-m-plain"
-                        {% if page_obj.has_previous %}
-                        href="{{ request.path }}?{% query_transform page=page_obj.previous_page_number %}"
-                        {% else %}
-                        disabled
-                        {% endif %}
-                        aria-label="{% trans 'Go to previous page' %}">
-                        <i class="fas fa-angle-left" aria-hidden="true"></i>
-                    </a>
-                </div>
-                <div class="pf-c-pagination__nav-control pf-m-next">
-                    <a class="pf-c-button pf-m-plain"
-                        {% if page_obj.has_next %}
-                        href="{{ request.path }}?{% query_transform page=page_obj.next_page_number %}"
-                        {% else %}
-                        disabled
-                        {% endif %}
-                        aria-label="{% trans 'Go to next page' %}">
-                        <i class="fas fa-angle-right" aria-hidden="true"></i>
-                    </a>
-                </div>
-            </nav>
-        </div>
-    </div>
-</div>
diff --git a/authentik/core/templates/partials/toolbar_search.html b/authentik/core/templates/partials/toolbar_search.html
deleted file mode 100644
index aac4c9f30..000000000
--- a/authentik/core/templates/partials/toolbar_search.html
+++ /dev/null
@@ -1,13 +0,0 @@
-
-<div class="pf-c-toolbar__group pf-m-filter-group">
-    <div class="pf-c-toolbar__item pf-m-search-filter">
-        <form class="pf-c-input-group" method="GET">
-            {# include page data for pagination #}
-            <input type="hidden" name="page" value="{{ page_obj.number }}">
-            <input class="pf-c-form-control" name="search" type="search" placeholder="Search..." value="{{ request.GET.search }}">
-            <button class="pf-c-button pf-m-control" type="submit">
-                <i class="fas fa-search" aria-hidden="true"></i>
-            </button>
-        </form>
-    </div>
-</div>
diff --git a/authentik/core/templates/shell.html b/authentik/core/templates/shell.html
index 4d4ff3b66..131719097 100644
--- a/authentik/core/templates/shell.html
+++ b/authentik/core/templates/shell.html
@@ -1,5 +1,11 @@
 {% extends "base/skeleton.html" %}
 
+{% load static %}
+
+{% block head %}
+<script src="{% static 'dist/main.js' %}?v={{ ak_version }}" type="module"></script>
+{% endblock %}
+
 {% block body %}
 <ak-interface-admin></ak-interface-admin>
 {% endblock %}
diff --git a/authentik/core/templates/user/token_list.html b/authentik/core/templates/user/token_list.html
deleted file mode 100644
index c51b6b760..000000000
--- a/authentik/core/templates/user/token_list.html
+++ /dev/null
@@ -1,100 +0,0 @@
-{% load i18n %}
-
-<div class="pf-c-card">
-    <div class="pf-c-card__header pf-c-title pf-m-md">
-        <p>{% trans "Tokens can be used to access authentik's API." %}</p>
-    </div>
-    {% if object_list %}
-    <div class="pf-c-toolbar">
-        <div class="pf-c-toolbar__content">
-            {% include 'partials/toolbar_search.html' %}
-            <div class="pf-c-toolbar__bulk-select">
-                <ak-modal-button href="{% url 'authentik_core:user-tokens-create' %}">
-                    <ak-spinner-button slot="trigger" class="pf-m-primary">
-                        {% trans 'Create' %}
-                    </ak-spinner-button>
-                    <div slot="modal"></div>
-                </ak-modal-button>
-            </div>
-            {% include 'partials/pagination.html' %}
-        </div>
-    </div>
-    <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
-        <thead>
-            <tr role="row">
-                <th role="columnheader" scope="col">{% trans 'Identifier' %}</th>
-                <th role="columnheader" scope="col">{% trans 'Expires?' %}</th>
-                <th role="columnheader" scope="col">{% trans 'Expiry Date' %}</th>
-                <th role="columnheader" scope="col">{% trans 'Description' %}</th>
-                <th role="cell"></th>
-            </tr>
-        </thead>
-        <tbody role="rowgroup">
-            {% for token in object_list %}
-            <tr role="row">
-                <th role="columnheader">
-                    <div>{{ token.identifier }}</div>
-                </th>
-                <td role="cell">
-                    <span>
-                        {{ token.expiring|yesno:"Yes,No" }}
-                    </span>
-                </td>
-                <td role="cell">
-                    <span>
-                        {% if not token.expiring %}
-                        -
-                        {% else %}
-                        {{ token.expires }}
-                        {% endif %}
-                    </span>
-                </td>
-                <td role="cell">
-                    <span>
-                        {{ token.description }}
-                    </span>
-                </td>
-                <td>
-                    <ak-modal-button href="{% url 'authentik_core:user-tokens-update' identifier=token.identifier %}">
-                        <ak-spinner-button slot="trigger" class="pf-m-secondary">
-                            {% trans 'Edit' %}
-                        </ak-spinner-button>
-                        <div slot="modal"></div>
-                    </ak-modal-button>
-                    <ak-modal-button href="{% url 'authentik_core:user-tokens-delete' identifier=token.identifier %}">
-                        <ak-spinner-button slot="trigger" class="pf-m-danger">
-                            {% trans 'Delete' %}
-                        </ak-spinner-button>
-                        <div slot="modal"></div>
-                    </ak-modal-button>
-                    <ak-token-copy-button identifier="{{ token.identifier }}">
-                        {% trans 'Copy token' %}
-                    </ak-token-copy-button>
-                </td>
-            </tr>
-            {% endfor %}
-        </tbody>
-    </table>
-    <div class="pf-c-pagination pf-m-bottom">
-        {% include 'partials/pagination.html' %}
-    </div>
-    {% else %}
-    <div class="pf-c-empty-state">
-        <div class="pf-c-empty-state__content">
-            <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
-            <h1 class="pf-c-title pf-m-lg">
-                {% trans 'No Tokens.' %}
-            </h1>
-            <div class="pf-c-empty-state__body">
-                {% trans 'Currently no tokens exist. Click the button below to create one.' %}
-            </div>
-            <ak-modal-button href="{% url 'authentik_core:user-tokens-create' %}">
-                <ak-spinner-button slot="trigger" class="pf-m-primary">
-                    {% trans 'Create' %}
-                </ak-spinner-button>
-                <div slot="modal"></div>
-            </ak-modal-button>
-        </div>
-    </div>
-    {% endif %}
-</div>
diff --git a/authentik/core/tests/test_impersonation.py b/authentik/core/tests/test_impersonation.py
index 4c18483b3..cce520c17 100644
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@@ -1,6 +1,6 @@
 """impersonation tests"""
-from django.shortcuts import reverse
 from django.test.testcases import TestCase
+from django.urls import reverse
 
 from authentik.core.models import User
 
diff --git a/authentik/core/tests/test_views_overview.py b/authentik/core/tests/test_views_overview.py
index cd2a1c1a0..e6eafdc75 100644
--- a/authentik/core/tests/test_views_overview.py
+++ b/authentik/core/tests/test_views_overview.py
@@ -2,8 +2,8 @@
 import string
 from random import SystemRandom
 
-from django.shortcuts import reverse
 from django.test import TestCase
+from django.urls import reverse
 
 from authentik.core.models import User
 
@@ -28,9 +28,3 @@ class TestOverviewViews(TestCase):
         self.assertEqual(
             self.client.get(reverse("authentik_core:shell")).status_code, 200
         )
-
-    def test_overview(self):
-        """Test overview"""
-        self.assertEqual(
-            self.client.get(reverse("authentik_core:overview")).status_code, 200
-        )
diff --git a/authentik/core/tests/test_views_user.py b/authentik/core/tests/test_views_user.py
index d55edd38c..63a8cef94 100644
--- a/authentik/core/tests/test_views_user.py
+++ b/authentik/core/tests/test_views_user.py
@@ -2,8 +2,8 @@
 import string
 from random import SystemRandom
 
-from django.shortcuts import reverse
 from django.test import TestCase
+from django.urls import reverse
 
 from authentik.core.models import User
 
diff --git a/authentik/core/types.py b/authentik/core/types.py
index 4dd249682..1f9ff8223 100644
--- a/authentik/core/types.py
+++ b/authentik/core/types.py
@@ -2,6 +2,10 @@
 from dataclasses import dataclass
 from typing import Optional
 
+from django.db.models.base import Model
+from rest_framework.fields import CharField
+from rest_framework.serializers import Serializer
+
 
 @dataclass
 class UILoginButton:
@@ -13,8 +17,19 @@ class UILoginButton:
     # URL Which Button points to
     url: str
 
-    # Icon name, ran through django's static
-    icon_path: Optional[str] = None
-
     # Icon URL, used as-is
     icon_url: Optional[str] = None
+
+
+class UILoginButtonSerializer(Serializer):
+    """Serializer for Login buttons of sources"""
+
+    name = CharField()
+    url = CharField()
+    icon_url = CharField()
+
+    def create(self, validated_data: dict) -> Model:
+        return Model()
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        return Model()
diff --git a/authentik/core/urls.py b/authentik/core/urls.py
index f24a27e69..e51c01e68 100644
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@@ -1,7 +1,7 @@
 """authentik URL Configuration"""
 from django.urls import path
 
-from authentik.core.views import impersonate, library, shell, user
+from authentik.core.views import impersonate, shell, user
 
 urlpatterns = [
     path("", shell.ShellView.as_view(), name="shell"),
@@ -23,8 +23,6 @@ urlpatterns = [
         user.TokenDeleteView.as_view(),
         name="user-tokens-delete",
     ),
-    # Libray
-    path("library", library.LibraryView.as_view(), name="overview"),
     # Impersonation
     path(
         "-/impersonation/<int:user_id>/",
diff --git a/authentik/core/views/library.py b/authentik/core/views/library.py
deleted file mode 100644
index 0d7984cfc..000000000
--- a/authentik/core/views/library.py
+++ /dev/null
@@ -1,23 +0,0 @@
-"""authentik library view"""
-
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.views.generic import TemplateView
-
-from authentik.core.models import Application
-from authentik.policies.engine import PolicyEngine
-
-
-class LibraryView(LoginRequiredMixin, TemplateView):
-    """Overview for logged in user, incase user opens authentik directly
-    and is not being forwarded"""
-
-    template_name = "library.html"
-
-    def get_context_data(self, **kwargs):
-        kwargs["applications"] = []
-        for application in Application.objects.all().order_by("name"):
-            engine = PolicyEngine(application, self.request.user, self.request)
-            engine.build()
-            if engine.passing:
-                kwargs["applications"].append(application)
-        return super().get_context_data(**kwargs)
diff --git a/authentik/events/tests/test_api.py b/authentik/events/tests/test_api.py
index f13d86116..7a2812e02 100644
--- a/authentik/events/tests/test_api.py
+++ b/authentik/events/tests/test_api.py
@@ -1,6 +1,6 @@
 """Event API tests"""
 
-from django.shortcuts import reverse
+from django.urls import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.models import User
diff --git a/authentik/events/tests/test_middleware.py b/authentik/events/tests/test_middleware.py
index f30c93e51..ed91193cf 100644
--- a/authentik/events/tests/test_middleware.py
+++ b/authentik/events/tests/test_middleware.py
@@ -1,6 +1,6 @@
 """Event Middleware tests"""
 
-from django.shortcuts import reverse
+from django.urls import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.models import Application, User
diff --git a/authentik/flows/api/stages.py b/authentik/flows/api/stages.py
index 661a6e537..2ea926899 100644
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@@ -1,5 +1,5 @@
 """Flow Stage API Views"""
-from django.shortcuts import reverse
+from django.urls import reverse
 from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.request import Request
diff --git a/authentik/flows/challenge.py b/authentik/flows/challenge.py
new file mode 100644
index 000000000..9f45da474
--- /dev/null
+++ b/authentik/flows/challenge.py
@@ -0,0 +1,109 @@
+"""Challenge helpers"""
+from enum import Enum
+from typing import TYPE_CHECKING, Optional
+
+from django.db.models.base import Model
+from django.http import JsonResponse
+from rest_framework.fields import ChoiceField, DictField
+from rest_framework.serializers import CharField, Serializer
+
+from authentik.flows.transfer.common import DataclassEncoder
+
+if TYPE_CHECKING:
+    from authentik.flows.stage import StageView
+
+
+class ChallengeTypes(Enum):
+    """Currently defined challenge types"""
+
+    native = "native"
+    shell = "shell"
+    redirect = "redirect"
+
+
+class ErrorDetailSerializer(Serializer):
+    """Serializer for rest_framework's error messages"""
+
+    string = CharField()
+    code = CharField()
+
+    def create(self, validated_data: dict) -> Model:
+        return Model()
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        return Model()
+
+
+class Challenge(Serializer):
+    """Challenge that gets sent to the client based on which stage
+    is currently active"""
+
+    type = ChoiceField(choices=list(ChallengeTypes))
+    component = CharField(required=False)
+    title = CharField(required=False)
+
+    response_errors = DictField(
+        child=ErrorDetailSerializer(many=True), allow_empty=False, required=False
+    )
+
+    def create(self, validated_data: dict) -> Model:
+        return Model()
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        return Model()
+
+
+class RedirectChallenge(Challenge):
+    """Challenge type to redirect the client"""
+
+    to = CharField()
+
+
+class ShellChallenge(Challenge):
+    """Legacy challenge type to render HTML as-is"""
+
+    body = CharField()
+
+
+class WithUserInfoChallenge(Challenge):
+    """Challenge base which shows some user info"""
+
+    pending_user = CharField()
+    pending_user_avatar = CharField()
+
+
+class PermissionSerializer(Serializer):
+    """Permission used for consent"""
+
+    name = CharField()
+    id = CharField()
+
+    def create(self, validated_data: dict) -> Model:
+        return Model()
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        return Model()
+
+
+class ChallengeResponse(Serializer):
+    """Base class for all challenge responses"""
+
+    stage: Optional["StageView"]
+
+    def __init__(self, instance, data, **kwargs):
+        self.stage = kwargs.pop("stage", None)
+        super().__init__(instance=instance, data=data, **kwargs)
+
+    def create(self, validated_data: dict) -> Model:
+        return Model()
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        return Model()
+
+
+class HttpChallengeResponse(JsonResponse):
+    """Subclass of JsonResponse that uses the `DataclassEncoder`"""
+
+    def __init__(self, challenge, **kwargs) -> None:
+        # pyright: reportGeneralTypeIssues=false
+        super().__init__(challenge.data, encoder=DataclassEncoder, **kwargs)
diff --git a/authentik/flows/migrations/0008_default_flows.py b/authentik/flows/migrations/0008_default_flows.py
index 50b27bb40..6bb0a0feb 100644
--- a/authentik/flows/migrations/0008_default_flows.py
+++ b/authentik/flows/migrations/0008_default_flows.py
@@ -5,7 +5,7 @@ from django.db import migrations
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 from authentik.flows.models import FlowDesignation
-from authentik.stages.identification.models import Templates, UserFields
+from authentik.stages.identification.models import UserFields
 
 
 def create_default_authentication_flow(
@@ -26,7 +26,6 @@ def create_default_authentication_flow(
         name="default-authentication-identification",
         defaults={
             "user_fields": [UserFields.E_MAIL, UserFields.USERNAME],
-            "template": Templates.DEFAULT_LOGIN,
         },
     )
 
diff --git a/authentik/flows/models.py b/authentik/flows/models.py
index 3a0acbe08..45f0f61ba 100644
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@@ -23,6 +23,7 @@ class NotConfiguredAction(models.TextChoices):
     """Decides how the FlowExecutor should proceed when a stage isn't configured"""
 
     SKIP = "skip"
+    DENY = "deny"
     # CONFIGURE = "configure"
 
 
diff --git a/authentik/flows/stage.py b/authentik/flows/stage.py
index f6014e186..c55524191 100644
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@@ -1,45 +1,116 @@
 """authentik stage Base view"""
-from collections import namedtuple
-from typing import Any
-
+from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
-from django.utils.translation import gettext_lazy as _
-from django.views.generic import TemplateView
+from django.http.request import QueryDict
+from django.http.response import HttpResponse
+from django.views.generic.base import View
+from structlog.stdlib import get_logger
 
+from authentik.core.models import DEFAULT_AVATAR, User
+from authentik.flows.challenge import (
+    Challenge,
+    ChallengeResponse,
+    HttpChallengeResponse,
+    WithUserInfoChallenge,
+)
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.views import FlowExecutorView
 
 PLAN_CONTEXT_PENDING_USER_IDENTIFIER = "pending_user_identifier"
-
-FakeUser = namedtuple("User", ["username", "email"])
+LOGGER = get_logger()
 
 
-class StageView(TemplateView):
+class StageView(View):
     """Abstract Stage, inherits TemplateView but can be combined with FormView"""
 
-    template_name = "login/form_with_user.html"
-
     executor: FlowExecutorView
 
     request: HttpRequest = None
 
-    def __init__(self, executor: FlowExecutorView):
+    def __init__(self, executor: FlowExecutorView, **kwargs):
         self.executor = executor
+        super().__init__(**kwargs)
 
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["title"] = self.executor.flow.title
-        # Either show the matched User object or show what the user entered,
-        # based on what the earlier stage (mostly IdentificationStage) set.
-        # _USER_IDENTIFIER overrides the first User, as PENDING_USER is used for
-        # other things besides the form display
-        if PLAN_CONTEXT_PENDING_USER in self.executor.plan.context:
-            kwargs["user"] = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+    def get_pending_user(self) -> User:
+        """Either show the matched User object or show what the user entered,
+        based on what the earlier stage (mostly IdentificationStage) set.
+        _USER_IDENTIFIER overrides the first User, as PENDING_USER is used for
+        other things besides the form display.
+
+        If no user is pending, returns request.user"""
         if PLAN_CONTEXT_PENDING_USER_IDENTIFIER in self.executor.plan.context:
-            kwargs["user"] = FakeUser(
+            return User(
                 username=self.executor.plan.context.get(
                     PLAN_CONTEXT_PENDING_USER_IDENTIFIER
                 ),
                 email="",
             )
-        kwargs["primary_action"] = _("Continue")
-        return super().get_context_data(**kwargs)
+        if PLAN_CONTEXT_PENDING_USER in self.executor.plan.context:
+            return self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        return self.request.user
+
+
+class ChallengeStageView(StageView):
+    """Stage view which response with a challenge"""
+
+    response_class = ChallengeResponse
+
+    def get_response_instance(self, data: QueryDict) -> ChallengeResponse:
+        """Return the response class type"""
+        return self.response_class(None, data=data, stage=self)
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Return a challenge for the frontend to solve"""
+        challenge = self._get_challenge(*args, **kwargs)
+        if not challenge.is_valid():
+            LOGGER.warning(challenge.errors)
+        return HttpChallengeResponse(challenge)
+
+    # pylint: disable=unused-argument
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Handle challenge response"""
+        challenge: ChallengeResponse = self.get_response_instance(data=request.POST)
+        if not challenge.is_valid():
+            return self.challenge_invalid(challenge)
+        return self.challenge_valid(challenge)
+
+    def _get_challenge(self, *args, **kwargs) -> Challenge:
+        challenge = self.get_challenge(*args, **kwargs)
+        if "title" not in challenge.initial_data:
+            challenge.initial_data["title"] = self.executor.flow.title
+        if isinstance(challenge, WithUserInfoChallenge):
+            # If there's a pending user, update the `username` field
+            # this field is only used by password managers.
+            # If there's no user set, an error is raised later.
+            if user := self.get_pending_user():
+                challenge.initial_data["pending_user"] = user.username
+            challenge.initial_data["pending_user_avatar"] = DEFAULT_AVATAR
+            if not isinstance(user, AnonymousUser):
+                challenge.initial_data["pending_user_avatar"] = user.avatar
+        return challenge
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        """Return the challenge that the client should solve"""
+        raise NotImplementedError
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        """Callback when the challenge has the correct format"""
+        raise NotImplementedError
+
+    def challenge_invalid(self, response: ChallengeResponse) -> HttpResponse:
+        """Callback when the challenge has the incorrect format"""
+        challenge_response = self._get_challenge()
+        full_errors = {}
+        for field, errors in response.errors.items():
+            for error in errors:
+                full_errors.setdefault(field, [])
+                full_errors[field].append(
+                    {
+                        "string": str(error),
+                        "code": error.code,
+                    }
+                )
+        challenge_response.initial_data["response_errors"] = full_errors
+        if not challenge_response.is_valid():
+            LOGGER.warning(challenge_response.errors)
+        return HttpChallengeResponse(challenge_response)
diff --git a/authentik/flows/templates/flows/shell.html b/authentik/flows/templates/flows/shell.html
index 2d23dbe17..0619493f5 100644
--- a/authentik/flows/templates/flows/shell.html
+++ b/authentik/flows/templates/flows/shell.html
@@ -6,27 +6,15 @@
 {% block head %}
 {{ block.super }}
 <style>
-.ak-loading,
-.pf-c-login__main >iframe {
-    display: flex;
-    height: 100%;
-    width: 100%;
-    justify-content: center;
-    align-items: center;
-}
-.ak-hidden {
-    display: none
-}
 .pf-c-background-image::before {
     background-image: url("{{ background_url }}");
     background-position: center;
 }
 </style>
+<script src="{% static 'dist/flow.js' %}?v={{ ak_version }}" type="module"></script>
 {% endblock %}
 
 {% block main_container %}
-<ak-flow-shell-card
-    class="pf-c-login__main"
-    flowBodyUrl="{{ exec_url }}">
-</ak-flow-shell-card>
+<ak-flow-executor class="pf-c-login__main" flowSlug="{{ flow_slug }}">
+</ak-flow-executor>
 {% endblock %}
diff --git a/authentik/flows/tests/test_api.py b/authentik/flows/tests/test_api.py
index f242b95e8..e211b7118 100644
--- a/authentik/flows/tests/test_api.py
+++ b/authentik/flows/tests/test_api.py
@@ -1,5 +1,5 @@
 """API flow tests"""
-from django.shortcuts import reverse
+from django.urls import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.models import User
diff --git a/authentik/flows/tests/test_planner.py b/authentik/flows/tests/test_planner.py
index 415f773f7..9eb60a112 100644
--- a/authentik/flows/tests/test_planner.py
+++ b/authentik/flows/tests/test_planner.py
@@ -4,8 +4,8 @@ from unittest.mock import MagicMock, Mock, PropertyMock, patch
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.cache import cache
 from django.http import HttpRequest
-from django.shortcuts import reverse
 from django.test import RequestFactory, TestCase
+from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user
 
 from authentik.core.models import User
@@ -43,7 +43,7 @@ class TestFlowPlanner(TestCase):
             designation=FlowDesignation.AUTHENTICATION,
         )
         request = self.request_factory.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         request.user = get_anonymous_user()
 
@@ -63,7 +63,7 @@ class TestFlowPlanner(TestCase):
             designation=FlowDesignation.AUTHENTICATION,
         )
         request = self.request_factory.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         request.user = get_anonymous_user()
 
@@ -83,7 +83,7 @@ class TestFlowPlanner(TestCase):
             target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
         )
         request = self.request_factory.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         request.user = get_anonymous_user()
 
@@ -112,7 +112,7 @@ class TestFlowPlanner(TestCase):
 
         user = User.objects.create(username="test-user")
         request = self.request_factory.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         request.user = user
         planner = FlowPlanner(flow)
@@ -136,7 +136,7 @@ class TestFlowPlanner(TestCase):
         )
 
         request = self.request_factory.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         request.user = get_anonymous_user()
 
@@ -167,7 +167,7 @@ class TestFlowPlanner(TestCase):
         PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
 
         request = self.request_factory.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         request.user = get_anonymous_user()
 
diff --git a/authentik/flows/tests/test_views.py b/authentik/flows/tests/test_views.py
index a89bea69e..0c59dbf77 100644
--- a/authentik/flows/tests/test_views.py
+++ b/authentik/flows/tests/test_views.py
@@ -2,12 +2,13 @@
 from unittest.mock import MagicMock, PropertyMock, patch
 
 from django.http import HttpRequest, HttpResponse
-from django.shortcuts import reverse
 from django.test import TestCase
 from django.test.client import RequestFactory
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
+from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
@@ -62,9 +63,7 @@ class TestFlowExecutor(TestCase):
         cancel_mock = MagicMock()
         with patch("authentik.flows.views.FlowExecutorView.cancel", cancel_mock):
             response = self.client.get(
-                reverse(
-                    "authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}
-                ),
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
             )
             self.assertEqual(response.status_code, 302)
             self.assertEqual(cancel_mock.call_count, 2)
@@ -87,7 +86,7 @@ class TestFlowExecutor(TestCase):
 
         CONFIG.update_from_dict({"domain": "testserver"})
         response = self.client.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         self.assertEqual(response.status_code, 200)
         self.assertIsInstance(response, AccessDeniedResponse)
@@ -107,7 +106,7 @@ class TestFlowExecutor(TestCase):
 
         CONFIG.update_from_dict({"domain": "testserver"})
         response = self.client.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, reverse("authentik_core:shell"))
@@ -126,7 +125,7 @@ class TestFlowExecutor(TestCase):
 
         CONFIG.update_from_dict({"domain": "testserver"})
         dest = "/unique-string"
-        url = reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug})
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
         response = self.client.get(url + f"?{NEXT_ARG_NAME}={dest}")
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, reverse("authentik_core:shell"))
@@ -146,7 +145,7 @@ class TestFlowExecutor(TestCase):
         )
 
         exec_url = reverse(
-            "authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+            "authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}
         )
         # First Request, start planning, renders form
         response = self.client.get(exec_url)
@@ -196,7 +195,7 @@ class TestFlowExecutor(TestCase):
         ):
 
             exec_url = reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}
             )
             # First request, run the planner
             response = self.client.get(exec_url)
@@ -250,7 +249,7 @@ class TestFlowExecutor(TestCase):
         ):
 
             exec_url = reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}
             )
             # First request, run the planner
             response = self.client.get(exec_url)
@@ -284,7 +283,7 @@ class TestFlowExecutor(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
     def test_reevaluate_keep(self):
@@ -317,7 +316,7 @@ class TestFlowExecutor(TestCase):
         ):
 
             exec_url = reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}
             )
             # First request, run the planner
             response = self.client.get(exec_url)
@@ -361,7 +360,7 @@ class TestFlowExecutor(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
     def test_reevaluate_remove_consecutive(self):
@@ -401,12 +400,19 @@ class TestFlowExecutor(TestCase):
         ):
 
             exec_url = reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}
             )
             # First request, run the planner
             response = self.client.get(exec_url)
             self.assertEqual(response.status_code, 200)
-            self.assertIn("dummy1", force_str(response.content))
+            self.assertJSONEqual(
+                force_str(response.content),
+                {
+                    "type": ChallengeTypes.native.value,
+                    "component": "",
+                    "title": binding.stage.name,
+                },
+            )
 
             plan: FlowPlan = self.client.session[SESSION_KEY_PLAN]
 
@@ -429,7 +435,14 @@ class TestFlowExecutor(TestCase):
         # but it won't save it, hence we cant' check the plan
         response = self.client.get(exec_url)
         self.assertEqual(response.status_code, 200)
-        self.assertIn("dummy4", force_str(response.content))
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "type": ChallengeTypes.native.value,
+                "component": "",
+                "title": binding4.stage.name,
+            },
+        )
 
         # fourth request, this confirms the last stage (dummy4)
         # We do this request without the patch, so the policy results in false
@@ -437,7 +450,7 @@ class TestFlowExecutor(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
     def test_stageview_user_identifier(self):
@@ -455,7 +468,7 @@ class TestFlowExecutor(TestCase):
 
         user = User.objects.create(username="test-user")
         request = self.request_factory.get(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
         request.user = user
         planner = FlowPlanner(flow)
@@ -468,4 +481,4 @@ class TestFlowExecutor(TestCase):
         executor.flow = flow
 
         stage_view = StageView(executor)
-        self.assertEqual(ident, stage_view.get_context_data()["user"].username)
+        self.assertEqual(ident, stage_view.get_pending_user().username)
diff --git a/authentik/flows/tests/test_views_helper.py b/authentik/flows/tests/test_views_helper.py
index 3a5af523f..c42fcdc66 100644
--- a/authentik/flows/tests/test_views_helper.py
+++ b/authentik/flows/tests/test_views_helper.py
@@ -1,6 +1,6 @@
 """flow views tests"""
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.flows.planner import FlowPlan
diff --git a/authentik/flows/transfer/common.py b/authentik/flows/transfer/common.py
index c3cd629d0..30b3b3bbb 100644
--- a/authentik/flows/transfer/common.py
+++ b/authentik/flows/transfer/common.py
@@ -1,5 +1,6 @@
 """transfer common classes"""
 from dataclasses import asdict, dataclass, field, is_dataclass
+from enum import Enum
 from typing import Any
 from uuid import UUID
 
@@ -74,6 +75,8 @@ class DataclassEncoder(DjangoJSONEncoder):
             return asdict(o)
         if isinstance(o, UUID):
             return str(o)
+        if isinstance(o, Enum):
+            return o.value
         return super().default(o)  # pragma: no cover
 
 
diff --git a/authentik/flows/urls.py b/authentik/flows/urls.py
index ad440097a..2c94ff3f4 100644
--- a/authentik/flows/urls.py
+++ b/authentik/flows/urls.py
@@ -1,12 +1,12 @@
 """flow urls"""
 from django.urls import path
+from django.views.decorators.csrf import ensure_csrf_cookie
 
 from authentik.flows.models import FlowDesignation
 from authentik.flows.views import (
     CancelView,
     ConfigureFlowInitView,
     FlowExecutorShellView,
-    FlowExecutorView,
     ToDefaultFlow,
 )
 
@@ -42,8 +42,9 @@ urlpatterns = [
         ConfigureFlowInitView.as_view(),
         name="configure",
     ),
-    path("b/<slug:flow_slug>/", FlowExecutorView.as_view(), name="flow-executor"),
     path(
-        "<slug:flow_slug>/", FlowExecutorShellView.as_view(), name="flow-executor-shell"
+        "<slug:flow_slug>/",
+        ensure_csrf_cookie(FlowExecutorShellView.as_view()),
+        name="flow-executor-shell",
     ),
 ]
diff --git a/authentik/flows/views.py b/authentik/flows/views.py
index a2af680c7..626dfe005 100644
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@@ -3,14 +3,8 @@ from traceback import format_tb
 from typing import Any, Optional
 
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.http import (
-    Http404,
-    HttpRequest,
-    HttpResponse,
-    HttpResponseRedirect,
-    JsonResponse,
-)
-from django.shortcuts import get_object_or_404, redirect, reverse
+from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect
+from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.utils.decorators import method_decorator
 from django.views.decorators.clickjacking import xframe_options_sameorigin
@@ -19,6 +13,12 @@ from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.core.models import USER_ATTRIBUTE_DEBUG
 from authentik.events.models import cleanse_dict
+from authentik.flows.challenge import (
+    ChallengeTypes,
+    HttpChallengeResponse,
+    RedirectChallenge,
+    ShellChallenge,
+)
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.models import ConfigurableStage, Flow, FlowDesignation, Stage
 from authentik.flows.planner import (
@@ -176,7 +176,7 @@ class FlowExecutorView(View):
                 reamining=len(self.plan.stages),
             )
             return redirect_with_qs(
-                "authentik_flows:flow-executor", self.request.GET, **self.kwargs
+                "authentik_api:flow-executor", self.request.GET, **self.kwargs
             )
         # User passed all stages
         self._logger.debug(
@@ -246,9 +246,7 @@ class FlowExecutorShellView(TemplateView):
     def get_context_data(self, **kwargs) -> dict[str, Any]:
         flow: Flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
         kwargs["background_url"] = flow.background.url
-        kwargs["exec_url"] = reverse(
-            "authentik_flows:flow-executor", kwargs=self.kwargs
-        )
+        kwargs["flow_slug"] = flow.slug
         self.request.session[SESSION_KEY_GET] = self.request.GET
         return kwargs
 
@@ -292,16 +290,30 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
     if isinstance(source, HttpResponseRedirect) or source.status_code == 302:
         redirect_url = source["Location"]
         if request.path != redirect_url:
-            return JsonResponse({"type": "redirect", "to": redirect_url})
+            return HttpChallengeResponse(
+                RedirectChallenge(
+                    {"type": ChallengeTypes.redirect, "to": str(redirect_url)}
+                )
+            )
         return source
     if isinstance(source, TemplateResponse):
-        return JsonResponse(
-            {"type": "template", "body": source.render().content.decode("utf-8")}
+        return HttpChallengeResponse(
+            ShellChallenge(
+                {
+                    "type": ChallengeTypes.shell,
+                    "body": source.render().content.decode("utf-8"),
+                }
+            )
         )
     # Check for actual HttpResponse (without isinstance as we dont want to check inheritance)
     if source.__class__ == HttpResponse:
-        return JsonResponse(
-            {"type": "template", "body": source.content.decode("utf-8")}
+        return HttpChallengeResponse(
+            ShellChallenge(
+                {
+                    "type": ChallengeTypes.shell,
+                    "body": source.content.decode("utf-8"),
+                }
+            )
         )
     return source
 
diff --git a/authentik/lib/templates/lib/arrayfield.html b/authentik/lib/templates/lib/arrayfield.html
deleted file mode 100644
index cba450c33..000000000
--- a/authentik/lib/templates/lib/arrayfield.html
+++ /dev/null
@@ -1,17 +0,0 @@
-{% load authentik_utils %}
-
-{% spaceless %}
-<div class="dynamic-array-widget">
-    {% for widget in widget.subwidgets %}
-    <div class="array-item input-group">
-        {% include widget.template_name %}
-        <div class="input-group-btn">
-            <button class="array-remove btn btn-danger" type="button">
-                <span class="pficon-delete"></span>
-            </button>
-        </div>
-    </div>
-    {% endfor %}
-    <div><button type="button" class="add-array-item btn btn-default">Add another</button></div>
-</div>
-{% endspaceless %}
diff --git a/authentik/lib/templatetags/authentik_utils.py b/authentik/lib/templatetags/authentik_utils.py
index ef20652a1..40fc8ef31 100644
--- a/authentik/lib/templatetags/authentik_utils.py
+++ b/authentik/lib/templatetags/authentik_utils.py
@@ -1,25 +1,15 @@
 """authentik lib Templatetags"""
-from hashlib import md5
-from urllib.parse import urlencode
 
 from django import template
 from django.db.models import Model
-from django.http.request import HttpRequest
 from django.template import Context
-from django.templatetags.static import static
-from django.utils.html import escape, mark_safe
 from structlog.stdlib import get_logger
 
-from authentik.core.models import User
-from authentik.lib.config import CONFIG
 from authentik.lib.utils.urls import is_url_absolute
 
 register = template.Library()
 LOGGER = get_logger()
 
-GRAVATAR_URL = "https://secure.gravatar.com"
-DEFAULT_AVATAR = static("authentik/user_default.png")
-
 
 @register.simple_tag(takes_context=True)
 def back(context: Context) -> str:
@@ -46,38 +36,12 @@ def fieldtype(field):
     return field.__class__.__name__
 
 
-@register.simple_tag
-def config(path, default=""):
-    """Get a setting from the database. Returns default is setting doesn't exist."""
-    return CONFIG.y(path, default)
-
-
 @register.filter(name="css_class")
 def css_class(field, css):
     """Add css class to form field"""
     return field.as_widget(attrs={"class": css})
 
 
-@register.simple_tag
-def avatar(user: User) -> str:
-    """Get avatar, depending on authentik.avatar setting"""
-    mode = CONFIG.raw.get("authentik").get("avatars")
-    if mode == "none":
-        return DEFAULT_AVATAR
-    if mode == "gravatar":
-        parameters = [
-            ("s", "158"),
-            ("r", "g"),
-        ]
-        # gravatar uses md5 for their URLs, so md5 can't be avoided
-        mail_hash = md5(user.email.encode("utf-8")).hexdigest()  # nosec
-        gravatar_url = (
-            f"{GRAVATAR_URL}/avatar/{mail_hash}?{urlencode(parameters, doseq=True)}"
-        )
-        return escape(gravatar_url)
-    raise ValueError(f"Invalid avatar mode {mode}")
-
-
 @register.filter
 def verbose_name(obj) -> str:
     """Return Object's Verbose Name"""
@@ -94,21 +58,3 @@ def form_verbose_name(obj) -> str:
     if not obj:
         return ""
     return verbose_name(obj._meta.model)
-
-
-@register.filter
-def doc(obj) -> str:
-    """Return docstring of object"""
-    return mark_safe(obj.__doc__.replace("\n", "<br>"))
-
-
-@register.simple_tag(takes_context=True)
-def query_transform(context: Context, **kwargs) -> str:
-    """Append objects to the current querystring"""
-    if "request" not in context:
-        return ""
-    request: HttpRequest = context["request"]
-    updated = request.GET.copy()
-    for key, value in kwargs.items():
-        updated[key] = value
-    return updated.urlencode()
diff --git a/authentik/lib/utils/ui.py b/authentik/lib/utils/ui.py
deleted file mode 100644
index e6ba76cba..000000000
--- a/authentik/lib/utils/ui.py
+++ /dev/null
@@ -1,11 +0,0 @@
-"""authentik UI utils"""
-from typing import Any
-
-
-def human_list(_list: list[Any]) -> str:
-    """Convert a list of items into 'a, b or c'"""
-    last_item = _list.pop()
-    if len(_list) < 1:
-        return last_item
-    result = ", ".join(_list)
-    return "%s or %s" % (result, last_item)
diff --git a/authentik/outposts/api/outpost_service_connections.py b/authentik/outposts/api/outpost_service_connections.py
index 1a5c7d947..d8ed4bd7d 100644
--- a/authentik/outposts/api/outpost_service_connections.py
+++ b/authentik/outposts/api/outpost_service_connections.py
@@ -2,7 +2,7 @@
 from dataclasses import asdict
 
 from django.db.models.base import Model
-from django.shortcuts import reverse
+from django.urls import reverse
 from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, SerializerMethodField
diff --git a/authentik/outposts/api/outposts.py b/authentik/outposts/api/outposts.py
index 9ab0ae326..f908e14ff 100644
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@@ -59,6 +59,7 @@ class OutpostViewSet(ModelViewSet):
         "name",
         "providers__name",
     ]
+    ordering = ["name"]
 
     @swagger_auto_schema(responses={200: OutpostHealthSerializer(many=True)})
     @action(methods=["GET"], detail=True)
diff --git a/authentik/policies/api.py b/authentik/policies/api.py
index 9b480d6b6..75a8fa6ab 100644
--- a/authentik/policies/api.py
+++ b/authentik/policies/api.py
@@ -1,7 +1,7 @@
 """policy API Views"""
 from django.core.cache import cache
 from django.core.exceptions import ObjectDoesNotExist
-from django.shortcuts import reverse
+from django.urls import reverse
 from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.request import Request
diff --git a/authentik/policies/event_matcher/migrations/0010_auto_20210222_1821.py b/authentik/policies/event_matcher/migrations/0010_auto_20210222_1821.py
new file mode 100644
index 000000000..0701aaf20
--- /dev/null
+++ b/authentik/policies/event_matcher/migrations/0010_auto_20210222_1821.py
@@ -0,0 +1,86 @@
+# Generated by Django 3.1.6 on 2021-02-22 18:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_policies_event_matcher", "0009_auto_20210215_2159"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="eventmatcherpolicy",
+            name="app",
+            field=models.TextField(
+                blank=True,
+                choices=[
+                    ("authentik.admin", "authentik Admin"),
+                    ("authentik.api", "authentik API"),
+                    ("authentik.events", "authentik Events"),
+                    ("authentik.crypto", "authentik Crypto"),
+                    ("authentik.flows", "authentik Flows"),
+                    ("authentik.outposts", "authentik Outpost"),
+                    ("authentik.lib", "authentik lib"),
+                    ("authentik.policies", "authentik Policies"),
+                    ("authentik.policies.dummy", "authentik Policies.Dummy"),
+                    (
+                        "authentik.policies.event_matcher",
+                        "authentik Policies.Event Matcher",
+                    ),
+                    ("authentik.policies.expiry", "authentik Policies.Expiry"),
+                    ("authentik.policies.expression", "authentik Policies.Expression"),
+                    (
+                        "authentik.policies.group_membership",
+                        "authentik Policies.Group Membership",
+                    ),
+                    ("authentik.policies.hibp", "authentik Policies.HaveIBeenPwned"),
+                    ("authentik.policies.password", "authentik Policies.Password"),
+                    ("authentik.policies.reputation", "authentik Policies.Reputation"),
+                    ("authentik.providers.proxy", "authentik Providers.Proxy"),
+                    ("authentik.providers.oauth2", "authentik Providers.OAuth2"),
+                    ("authentik.providers.saml", "authentik Providers.SAML"),
+                    ("authentik.recovery", "authentik Recovery"),
+                    ("authentik.sources.ldap", "authentik Sources.LDAP"),
+                    ("authentik.sources.oauth", "authentik Sources.OAuth"),
+                    ("authentik.sources.saml", "authentik Sources.SAML"),
+                    (
+                        "authentik.stages.authenticator_static",
+                        "authentik Stages.Authenticator.Static",
+                    ),
+                    (
+                        "authentik.stages.authenticator_totp",
+                        "authentik Stages.Authenticator.TOTP",
+                    ),
+                    (
+                        "authentik.stages.authenticator_validate",
+                        "authentik Stages.Authenticator.Validate",
+                    ),
+                    (
+                        "authentik.stages.authenticator_webauthn",
+                        "authentik Stages.Authenticator.WebAuthn",
+                    ),
+                    ("authentik.stages.captcha", "authentik Stages.Captcha"),
+                    ("authentik.stages.consent", "authentik Stages.Consent"),
+                    ("authentik.stages.dummy", "authentik Stages.Dummy"),
+                    ("authentik.stages.email", "authentik Stages.Email"),
+                    (
+                        "authentik.stages.identification",
+                        "authentik Stages.Identification",
+                    ),
+                    ("authentik.stages.invitation", "authentik Stages.User Invitation"),
+                    ("authentik.stages.password", "authentik Stages.Password"),
+                    ("authentik.stages.prompt", "authentik Stages.Prompt"),
+                    ("authentik.stages.user_delete", "authentik Stages.User Delete"),
+                    ("authentik.stages.user_login", "authentik Stages.User Login"),
+                    ("authentik.stages.user_logout", "authentik Stages.User Logout"),
+                    ("authentik.stages.user_write", "authentik Stages.User Write"),
+                    ("authentik.managed", "authentik Managed"),
+                    ("authentik.core", "authentik Core"),
+                ],
+                default="",
+                help_text="Match events created by selected application. When left empty, all applications are matched.",
+            ),
+        ),
+    ]
diff --git a/authentik/providers/oauth2/api.py b/authentik/providers/oauth2/api.py
index 13edd2c66..7e6ef24ee 100644
--- a/authentik/providers/oauth2/api.py
+++ b/authentik/providers/oauth2/api.py
@@ -1,5 +1,5 @@
 """OAuth2Provider API Views"""
-from django.shortcuts import reverse
+from django.urls import reverse
 from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
diff --git a/authentik/providers/oauth2/templates/providers/oauth2/consent.html b/authentik/providers/oauth2/templates/providers/oauth2/consent.html
deleted file mode 100644
index 6dea2e852..000000000
--- a/authentik/providers/oauth2/templates/providers/oauth2/consent.html
+++ /dev/null
@@ -1,20 +0,0 @@
-{% extends 'login/form_with_user.html' %}
-
-{% load i18n %}
-
-{% block beneath_form %}
-<div class="pf-c-form__group">
-    <p>
-        {% blocktrans with name=context.application.name %}
-        You're about to sign into <strong id="application-name">{{ name }}</strong>.
-        {% endblocktrans %}
-    </p>
-    <p>{% trans "Application requires following permissions" %}</p>
-    <ul class="pf-c-list" id="scopes">
-        {% for scope_name, description in context.scope_descriptions.items %}
-        <li id="scope-{{ scope_name }}">{{ description }}</li>
-        {% endfor %}
-    </ul>
-    {{ hidden_inputs }}
-</div>
-{% endblock %}
diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index aacafb8f4..f943e7b18 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -9,6 +9,7 @@ from django.http import HttpRequest, HttpResponse
 from django.http.response import Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.utils import timezone
+from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
 from authentik.core.models import Application
@@ -48,14 +49,14 @@ from authentik.providers.oauth2.models import (
 from authentik.providers.oauth2.views.userinfo import UserInfoView
 from authentik.stages.consent.models import ConsentMode, ConsentStage
 from authentik.stages.consent.stage import (
-    PLAN_CONTEXT_CONSENT_TEMPLATE,
+    PLAN_CONTEXT_CONSENT_HEADER,
+    PLAN_CONTEXT_CONSENT_PERMISSIONS,
     ConsentStageView,
 )
 
 LOGGER = get_logger()
 
 PLAN_CONTEXT_PARAMS = "params"
-PLAN_CONTEXT_SCOPE_DESCRIPTIONS = "scope_descriptions"
 SESSION_NEEDS_LOGIN = "authentik_oauth2_needs_login"
 
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSNET, PROMPT_LOGIN}
@@ -232,7 +233,9 @@ class OAuthFulfillmentStage(StageView):
     params: OAuthAuthorizationParams
     provider: OAuth2Provider
 
+    # pylint: disable=unused-argument
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """final Stage of an OAuth2 Flow"""
         self.params: OAuthAuthorizationParams = self.executor.plan.context.pop(
             PLAN_CONTEXT_PARAMS
         )
@@ -432,6 +435,7 @@ class AuthorizationFlowInitView(PolicyAccessView):
         planner = FlowPlanner(self.provider.authorization_flow)
         # planner.use_cache = False
         planner.allow_empty_flows = True
+        scope_descriptions = UserInfoView().get_scope_descriptions(self.params.scope)
         plan: FlowPlan = planner.plan(
             self.request,
             {
@@ -439,11 +443,12 @@ class AuthorizationFlowInitView(PolicyAccessView):
                 PLAN_CONTEXT_APPLICATION: self.application,
                 # OAuth2 related params
                 PLAN_CONTEXT_PARAMS: self.params,
-                PLAN_CONTEXT_SCOPE_DESCRIPTIONS: UserInfoView().get_scope_descriptions(
-                    self.params.scope
-                ),
                 # Consent related params
-                PLAN_CONTEXT_CONSENT_TEMPLATE: "providers/oauth2/consent.html",
+                PLAN_CONTEXT_CONSENT_HEADER: _(
+                    "You're about to sign into %(application)s."
+                )
+                % {"application": self.application.name},
+                PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
             },
         )
         # OpenID clients can specify a `prompt` parameter, and if its set to consent we
diff --git a/authentik/providers/oauth2/views/userinfo.py b/authentik/providers/oauth2/views/userinfo.py
index 22dabbf5f..1c9160dcf 100644
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@@ -22,14 +22,16 @@ class UserInfoView(View):
     """Create a dictionary with all the requested claims about the End-User.
     See: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse"""
 
-    def get_scope_descriptions(self, scopes: list[str]) -> dict[str, str]:
+    def get_scope_descriptions(self, scopes: list[str]) -> list[dict[str, str]]:
         """Get a list of all Scopes's descriptions"""
-        scope_descriptions = {}
+        scope_descriptions = []
         for scope in ScopeMapping.objects.filter(scope_name__in=scopes).order_by(
             "scope_name"
         ):
             if scope.description != "":
-                scope_descriptions[scope.scope_name] = scope.description
+                scope_descriptions.append(
+                    {"id": scope.scope_name, "name": scope.description}
+                )
         # GitHub Compatibility Scopes are handeled differently, since they required custom paths
         # Hence they don't exist as Scope objects
         github_scope_map = {
@@ -44,7 +46,9 @@ class UserInfoView(View):
         }
         for scope in scopes:
             if scope in github_scope_map:
-                scope_descriptions[scope] = github_scope_map[scope]
+                scope_descriptions.append(
+                    {"id": scope, "name": github_scope_map[scope]}
+                )
         return scope_descriptions
 
     def get_claims(self, token: RefreshToken) -> dict[str, Any]:
diff --git a/authentik/providers/proxy/api.py b/authentik/providers/proxy/api.py
index 40ac49bea..f9374c0b5 100644
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@@ -67,6 +67,7 @@ class ProxyProviderViewSet(ModelViewSet):
 
     queryset = ProxyProvider.objects.all()
     serializer_class = ProxyProviderSerializer
+    ordering = ["name"]
 
 
 class ProxyOutpostConfigSerializer(ModelSerializer):
@@ -115,3 +116,4 @@ class ProxyOutpostConfigViewSet(ModelViewSet):
 
     queryset = ProxyProvider.objects.filter(application__isnull=False)
     serializer_class = ProxyOutpostConfigSerializer
+    ordering = ["name"]
diff --git a/authentik/providers/saml/processors/metadata.py b/authentik/providers/saml/processors/metadata.py
index 218dad17e..32edb7d15 100644
--- a/authentik/providers/saml/processors/metadata.py
+++ b/authentik/providers/saml/processors/metadata.py
@@ -3,7 +3,7 @@ from typing import Iterator, Optional
 
 import xmlsec  # nosec
 from django.http import HttpRequest
-from django.shortcuts import reverse
+from django.urls import reverse
 from lxml.etree import Element, SubElement, tostring  # nosec
 
 from authentik.providers.saml.models import SAMLProvider
diff --git a/authentik/providers/saml/templates/providers/saml/consent.html b/authentik/providers/saml/templates/providers/saml/consent.html
deleted file mode 100644
index 0618a3c94..000000000
--- a/authentik/providers/saml/templates/providers/saml/consent.html
+++ /dev/null
@@ -1,14 +0,0 @@
-{% extends 'login/form_with_user.html' %}
-
-{% load i18n %}
-
-{% block beneath_form %}
-<div class="pf-c-form__group">
-    <p>
-        {% blocktrans with name=context.application.name %}
-        You're about to sign into <strong id="application-name">{{ name }}</strong>.
-        {% endblocktrans %}
-    </p>
-    {{ hidden_inputs }}
-</div>
-{% endblock %}
diff --git a/authentik/providers/saml/views/flows.py b/authentik/providers/saml/views/flows.py
index eb0b08d63..2cd2758bc 100644
--- a/authentik/providers/saml/views/flows.py
+++ b/authentik/providers/saml/views/flows.py
@@ -1,15 +1,17 @@
 """authentik SAML IDP Views"""
 from django.core.validators import URLValidator
 from django.http import HttpRequest, HttpResponse
-from django.shortcuts import get_object_or_404, redirect, render
+from django.http.response import HttpResponseBadRequest
+from django.shortcuts import get_object_or_404, redirect
 from django.utils.http import urlencode
-from django.utils.translation import gettext_lazy as _
+from rest_framework.fields import CharField, DictField
 from structlog.stdlib import get_logger
 
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
+from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION
-from authentik.flows.stage import StageView
+from authentik.flows.stage import ChallengeStageView
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
@@ -27,10 +29,17 @@ REQUEST_KEY_RELAY_STATE = "RelayState"
 SESSION_KEY_AUTH_N_REQUEST = "authn_request"
 
 
+class AutosubmitChallenge(Challenge):
+    """Autosubmit challenge used to send and navigate a POST request"""
+
+    url = CharField()
+    attrs = DictField(child=CharField())
+
+
 # This View doesn't have a URL on purpose, as its called by the FlowExecutor
-class SAMLFlowFinalView(StageView):
+class SAMLFlowFinalView(ChallengeStageView):
     """View used by FlowExecutor after all stages have passed. Logs the authorization,
-    and redirects to the SP (if REDIRECT is configured) or shows and auto-submit for
+    and redirects to the SP (if REDIRECT is configured) or shows an auto-submit element
     (if POST is configured)."""
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
@@ -62,12 +71,13 @@ class SAMLFlowFinalView(StageView):
             }
             if auth_n_request.relay_state:
                 form_attrs[REQUEST_KEY_RELAY_STATE] = auth_n_request.relay_state
-            return render(
+            return super().get(
                 self.request,
-                "generic/autosubmit_form.html",
-                {
+                **{
+                    "type": ChallengeTypes.native,
+                    "component": "ak-stage-autosubmit",
+                    "title": "Redirecting to %(app)s..." % {"app": application.name},
                     "url": provider.acs_url,
-                    "title": _("Redirecting to %(app)s..." % {"app": application.name}),
                     "attrs": form_attrs,
                 },
             )
@@ -80,3 +90,10 @@ class SAMLFlowFinalView(StageView):
             querystring = urlencode(url_args)
             return redirect(f"{provider.acs_url}?{querystring}")
         return bad_request_message(request, "Invalid sp_binding specified")
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        return AutosubmitChallenge(data=kwargs)
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        # We'll never get here since the challenge redirects to the SP
+        return HttpResponseBadRequest()
diff --git a/authentik/providers/saml/views/sso.py b/authentik/providers/saml/views/sso.py
index 7eea5d9ae..ae869ca47 100644
--- a/authentik/providers/saml/views/sso.py
+++ b/authentik/providers/saml/views/sso.py
@@ -4,6 +4,7 @@ from typing import Optional
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404
 from django.utils.decorators import method_decorator
+from django.utils.translation import gettext as _
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
@@ -31,7 +32,10 @@ from authentik.providers.saml.views.flows import (
     SESSION_KEY_AUTH_N_REQUEST,
     SAMLFlowFinalView,
 )
-from authentik.stages.consent.stage import PLAN_CONTEXT_CONSENT_TEMPLATE
+from authentik.stages.consent.stage import (
+    PLAN_CONTEXT_CONSENT_HEADER,
+    PLAN_CONTEXT_CONSENT_PERMISSIONS,
+)
 
 LOGGER = get_logger()
 
@@ -68,7 +72,11 @@ class SAMLSSOView(PolicyAccessView):
             {
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_APPLICATION: self.application,
-                PLAN_CONTEXT_CONSENT_TEMPLATE: "providers/saml/consent.html",
+                PLAN_CONTEXT_CONSENT_HEADER: _(
+                    "You're about to sign into %(application)s."
+                )
+                % {"application": self.application.name},
+                PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
             },
         )
         plan.append(in_memory_stage(SAMLFlowFinalView))
diff --git a/authentik/recovery/tests.py b/authentik/recovery/tests.py
index 39406d49d..4357a7c80 100644
--- a/authentik/recovery/tests.py
+++ b/authentik/recovery/tests.py
@@ -2,8 +2,8 @@
 from io import StringIO
 
 from django.core.management import call_command
-from django.shortcuts import reverse
 from django.test import TestCase
+from django.urls import reverse
 
 from authentik.core.models import Token, TokenIntents, User
 
diff --git a/authentik/root/messages/storage.py b/authentik/root/messages/storage.py
index 33710b823..0999c276c 100644
--- a/authentik/root/messages/storage.py
+++ b/authentik/root/messages/storage.py
@@ -18,8 +18,6 @@ class ChannelsStorage(FallbackStorage):
     def _store(self, messages: list[Message], response, *args, **kwargs):
         prefix = f"user_{self.request.session.session_key}_messages_"
         keys = cache.keys(f"{prefix}*")
-        if len(keys) < 1:
-            return super()._store(messages, response, *args, **kwargs)
         for key in keys:
             uid = key.replace(prefix, "")
             for message in messages:
@@ -32,4 +30,3 @@ class ChannelsStorage(FallbackStorage):
                         "message": message.message,
                     },
                 )
-        return None
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 8197138f7..ebb503edb 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -108,22 +108,22 @@ INSTALLED_APPS = [
     "authentik.sources.ldap.apps.AuthentikSourceLDAPConfig",
     "authentik.sources.oauth.apps.AuthentikSourceOAuthConfig",
     "authentik.sources.saml.apps.AuthentikSourceSAMLConfig",
-    "authentik.stages.captcha.apps.AuthentikStageCaptchaConfig",
-    "authentik.stages.consent.apps.AuthentikStageConsentConfig",
-    "authentik.stages.dummy.apps.AuthentikStageDummyConfig",
-    "authentik.stages.email.apps.AuthentikStageEmailConfig",
-    "authentik.stages.prompt.apps.AuthentikStagPromptConfig",
-    "authentik.stages.identification.apps.AuthentikStageIdentificationConfig",
-    "authentik.stages.invitation.apps.AuthentikStageUserInvitationConfig",
-    "authentik.stages.user_delete.apps.AuthentikStageUserDeleteConfig",
-    "authentik.stages.user_login.apps.AuthentikStageUserLoginConfig",
-    "authentik.stages.user_logout.apps.AuthentikStageUserLogoutConfig",
-    "authentik.stages.user_write.apps.AuthentikStageUserWriteConfig",
     "authentik.stages.authenticator_static.apps.AuthentikStageAuthenticatorStaticConfig",
     "authentik.stages.authenticator_totp.apps.AuthentikStageAuthenticatorTOTPConfig",
     "authentik.stages.authenticator_validate.apps.AuthentikStageAuthenticatorValidateConfig",
     "authentik.stages.authenticator_webauthn.apps.AuthentikStageAuthenticatorWebAuthnConfig",
+    "authentik.stages.captcha.apps.AuthentikStageCaptchaConfig",
+    "authentik.stages.consent.apps.AuthentikStageConsentConfig",
+    "authentik.stages.dummy.apps.AuthentikStageDummyConfig",
+    "authentik.stages.email.apps.AuthentikStageEmailConfig",
+    "authentik.stages.identification.apps.AuthentikStageIdentificationConfig",
+    "authentik.stages.invitation.apps.AuthentikStageUserInvitationConfig",
     "authentik.stages.password.apps.AuthentikStagePasswordConfig",
+    "authentik.stages.prompt.apps.AuthentikStagePromptConfig",
+    "authentik.stages.user_delete.apps.AuthentikStageUserDeleteConfig",
+    "authentik.stages.user_login.apps.AuthentikStageUserLoginConfig",
+    "authentik.stages.user_logout.apps.AuthentikStageUserLogoutConfig",
+    "authentik.stages.user_write.apps.AuthentikStageUserWriteConfig",
     "rest_framework",
     "django_filters",
     "drf_yasg2",
@@ -470,8 +470,6 @@ for _app in INSTALLED_APPS:
             pass
 
 if DEBUG:
-    INSTALLED_APPS.append("debug_toolbar")
-    MIDDLEWARE.append("debug_toolbar.middleware.DebugToolbarMiddleware")
     CELERY_TASK_ALWAYS_EAGER = True
 
 INSTALLED_APPS.append("authentik.core.apps.AuthentikCoreConfig")
diff --git a/authentik/root/tests.py b/authentik/root/tests.py
index e8021c617..94ae0a5cf 100644
--- a/authentik/root/tests.py
+++ b/authentik/root/tests.py
@@ -2,8 +2,8 @@
 from base64 import b64encode
 
 from django.conf import settings
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 
 
 class TestRoot(TestCase):
diff --git a/authentik/root/urls.py b/authentik/root/urls.py
index f920680c0..5b9d77ddb 100644
--- a/authentik/root/urls.py
+++ b/authentik/root/urls.py
@@ -63,13 +63,9 @@ urlpatterns += [
 ]
 
 if settings.DEBUG:
-    import debug_toolbar
 
     urlpatterns = (
-        [
-            path("-/debug/", include(debug_toolbar.urls)),
-        ]
-        + static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
+        static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
         + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
         + urlpatterns
     )
diff --git a/authentik/sources/oauth/models.py b/authentik/sources/oauth/models.py
index f01728889..af232e976 100644
--- a/authentik/sources/oauth/models.py
+++ b/authentik/sources/oauth/models.py
@@ -3,7 +3,8 @@ from typing import Optional, Type
 
 from django.db import models
 from django.forms import ModelForm
-from django.urls import reverse, reverse_lazy
+from django.templatetags.static import static
+from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 
@@ -56,11 +57,11 @@ class OAuthSource(Source):
     @property
     def ui_login_button(self) -> UILoginButton:
         return UILoginButton(
-            url=reverse_lazy(
+            url=reverse(
                 "authentik_sources_oauth:oauth-client-login",
                 kwargs={"source_slug": self.slug},
             ),
-            icon_path=f"authentik/sources/{self.provider_type}.svg",
+            icon_url=static(f"authentik/sources/{self.provider_type}.svg"),
             name=self.name,
         )
 
diff --git a/authentik/sources/oauth/tests/test_views.py b/authentik/sources/oauth/tests/test_views.py
index ec4f44eec..9478902ab 100644
--- a/authentik/sources/oauth/tests/test_views.py
+++ b/authentik/sources/oauth/tests/test_views.py
@@ -1,6 +1,6 @@
 """OAuth Source tests"""
-from django.shortcuts import reverse
 from django.test import TestCase
+from django.urls import reverse
 
 from authentik.sources.oauth.models import OAuthSource
 
diff --git a/authentik/sources/oauth/views/flows.py b/authentik/sources/oauth/views/flows.py
index fbcba821e..1dc239aed 100644
--- a/authentik/sources/oauth/views/flows.py
+++ b/authentik/sources/oauth/views/flows.py
@@ -14,7 +14,9 @@ class PostUserEnrollmentStage(StageView):
     """Dynamically injected stage which saves the OAuth Connection after
     the user has been enrolled."""
 
+    # pylint: disable=unused-argument
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Stage used after the user has been enrolled"""
         access: UserOAuthSourceConnection = self.executor.plan.context[
             PLAN_CONTEXT_SOURCES_OAUTH_ACCESS
         ]
diff --git a/authentik/sources/saml/models.py b/authentik/sources/saml/models.py
index b4398cb98..007cc89fc 100644
--- a/authentik/sources/saml/models.py
+++ b/authentik/sources/saml/models.py
@@ -4,8 +4,7 @@ from typing import Type
 from django.db import models
 from django.forms import ModelForm
 from django.http import HttpRequest
-from django.shortcuts import reverse
-from django.urls import reverse_lazy
+from django.urls import reverse, reverse_lazy
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 
@@ -166,10 +165,9 @@ class SAMLSource(Source):
     def ui_login_button(self) -> UILoginButton:
         return UILoginButton(
             name=self.name,
-            url=reverse_lazy(
+            url=reverse(
                 "authentik_sources_saml:login", kwargs={"source_slug": self.slug}
             ),
-            icon_path="",
         )
 
     @property
diff --git a/authentik/stages/authenticator_static/forms.py b/authentik/stages/authenticator_static/forms.py
index 9195c84fd..95e6b3447 100644
--- a/authentik/stages/authenticator_static/forms.py
+++ b/authentik/stages/authenticator_static/forms.py
@@ -1,31 +1,9 @@
 """Static Authenticator forms"""
 from django import forms
-from django.utils.safestring import mark_safe
 
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 
 
-class StaticTokenWidget(forms.widgets.Widget):
-    """Widget to render tokens as multiple labels"""
-
-    def render(self, name, value, attrs=None, renderer=None):
-        final_string = '<ul class="ak-otp-tokens">'
-        for token in value:
-            final_string += f"<li>{token.token}</li>"
-        final_string += "</ul>"
-        return mark_safe(final_string)  # nosec
-
-
-class SetupForm(forms.Form):
-    """Form to setup Static OTP"""
-
-    tokens = forms.CharField(widget=StaticTokenWidget, disabled=True, required=False)
-
-    def __init__(self, tokens, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.fields["tokens"].initial = tokens
-
-
 class AuthenticatorStaticStageForm(forms.ModelForm):
     """Static Authenticator Stage setup form"""
 
diff --git a/authentik/stages/authenticator_static/models.py b/authentik/stages/authenticator_static/models.py
index aa76a955b..8184f3c27 100644
--- a/authentik/stages/authenticator_static/models.py
+++ b/authentik/stages/authenticator_static/models.py
@@ -3,7 +3,7 @@ from typing import Optional, Type
 
 from django.db import models
 from django.forms import ModelForm
-from django.shortcuts import reverse
+from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer
diff --git a/authentik/stages/authenticator_static/stage.py b/authentik/stages/authenticator_static/stage.py
index 839ad8afb..caa5ad6d2 100644
--- a/authentik/stages/authenticator_static/stage.py
+++ b/authentik/stages/authenticator_static/stage.py
@@ -1,14 +1,16 @@
 """Static OTP Setup stage"""
-from typing import Any
-
 from django.http import HttpRequest, HttpResponse
-from django.views.generic import FormView
 from django_otp.plugins.otp_static.models import StaticDevice, StaticToken
+from rest_framework.fields import CharField, ListField
 from structlog.stdlib import get_logger
 
+from authentik.flows.challenge import (
+    ChallengeResponse,
+    ChallengeTypes,
+    WithUserInfoChallenge,
+)
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.stage import StageView
-from authentik.stages.authenticator_static.forms import SetupForm
+from authentik.flows.stage import ChallengeStageView
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 
 LOGGER = get_logger()
@@ -16,16 +18,24 @@ SESSION_STATIC_DEVICE = "static_device"
 SESSION_STATIC_TOKENS = "static_device_tokens"
 
 
-class AuthenticatorStaticStageView(FormView, StageView):
+class AuthenticatorStaticChallenge(WithUserInfoChallenge):
+    """Static authenticator challenge"""
+
+    codes = ListField(child=CharField())
+
+
+class AuthenticatorStaticStageView(ChallengeStageView):
     """Static OTP Setup stage"""
 
-    form_class = SetupForm
-
-    def get_form_kwargs(self, **kwargs) -> dict[str, Any]:
-        kwargs = super().get_form_kwargs(**kwargs)
-        tokens = self.request.session[SESSION_STATIC_TOKENS]
-        kwargs["tokens"] = tokens
-        return kwargs
+    def get_challenge(self, *args, **kwargs) -> AuthenticatorStaticChallenge:
+        tokens: list[StaticToken] = self.request.session[SESSION_STATIC_TOKENS]
+        return AuthenticatorStaticChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-authenticator-static",
+                "codes": [token.token for token in tokens],
+            }
+        )
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
@@ -51,7 +61,7 @@ class AuthenticatorStaticStageView(FormView, StageView):
             self.request.session[SESSION_STATIC_TOKENS] = tokens
         return super().get(request, *args, **kwargs)
 
-    def form_valid(self, form: SetupForm) -> HttpResponse:
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         """Verify OTP Token"""
         device: StaticDevice = self.request.session[SESSION_STATIC_DEVICE]
         device.save()
diff --git a/authentik/stages/authenticator_totp/forms.py b/authentik/stages/authenticator_totp/forms.py
index 91d635c92..98ebe481e 100644
--- a/authentik/stages/authenticator_totp/forms.py
+++ b/authentik/stages/authenticator_totp/forms.py
@@ -1,54 +1,9 @@
 """OTP Time forms"""
 from django import forms
-from django.utils.safestring import mark_safe
-from django.utils.translation import gettext_lazy as _
-from django_otp.models import Device
 
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage
 
 
-class PictureWidget(forms.widgets.Widget):
-    """Widget to render value as img-tag"""
-
-    def render(self, name, value, attrs=None, renderer=None):
-        return mark_safe(f"<br>{value}")  # nosec
-
-
-class SetupForm(forms.Form):
-    """Form to setup Time-based OTP"""
-
-    device: Device = None
-
-    qr_code = forms.CharField(
-        widget=PictureWidget,
-        disabled=True,
-        required=False,
-        label=_("Scan this Code with your OTP App."),
-    )
-    code = forms.CharField(
-        label=_("Please enter the Token on your device."),
-        widget=forms.TextInput(
-            attrs={
-                "autocomplete": "off",
-                "placeholder": "Code",
-                "autofocus": "autofocus",
-            }
-        ),
-    )
-
-    def __init__(self, device, qr_code, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.device = device
-        self.fields["qr_code"].initial = qr_code
-
-    def clean_code(self):
-        """Check code with new otp device"""
-        if self.device is not None:
-            if not self.device.verify_token(self.cleaned_data.get("code")):
-                raise forms.ValidationError(_("OTP Code does not match"))
-        return self.cleaned_data.get("code")
-
-
 class AuthenticatorTOTPStageForm(forms.ModelForm):
     """OTP Time-based Stage setup form"""
 
diff --git a/authentik/stages/authenticator_totp/models.py b/authentik/stages/authenticator_totp/models.py
index 010a1fd97..4f19d47a7 100644
--- a/authentik/stages/authenticator_totp/models.py
+++ b/authentik/stages/authenticator_totp/models.py
@@ -3,7 +3,7 @@ from typing import Optional, Type
 
 from django.db import models
 from django.forms import ModelForm
-from django.shortcuts import reverse
+from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer
diff --git a/authentik/stages/authenticator_totp/stage.py b/authentik/stages/authenticator_totp/stage.py
index cfada422b..7c51e4993 100644
--- a/authentik/stages/authenticator_totp/stage.py
+++ b/authentik/stages/authenticator_totp/stage.py
@@ -1,43 +1,66 @@
 """TOTP Setup stage"""
-from typing import Any
-
 from django.http import HttpRequest, HttpResponse
-from django.utils.encoding import force_str
-from django.views.generic import FormView
+from django.http.request import QueryDict
+from django.utils.translation import gettext_lazy as _
 from django_otp.plugins.otp_totp.models import TOTPDevice
-from lxml.etree import tostring  # nosec
-from qrcode import QRCode
-from qrcode.image.svg import SvgFillImage
+from rest_framework.fields import CharField, IntegerField
+from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 
+from authentik.flows.challenge import (
+    Challenge,
+    ChallengeResponse,
+    ChallengeTypes,
+    WithUserInfoChallenge,
+)
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.stage import StageView
-from authentik.stages.authenticator_totp.forms import SetupForm
+from authentik.flows.stage import ChallengeStageView
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage
 
 LOGGER = get_logger()
 SESSION_TOTP_DEVICE = "totp_device"
 
 
-class AuthenticatorTOTPStageView(FormView, StageView):
+class AuthenticatorTOTPChallenge(WithUserInfoChallenge):
+    """TOTP Setup challenge"""
+
+    config_url = CharField()
+
+
+class AuthenticatorTOTPChallengeResponse(ChallengeResponse):
+    """TOTP Challenge response, device is set by get_response_instance"""
+
+    device: TOTPDevice
+
+    code = IntegerField()
+
+    def validate_code(self, code: int) -> int:
+        """Validate totp code"""
+        if self.device is not None:
+            if not self.device.verify_token(code):
+                raise ValidationError(_("OTP Code does not match"))
+        return code
+
+
+class AuthenticatorTOTPStageView(ChallengeStageView):
     """OTP totp Setup stage"""
 
-    form_class = SetupForm
+    response_class = AuthenticatorTOTPChallengeResponse
 
-    def get_form_kwargs(self, **kwargs) -> dict[str, Any]:
-        kwargs = super().get_form_kwargs(**kwargs)
+    def get_challenge(self, *args, **kwargs) -> Challenge:
         device: TOTPDevice = self.request.session[SESSION_TOTP_DEVICE]
-        kwargs["device"] = device
-        kwargs["qr_code"] = self._get_qr_code(device)
-        return kwargs
+        return AuthenticatorTOTPChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-authenticator-totp",
+                "config_url": device.config_url,
+            }
+        )
 
-    def _get_qr_code(self, device: TOTPDevice) -> str:
-        """Get QR Code SVG as string based on `device`"""
-        qr_code = QRCode(image_factory=SvgFillImage)
-        qr_code.add_data(device.config_url)
-        svg_image = tostring(qr_code.make_image().get_image())
-        sr_wrapper = f'<div id="qr" data-otpuri="{device.config_url}">{force_str(svg_image)}</div>'
-        return sr_wrapper
+    def get_response_instance(self, data: QueryDict) -> ChallengeResponse:
+        response = super().get_response_instance(data)
+        response.device = self.request.session[SESSION_TOTP_DEVICE]
+        return response
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
@@ -58,8 +81,8 @@ class AuthenticatorTOTPStageView(FormView, StageView):
             self.request.session[SESSION_TOTP_DEVICE] = device
         return super().get(request, *args, **kwargs)
 
-    def form_valid(self, form: SetupForm) -> HttpResponse:
-        """Verify OTP Token"""
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        """TOTP Token is validated by challenge"""
         device: TOTPDevice = self.request.session[SESSION_TOTP_DEVICE]
         device.save()
         del self.request.session[SESSION_TOTP_DEVICE]
diff --git a/authentik/stages/authenticator_totp/views.py b/authentik/stages/authenticator_totp/views.py
index 338350d71..e94624aec 100644
--- a/authentik/stages/authenticator_totp/views.py
+++ b/authentik/stages/authenticator_totp/views.py
@@ -29,7 +29,8 @@ class UserSettingsView(LoginRequiredMixin, TemplateView):
 class DisableView(LoginRequiredMixin, View):
     """Disable TOTP for user"""
 
-    def get(self, request: HttpRequest) -> HttpResponse:
+    # pylint: disable=unused-argument
+    def get(self, request: HttpRequest, **kwargs) -> HttpResponse:
         """Delete all the devices for user"""
         totp = TOTPDevice.objects.filter(user=request.user, confirmed=True)
         totp.delete()
diff --git a/authentik/stages/authenticator_validate/challenge.py b/authentik/stages/authenticator_validate/challenge.py
new file mode 100644
index 000000000..d5781125c
--- /dev/null
+++ b/authentik/stages/authenticator_validate/challenge.py
@@ -0,0 +1,119 @@
+"""Validation stage challenge checking"""
+from django.db.models import Model
+from django.http import HttpRequest
+from django.utils.translation import gettext_lazy as _
+from django_otp import match_token
+from django_otp.models import Device
+from django_otp.plugins.otp_static.models import StaticDevice
+from django_otp.plugins.otp_totp.models import TOTPDevice
+from rest_framework.fields import CharField, JSONField
+from rest_framework.serializers import Serializer, ValidationError
+from webauthn import WebAuthnAssertionOptions, WebAuthnAssertionResponse, WebAuthnUser
+from webauthn.webauthn import (
+    AuthenticationRejectedException,
+    RegistrationRejectedException,
+    WebAuthnUserDataMissing,
+)
+
+from authentik.core.models import User
+from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
+from authentik.stages.authenticator_webauthn.utils import generate_challenge, get_origin
+
+
+class DeviceChallenge(Serializer):
+    """Single device challenge"""
+
+    device_class = CharField()
+    device_uid = CharField()
+    challenge = JSONField()
+
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+
+def get_challenge_for_device(request: HttpRequest, device: Device) -> dict:
+    """Generate challenge for a single device"""
+    if isinstance(device, (TOTPDevice, StaticDevice)):
+        # Code-based challenges have no hints
+        return {}
+    return get_webauthn_challenge(request, device)
+
+
+def get_webauthn_challenge(request: HttpRequest, device: WebAuthnDevice) -> dict:
+    """Send the client a challenge that we'll check later"""
+    request.session.pop("challenge", None)
+
+    challenge = generate_challenge(32)
+
+    # We strip the padding from the challenge stored in the session
+    # for the reasons outlined in the comment in webauthn_begin_activate.
+    request.session["challenge"] = challenge.rstrip("=")
+
+    webauthn_user = WebAuthnUser(
+        device.user.uid,
+        device.user.username,
+        device.user.name,
+        device.user.avatar,
+        device.credential_id,
+        device.public_key,
+        device.sign_count,
+        device.rp_id,
+    )
+
+    webauthn_assertion_options = WebAuthnAssertionOptions(webauthn_user, challenge)
+
+    return webauthn_assertion_options.assertion_dict
+
+
+def validate_challenge_code(code: str, request: HttpRequest, user: User) -> str:
+    """Validate code-based challenges. We test against every device, on purpose, as
+    the user mustn't choose between totp and static devices."""
+    device = match_token(user, code)
+    if not device:
+        raise ValidationError(_("Invalid Token"))
+    return code
+
+
+def validate_challenge_webauthn(data: dict, request: HttpRequest, user: User) -> dict:
+    """Validate WebAuthn Challenge"""
+    challenge = request.session.get("challenge")
+    assertion_response = data
+    credential_id = assertion_response.get("id")
+
+    device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()
+    if not device:
+        raise ValidationError("Device does not exist.")
+
+    webauthn_user = WebAuthnUser(
+        user.uid,
+        user.username,
+        user.name,
+        user.avatar,
+        device.credential_id,
+        device.public_key,
+        device.sign_count,
+        device.rp_id,
+    )
+
+    webauthn_assertion_response = WebAuthnAssertionResponse(
+        webauthn_user,
+        assertion_response,
+        challenge,
+        get_origin(request),
+        uv_required=False,
+    )  # User Verification
+
+    try:
+        sign_count = webauthn_assertion_response.verify()
+    except (
+        AuthenticationRejectedException,
+        WebAuthnUserDataMissing,
+        RegistrationRejectedException,
+    ) as exc:
+        raise ValidationError("Assertion failed") from exc
+
+    device.set_sign_count(sign_count)
+    return data
diff --git a/authentik/stages/authenticator_validate/models.py b/authentik/stages/authenticator_validate/models.py
index 688cd0e1a..73d060751 100644
--- a/authentik/stages/authenticator_validate/models.py
+++ b/authentik/stages/authenticator_validate/models.py
@@ -14,6 +14,7 @@ from authentik.flows.models import NotConfiguredAction, Stage
 class DeviceClasses(models.TextChoices):
     """Device classes this stage can validate"""
 
+    # device class must match Device's class name so StaticDevice -> static
     STATIC = "static"
     TOTP = "totp", _("TOTP")
     WEBAUTHN = "webauthn", _("WebAuthn")
diff --git a/authentik/stages/authenticator_validate/stage.py b/authentik/stages/authenticator_validate/stage.py
index 0fd969ba3..f8ed7e842 100644
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@@ -1,46 +1,153 @@
-"""OTP Validation"""
-from typing import Any
-
+"""Authenticator Validation"""
 from django.http import HttpRequest, HttpResponse
-from django.views.generic import FormView
-from django_otp import user_has_device
+from django_otp import devices_for_user
+from rest_framework.fields import CharField, JSONField, ListField
+from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 
+from authentik.flows.challenge import (
+    ChallengeResponse,
+    ChallengeTypes,
+    WithUserInfoChallenge,
+)
 from authentik.flows.models import NotConfiguredAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.stage import StageView
-from authentik.stages.authenticator_validate.forms import ValidationForm
-from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage
+from authentik.flows.stage import ChallengeStageView
+from authentik.stages.authenticator_validate.challenge import (
+    DeviceChallenge,
+    get_challenge_for_device,
+    validate_challenge_code,
+    validate_challenge_webauthn,
+)
+from authentik.stages.authenticator_validate.models import (
+    AuthenticatorValidateStage,
+    DeviceClasses,
+)
 
 LOGGER = get_logger()
 
+PER_DEVICE_CLASSES = [DeviceClasses.WEBAUTHN]
 
-class AuthenticatorValidateStageView(FormView, StageView):
-    """OTP Validation"""
 
-    form_class = ValidationForm
+class AuthenticatorChallenge(WithUserInfoChallenge):
+    """Authenticator challenge"""
 
-    def get_form_kwargs(self, **kwargs) -> dict[str, Any]:
-        kwargs = super().get_form_kwargs(**kwargs)
-        kwargs["user"] = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
-        return kwargs
+    device_challenges = ListField(child=DeviceChallenge())
+
+
+class AuthenticatorChallengeResponse(ChallengeResponse):
+    """Challenge used for Code-based and WebAuthn authenticators"""
+
+    code = CharField(required=False)
+    webauthn = JSONField(required=False)
+
+    def validate_code(self, code: str) -> str:
+        """Validate code-based response, raise error if code isn't allowed"""
+        device_challenges: list[dict] = self.stage.request.session.get(
+            "device_challenges"
+        )
+        if not any(
+            x["device_class"] in (DeviceClasses.TOTP, DeviceClasses.STATIC)
+            for x in device_challenges
+        ):
+            raise ValidationError("Got code but no compatible device class allowed")
+        return validate_challenge_code(
+            code, self.stage.request, self.stage.get_pending_user()
+        )
+
+    def validate_webauthn(self, webauthn: dict) -> dict:
+        """Validate webauthn response, raise error if webauthn wasn't allowed
+        or response is invalid"""
+        device_challenges: list[dict] = self.stage.request.session.get(
+            "device_challenges"
+        )
+        if not any(
+            x["device_class"] in (DeviceClasses.WEBAUTHN) for x in device_challenges
+        ):
+            raise ValidationError("Got webauthn but no compatible device class allowed")
+        return validate_challenge_webauthn(
+            webauthn, self.stage.request, self.stage.get_pending_user()
+        )
+
+    def validate(self, data: dict):
+        # Checking if the given data is from a valid device class is done above
+        # Here we only check if the any data was sent at all
+        if "code" not in data and "webauthn" not in data:
+            raise ValidationError("Empty response")
+        return data
+
+
+class AuthenticatorValidateStageView(ChallengeStageView):
+    """Authenticator Validation"""
+
+    response_class = AuthenticatorChallengeResponse
+
+    def get_device_challenges(self) -> list[dict]:
+        """Get a list of all device challenges applicable for the current stage"""
+        challenges = []
+        user_devices = devices_for_user(self.get_pending_user())
+
+        # static and totp are only shown once
+        # since their challenges are device-independant
+        seen_classes = []
+
+        stage: AuthenticatorValidateStage = self.executor.current_stage
+
+        for device in user_devices:
+            device_class = device.__class__.__name__.lower().replace("device", "")
+            if device_class not in stage.device_classes:
+                continue
+            # Ensure only classes in PER_DEVICE_CLASSES are returned per device
+            # otherwise only return a single challenge
+            if device_class in seen_classes and device_class not in PER_DEVICE_CLASSES:
+                continue
+            if device_class not in seen_classes:
+                seen_classes.append(device_class)
+            challenges.append(
+                DeviceChallenge(
+                    data={
+                        "device_class": device_class,
+                        "device_uid": device.pk,
+                        "challenge": get_challenge_for_device(self.request, device),
+                    }
+                ).initial_data
+            )
+        return challenges
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Check if a user is set, and check if the user has any devices
+        if not, we can skip this entire stage"""
         user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
         if not user:
             LOGGER.debug("No pending user, continuing")
             return self.executor.stage_ok()
-        has_devices = user_has_device(user)
         stage: AuthenticatorValidateStage = self.executor.current_stage
+        challenges = self.get_device_challenges()
+        self.request.session["device_challenges"] = challenges
 
-        if not has_devices:
+        # No allowed devices
+        if len(challenges) < 1:
             if stage.not_configured_action == NotConfiguredAction.SKIP:
                 LOGGER.debug("Authenticator not configured, skipping stage")
                 return self.executor.stage_ok()
+            if stage.not_configured_action == NotConfiguredAction.DENY:
+                LOGGER.debug("Authenticator not configured, denying")
+                return self.executor.stage_invalid()
         return super().get(request, *args, **kwargs)
 
-    def form_valid(self, form: ValidationForm) -> HttpResponse:
-        """Verify OTP Token"""
-        # Since we do token checking in the form, we know the token is valid here
-        # so we can just continue
+    def get_challenge(self) -> AuthenticatorChallenge:
+        challenges = self.request.session["device_challenges"]
+        return AuthenticatorChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-authenticator-validate",
+                "device_challenges": challenges,
+            }
+        )
+
+    # pylint: disable=unused-argument
+    def challenge_valid(
+        self, challenge: AuthenticatorChallengeResponse
+    ) -> HttpResponse:
+        # All validation is done by the serializer
         return self.executor.stage_ok()
diff --git a/authentik/stages/authenticator_webauthn/migrations/0002_default_setup_flow.py b/authentik/stages/authenticator_webauthn/migrations/0002_default_setup_flow.py
index 6be74a728..bdb88d01b 100644
--- a/authentik/stages/authenticator_webauthn/migrations/0002_default_setup_flow.py
+++ b/authentik/stages/authenticator_webauthn/migrations/0002_default_setup_flow.py
@@ -22,7 +22,7 @@ def create_default_setup_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEdito
         designation=FlowDesignation.STAGE_CONFIGURATION,
         defaults={
             "name": "default-authenticator-webuahtn-setup",
-            "title": "Setup Static OTP Tokens",
+            "title": "Setup WebAuthn",
         },
     )
 
diff --git a/authentik/stages/authenticator_webauthn/migrations/0003_webauthndevice_confirmed.py b/authentik/stages/authenticator_webauthn/migrations/0003_webauthndevice_confirmed.py
new file mode 100644
index 000000000..be8e9035d
--- /dev/null
+++ b/authentik/stages/authenticator_webauthn/migrations/0003_webauthndevice_confirmed.py
@@ -0,0 +1,20 @@
+# Generated by Django 3.1.6 on 2021-02-22 18:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_authenticator_webauthn", "0002_default_setup_flow"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="webauthndevice",
+            name="confirmed",
+            field=models.BooleanField(
+                default=True, help_text="Is this device ready for use?"
+            ),
+        ),
+    ]
diff --git a/authentik/stages/authenticator_webauthn/models.py b/authentik/stages/authenticator_webauthn/models.py
index a3f5c409c..f84c0b799 100644
--- a/authentik/stages/authenticator_webauthn/models.py
+++ b/authentik/stages/authenticator_webauthn/models.py
@@ -4,10 +4,11 @@ from typing import Optional, Type
 from django.contrib.auth import get_user_model
 from django.db import models
 from django.forms import ModelForm
-from django.shortcuts import reverse
+from django.urls import reverse
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django.views import View
+from django_otp.models import Device
 from rest_framework.serializers import BaseSerializer
 
 from authentik.flows.models import ConfigurableStage, Stage
@@ -27,10 +28,10 @@ class AuthenticateWebAuthnStage(ConfigurableStage, Stage):
     @property
     def type(self) -> Type[View]:
         from authentik.stages.authenticator_webauthn.stage import (
-            AuthenticateWebAuthnStageView,
+            AuthenticatorWebAuthnStageView,
         )
 
-        return AuthenticateWebAuthnStageView
+        return AuthenticatorWebAuthnStageView
 
     @property
     def form(self) -> Type[ModelForm]:
@@ -56,7 +57,7 @@ class AuthenticateWebAuthnStage(ConfigurableStage, Stage):
         verbose_name_plural = _("WebAuthn Authenticator Setup Stages")
 
 
-class WebAuthnDevice(models.Model):
+class WebAuthnDevice(Device):
     """WebAuthn Device for a single user"""
 
     user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
diff --git a/authentik/stages/authenticator_webauthn/stage.py b/authentik/stages/authenticator_webauthn/stage.py
index 3116dc161..71218b5f8 100644
--- a/authentik/stages/authenticator_webauthn/stage.py
+++ b/authentik/stages/authenticator_webauthn/stage.py
@@ -1,13 +1,29 @@
 """WebAuthn stage"""
 
 from django.http import HttpRequest, HttpResponse
-from django.shortcuts import render
-from django.views.generic import FormView
+from django.http.request import QueryDict
+from rest_framework.fields import JSONField
+from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
+from webauthn.webauthn import (
+    RegistrationRejectedException,
+    WebAuthnCredential,
+    WebAuthnMakeCredentialOptions,
+    WebAuthnRegistrationResponse,
+)
 
+from authentik.core.models import User
+from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.stage import StageView
+from authentik.flows.stage import ChallengeStageView
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
+from authentik.stages.authenticator_webauthn.utils import (
+    generate_challenge,
+    get_origin,
+    get_rp_id,
+)
+
+RP_NAME = "authentik"
 
 LOGGER = get_logger()
 
@@ -16,29 +32,135 @@ SESSION_KEY_WEBAUTHN_AUTHENTICATED = (
 )
 
 
-class AuthenticateWebAuthnStageView(FormView, StageView):
+class AuthenticatorWebAuthnChallenge(Challenge):
+    """WebAuthn Challenge"""
+
+    registration = JSONField()
+
+
+class AuthenticatorWebAuthnChallengeResponse(ChallengeResponse):
+    """WebAuthn Challenge response"""
+
+    response = JSONField()
+
+    request: HttpRequest
+    user: User
+
+    def validate_response(self, response: dict) -> dict:
+        """Validate webauthn challenge response"""
+        challenge = self.request.session["challenge"]
+
+        trusted_attestation_cert_required = True
+        self_attestation_permitted = True
+        none_attestation_permitted = True
+
+        webauthn_registration_response = WebAuthnRegistrationResponse(
+            get_rp_id(self.request),
+            get_origin(self.request),
+            response,
+            challenge,
+            trusted_attestation_cert_required=trusted_attestation_cert_required,
+            self_attestation_permitted=self_attestation_permitted,
+            none_attestation_permitted=none_attestation_permitted,
+            uv_required=False,
+        )  # User Verification
+
+        try:
+            webauthn_credential = webauthn_registration_response.verify()
+        except RegistrationRejectedException as exc:
+            LOGGER.warning("registration failed", exc=exc)
+            raise ValidationError("Registration failed. Error: {}".format(exc))
+
+        # Step 17.
+        #
+        # Check that the credentialId is not yet registered to any other user.
+        # If registration is requested for a credential that is already registered
+        # to a different user, the Relying Party SHOULD fail this registration
+        # ceremony, or it MAY decide to accept the registration, e.g. while deleting
+        # the older registration.
+        credential_id_exists = WebAuthnDevice.objects.filter(
+            credential_id=webauthn_credential.credential_id
+        ).first()
+        if credential_id_exists:
+            raise ValidationError("Credential ID already exists.")
+
+        webauthn_credential.credential_id = str(
+            webauthn_credential.credential_id, "utf-8"
+        )
+        webauthn_credential.public_key = str(webauthn_credential.public_key, "utf-8")
+
+        return webauthn_credential
+
+
+class AuthenticatorWebAuthnStageView(ChallengeStageView):
     """WebAuthn stage"""
 
+    response_class = AuthenticatorWebAuthnChallengeResponse
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        # clear session variables prior to starting a new registration
+        self.request.session.pop("challenge", None)
+
+        challenge = generate_challenge(32)
+
+        # We strip the saved challenge of padding, so that we can do a byte
+        # comparison on the URL-safe-without-padding challenge we get back
+        # from the browser.
+        # We will still pass the padded version down to the browser so that the JS
+        # can decode the challenge into binary without too much trouble.
+        self.request.session["challenge"] = challenge.rstrip("=")
+        user = self.get_pending_user()
+        make_credential_options = WebAuthnMakeCredentialOptions(
+            challenge,
+            RP_NAME,
+            get_rp_id(self.request),
+            user.uid,
+            user.username,
+            user.name,
+            user.avatar,
+        )
+
+        return AuthenticatorWebAuthnChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-authenticator-webauthn",
+                "registration": make_credential_options.registration_dict,
+            }
+        )
+
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
         if not user:
             LOGGER.debug("No pending user, continuing")
             return self.executor.stage_ok()
-        devices = WebAuthnDevice.objects.filter(user=user)
-        # If the current user is logged in already, or the pending user
-        # has no devices, show setup
-        if self.request.user == user:
-            # Because the user is already authenticated, skip the later check
-            self.request.session[SESSION_KEY_WEBAUTHN_AUTHENTICATED] = True
-            return render(request, "stages/authenticator_webauthn/setup.html")
-        if not devices.exists():
-            return self.executor.stage_ok()
-        self.request.session[SESSION_KEY_WEBAUTHN_AUTHENTICATED] = False
-        return render(request, "stages/authenticator_webauthn/auth.html")
+        return super().get(request, *args, **kwargs)
 
-    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Since the client can't directly indicate when a stage is done,
-        we use the post handler for this"""
-        if request.session.pop(SESSION_KEY_WEBAUTHN_AUTHENTICATED, False):
-            return self.executor.stage_ok()
-        return self.executor.stage_invalid()
+    def get_response_instance(
+        self, data: QueryDict
+    ) -> AuthenticatorWebAuthnChallengeResponse:
+        response: AuthenticatorWebAuthnChallengeResponse = (
+            super().get_response_instance(data)
+        )
+        response.request = self.request
+        response.user = self.get_pending_user()
+        return response
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        # Webauthn Challenge has already been validated
+        webauthn_credential: WebAuthnCredential = response.validated_data["response"]
+        existing_device = WebAuthnDevice.objects.filter(
+            credential_id=webauthn_credential.credential_id
+        ).first()
+        if not existing_device:
+            WebAuthnDevice.objects.create(
+                user=self.get_pending_user(),
+                public_key=webauthn_credential.public_key,
+                credential_id=webauthn_credential.credential_id,
+                sign_count=webauthn_credential.sign_count,
+                rp_id=get_rp_id(self.request),
+            )
+        else:
+            return self.executor.stage_invalid(
+                "Device with Credential ID already exists."
+            )
+        return self.executor.stage_ok()
diff --git a/authentik/stages/authenticator_webauthn/urls.py b/authentik/stages/authenticator_webauthn/urls.py
index d2d7e5c91..d163dcc39 100644
--- a/authentik/stages/authenticator_webauthn/urls.py
+++ b/authentik/stages/authenticator_webauthn/urls.py
@@ -1,37 +1,9 @@
 """WebAuthn urls"""
 from django.urls import path
-from django.views.decorators.csrf import csrf_exempt
 
-from authentik.stages.authenticator_webauthn.views import (
-    BeginActivateView,
-    BeginAssertion,
-    UserSettingsView,
-    VerifyAssertion,
-    VerifyCredentialInfo,
-)
+from authentik.stages.authenticator_webauthn.views import UserSettingsView
 
-# TODO: Move to API views so we don't need csrf_exempt
 urlpatterns = [
-    path(
-        "begin-activate/",
-        csrf_exempt(BeginActivateView.as_view()),
-        name="activate-begin",
-    ),
-    path(
-        "begin-assertion/",
-        csrf_exempt(BeginAssertion.as_view()),
-        name="assertion-begin",
-    ),
-    path(
-        "verify-credential-info/",
-        csrf_exempt(VerifyCredentialInfo.as_view()),
-        name="credential-info-verify",
-    ),
-    path(
-        "verify-assertion/",
-        csrf_exempt(VerifyAssertion.as_view()),
-        name="assertion-verify",
-    ),
     path(
         "<uuid:stage_uuid>/settings/", UserSettingsView.as_view(), name="user-settings"
     ),
diff --git a/authentik/stages/authenticator_webauthn/utils.py b/authentik/stages/authenticator_webauthn/utils.py
index 217f685e4..881066ef8 100644
--- a/authentik/stages/authenticator_webauthn/utils.py
+++ b/authentik/stages/authenticator_webauthn/utils.py
@@ -2,6 +2,8 @@
 import base64
 import os
 
+from django.http import HttpRequest
+
 CHALLENGE_DEFAULT_BYTE_LEN = 32
 
 
@@ -21,3 +23,18 @@ def generate_challenge(challenge_len=CHALLENGE_DEFAULT_BYTE_LEN):
     if not isinstance(challenge_base64, str):
         challenge_base64 = challenge_base64.decode("utf-8")
     return challenge_base64
+
+
+def get_rp_id(request: HttpRequest) -> str:
+    """Get hostname from http request, without port"""
+    host = request.get_host()
+    if ":" in host:
+        return host.split(":")[0]
+    return host
+
+
+def get_origin(request: HttpRequest) -> str:
+    """Return Origin by building an absolute URL and removing the
+    trailing slash"""
+    full_url = request.build_absolute_uri("/")
+    return full_url[:-1]
diff --git a/authentik/stages/authenticator_webauthn/views.py b/authentik/stages/authenticator_webauthn/views.py
index b9a4a4c57..6881fb571 100644
--- a/authentik/stages/authenticator_webauthn/views.py
+++ b/authentik/stages/authenticator_webauthn/views.py
@@ -1,229 +1,12 @@
 """webauthn views"""
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.http import HttpRequest, HttpResponse, JsonResponse
-from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404
-from django.views import View
 from django.views.generic import TemplateView
-from structlog.stdlib import get_logger
-from webauthn import (
-    WebAuthnAssertionOptions,
-    WebAuthnAssertionResponse,
-    WebAuthnMakeCredentialOptions,
-    WebAuthnRegistrationResponse,
-    WebAuthnUser,
-)
-from webauthn.webauthn import (
-    AuthenticationRejectedException,
-    RegistrationRejectedException,
-    WebAuthnUserDataMissing,
-)
 
-from authentik.core.models import User
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.views import SESSION_KEY_PLAN
-from authentik.lib.templatetags.authentik_utils import avatar
 from authentik.stages.authenticator_webauthn.models import (
     AuthenticateWebAuthnStage,
     WebAuthnDevice,
 )
-from authentik.stages.authenticator_webauthn.stage import (
-    SESSION_KEY_WEBAUTHN_AUTHENTICATED,
-)
-from authentik.stages.authenticator_webauthn.utils import generate_challenge
-
-LOGGER = get_logger()
-RP_ID = "localhost"
-RP_NAME = "authentik"
-ORIGIN = "http://localhost:8000"
-
-
-class FlowUserRequiredView(View):
-    """Base class for views which can only be called in the context of a flow."""
-
-    user: User
-
-    def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        plan = request.session.get(SESSION_KEY_PLAN, None)
-        if not plan:
-            return HttpResponseBadRequest()
-        self.user = plan.context.get(PLAN_CONTEXT_PENDING_USER)
-        if not self.user:
-            return HttpResponseBadRequest()
-        return super().dispatch(request, *args, **kwargs)
-
-
-class BeginActivateView(FlowUserRequiredView):
-    """Initial device registration view"""
-
-    def post(self, request: HttpRequest) -> HttpResponse:
-        """Initial device registration view"""
-        # clear session variables prior to starting a new registration
-        request.session.pop("challenge", None)
-
-        challenge = generate_challenge(32)
-
-        # We strip the saved challenge of padding, so that we can do a byte
-        # comparison on the URL-safe-without-padding challenge we get back
-        # from the browser.
-        # We will still pass the padded version down to the browser so that the JS
-        # can decode the challenge into binary without too much trouble.
-        request.session["challenge"] = challenge.rstrip("=")
-
-        make_credential_options = WebAuthnMakeCredentialOptions(
-            challenge,
-            RP_NAME,
-            RP_ID,
-            self.user.uid,
-            self.user.username,
-            self.user.name,
-            avatar(self.user),
-        )
-
-        return JsonResponse(make_credential_options.registration_dict)
-
-
-class VerifyCredentialInfo(FlowUserRequiredView):
-    """Finish device registration"""
-
-    def post(self, request: HttpRequest) -> HttpResponse:
-        """Finish device registration"""
-        challenge = request.session["challenge"]
-
-        registration_response = request.POST
-        trusted_attestation_cert_required = True
-        self_attestation_permitted = True
-        none_attestation_permitted = True
-
-        webauthn_registration_response = WebAuthnRegistrationResponse(
-            RP_ID,
-            ORIGIN,
-            registration_response,
-            challenge,
-            trusted_attestation_cert_required=trusted_attestation_cert_required,
-            self_attestation_permitted=self_attestation_permitted,
-            none_attestation_permitted=none_attestation_permitted,
-            uv_required=False,
-        )  # User Verification
-
-        try:
-            webauthn_credential = webauthn_registration_response.verify()
-        except RegistrationRejectedException as exc:
-            LOGGER.warning("registration failed", exc=exc)
-            return JsonResponse({"fail": "Registration failed. Error: {}".format(exc)})
-
-        # Step 17.
-        #
-        # Check that the credentialId is not yet registered to any other user.
-        # If registration is requested for a credential that is already registered
-        # to a different user, the Relying Party SHOULD fail this registration
-        # ceremony, or it MAY decide to accept the registration, e.g. while deleting
-        # the older registration.
-        credential_id_exists = WebAuthnDevice.objects.filter(
-            credential_id=webauthn_credential.credential_id
-        ).first()
-        if credential_id_exists:
-            return JsonResponse({"fail": "Credential ID already exists."}, status=401)
-
-        webauthn_credential.credential_id = str(
-            webauthn_credential.credential_id, "utf-8"
-        )
-        webauthn_credential.public_key = str(webauthn_credential.public_key, "utf-8")
-        existing_device = WebAuthnDevice.objects.filter(
-            credential_id=webauthn_credential.credential_id
-        ).first()
-        if not existing_device:
-            user = WebAuthnDevice.objects.create(
-                user=self.user,
-                public_key=webauthn_credential.public_key,
-                credential_id=webauthn_credential.credential_id,
-                sign_count=webauthn_credential.sign_count,
-                rp_id=RP_ID,
-            )
-        else:
-            return JsonResponse({"fail": "User already exists."}, status=401)
-
-        LOGGER.debug("Successfully registered.", user=user)
-
-        return JsonResponse({"success": "User successfully registered."})
-
-
-class BeginAssertion(FlowUserRequiredView):
-    """Send the client a challenge that we'll check later"""
-
-    def post(self, request: HttpRequest) -> HttpResponse:
-        """Send the client a challenge that we'll check later"""
-        request.session.pop("challenge", None)
-
-        challenge = generate_challenge(32)
-
-        # We strip the padding from the challenge stored in the session
-        # for the reasons outlined in the comment in webauthn_begin_activate.
-        request.session["challenge"] = challenge.rstrip("=")
-
-        devices = WebAuthnDevice.objects.filter(user=self.user)
-        if not devices.exists():
-            return HttpResponseBadRequest()
-        device: WebAuthnDevice = devices.first()
-
-        webauthn_user = WebAuthnUser(
-            self.user.uid,
-            self.user.username,
-            self.user.name,
-            avatar(self.user),
-            device.credential_id,
-            device.public_key,
-            device.sign_count,
-            device.rp_id,
-        )
-
-        webauthn_assertion_options = WebAuthnAssertionOptions(webauthn_user, challenge)
-
-        return JsonResponse(webauthn_assertion_options.assertion_dict)
-
-
-class VerifyAssertion(FlowUserRequiredView):
-    """Verify assertion result that we've sent to the client"""
-
-    def post(self, request: HttpRequest) -> HttpResponse:
-        """Verify assertion result that we've sent to the client"""
-        challenge = request.session.get("challenge")
-        assertion_response = request.POST
-        credential_id = assertion_response.get("id")
-
-        device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()
-        if not device:
-            return JsonResponse({"fail": "Device does not exist."}, status=401)
-
-        webauthn_user = WebAuthnUser(
-            self.user.uid,
-            self.user.username,
-            self.user.name,
-            avatar(self.user),
-            device.credential_id,
-            device.public_key,
-            device.sign_count,
-            device.rp_id,
-        )
-
-        webauthn_assertion_response = WebAuthnAssertionResponse(
-            webauthn_user, assertion_response, challenge, ORIGIN, uv_required=False
-        )  # User Verification
-
-        try:
-            sign_count = webauthn_assertion_response.verify()
-        except (
-            AuthenticationRejectedException,
-            WebAuthnUserDataMissing,
-            RegistrationRejectedException,
-        ) as exc:
-            return JsonResponse({"fail": "Assertion failed. Error: {}".format(exc)})
-
-        device.set_sign_count(sign_count)
-        request.session[SESSION_KEY_WEBAUTHN_AUTHENTICATED] = True
-        return JsonResponse(
-            {"success": "Successfully authenticated as {}".format(self.user.username)}
-        )
 
 
 class UserSettingsView(LoginRequiredMixin, TemplateView):
diff --git a/authentik/stages/captcha/api.py b/authentik/stages/captcha/api.py
index 6cd61185f..fb425e42f 100644
--- a/authentik/stages/captcha/api.py
+++ b/authentik/stages/captcha/api.py
@@ -12,6 +12,7 @@ class CaptchaStageSerializer(StageSerializer):
 
         model = CaptchaStage
         fields = StageSerializer.Meta.fields + ["public_key", "private_key"]
+        extra_kwargs = {"private_key": {"write_only": True}}
 
 
 class CaptchaStageViewSet(ModelViewSet):
diff --git a/authentik/stages/captcha/forms.py b/authentik/stages/captcha/forms.py
index d2ba260ad..7902bcbd7 100644
--- a/authentik/stages/captcha/forms.py
+++ b/authentik/stages/captcha/forms.py
@@ -1,16 +1,9 @@
 """authentik captcha stage forms"""
-from captcha.fields import ReCaptchaField
 from django import forms
 
 from authentik.stages.captcha.models import CaptchaStage
 
 
-class CaptchaForm(forms.Form):
-    """authentik captcha stage form"""
-
-    captcha = ReCaptchaField()
-
-
 class CaptchaStageForm(forms.ModelForm):
     """Form to edit CaptchaStage Instance"""
 
diff --git a/authentik/stages/captcha/settings.py b/authentik/stages/captcha/settings.py
deleted file mode 100644
index 6b63a51db..000000000
--- a/authentik/stages/captcha/settings.py
+++ /dev/null
@@ -1,9 +0,0 @@
-"""authentik captcha stage settings"""
-# https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha.-what-should-i-do
-RECAPTCHA_PUBLIC_KEY = "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI"
-RECAPTCHA_PRIVATE_KEY = "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe"
-
-NOCAPTCHA = True
-INSTALLED_APPS = ["captcha"]
-
-SILENCED_SYSTEM_CHECKS = ["captcha.recaptcha_test_key_error"]
diff --git a/authentik/stages/captcha/stage.py b/authentik/stages/captcha/stage.py
index 5f8c968cd..4254c8b94 100644
--- a/authentik/stages/captcha/stage.py
+++ b/authentik/stages/captcha/stage.py
@@ -1,24 +1,73 @@
 """authentik captcha stage"""
 
-from django.views.generic import FormView
+from django.http.response import HttpResponse
+from requests import RequestException, post
+from rest_framework.fields import CharField
+from rest_framework.serializers import ValidationError
 
-from authentik.flows.stage import StageView
-from authentik.stages.captcha.forms import CaptchaForm
+from authentik import __version__
+from authentik.flows.challenge import (
+    Challenge,
+    ChallengeResponse,
+    ChallengeTypes,
+    WithUserInfoChallenge,
+)
+from authentik.flows.stage import ChallengeStageView
+from authentik.lib.utils.http import get_client_ip
+from authentik.stages.captcha.models import CaptchaStage
 
 
-class CaptchaStageView(FormView, StageView):
+class CaptchaChallenge(WithUserInfoChallenge):
+    """Site public key"""
+
+    site_key = CharField()
+
+
+class CaptchaChallengeResponse(ChallengeResponse):
+    """Validate captcha token"""
+
+    token = CharField()
+
+    def validate_token(self, token: str) -> str:
+        """Validate captcha token"""
+        stage: CaptchaStage = self.stage.executor.current_stage
+        try:
+            response = post(
+                "https://www.google.com/recaptcha/api/siteverify",
+                headers={
+                    "Content-type": "application/x-www-form-urlencoded",
+                    "User-agent": f"authentik {__version__} ReCaptcha",
+                },
+                data={
+                    "secret": stage.private_key,
+                    "response": token,
+                    "remoteip": get_client_ip(self.stage.request),
+                },
+            )
+            response.raise_for_status()
+            data = response.json()
+            if not data.get("success", False):
+                raise ValidationError(
+                    f"Failed to validate token: {data.get('error-codes', '')}"
+                )
+        except RequestException as exc:
+            raise ValidationError("Failed to validate token") from exc
+        return token
+
+
+class CaptchaStageView(ChallengeStageView):
     """Simple captcha checker, logic is handeled in django-captcha module"""
 
-    form_class = CaptchaForm
+    response_class = CaptchaChallengeResponse
 
-    def form_valid(self, form):
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        return CaptchaChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-captcha",
+                "site_key": self.executor.current_stage.public_key,
+            }
+        )
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         return self.executor.stage_ok()
-
-    def get_form(self, form_class=None):
-        form = CaptchaForm(**self.get_form_kwargs())
-        form.fields["captcha"].public_key = self.executor.current_stage.public_key
-        form.fields["captcha"].private_key = self.executor.current_stage.private_key
-        form.fields["captcha"].widget.attrs["data-sitekey"] = form.fields[
-            "captcha"
-        ].public_key
-        return form
diff --git a/authentik/stages/captcha/tests.py b/authentik/stages/captcha/tests.py
index b3664fa37..aaf025cac 100644
--- a/authentik/stages/captcha/tests.py
+++ b/authentik/stages/captcha/tests.py
@@ -1,7 +1,6 @@
 """captcha tests"""
-from django.conf import settings
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
@@ -11,6 +10,10 @@ from authentik.flows.planner import FlowPlan
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.stages.captcha.models import CaptchaStage
 
+# https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha.-what-should-i-do
+RECAPTCHA_PUBLIC_KEY = "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI"
+RECAPTCHA_PRIVATE_KEY = "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe"
+
 
 class TestCaptchaStage(TestCase):
     """Captcha tests"""
@@ -29,8 +32,8 @@ class TestCaptchaStage(TestCase):
         )
         self.stage = CaptchaStage.objects.create(
             name="captcha",
-            public_key=settings.RECAPTCHA_PUBLIC_KEY,
-            private_key=settings.RECAPTCHA_PRIVATE_KEY,
+            public_key=RECAPTCHA_PUBLIC_KEY,
+            private_key=RECAPTCHA_PRIVATE_KEY,
         )
         FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
 
@@ -44,12 +47,12 @@ class TestCaptchaStage(TestCase):
         session.save()
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
-            {"g-recaptcha-response": "PASSED"},
+            {"token": "PASSED"},
         )
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
diff --git a/authentik/stages/consent/forms.py b/authentik/stages/consent/forms.py
index 508ff1a7c..f61e483fd 100644
--- a/authentik/stages/consent/forms.py
+++ b/authentik/stages/consent/forms.py
@@ -4,10 +4,6 @@ from django import forms
 from authentik.stages.consent.models import ConsentStage
 
 
-class ConsentForm(forms.Form):
-    """authentik consent stage form"""
-
-
 class ConsentStageForm(forms.ModelForm):
     """Form to edit ConsentStage Instance"""
 
diff --git a/authentik/stages/consent/stage.py b/authentik/stages/consent/stage.py
index 2ac1ab849..6b30cd078 100644
--- a/authentik/stages/consent/stage.py
+++ b/authentik/stages/consent/stage.py
@@ -1,40 +1,66 @@
 """authentik consent stage"""
-from typing import Any
-
 from django.http import HttpRequest, HttpResponse
 from django.utils.timezone import now
-from django.views.generic import FormView
+from rest_framework.fields import CharField
 
+from authentik.flows.challenge import (
+    Challenge,
+    ChallengeResponse,
+    ChallengeTypes,
+    PermissionSerializer,
+    WithUserInfoChallenge,
+)
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_PENDING_USER
-from authentik.flows.stage import StageView
+from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.stages.consent.forms import ConsentForm
 from authentik.stages.consent.models import ConsentMode, ConsentStage, UserConsent
 
-PLAN_CONTEXT_CONSENT_TEMPLATE = "consent_template"
+PLAN_CONTEXT_CONSENT_HEADER = "consent_header"
+PLAN_CONTEXT_CONSENT_PERMISSIONS = "consent_permissions"
 
 
-class ConsentStageView(FormView, StageView):
+class ConsentChallenge(WithUserInfoChallenge):
+    """Challenge info for consent screens"""
+
+    header_text = CharField()
+    permissions = PermissionSerializer(many=True)
+
+
+class ConsentChallengeResponse(ChallengeResponse):
+    """Consent challenge response, any valid response request is valid"""
+
+
+class ConsentStageView(ChallengeStageView):
     """Simple consent checker."""
 
-    form_class = ConsentForm
+    response_class = ConsentChallengeResponse
 
-    def get_context_data(self, **kwargs: dict[str, Any]) -> dict[str, Any]:
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["current_stage"] = self.executor.current_stage
-        kwargs["context"] = self.executor.plan.context
-        return kwargs
-
-    def get_template_names(self) -> list[str]:
-        # PLAN_CONTEXT_CONSENT_TEMPLATE has to be set by a template that calls this stage
-        if PLAN_CONTEXT_CONSENT_TEMPLATE in self.executor.plan.context:
-            template_name = self.executor.plan.context[PLAN_CONTEXT_CONSENT_TEMPLATE]
-            return [template_name]
-        return ["stages/consent/fallback.html"]
+    def get_challenge(self) -> Challenge:
+        challenge = ConsentChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-consent",
+            }
+        )
+        if PLAN_CONTEXT_CONSENT_HEADER in self.executor.plan.context:
+            challenge.initial_data["header_text"] = self.executor.plan.context[
+                PLAN_CONTEXT_CONSENT_HEADER
+            ]
+        if PLAN_CONTEXT_CONSENT_PERMISSIONS in self.executor.plan.context:
+            challenge.initial_data["permissions"] = self.executor.plan.context[
+                PLAN_CONTEXT_CONSENT_PERMISSIONS
+            ]
+        # If there's a pending user, update the `username` field
+        # this field is only used by password managers.
+        # If there's no user set, an error is raised later.
+        if user := self.get_pending_user():
+            challenge.initial_data["pending_user"] = user.username
+            challenge.initial_data["pending_user_avatar"] = user.avatar
+        return challenge
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         current_stage: ConsentStage = self.executor.current_stage
-        # For always require, we always show the form
+        # For always require, we always return the challenge
         if current_stage.mode == ConsentMode.ALWAYS_REQUIRE:
             return super().get(request, *args, **kwargs)
         # at this point we need to check consent from database
@@ -51,10 +77,10 @@ class ConsentStageView(FormView, StageView):
         if UserConsent.filter_not_expired(user=user, application=application).exists():
             return self.executor.stage_ok()
 
-        # No consent found, show form
+        # No consent found, return consent
         return super().get(request, *args, **kwargs)
 
-    def form_valid(self, form: ConsentForm) -> HttpResponse:
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         current_stage: ConsentStage = self.executor.current_stage
         if PLAN_CONTEXT_APPLICATION not in self.executor.plan.context:
             return self.executor.stage_ok()
diff --git a/authentik/stages/consent/templates/stages/consent/fallback.html b/authentik/stages/consent/templates/stages/consent/fallback.html
deleted file mode 100644
index cdb16e689..000000000
--- a/authentik/stages/consent/templates/stages/consent/fallback.html
+++ /dev/null
@@ -1,9 +0,0 @@
-{% extends 'login/form_with_user.html' %}
-
-{% load i18n %}
-
-{% block beneath_form %}
-<div class="pf-c-form__group">
-    {{ hidden_inputs }}
-</div>
-{% endblock %}
diff --git a/authentik/stages/consent/tests.py b/authentik/stages/consent/tests.py
index 7ab6dbf63..cc75031bb 100644
--- a/authentik/stages/consent/tests.py
+++ b/authentik/stages/consent/tests.py
@@ -1,8 +1,8 @@
 """consent tests"""
 from time import sleep
 
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import Application, User
@@ -45,13 +45,13 @@ class TestConsentStage(TestCase):
         session[SESSION_KEY_PLAN] = plan
         session.save()
         response = self.client.post(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
             {},
         )
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
         self.assertFalse(UserConsent.objects.filter(user=self.user).exists())
 
@@ -76,13 +76,13 @@ class TestConsentStage(TestCase):
         session[SESSION_KEY_PLAN] = plan
         session.save()
         response = self.client.post(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
             {},
         )
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
         self.assertTrue(
             UserConsent.objects.filter(
@@ -113,13 +113,13 @@ class TestConsentStage(TestCase):
         session[SESSION_KEY_PLAN] = plan
         session.save()
         response = self.client.post(
-            reverse("authentik_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
             {},
         )
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
         self.assertTrue(
             UserConsent.objects.filter(
diff --git a/authentik/stages/dummy/stage.py b/authentik/stages/dummy/stage.py
index fefb2c0dc..cf280d444 100644
--- a/authentik/stages/dummy/stage.py
+++ b/authentik/stages/dummy/stage.py
@@ -1,19 +1,31 @@
 """authentik multi-stage authentication engine"""
-from typing import Any
+from django.http.response import HttpResponse
 
-from django.http import HttpRequest
-
-from authentik.flows.stage import StageView
+from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
+from authentik.flows.stage import ChallengeStageView
 
 
-class DummyStageView(StageView):
+class DummyChallenge(Challenge):
+    """Dummy challenge"""
+
+
+class DummyChallengeResponse(ChallengeResponse):
+    """Dummy challenge response"""
+
+
+class DummyStageView(ChallengeStageView):
     """Dummy stage for testing with multiple stages"""
 
-    def post(self, request: HttpRequest):
-        """Just redirect to next stage"""
+    response_class = DummyChallengeResponse
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         return self.executor.stage_ok()
 
-    def get_context_data(self, **kwargs: dict[str, Any]) -> dict[str, Any]:
-        kwargs = super().get_context_data(**kwargs)
-        kwargs["title"] = self.executor.current_stage.name
-        return kwargs
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        return DummyChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "",
+                "title": self.executor.current_stage.name,
+            }
+        )
diff --git a/authentik/stages/dummy/tests.py b/authentik/stages/dummy/tests.py
index 61493ead6..bdbdb9e33 100644
--- a/authentik/stages/dummy/tests.py
+++ b/authentik/stages/dummy/tests.py
@@ -1,6 +1,6 @@
 """dummy tests"""
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
@@ -34,22 +34,20 @@ class TestDummyStage(TestCase):
     def test_valid_render(self):
         """Test that View renders correctly"""
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
         self.assertEqual(response.status_code, 200)
 
     def test_post(self):
         """Test with valid email, check that URL redirects back to itself"""
         url = reverse(
-            "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
         )
         response = self.client.post(url, {})
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
     def test_form(self):
diff --git a/authentik/stages/email/forms.py b/authentik/stages/email/forms.py
index 303d7834b..5e87b6544 100644
--- a/authentik/stages/email/forms.py
+++ b/authentik/stages/email/forms.py
@@ -5,12 +5,6 @@ from django.utils.translation import gettext_lazy as _
 from authentik.stages.email.models import EmailStage, get_template_choices
 
 
-class EmailStageSendForm(forms.Form):
-    """Form used when sending the email to prevent multiple emails being sent"""
-
-    invalid = forms.CharField(widget=forms.HiddenInput, required=True)
-
-
 class EmailStageForm(forms.ModelForm):
     """Form to create/edit Email Stage"""
 
diff --git a/authentik/stages/email/stage.py b/authentik/stages/email/stage.py
index 5d2ef8991..7c398ccb0 100644
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@@ -3,18 +3,19 @@ from datetime import timedelta
 
 from django.contrib import messages
 from django.http import HttpRequest, HttpResponse
-from django.shortcuts import get_object_or_404, reverse
+from django.shortcuts import get_object_or_404
+from django.urls import reverse
 from django.utils.http import urlencode
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from django.views.generic import FormView
+from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 
 from authentik.core.models import Token
+from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.stage import StageView
+from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views import SESSION_KEY_GET
-from authentik.stages.email.forms import EmailStageSendForm
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -24,11 +25,22 @@ QS_KEY_TOKEN = "token"  # nosec
 PLAN_CONTEXT_EMAIL_SENT = "email_sent"
 
 
-class EmailStageView(FormView, StageView):
+class EmailChallenge(Challenge):
+    """Email challenge"""
+
+
+class EmailChallengeResponse(ChallengeResponse):
+    """Email challenge resposen. No fields. This challenge is
+    always declared invalid to give the user a chance to retry"""
+
+    def validate(self, data):
+        raise ValidationError("")
+
+
+class EmailStageView(ChallengeStageView):
     """Email stage which sends Email for verification"""
 
-    form_class = EmailStageSendForm
-    template_name = "stages/email/waiting_message.html"
+    response_class = EmailChallengeResponse
 
     def get_full_url(self, **kwargs) -> str:
         """Get full URL to be used in template"""
@@ -80,11 +92,20 @@ class EmailStageView(FormView, StageView):
             self.executor.plan.context[PLAN_CONTEXT_EMAIL_SENT] = True
         return super().get(request, *args, **kwargs)
 
-    def form_invalid(self, form: EmailStageSendForm) -> HttpResponse:
+    def get_challenge(self) -> Challenge:
+        challenge = EmailChallenge(
+            data={"type": ChallengeTypes.native, "component": "ak-stage-email"}
+        )
+        return challenge
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        return super().challenge_invalid(response)
+
+    def challenge_invalid(self, response: ChallengeResponse) -> HttpResponse:
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
             messages.error(self.request, _("No pending user."))
-            return super().form_invalid(form)
+            return super().challenge_invalid(response)
         self.send_email()
         # We can't call stage_ok yet, as we're still waiting
         # for the user to click the link in the email
-        return super().form_invalid(form)
+        return super().challenge_invalid(response)
diff --git a/authentik/stages/email/templates/stages/email/waiting_message.html b/authentik/stages/email/templates/stages/email/waiting_message.html
deleted file mode 100644
index 5f1762624..000000000
--- a/authentik/stages/email/templates/stages/email/waiting_message.html
+++ /dev/null
@@ -1,21 +0,0 @@
-{% extends 'login/base.html' %}
-
-{% load static %}
-{% load i18n %}
-
-{% block card %}
-<form method="POST" class="pf-c-form">
-    <p>
-        {% blocktrans %}
-        Check your Emails for a password reset link.
-        {% endblocktrans %}
-    </p>
-    {% csrf_token %}
-
-    {% block beneath_form %}
-    {% endblock %}
-    <div class="pf-c-form__group pf-m-action">
-        <button class="pf-c-button pf-m-block" type="submit">{% trans "Send Email again." %}</button>
-    </div>
-</form>
-{% endblock %}
diff --git a/authentik/stages/email/tests/test_sending.py b/authentik/stages/email/tests/test_sending.py
index b97a8ce7c..62be151db 100644
--- a/authentik/stages/email/tests/test_sending.py
+++ b/authentik/stages/email/tests/test_sending.py
@@ -4,8 +4,8 @@ from unittest.mock import MagicMock, patch
 
 from django.core import mail
 from django.core.mail.backends.locmem import EmailBackend
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 
 from authentik.core.models import User
 from authentik.flows.markers import StageMarker
@@ -46,7 +46,7 @@ class TestEmailStageSending(TestCase):
         session.save()
 
         url = reverse(
-            "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
         )
         with self.settings(
             EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend"
@@ -67,7 +67,7 @@ class TestEmailStageSending(TestCase):
         session.save()
 
         url = reverse(
-            "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
         )
         with self.settings(
             EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend"
diff --git a/authentik/stages/email/tests/test_stage.py b/authentik/stages/email/tests/test_stage.py
index 0a84ecf7b..94e1d3c45 100644
--- a/authentik/stages/email/tests/test_stage.py
+++ b/authentik/stages/email/tests/test_stage.py
@@ -2,8 +2,8 @@
 from unittest.mock import MagicMock, patch
 
 from django.core import mail
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import Token, User
@@ -46,7 +46,7 @@ class TestEmailStage(TestCase):
         session.save()
 
         url = reverse(
-            "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
         )
         response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
@@ -61,7 +61,7 @@ class TestEmailStage(TestCase):
         session.save()
 
         url = reverse(
-            "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
         )
         response = self.client.get(url)
         self.assertEqual(response.status_code, 200)
@@ -77,7 +77,7 @@ class TestEmailStage(TestCase):
         session.save()
 
         url = reverse(
-            "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
         )
         with self.settings(
             EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend"
@@ -118,7 +118,7 @@ class TestEmailStage(TestCase):
             # Call the actual executor to get the JSON Response
             response = self.client.get(
                 reverse(
-                    "authentik_flows:flow-executor",
+                    "authentik_api:flow-executor",
                     kwargs={"flow_slug": self.flow.slug},
                 )
             )
@@ -126,7 +126,7 @@ class TestEmailStage(TestCase):
             self.assertEqual(response.status_code, 200)
             self.assertJSONEqual(
                 force_str(response.content),
-                {"type": "redirect", "to": reverse("authentik_core:shell")},
+                {"to": reverse("authentik_core:shell"), "type": "redirect"},
             )
 
             session = self.client.session
diff --git a/authentik/stages/identification/api.py b/authentik/stages/identification/api.py
index 677467b70..1e3e70aab 100644
--- a/authentik/stages/identification/api.py
+++ b/authentik/stages/identification/api.py
@@ -15,7 +15,6 @@ class IdentificationStageSerializer(StageSerializer):
             "user_fields",
             "case_insensitive_matching",
             "show_matched_user",
-            "template",
             "enrollment_flow",
             "recovery_flow",
         ]
diff --git a/authentik/stages/identification/forms.py b/authentik/stages/identification/forms.py
index 706c291f1..29e9f37b0 100644
--- a/authentik/stages/identification/forms.py
+++ b/authentik/stages/identification/forms.py
@@ -1,12 +1,9 @@
 """authentik flows identification forms"""
 from django import forms
-from django.core.validators import validate_email
-from django.utils.translation import gettext_lazy as _
 from structlog.stdlib import get_logger
 
 from authentik.admin.fields import ArrayFieldSelectMultiple
 from authentik.flows.models import Flow, FlowDesignation
-from authentik.lib.utils.ui import human_list
 from authentik.stages.identification.models import IdentificationStage, UserFields
 
 LOGGER = get_logger()
@@ -32,7 +29,6 @@ class IdentificationStageForm(forms.ModelForm):
             "user_fields",
             "case_insensitive_matching",
             "show_matched_user",
-            "template",
             "enrollment_flow",
             "recovery_flow",
         ]
@@ -40,35 +36,3 @@ class IdentificationStageForm(forms.ModelForm):
             "name": forms.TextInput(),
             "user_fields": ArrayFieldSelectMultiple(choices=UserFields.choices),
         }
-
-
-class IdentificationForm(forms.Form):
-    """Allow users to login"""
-
-    stage: IdentificationStage
-
-    title = _("Log in to your account")
-    uid_field = forms.CharField(label=_(""))
-
-    def __init__(self, *args, **kwargs):
-        self.stage = kwargs.pop("stage")
-        super().__init__(*args, **kwargs)
-        if self.stage.user_fields == [UserFields.E_MAIL]:
-            self.fields["uid_field"] = forms.EmailField()
-        label = human_list([x.title() for x in self.stage.user_fields])
-        self.fields["uid_field"].label = label
-        self.fields["uid_field"].widget.attrs.update(
-            {
-                "placeholder": _(label),
-                "autofocus": "autofocus",
-                # Autocomplete according to
-                # https://www.chromium.org/developers/design-documents/form-styles-that-chromium-understands
-                "autocomplete": "username",
-            }
-        )
-
-    def clean_uid_field(self):
-        """Validate uid_field after EmailValidator if 'email' is the only selected uid_fields"""
-        if self.stage.user_fields == [UserFields.E_MAIL]:
-            validate_email(self.cleaned_data.get("uid_field"))
-        return self.cleaned_data.get("uid_field")
diff --git a/authentik/stages/identification/migrations/0007_remove_identificationstage_template.py b/authentik/stages/identification/migrations/0007_remove_identificationstage_template.py
new file mode 100644
index 000000000..953ba7919
--- /dev/null
+++ b/authentik/stages/identification/migrations/0007_remove_identificationstage_template.py
@@ -0,0 +1,20 @@
+# Generated by Django 3.1.6 on 2021-02-20 22:46
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_identification",
+            "0006_identificationstage_show_matched_user",
+        ),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="identificationstage",
+            name="template",
+        ),
+    ]
diff --git a/authentik/stages/identification/models.py b/authentik/stages/identification/models.py
index cf6513e97..88b20a966 100644
--- a/authentik/stages/identification/models.py
+++ b/authentik/stages/identification/models.py
@@ -18,13 +18,6 @@ class UserFields(models.TextChoices):
     USERNAME = "username"
 
 
-class Templates(models.TextChoices):
-    """Templates to be used for the stage"""
-
-    DEFAULT_LOGIN = "stages/identification/login.html"
-    DEFAULT_RECOVERY = "stages/identification/recovery.html"
-
-
 class IdentificationStage(Stage):
     """Allows the user to identify themselves for authentication."""
 
@@ -37,7 +30,6 @@ class IdentificationStage(Stage):
             )
         ),
     )
-    template = models.TextField(choices=Templates.choices)
 
     case_insensitive_matching = models.BooleanField(
         default=True,
diff --git a/authentik/stages/identification/stage.py b/authentik/stages/identification/stage.py
index 9fb9f70c1..61f99cb3b 100644
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@@ -1,69 +1,61 @@
 """Identification stage logic"""
+from dataclasses import asdict
 from typing import Optional
 
-from django.contrib import messages
 from django.db.models import Q
 from django.http import HttpResponse
-from django.shortcuts import reverse
+from django.urls import reverse
 from django.utils.translation import gettext as _
-from django.views.generic import FormView
+from rest_framework.fields import CharField
+from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 
-from authentik.core.models import Source, User
+from authentik.core.models import Application, Source, User
+from authentik.core.types import UILoginButtonSerializer
+from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageView
+from authentik.flows.stage import (
+    PLAN_CONTEXT_PENDING_USER_IDENTIFIER,
+    ChallengeStageView,
+)
 from authentik.flows.views import SESSION_KEY_APPLICATION_PRE
-from authentik.stages.identification.forms import IdentificationForm
-from authentik.stages.identification.models import IdentificationStage
+from authentik.stages.identification.models import IdentificationStage, UserFields
 
 LOGGER = get_logger()
 
 
-class IdentificationStageView(FormView, StageView):
+class IdentificationChallenge(Challenge):
+    """Identification challenges with all UI elements"""
+
+    input_type = CharField()
+    application_pre = CharField(required=False)
+
+    enroll_url = CharField(required=False)
+    recovery_url = CharField(required=False)
+    primary_action = CharField()
+    sources = UILoginButtonSerializer(many=True, required=False)
+
+
+class IdentificationChallengeResponse(ChallengeResponse):
+    """Identification challenge"""
+
+    uid_field = CharField()
+    pre_user: Optional[User] = None
+
+    def validate_uid_field(self, value: str) -> str:
+        """Validate that user exists"""
+        pre_user = self.stage.get_user(value)
+        if not pre_user:
+            LOGGER.debug("invalid_login", identifier=value)
+            raise ValidationError("Failed to authenticate.")
+        self.pre_user = pre_user
+        return value
+
+
+class IdentificationStageView(ChallengeStageView):
     """Form to identify the user"""
 
-    form_class = IdentificationForm
-
-    def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["stage"] = self.executor.current_stage
-        return kwargs
-
-    def get_template_names(self) -> list[str]:
-        current_stage: IdentificationStage = self.executor.current_stage
-        return [current_stage.template]
-
-    def get_context_data(self, **kwargs):
-        current_stage: IdentificationStage = self.executor.current_stage
-        # If the user has been redirected to us whilst trying to access an
-        # application, SESSION_KEY_APPLICATION_PRE is set in the session
-        if SESSION_KEY_APPLICATION_PRE in self.request.session:
-            kwargs["application_pre"] = self.request.session[
-                SESSION_KEY_APPLICATION_PRE
-            ]
-        # Check for related enrollment and recovery flow, add URL to view
-        if current_stage.enrollment_flow:
-            kwargs["enroll_url"] = reverse(
-                "authentik_flows:flow-executor-shell",
-                kwargs={"flow_slug": current_stage.enrollment_flow.slug},
-            )
-        if current_stage.recovery_flow:
-            kwargs["recovery_url"] = reverse(
-                "authentik_flows:flow-executor-shell",
-                kwargs={"flow_slug": current_stage.recovery_flow.slug},
-            )
-        kwargs["primary_action"] = _("Log in")
-
-        # Check all enabled source, add them if they have a UI Login button.
-        kwargs["sources"] = []
-        sources: list[Source] = (
-            Source.objects.filter(enabled=True).order_by("name").select_subclasses()
-        )
-        for source in sources:
-            ui_login_button = source.ui_login_button
-            if ui_login_button:
-                kwargs["sources"].append(ui_login_button)
-        return super().get_context_data(**kwargs)
+    response_class = IdentificationChallengeResponse
 
     def get_user(self, uid_value: str) -> Optional[User]:
         """Find user instance. Returns None if no user was found."""
@@ -82,20 +74,55 @@ class IdentificationStageView(FormView, StageView):
             return users.first()
         return None
 
-    def form_valid(self, form: IdentificationForm) -> HttpResponse:
-        """Form data is valid"""
-        user_identifier = form.cleaned_data.get("uid_field")
-        pre_user = self.get_user(user_identifier)
-        if not pre_user:
-            LOGGER.debug("invalid_login")
-            messages.error(self.request, _("Failed to authenticate."))
-            return self.form_invalid(form)
-        self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = pre_user
+    def get_challenge(self) -> Challenge:
+        current_stage: IdentificationStage = self.executor.current_stage
+        challenge = IdentificationChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-identification",
+                "primary_action": _("Log in"),
+                "input_type": "text",
+            }
+        )
+        if current_stage.user_fields == [UserFields.E_MAIL]:
+            challenge.initial_data["input_type"] = "email"
+        # If the user has been redirected to us whilst trying to access an
+        # application, SESSION_KEY_APPLICATION_PRE is set in the session
+        if SESSION_KEY_APPLICATION_PRE in self.request.session:
+            challenge.initial_data["application_pre"] = self.request.session.get(
+                SESSION_KEY_APPLICATION_PRE, Application()
+            ).name
+        # Check for related enrollment and recovery flow, add URL to view
+        if current_stage.enrollment_flow:
+            challenge.initial_data["enroll_url"] = reverse(
+                "authentik_flows:flow-executor-shell",
+                kwargs={"flow_slug": current_stage.enrollment_flow.slug},
+            )
+        if current_stage.recovery_flow:
+            challenge.initial_data["recovery_url"] = reverse(
+                "authentik_flows:flow-executor-shell",
+                kwargs={"flow_slug": current_stage.recovery_flow.slug},
+            )
 
+        # Check all enabled source, add them if they have a UI Login button.
+        ui_sources = []
+        sources: list[Source] = (
+            Source.objects.filter(enabled=True).order_by("name").select_subclasses()
+        )
+        for source in sources:
+            ui_login_button = source.ui_login_button
+            if ui_login_button:
+                ui_sources.append(asdict(ui_login_button))
+        challenge.initial_data["sources"] = ui_sources
+        return challenge
+
+    def challenge_valid(
+        self, response: IdentificationChallengeResponse
+    ) -> HttpResponse:
+        self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = response.pre_user
         current_stage: IdentificationStage = self.executor.current_stage
         if not current_stage.show_matched_user:
             self.executor.plan.context[
                 PLAN_CONTEXT_PENDING_USER_IDENTIFIER
-            ] = user_identifier
-
+            ] = response.validated_data.get("uid_field")
         return self.executor.stage_ok()
diff --git a/authentik/stages/identification/templates/stages/identification/login.html b/authentik/stages/identification/templates/stages/identification/login.html
deleted file mode 100644
index 34b9e7ac4..000000000
--- a/authentik/stages/identification/templates/stages/identification/login.html
+++ /dev/null
@@ -1,63 +0,0 @@
-{% load i18n %}
-{% load static %}
-
-<header class="pf-c-login__main-header">
-    <h1 class="pf-c-title pf-m-3xl">
-        {% block card_title %}
-        {% trans title %}
-        {% endblock %}
-    </h1>
-</header>
-<div class="pf-c-login__main-body">
-    <form method="POST" class="pf-c-form">
-        {% block above_form %}
-            {% if application_pre %}
-            <p>
-                {% blocktrans with app_name=application_pre.name %}
-                Login to continue to <strong id="application-name">{{ app_name }}</strong>.
-                {% endblocktrans %}
-            </p>
-            {% endif %}
-        {% endblock %}
-
-        {% include 'partials/form.html' %}
-
-        {% block beneath_form %}
-        {% endblock %}
-        <div class="pf-c-form__group pf-m-action">
-            <button class="pf-c-button pf-m-primary pf-m-block" type="submit">{% trans primary_action %}</button>
-        </div>
-    </form>
-</div>
-<footer class="pf-c-login__main-footer">
-    <ul class="pf-c-login__main-footer-links">
-        {% for source in sources %}
-        <li class="pf-c-login__main-footer-links-item">
-            <a href="{{ source.url }}" class="pf-c-login__main-footer-links-item-link">
-                {% if source.icon_path %}
-                <img src="{% static source.icon_path %}" style="width:24px;" alt="{{ source.name }}">
-                {% elif source.icon_url %}
-                <img src="icon_url" alt="{{ source.name }}">
-                {% else %}
-                <i class="pf-icon pf-icon-arrow" title="{{ source.name }}"></i>
-                {% endif %}
-            </a>
-        </li>
-        {% endfor %}
-    </ul>
-    {% if enroll_url or recovery_url %}
-    <div class="pf-c-login__main-footer-band">
-        {% if enroll_url %}
-        <p class="pf-c-login__main-footer-band-item">
-            {% trans 'Need an account?' %}
-            <a role="enroll" href="{{ enroll_url }}">{% trans 'Sign up.' %}</a>
-        </p>
-        {% endif %}
-        {% if recovery_url %}
-        <p class="pf-c-login__main-footer-band-item">
-            <a role="recovery" href="{{ recovery_url }}">{% trans 'Forgot username or password?' %}</a>
-        </p>
-        {% endif %}
-    </div>
-    {% endif %}
-</footer>
diff --git a/authentik/stages/identification/templates/stages/identification/recovery.html b/authentik/stages/identification/templates/stages/identification/recovery.html
deleted file mode 100644
index 5603b0414..000000000
--- a/authentik/stages/identification/templates/stages/identification/recovery.html
+++ /dev/null
@@ -1,28 +0,0 @@
-{% load i18n %}
-
-<header class="pf-c-login__main-header">
-    <h1 class="pf-c-title pf-m-3xl">
-        {% trans 'Trouble Logging In?' %}
-    </h1>
-</header>
-<div class="pf-c-login__main-body">
-    {% block card %}
-    <form method="POST" class="pf-c-form">
-        {% block above_form %}
-        {% endblock %}
-
-        {% include 'partials/form.html' %}
-
-        {% block beneath_form %}
-        {% endblock %}
-        <div class="pf-c-form__group pf-m-action">
-            <button class="pf-c-button pf-m-primary pf-m-block" type="submit">{% trans primary_action %}</button>
-        </div>
-    </form>
-    {% endblock %}
-</div>
-<footer class="pf-c-login__main-footer">
-    {% if config.login.subtext %}
-    <p>{{ config.login.subtext }}</p>
-    {% endif %}
-</footer>
diff --git a/authentik/stages/identification/tests.py b/authentik/stages/identification/tests.py
index 326256e47..ccda61683 100644
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@@ -1,16 +1,13 @@
 """identification tests"""
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
+from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.sources.oauth.models import OAuthSource
-from authentik.stages.identification.models import (
-    IdentificationStage,
-    Templates,
-    UserFields,
-)
+from authentik.stages.identification.models import IdentificationStage, UserFields
 
 
 class TestIdentificationStage(TestCase):
@@ -29,7 +26,6 @@ class TestIdentificationStage(TestCase):
         self.stage = IdentificationStage.objects.create(
             name="identification",
             user_fields=[UserFields.E_MAIL],
-            template=Templates.DEFAULT_LOGIN,
         )
         FlowStageBinding.objects.create(
             target=self.flow,
@@ -43,9 +39,7 @@ class TestIdentificationStage(TestCase):
     def test_valid_render(self):
         """Test that View renders correctly"""
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
         self.assertEqual(response.status_code, 200)
 
@@ -53,13 +47,13 @@ class TestIdentificationStage(TestCase):
         """Test with valid email, check that URL redirects back to itself"""
         form_data = {"uid_field": self.user.email}
         url = reverse(
-            "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
         )
         response = self.client.post(url, form_data)
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
     def test_invalid_with_username(self):
@@ -67,7 +61,7 @@ class TestIdentificationStage(TestCase):
         form_data = {"uid_field": self.user.username}
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
             form_data,
         )
@@ -78,7 +72,7 @@ class TestIdentificationStage(TestCase):
         form_data = {"uid_field": self.user.email + "test"}
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
             form_data,
         )
@@ -89,6 +83,7 @@ class TestIdentificationStage(TestCase):
         flow = Flow.objects.create(
             name="enroll-test",
             slug="unique-enrollment-string",
+            title="unique-enrollment-string",
             designation=FlowDesignation.ENROLLMENT,
         )
         self.stage.enrollment_flow = flow
@@ -101,11 +96,28 @@ class TestIdentificationStage(TestCase):
 
         response = self.client.get(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
         )
         self.assertEqual(response.status_code, 200)
-        self.assertIn(flow.slug, force_str(response.content))
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "type": ChallengeTypes.native.value,
+                "component": "ak-stage-identification",
+                "input_type": "email",
+                "enroll_url": "/flows/unique-enrollment-string/",
+                "primary_action": "Log in",
+                "title": self.flow.title,
+                "sources": [
+                    {
+                        "icon_url": "/static/authentik/sources/.svg",
+                        "name": "test",
+                        "url": "/source/oauth/login/test/",
+                    }
+                ],
+            },
+        )
 
     def test_recovery_flow(self):
         """Test that recovery flow is linked correctly"""
@@ -121,11 +133,27 @@ class TestIdentificationStage(TestCase):
             stage=self.stage,
             order=0,
         )
-
         response = self.client.get(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
         )
         self.assertEqual(response.status_code, 200)
-        self.assertIn(flow.slug, force_str(response.content))
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "type": ChallengeTypes.native.value,
+                "component": "ak-stage-identification",
+                "input_type": "email",
+                "recovery_url": "/flows/unique-recovery-string/",
+                "primary_action": "Log in",
+                "title": self.flow.title,
+                "sources": [
+                    {
+                        "icon_url": "/static/authentik/sources/.svg",
+                        "name": "test",
+                        "url": "/source/oauth/login/test/",
+                    }
+                ],
+            },
+        )
diff --git a/authentik/stages/invitation/stage.py b/authentik/stages/invitation/stage.py
index 5711fd8e9..77292d2eb 100644
--- a/authentik/stages/invitation/stage.py
+++ b/authentik/stages/invitation/stage.py
@@ -15,6 +15,7 @@ class InvitationStageView(StageView):
     """Finalise Authentication flow by logging the user in"""
 
     def get(self, request: HttpRequest) -> HttpResponse:
+        """Apply data to the current flow based on a URL"""
         stage: InvitationStage = self.executor.current_stage
         if INVITATION_TOKEN_KEY not in request.GET:
             # No Invitation was given, raise error or continue
diff --git a/authentik/stages/invitation/tests.py b/authentik/stages/invitation/tests.py
index 94f6d3d61..156ae2529 100644
--- a/authentik/stages/invitation/tests.py
+++ b/authentik/stages/invitation/tests.py
@@ -1,8 +1,8 @@
 """invitation tests"""
 from unittest.mock import MagicMock, patch
 
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 from guardian.shortcuts import get_anonymous_user
 
@@ -58,9 +58,7 @@ class TestUserLoginStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
         self.assertEqual(response.status_code, 200)
         self.assertIsInstance(response, AccessDeniedResponse)
@@ -81,15 +79,13 @@ class TestUserLoginStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
 
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
         self.stage.continue_flow_without_invitation = False
@@ -115,7 +111,7 @@ class TestUserLoginStage(TestCase):
 
         with patch("authentik.flows.views.FlowExecutorView.cancel", MagicMock()):
             base_url = reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             )
             response = self.client.get(
                 base_url + f"?{INVITATION_TOKEN_KEY}={invite.pk.hex}"
@@ -128,5 +124,5 @@ class TestUserLoginStage(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
diff --git a/authentik/stages/password/forms.py b/authentik/stages/password/forms.py
index b29591c2d..5fba58db9 100644
--- a/authentik/stages/password/forms.py
+++ b/authentik/stages/password/forms.py
@@ -20,24 +20,6 @@ def get_authentication_backends():
     ]
 
 
-class PasswordForm(forms.Form):
-    """Password authentication form"""
-
-    username = forms.CharField(
-        widget=forms.HiddenInput(attrs={"autocomplete": "username"}), required=False
-    )
-    password = forms.CharField(
-        label=_("Please enter your password."),
-        widget=forms.PasswordInput(
-            attrs={
-                "placeholder": _("Password"),
-                "autofocus": "autofocus",
-                "autocomplete": "current-password",
-            }
-        ),
-    )
-
-
 class PasswordStageForm(forms.ModelForm):
     """Form to create/edit Password Stages"""
 
diff --git a/authentik/stages/password/models.py b/authentik/stages/password/models.py
index 43e4a6277..e599d49cd 100644
--- a/authentik/stages/password/models.py
+++ b/authentik/stages/password/models.py
@@ -4,7 +4,7 @@ from typing import Optional, Type
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.forms import ModelForm
-from django.shortcuts import reverse
+from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer
diff --git a/authentik/stages/password/stage.py b/authentik/stages/password/stage.py
index 10cdd3e68..e5760bc8f 100644
--- a/authentik/stages/password/stage.py
+++ b/authentik/stages/password/stage.py
@@ -6,16 +6,23 @@ from django.contrib.auth.backends import BaseBackend
 from django.contrib.auth.signals import user_login_failed
 from django.core.exceptions import PermissionDenied
 from django.http import HttpRequest, HttpResponse
+from django.urls import reverse
 from django.utils.translation import gettext as _
-from django.views.generic import FormView
+from rest_framework.exceptions import ErrorDetail
+from rest_framework.fields import CharField
 from structlog.stdlib import get_logger
 
 from authentik.core.models import User
+from authentik.flows.challenge import (
+    Challenge,
+    ChallengeResponse,
+    ChallengeTypes,
+    WithUserInfoChallenge,
+)
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
-from authentik.flows.stage import StageView
+from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.reflection import path_to_class
-from authentik.stages.password.forms import PasswordForm
 from authentik.stages.password.models import PasswordStage
 
 LOGGER = get_logger()
@@ -51,32 +58,42 @@ def authenticate(
     )
 
 
-class PasswordStageView(FormView, StageView):
+class PasswordChallenge(WithUserInfoChallenge):
+    """Password challenge UI fields"""
+
+    recovery_url = CharField(required=False)
+
+
+class PasswordChallengeResponse(ChallengeResponse):
+    """Password challenge response"""
+
+    password = CharField()
+
+
+class PasswordStageView(ChallengeStageView):
     """Authentication stage which authenticates against django's AuthBackend"""
 
-    form_class = PasswordForm
-    template_name = "stages/password/flow-form.html"
+    response_class = PasswordChallengeResponse
 
-    def get_form(self, form_class=None) -> PasswordForm:
-        form = super().get_form(form_class=form_class)
-
-        # If there's a pending user, update the `username` field
-        # this field is only used by password managers.
-        # If there's no user set, an error is raised later.
-        if PLAN_CONTEXT_PENDING_USER in self.executor.plan.context:
-            pending_user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
-            form.fields["username"].initial = pending_user.username
-
-        return form
-
-    def get_context_data(self, **kwargs):
-        kwargs = super().get_context_data(**kwargs)
+    def get_challenge(self) -> Challenge:
+        challenge = PasswordChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-password",
+            }
+        )
         recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY)
         if recovery_flow.exists():
-            kwargs["recovery_flow"] = recovery_flow.first()
-        return kwargs
+            recover_url = reverse(
+                "authentik_flows:flow-executor-shell",
+                kwargs={"flow_slug": recovery_flow.first().slug},
+            )
+            challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(
+                recover_url
+            )
+        return challenge
 
-    def form_invalid(self, form: PasswordForm) -> HttpResponse:
+    def challenge_invalid(self, response: PasswordChallengeResponse) -> HttpResponse:
         if SESSION_INVALID_TRIES not in self.request.session:
             self.request.session[SESSION_INVALID_TRIES] = 0
         self.request.session[SESSION_INVALID_TRIES] += 1
@@ -88,9 +105,9 @@ class PasswordStageView(FormView, StageView):
             LOGGER.debug("User has exceeded maximum tries")
             del self.request.session[SESSION_INVALID_TRIES]
             return self.executor.stage_invalid()
-        return super().form_invalid(form)
+        return super().challenge_invalid(response)
 
-    def form_valid(self, form: PasswordForm) -> HttpResponse:
+    def challenge_valid(self, response: PasswordChallengeResponse) -> HttpResponse:
         """Authenticate against django's authentication backend"""
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
             return self.executor.stage_invalid()
@@ -98,7 +115,7 @@ class PasswordStageView(FormView, StageView):
         # an Identifier by most authentication backends
         pending_user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
         auth_kwargs = {
-            "password": form.cleaned_data.get("password", None),
+            "password": response.validated_data.get("password", None),
             "username": pending_user.username,
         }
         try:
@@ -115,8 +132,11 @@ class PasswordStageView(FormView, StageView):
                 # No user was found -> invalid credentials
                 LOGGER.debug("Invalid credentials")
                 # Manually inject error into form
-                form.add_error("password", _("Invalid password"))
-                return self.form_invalid(form)
+                response._errors.setdefault("password", [])
+                response._errors["password"].append(
+                    ErrorDetail(_("Invalid password"), "invalid")
+                )
+                return self.challenge_invalid(response)
             # User instance returned from authenticate() has .backend property set
             self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
             self.executor.plan.context[
diff --git a/authentik/stages/password/templates/stages/password/flow-form.html b/authentik/stages/password/templates/stages/password/flow-form.html
deleted file mode 100644
index b0cece8d6..000000000
--- a/authentik/stages/password/templates/stages/password/flow-form.html
+++ /dev/null
@@ -1,10 +0,0 @@
-{% extends 'login/form_with_user.html' %}
-
-{% load i18n %}
-{% load authentik_utils %}
-
-{% block beneath_form %}
-{% if recovery_flow %}
-<a href="{% url 'authentik_flows:flow-executor' flow_slug=recovery_flow.slug %}">{% trans 'Forgot password?' %}</a>
-{% endif %}
-{% endblock %}
diff --git a/authentik/stages/password/tests.py b/authentik/stages/password/tests.py
index ed604f45c..6c39e341b 100644
--- a/authentik/stages/password/tests.py
+++ b/authentik/stages/password/tests.py
@@ -4,8 +4,8 @@ from random import SystemRandom
 from unittest.mock import MagicMock, patch
 
 from django.core.exceptions import PermissionDenied
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
@@ -59,7 +59,7 @@ class TestPasswordStage(TestCase):
 
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
             # Still have to send the password so the form is valid
             {"password": self.password},
@@ -83,7 +83,7 @@ class TestPasswordStage(TestCase):
 
         response = self.client.get(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
         )
         self.assertEqual(response.status_code, 200)
@@ -101,7 +101,7 @@ class TestPasswordStage(TestCase):
 
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
             # Form data
             {"password": self.password},
@@ -110,7 +110,7 @@ class TestPasswordStage(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
     def test_invalid_password(self):
@@ -125,7 +125,7 @@ class TestPasswordStage(TestCase):
 
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
             # Form data
             {"password": self.password + "test"},
@@ -145,7 +145,7 @@ class TestPasswordStage(TestCase):
         for _ in range(self.stage.failed_attempts_before_cancel):
             response = self.client.post(
                 reverse(
-                    "authentik_flows:flow-executor",
+                    "authentik_api:flow-executor",
                     kwargs={"flow_slug": self.flow.slug},
                 ),
                 # Form data
@@ -155,7 +155,7 @@ class TestPasswordStage(TestCase):
 
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
             # Form data
             {"password": self.password + "test"},
@@ -185,7 +185,7 @@ class TestPasswordStage(TestCase):
 
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
             # Form data
             {"password": self.password + "test"},
diff --git a/authentik/stages/password/views.py b/authentik/stages/password/views.py
index 1808781a7..1a4624719 100644
--- a/authentik/stages/password/views.py
+++ b/authentik/stages/password/views.py
@@ -2,7 +2,7 @@
 from typing import Any
 
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.shortcuts import reverse
+from django.urls import reverse
 from django.utils.http import urlencode
 from django.views.generic import TemplateView
 
diff --git a/authentik/stages/prompt/apps.py b/authentik/stages/prompt/apps.py
index 9280f6ac5..c584b2968 100644
--- a/authentik/stages/prompt/apps.py
+++ b/authentik/stages/prompt/apps.py
@@ -2,7 +2,7 @@
 from django.apps import AppConfig
 
 
-class AuthentikStagPromptConfig(AppConfig):
+class AuthentikStagePromptConfig(AppConfig):
     """authentik prompt stage config"""
 
     name = "authentik.stages.prompt"
diff --git a/authentik/stages/prompt/forms.py b/authentik/stages/prompt/forms.py
index 9dcaee300..abdcf0ed8 100644
--- a/authentik/stages/prompt/forms.py
+++ b/authentik/stages/prompt/forms.py
@@ -1,20 +1,7 @@
 """Prompt forms"""
-from email.policy import Policy
-from types import MethodType
-from typing import Any, Callable, Iterator
-
 from django import forms
-from django.db.models.query import QuerySet
-from django.http import HttpRequest
-from django.utils.translation import gettext_lazy as _
-from guardian.shortcuts import get_anonymous_user
 
-from authentik.core.models import User
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
-from authentik.policies.engine import PolicyEngine
-from authentik.policies.models import PolicyBinding, PolicyBindingModel
-from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
-from authentik.stages.prompt.signals import password_validate
+from authentik.stages.prompt.models import Prompt, PromptStage
 
 
 class PromptStageForm(forms.ModelForm):
@@ -47,111 +34,3 @@ class PromptAdminForm(forms.ModelForm):
             "label": forms.TextInput(),
             "placeholder": forms.TextInput(),
         }
-
-
-class ListPolicyEngine(PolicyEngine):
-    """Slightly modified policy engine, which uses a list instead of a PolicyBindingModel"""
-
-    __list: list[Policy]
-
-    def __init__(
-        self, policies: list[Policy], user: User, request: HttpRequest = None
-    ) -> None:
-        super().__init__(PolicyBindingModel(), user, request)
-        self.__list = policies
-        self.use_cache = False
-
-    def _iter_bindings(self) -> Iterator[PolicyBinding]:
-        for policy in self.__list:
-            yield PolicyBinding(
-                policy=policy,
-            )
-
-
-class PromptForm(forms.Form):
-    """Dynamically created form based on PromptStage"""
-
-    stage: PromptStage
-    plan: FlowPlan
-
-    def __init__(self, stage: PromptStage, plan: FlowPlan, *args, **kwargs):
-        self.stage = stage
-        self.plan = plan
-        super().__init__(*args, **kwargs)
-        # list() is called so we only load the fields once
-        fields = list(self.stage.fields.all())
-        for field in fields:
-            field: Prompt
-            self.fields[field.field_key] = field.field
-            # Special handling for fields with username type
-            # these check for existing users with the same username
-            if field.type == FieldTypes.USERNAME:
-                setattr(
-                    self,
-                    f"clean_{field.field_key}",
-                    MethodType(username_field_cleaner_factory(field), self),
-                )
-            # Check if we have a password field, add a handler that sends a signal
-            # to validate it
-            if field.type == FieldTypes.PASSWORD:
-                setattr(
-                    self,
-                    f"clean_{field.field_key}",
-                    MethodType(password_single_cleaner_factory(field), self),
-                )
-
-        self.field_order = sorted(fields, key=lambda x: x.order)
-
-    def _clean_password_fields(self, *field_names):
-        """Check if the value of all password fields match by merging them into a set
-        and checking the length"""
-        all_passwords = {self.cleaned_data[x] for x in field_names}
-        if len(all_passwords) > 1:
-            raise forms.ValidationError(_("Passwords don't match."))
-
-    def clean(self):
-        cleaned_data = super().clean()
-        if cleaned_data == {}:
-            return {}
-        # Check if we have two password fields, and make sure they are the same
-        password_fields: QuerySet[Prompt] = self.stage.fields.filter(
-            type=FieldTypes.PASSWORD
-        )
-        if password_fields.exists() and password_fields.count() == 2:
-            self._clean_password_fields(*[field.field_key for field in password_fields])
-
-        user = self.plan.context.get(PLAN_CONTEXT_PENDING_USER, get_anonymous_user())
-        engine = ListPolicyEngine(self.stage.validation_policies.all(), user)
-        engine.request.context = cleaned_data
-        engine.build()
-        result = engine.result
-        if not result.passing:
-            raise forms.ValidationError(list(result.messages))
-        return cleaned_data
-
-
-def username_field_cleaner_factory(field: Prompt) -> Callable:
-    """Return a `clean_` method for `field`. Clean method checks if username is taken already."""
-
-    def username_field_cleaner(self: PromptForm) -> Any:
-        """Check for duplicate usernames"""
-        username = self.cleaned_data.get(field.field_key)
-        if User.objects.filter(username=username).exists():
-            raise forms.ValidationError("Username is already taken.")
-        return username
-
-    return username_field_cleaner
-
-
-def password_single_cleaner_factory(field: Prompt) -> Callable[[PromptForm], Any]:
-    """Return a `clean_` method for `field`. Clean method checks if username is taken already."""
-
-    def password_single_clean(self: PromptForm) -> Any:
-        """Send password validation signals for e.g. LDAP Source"""
-        password = self.cleaned_data[field.field_key]
-        password_validate.send(
-            sender=self, password=password, plan_context=self.plan.context
-        )
-        return password
-
-    return password_single_clean
diff --git a/authentik/stages/prompt/migrations/0003_auto_20210222_1821.py b/authentik/stages/prompt/migrations/0003_auto_20210222_1821.py
new file mode 100644
index 000000000..c6f97e91c
--- /dev/null
+++ b/authentik/stages/prompt/migrations/0003_auto_20210222_1821.py
@@ -0,0 +1,42 @@
+# Generated by Django 3.1.6 on 2021-02-22 18:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_prompt", "0002_auto_20200920_1859"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="prompt",
+            name="type",
+            field=models.CharField(
+                choices=[
+                    ("text", "Text: Simple Text input"),
+                    (
+                        "username",
+                        "Username: Same as Text input, but checks for and prevents duplicate usernames.",
+                    ),
+                    ("email", "Email: Text field with Email type."),
+                    (
+                        "password",
+                        "Password: Masked input, password is validated against sources. Policies still have to be applied to this Stage. If two of these are used in the same stage, they are ensured to be identical.",
+                    ),
+                    ("number", "Number"),
+                    ("checkbox", "Checkbox"),
+                    ("date", "Date"),
+                    ("date-time", "Date Time"),
+                    ("separator", "Separator: Static Separator Line"),
+                    (
+                        "hidden",
+                        "Hidden: Hidden field, can be used to insert data into form.",
+                    ),
+                    ("static", "Static: Static value, displayed as-is."),
+                ],
+                max_length=100,
+            ),
+        ),
+    ]
diff --git a/authentik/stages/prompt/models.py b/authentik/stages/prompt/models.py
index 602e8b64e..46d55b870 100644
--- a/authentik/stages/prompt/models.py
+++ b/authentik/stages/prompt/models.py
@@ -2,17 +2,23 @@
 from typing import Type
 from uuid import uuid4
 
-from django import forms
 from django.db import models
 from django.forms import ModelForm
 from django.utils.translation import gettext_lazy as _
 from django.views import View
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    DateField,
+    DateTimeField,
+    EmailField,
+    IntegerField,
+)
 from rest_framework.serializers import BaseSerializer
 
 from authentik.flows.models import Stage
 from authentik.lib.models import SerializerModel
 from authentik.policies.models import Policy
-from authentik.stages.prompt.widgets import HorizontalRuleWidget, StaticTextWidget
 
 
 class FieldTypes(models.TextChoices):
@@ -43,8 +49,8 @@ class FieldTypes(models.TextChoices):
     )
     NUMBER = "number"
     CHECKBOX = "checkbox"
-    DATE = "data"
-    DATE_TIME = "data-time"
+    DATE = "date"
+    DATE_TIME = "date-time"
 
     SEPARATOR = "separator", _("Separator: Static Separator Line")
     HIDDEN = "hidden", _("Hidden: Hidden field, can be used to insert data into form.")
@@ -73,49 +79,34 @@ class Prompt(SerializerModel):
         return PromptSerializer
 
     @property
-    def field(self):
-        """Return instantiated form input field"""
-        attrs = {"placeholder": _(self.placeholder)}
-        field_class = forms.CharField
-        widget = forms.TextInput(attrs=attrs)
+    def field(self) -> CharField:
+        """Get field type for Challenge and response"""
+        field_class = CharField
         kwargs = {
-            "label": _(self.label),
             "required": self.required,
         }
         if self.type == FieldTypes.EMAIL:
-            field_class = forms.EmailField
-        if self.type == FieldTypes.USERNAME:
-            attrs["autocomplete"] = "username"
-        if self.type == FieldTypes.PASSWORD:
-            widget = forms.PasswordInput(attrs=attrs)
-            attrs["autocomplete"] = "new-password"
+            field_class = EmailField
         if self.type == FieldTypes.NUMBER:
-            field_class = forms.IntegerField
-            widget = forms.NumberInput(attrs=attrs)
+            field_class = IntegerField
+        # TODO: Hidden?
         if self.type == FieldTypes.HIDDEN:
-            widget = forms.HiddenInput(attrs=attrs)
             kwargs["required"] = False
             kwargs["initial"] = self.placeholder
         if self.type == FieldTypes.CHECKBOX:
-            field_class = forms.BooleanField
+            field_class = BooleanField
             kwargs["required"] = False
         if self.type == FieldTypes.DATE:
-            attrs["type"] = "date"
-            widget = forms.DateInput(attrs=attrs)
+            field_class = DateField
         if self.type == FieldTypes.DATE_TIME:
-            attrs["type"] = "datetime-local"
-            widget = forms.DateTimeInput(attrs=attrs)
+            field_class = DateTimeField
         if self.type == FieldTypes.STATIC:
-            widget = StaticTextWidget(attrs=attrs)
             kwargs["initial"] = self.placeholder
             kwargs["required"] = False
             kwargs["label"] = ""
         if self.type == FieldTypes.SEPARATOR:
-            widget = HorizontalRuleWidget(attrs=attrs)
             kwargs["required"] = False
             kwargs["label"] = ""
-
-        kwargs["widget"] = widget
         return field_class(**kwargs)
 
     def save(self, *args, **kwargs):
diff --git a/authentik/stages/prompt/stage.py b/authentik/stages/prompt/stage.py
index 93ecf8b21..d6ca1e65b 100644
--- a/authentik/stages/prompt/stage.py
+++ b/authentik/stages/prompt/stage.py
@@ -1,36 +1,188 @@
 """Prompt Stage Logic"""
-from django.http import HttpResponse
+from email.policy import Policy
+from types import MethodType
+from typing import Any, Callable, Iterator
+
+from django.db.models.base import Model
+from django.db.models.query import QuerySet
+from django.http import HttpRequest, HttpResponse
+from django.http.request import QueryDict
 from django.utils.translation import gettext_lazy as _
-from django.views.generic import FormView
+from guardian.shortcuts import get_anonymous_user
+from rest_framework.fields import BooleanField, CharField, IntegerField
+from rest_framework.serializers import Serializer, ValidationError
 from structlog.stdlib import get_logger
 
-from authentik.flows.stage import StageView
-from authentik.stages.prompt.forms import PromptForm
+from authentik.core.models import User
+from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.stage import ChallengeStageView
+from authentik.policies.engine import PolicyEngine
+from authentik.policies.models import PolicyBinding, PolicyBindingModel
+from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
+from authentik.stages.prompt.signals import password_validate
 
 LOGGER = get_logger()
 PLAN_CONTEXT_PROMPT = "prompt_data"
 
 
-class PromptStageView(FormView, StageView):
+class PromptSerializer(Serializer):
+    """Serializer for a single Prompt field"""
+
+    field_key = CharField()
+    label = CharField()
+    type = CharField()
+    required = BooleanField()
+    placeholder = CharField()
+    order = IntegerField()
+
+    def create(self, validated_data: dict) -> Model:
+        return Model()
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        return Model()
+
+
+class PromptChallenge(Challenge):
+    """Initial challenge being sent, define fields"""
+
+    fields = PromptSerializer(many=True)
+
+
+class PromptResponseChallenge(ChallengeResponse):
+    """Validate response, fields are dynamically created based
+    on the stage"""
+
+    def __init__(self, *args, stage: PromptStage, plan: FlowPlan, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.stage = stage
+        self.plan = plan
+        # list() is called so we only load the fields once
+        fields = list(self.stage.fields.all())
+        for field in fields:
+            field: Prompt
+            self.fields[field.field_key] = field.field
+            # Special handling for fields with username type
+            # these check for existing users with the same username
+            if field.type == FieldTypes.USERNAME:
+                setattr(
+                    self,
+                    f"validate_{field.field_key}",
+                    MethodType(username_field_validator_factory(), self),
+                )
+            # Check if we have a password field, add a handler that sends a signal
+            # to validate it
+            if field.type == FieldTypes.PASSWORD:
+                setattr(
+                    self,
+                    f"validate_{field.field_key}",
+                    MethodType(password_single_validator_factory(), self),
+                )
+
+        self.field_order = sorted(fields, key=lambda x: x.order)
+
+    def _validate_password_fields(self, *field_names):
+        """Check if the value of all password fields match by merging them into a set
+        and checking the length"""
+        all_passwords = {self.initial_data[x] for x in field_names}
+        if len(all_passwords) > 1:
+            raise ValidationError(_("Passwords don't match."))
+
+    def validate(self, attrs):
+        if attrs == {}:
+            return {}
+        # Check if we have two password fields, and make sure they are the same
+        password_fields: QuerySet[Prompt] = self.stage.fields.filter(
+            type=FieldTypes.PASSWORD
+        )
+        if password_fields.exists() and password_fields.count() == 2:
+            self._validate_password_fields(
+                *[field.field_key for field in password_fields]
+            )
+
+        user = self.plan.context.get(PLAN_CONTEXT_PENDING_USER, get_anonymous_user())
+        engine = ListPolicyEngine(self.stage.validation_policies.all(), user)
+        engine.request.context = attrs
+        engine.build()
+        result = engine.result
+        if not result.passing:
+            raise ValidationError(list(result.messages))
+        return attrs
+
+
+def username_field_validator_factory() -> Callable[[PromptChallenge, str], Any]:
+    """Return a `clean_` method for `field`. Clean method checks if username is taken already."""
+
+    # pylint: disable=unused-argument
+    def username_field_validator(self: PromptChallenge, value: str) -> Any:
+        """Check for duplicate usernames"""
+        if User.objects.filter(username=value).exists():
+            raise ValidationError("Username is already taken.")
+        return value
+
+    return username_field_validator
+
+
+def password_single_validator_factory() -> Callable[[PromptChallenge, str], Any]:
+    """Return a `clean_` method for `field`. Clean method checks if username is taken already."""
+
+    def password_single_clean(self: PromptChallenge, value: str) -> Any:
+        """Send password validation signals for e.g. LDAP Source"""
+        password_validate.send(
+            sender=self, password=value, plan_context=self.plan.context
+        )
+        return value
+
+    return password_single_clean
+
+
+class ListPolicyEngine(PolicyEngine):
+    """Slightly modified policy engine, which uses a list instead of a PolicyBindingModel"""
+
+    __list: list[Policy]
+
+    def __init__(
+        self, policies: list[Policy], user: User, request: HttpRequest = None
+    ) -> None:
+        super().__init__(PolicyBindingModel(), user, request)
+        self.__list = policies
+        self.use_cache = False
+
+    def _iter_bindings(self) -> Iterator[PolicyBinding]:
+        for policy in self.__list:
+            yield PolicyBinding(
+                policy=policy,
+            )
+
+
+class PromptStageView(ChallengeStageView):
     """Prompt Stage, save form data in plan context."""
 
-    template_name = "login/form.html"
-    form_class = PromptForm
+    response_class = PromptResponseChallenge
 
-    def get_context_data(self, **kwargs):
-        ctx = super().get_context_data(**kwargs)
-        ctx["title"] = _(self.executor.current_stage.name)
-        return ctx
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        fields = list(self.executor.current_stage.fields.all().order_by("order"))
+        challenge = PromptChallenge(
+            data={
+                "type": ChallengeTypes.native,
+                "component": "ak-stage-prompt",
+                "fields": [PromptSerializer(field).data for field in fields],
+            },
+        )
+        return challenge
 
-    def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
-        kwargs["stage"] = self.executor.current_stage
-        kwargs["plan"] = self.executor.plan
-        return kwargs
+    def get_response_instance(self, data: QueryDict) -> ChallengeResponse:
+        if not self.executor.plan:
+            raise ValueError
+        return PromptResponseChallenge(
+            instance=None,
+            data=data,
+            stage=self.executor.current_stage,
+            plan=self.executor.plan,
+        )
 
-    def form_valid(self, form: PromptForm) -> HttpResponse:
-        """Form data is valid"""
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
             self.executor.plan.context[PLAN_CONTEXT_PROMPT] = {}
-        self.executor.plan.context[PLAN_CONTEXT_PROMPT].update(form.cleaned_data)
+        self.executor.plan.context[PLAN_CONTEXT_PROMPT].update(response.validated_data)
         return self.executor.stage_ok()
diff --git a/authentik/stages/prompt/tests.py b/authentik/stages/prompt/tests.py
index bbacd8c26..58be327cd 100644
--- a/authentik/stages/prompt/tests.py
+++ b/authentik/stages/prompt/tests.py
@@ -1,8 +1,8 @@
 """Prompt tests"""
 from unittest.mock import MagicMock, patch
 
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
@@ -11,9 +11,8 @@ from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.policies.expression.models import ExpressionPolicy
-from authentik.stages.prompt.forms import PromptForm
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT, PromptResponseChallenge
 
 
 class TestPromptStage(TestCase):
@@ -104,9 +103,7 @@ class TestPromptStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
         self.assertEqual(response.status_code, 200)
         for prompt in self.stage.fields.all():
@@ -114,8 +111,8 @@ class TestPromptStage(TestCase):
             self.assertIn(prompt.label, force_str(response.content))
             self.assertIn(prompt.placeholder, force_str(response.content))
 
-    def test_valid_form_with_policy(self) -> PromptForm:
-        """Test form validation"""
+    def test_valid_challenge_with_policy(self) -> PromptResponseChallenge:
+        """Test challenge_response validation"""
         plan = FlowPlan(
             flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
         )
@@ -125,12 +122,14 @@ class TestPromptStage(TestCase):
         )
         self.stage.validation_policies.set([expr_policy])
         self.stage.save()
-        form = PromptForm(stage=self.stage, plan=plan, data=self.prompt_data)
-        self.assertEqual(form.is_valid(), True)
-        return form
+        challenge_response = PromptResponseChallenge(
+            None, stage=self.stage, plan=plan, data=self.prompt_data
+        )
+        self.assertEqual(challenge_response.is_valid(), True)
+        return challenge_response
 
-    def test_invalid_form(self) -> PromptForm:
-        """Test form validation"""
+    def test_invalid_challenge(self) -> PromptResponseChallenge:
+        """Test challenge_response validation"""
         plan = FlowPlan(
             flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
         )
@@ -140,12 +139,14 @@ class TestPromptStage(TestCase):
         )
         self.stage.validation_policies.set([expr_policy])
         self.stage.save()
-        form = PromptForm(stage=self.stage, plan=plan, data=self.prompt_data)
-        self.assertEqual(form.is_valid(), False)
-        return form
+        challenge_response = PromptResponseChallenge(
+            None, stage=self.stage, plan=plan, data=self.prompt_data
+        )
+        self.assertEqual(challenge_response.is_valid(), False)
+        return challenge_response
 
-    def test_valid_form_request(self):
-        """Test a request with valid form data"""
+    def test_valid_challenge_request(self):
+        """Test a request with valid challenge_response data"""
         plan = FlowPlan(
             flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
         )
@@ -153,20 +154,20 @@ class TestPromptStage(TestCase):
         session[SESSION_KEY_PLAN] = plan
         session.save()
 
-        form = self.test_valid_form_with_policy()
+        challenge_response = self.test_valid_challenge_with_policy()
 
         with patch("authentik.flows.views.FlowExecutorView.cancel", MagicMock()):
             response = self.client.post(
                 reverse(
-                    "authentik_flows:flow-executor",
+                    "authentik_api:flow-executor",
                     kwargs={"flow_slug": self.flow.slug},
                 ),
-                form.cleaned_data,
+                challenge_response.validated_data,
             )
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
         # Check that valid data has been saved
diff --git a/authentik/stages/prompt/widgets.py b/authentik/stages/prompt/widgets.py
deleted file mode 100644
index 0ddb26a10..000000000
--- a/authentik/stages/prompt/widgets.py
+++ /dev/null
@@ -1,17 +0,0 @@
-"""Prompt Widgets"""
-from django import forms
-from django.utils.safestring import mark_safe
-
-
-class StaticTextWidget(forms.widgets.Widget):
-    """Widget to render static text"""
-
-    def render(self, name, value, attrs=None, renderer=None):
-        return mark_safe(f"<p>{value}</p>")  # nosec
-
-
-class HorizontalRuleWidget(forms.widgets.Widget):
-    """Widget, which renders an <hr> element"""
-
-    def render(self, name, value, attrs=None, renderer=None):
-        return mark_safe("<hr>")  # nosec
diff --git a/authentik/stages/user_delete/tests.py b/authentik/stages/user_delete/tests.py
index fb87118bc..8a53b75c8 100644
--- a/authentik/stages/user_delete/tests.py
+++ b/authentik/stages/user_delete/tests.py
@@ -1,8 +1,8 @@
 """delete tests"""
 from unittest.mock import patch
 
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
@@ -46,9 +46,7 @@ class TestUserDeleteStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
         self.assertEqual(response.status_code, 200)
         self.assertIsInstance(response, AccessDeniedResponse)
@@ -64,9 +62,7 @@ class TestUserDeleteStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
         self.assertEqual(response.status_code, 200)
 
@@ -82,14 +78,14 @@ class TestUserDeleteStage(TestCase):
 
         response = self.client.post(
             reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
             {},
         )
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
         self.assertFalse(User.objects.filter(username=self.username).exists())
diff --git a/authentik/stages/user_login/stage.py b/authentik/stages/user_login/stage.py
index c559a9ca7..bc9601066 100644
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -17,6 +17,7 @@ class UserLoginStageView(StageView):
     """Finalise Authentication flow by logging the user in"""
 
     def get(self, request: HttpRequest) -> HttpResponse:
+        """Attach the currently pending user to the current session"""
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
             message = _("No Pending user to login.")
             messages.error(request, message)
diff --git a/authentik/stages/user_login/tests.py b/authentik/stages/user_login/tests.py
index 059793f8b..c84960a8f 100644
--- a/authentik/stages/user_login/tests.py
+++ b/authentik/stages/user_login/tests.py
@@ -1,8 +1,8 @@
 """login tests"""
 from unittest.mock import patch
 
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
@@ -47,15 +47,13 @@ class TestUserLoginStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
 
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
     @patch(
@@ -72,9 +70,7 @@ class TestUserLoginStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
 
         self.assertEqual(response.status_code, 200)
@@ -95,9 +91,7 @@ class TestUserLoginStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
 
         self.assertEqual(response.status_code, 200)
diff --git a/authentik/stages/user_logout/stage.py b/authentik/stages/user_logout/stage.py
index 8a09aa5af..1302d2183 100644
--- a/authentik/stages/user_logout/stage.py
+++ b/authentik/stages/user_logout/stage.py
@@ -12,6 +12,7 @@ class UserLogoutStageView(StageView):
     """Finalise Authentication flow by logging the user in"""
 
     def get(self, request: HttpRequest) -> HttpResponse:
+        """Remove the user from the current session"""
         LOGGER.debug(
             "Logged out",
             user=request.user,
diff --git a/authentik/stages/user_logout/tests.py b/authentik/stages/user_logout/tests.py
index dd3b9367d..7edd92ccc 100644
--- a/authentik/stages/user_logout/tests.py
+++ b/authentik/stages/user_logout/tests.py
@@ -1,6 +1,6 @@
 """logout tests"""
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
@@ -43,15 +43,13 @@ class TestUserLogoutStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
 
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
 
     def test_form(self):
diff --git a/authentik/stages/user_write/stage.py b/authentik/stages/user_write/stage.py
index 9f020f19f..a7269a168 100644
--- a/authentik/stages/user_write/stage.py
+++ b/authentik/stages/user_write/stage.py
@@ -22,6 +22,8 @@ class UserWriteStageView(StageView):
     """Finalise Enrollment flow by creating a user object."""
 
     def get(self, request: HttpRequest) -> HttpResponse:
+        """Save data in the current flow to the currently pending user. If no user is pending,
+        a new user is created."""
         if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
             message = _("No Pending data.")
             messages.error(request, message)
diff --git a/authentik/stages/user_write/tests.py b/authentik/stages/user_write/tests.py
index 214c693c7..0cf220d57 100644
--- a/authentik/stages/user_write/tests.py
+++ b/authentik/stages/user_write/tests.py
@@ -3,8 +3,8 @@ import string
 from random import SystemRandom
 from unittest.mock import patch
 
-from django.shortcuts import reverse
 from django.test import Client, TestCase
+from django.urls import reverse
 from django.utils.encoding import force_str
 
 from authentik.core.models import User
@@ -55,15 +55,13 @@ class TestUserWriteStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
 
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
         user_qs = User.objects.filter(
             username=plan.context[PLAN_CONTEXT_PROMPT]["username"]
@@ -94,15 +92,13 @@ class TestUserWriteStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
 
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(
             force_str(response.content),
-            {"type": "redirect", "to": reverse("authentik_core:shell")},
+            {"to": reverse("authentik_core:shell"), "type": "redirect"},
         )
         user_qs = User.objects.filter(
             username=plan.context[PLAN_CONTEXT_PROMPT]["username"]
@@ -126,9 +122,7 @@ class TestUserWriteStage(TestCase):
         session.save()
 
         response = self.client.get(
-            reverse(
-                "authentik_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
 
         self.assertEqual(response.status_code, 200)
diff --git a/docker.env.yml b/docker.env.yml
deleted file mode 100644
index f8961f7ef..000000000
--- a/docker.env.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-debug: true
-postgresql:
-  user: postgres
-  host: postgresql
-
-redis:
-  host: redis
-
-log_level: debug
diff --git a/swagger.yaml b/swagger.yaml
index 0aba5c0e2..c9bfe0cf1 100755
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -8249,6 +8249,7 @@ definitions:
         title: Avatar
         type: string
         readOnly: true
+        minLength: 1
       attributes:
         title: Attributes
         type: object
@@ -9657,22 +9658,22 @@ definitions:
           - authentik.sources.ldap
           - authentik.sources.oauth
           - authentik.sources.saml
-          - authentik.stages.captcha
-          - authentik.stages.consent
-          - authentik.stages.dummy
-          - authentik.stages.email
-          - authentik.stages.prompt
-          - authentik.stages.identification
-          - authentik.stages.invitation
-          - authentik.stages.user_delete
-          - authentik.stages.user_login
-          - authentik.stages.user_logout
-          - authentik.stages.user_write
           - authentik.stages.authenticator_static
           - authentik.stages.authenticator_totp
           - authentik.stages.authenticator_validate
           - authentik.stages.authenticator_webauthn
+          - authentik.stages.captcha
+          - authentik.stages.consent
+          - authentik.stages.dummy
+          - authentik.stages.email
+          - authentik.stages.identification
+          - authentik.stages.invitation
           - authentik.stages.password
+          - authentik.stages.prompt
+          - authentik.stages.user_delete
+          - authentik.stages.user_login
+          - authentik.stages.user_logout
+          - authentik.stages.user_write
           - authentik.managed
           - authentik.core
   ExpressionPolicy:
@@ -11048,6 +11049,7 @@ definitions:
         type: string
         enum:
           - skip
+          - deny
       device_classes:
         description: ''
         type: array
@@ -11297,7 +11299,6 @@ definitions:
     required:
       - name
       - user_fields
-      - template
     type: object
     properties:
       pk:
@@ -11345,12 +11346,6 @@ definitions:
           is enabled, the user's username and avatar will be shown. Otherwise, the
           text that the user entered will be shown
         type: boolean
-      template:
-        title: Template
-        type: string
-        enum:
-          - stages/identification/login.html
-          - stages/identification/recovery.html
       enrollment_flow:
         title: Enrollment flow
         description: Optional enrollment flow, which is linked at the bottom of the
@@ -11749,8 +11744,8 @@ definitions:
           - password
           - number
           - checkbox
-          - data
-          - data-time
+          - date
+          - date-time
           - separator
           - hidden
           - static
diff --git a/tests/e2e/test_flows_authenticators.py b/tests/e2e/test_flows_authenticators.py
index 632454932..3784cbb56 100644
--- a/tests/e2e/test_flows_authenticators.py
+++ b/tests/e2e/test_flows_authenticators.py
@@ -11,12 +11,13 @@ from django_otp.plugins.otp_totp.models import TOTPDevice
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
+from selenium.webdriver.support.wait import WebDriverWait
 
 from authentik.flows.models import Flow, FlowStageBinding
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import USER, SeleniumTestCase, apply_migration, retry
 
 
 @skipUnless(platform.startswith("linux"), "requires local docker")
@@ -24,6 +25,8 @@ class TestFlowsAuthenticator(SeleniumTestCase):
     """test flow with otp stages"""
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
     def test_totp_validate(self):
         """test flow with otp stages"""
         sleep(1)
@@ -37,31 +40,40 @@ class TestFlowsAuthenticator(SeleniumTestCase):
         )
 
         self.driver.get(f"{self.live_server_url}/flows/{flow.slug}/")
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
 
         # Get expected token
         totp = TOTP(device.bin_key, device.step, device.t0, device.digits, device.drift)
-        self.driver.find_element(By.ID, "id_code").send_keys(totp.token())
-        self.driver.find_element(By.ID, "id_code").send_keys(Keys.ENTER)
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        validation_stage = self.get_shadow_root(
+            "ak-stage-authenticator-validate", flow_executor
+        )
+        code_stage = self.get_shadow_root(
+            "ak-stage-authenticator-validate-code", validation_stage
+        )
+
+        code_stage.find_element(By.CSS_SELECTOR, "input[name=code]").send_keys(
+            totp.token()
+        )
+        code_stage.find_element(By.CSS_SELECTOR, "input[name=code]").send_keys(
+            Keys.ENTER
+        )
+        self.wait_for_url(self.shell_url("/library"))
         self.assert_user(USER())
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_stages_authenticator_totp", "0006_default_setup_flow")
     def test_totp_setup(self):
         """test TOTP Setup stage"""
         flow: Flow = Flow.objects.get(slug="default-authentication-flow")
 
         self.driver.get(f"{self.live_server_url}/flows/{flow.slug}/")
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.login()
+
+        self.wait_for_url(self.shell_url("/library"))
         self.assert_user(USER())
 
         self.driver.get(
@@ -71,11 +83,16 @@ class TestFlowsAuthenticator(SeleniumTestCase):
             )
         )
 
-        # Remember the current URL as we should end up back here
-        destination_url = self.driver.current_url
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        totp_stage = self.get_shadow_root("ak-stage-authenticator-totp", flow_executor)
+        wait = WebDriverWait(totp_stage, self.wait_timeout)
 
-        self.wait.until(ec.presence_of_element_located((By.ID, "qr")))
-        otp_uri = self.driver.find_element(By.ID, "qr").get_attribute("data-otpuri")
+        wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "input[name=otp_uri]"))
+        )
+        otp_uri = totp_stage.find_element(
+            By.CSS_SELECTOR, "input[name=otp_uri]"
+        ).get_attribute("value")
 
         # Parse the OTP URI, extract the secret and get the next token
         otp_args = urlparse(otp_uri)
@@ -85,26 +102,28 @@ class TestFlowsAuthenticator(SeleniumTestCase):
 
         totp = TOTP(secret_key)
 
-        self.driver.find_element(By.ID, "id_code").send_keys(totp.token())
-        self.driver.find_element(By.ID, "id_code").send_keys(Keys.ENTER)
-
-        self.wait_for_url(destination_url)
-        sleep(1)
+        totp_stage.find_element(By.CSS_SELECTOR, "input[name=code]").send_keys(
+            totp.token()
+        )
+        totp_stage.find_element(By.CSS_SELECTOR, "input[name=code]").send_keys(
+            Keys.ENTER
+        )
+        sleep(3)
 
         self.assertTrue(TOTPDevice.objects.filter(user=USER(), confirmed=True).exists())
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_stages_authenticator_static", "0005_default_setup_flow")
     def test_static_setup(self):
         """test Static OTP Setup stage"""
         flow: Flow = Flow.objects.get(slug="default-authentication-flow")
 
         self.driver.get(f"{self.live_server_url}/flows/{flow.slug}/")
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.login()
+
+        self.wait_for_url(self.shell_url("/library"))
         self.assert_user(USER())
 
         self.driver.get(
@@ -117,11 +136,15 @@ class TestFlowsAuthenticator(SeleniumTestCase):
         # Remember the current URL as we should end up back here
         destination_url = self.driver.current_url
 
-        token = self.driver.find_element(
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        authenticator_stage = self.get_shadow_root(
+            "ak-stage-authenticator-static", flow_executor
+        )
+        token = authenticator_stage.find_element(
             By.CSS_SELECTOR, ".ak-otp-tokens li:nth-child(1)"
         ).text
 
-        self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
+        authenticator_stage.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
 
         self.wait_for_url(destination_url)
         sleep(1)
diff --git a/tests/e2e/test_flows_enroll.py b/tests/e2e/test_flows_enroll.py
index 553c7a05c..6f09f642d 100644
--- a/tests/e2e/test_flows_enroll.py
+++ b/tests/e2e/test_flows_enroll.py
@@ -7,6 +7,7 @@ from django.test import override_settings
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec
+from selenium.webdriver.support.wait import WebDriverWait
 
 from authentik.core.models import User
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
@@ -15,7 +16,7 @@ from authentik.stages.identification.models import IdentificationStage
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.user_login.models import UserLoginStage
 from authentik.stages.user_write.models import UserWriteStage
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import USER, SeleniumTestCase, apply_migration, retry
 
 
 @skipUnless(platform.startswith("linux"), "requires local docker")
@@ -36,6 +37,8 @@ class TestFlowsEnroll(SeleniumTestCase):
         }
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
     def test_enroll_2_step(self):
         """Test 2-step enroll flow"""
         # First stage fields
@@ -87,19 +90,8 @@ class TestFlowsEnroll(SeleniumTestCase):
         FlowStageBinding.objects.create(target=flow, stage=user_login, order=3)
 
         self.driver.get(self.live_server_url)
-        self.wait.until(
-            ec.presence_of_element_located((By.CSS_SELECTOR, "[role=enroll]"))
-        )
-        self.driver.find_element(By.CSS_SELECTOR, "[role=enroll]").click()
 
-        self.wait.until(ec.presence_of_element_located((By.ID, "id_username")))
-        self.driver.find_element(By.ID, "id_username").send_keys("foo")
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password_repeat").send_keys(USER().username)
-        self.driver.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
-        self.driver.find_element(By.ID, "id_name").send_keys("some name")
-        self.driver.find_element(By.ID, "id_email").send_keys("foo@bar.baz")
-        self.driver.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
+        self.initial_stages()
 
         self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "ak-sidebar")))
         self.driver.get(self.shell_url("authentik_core:user-settings"))
@@ -110,6 +102,8 @@ class TestFlowsEnroll(SeleniumTestCase):
         self.assertEqual(user.email, "foo@bar.baz")
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
     @override_settings(EMAIL_BACKEND="django.core.mail.backends.smtp.EmailBackend")
     def test_enroll_email(self):
         """Test enroll with Email verification"""
@@ -169,18 +163,16 @@ class TestFlowsEnroll(SeleniumTestCase):
         FlowStageBinding.objects.create(target=flow, stage=user_login, order=4)
 
         self.driver.get(self.live_server_url)
-        self.driver.find_element(By.CSS_SELECTOR, "[role=enroll]").click()
-        self.driver.find_element(By.ID, "id_username").send_keys("foo")
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password_repeat").send_keys(USER().username)
-        self.driver.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
-        self.driver.find_element(By.ID, "id_name").send_keys("some name")
-        self.driver.find_element(By.ID, "id_email").send_keys("foo@bar.baz")
-        self.driver.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
+        self.initial_stages()
+
+        # Email stage
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        email_stage = self.get_shadow_root("ak-stage-email", flow_executor)
+
+        wait = WebDriverWait(email_stage, self.wait_timeout)
+
         # Wait for the success message so we know the email is sent
-        self.wait.until(
-            ec.presence_of_element_located((By.CSS_SELECTOR, ".pf-c-form > p"))
-        )
+        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, ".pf-c-form p")))
 
         # Open Mailhog
         self.driver.get("http://localhost:8025")
@@ -200,3 +192,50 @@ class TestFlowsEnroll(SeleniumTestCase):
         self.driver.get(self.shell_url("authentik_core:user-settings"))
 
         self.assert_user(User.objects.get(username="foo"))
+
+    def initial_stages(self):
+        """Fill out initial stages"""
+        # Identification stage, click enroll
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "#enroll")))
+        identification_stage.find_element(By.CSS_SELECTOR, "#enroll").click()
+
+        # First prompt stage
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        prompt_stage = self.get_shadow_root("ak-stage-prompt", flow_executor)
+        wait = WebDriverWait(prompt_stage, self.wait_timeout)
+
+        wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "input[name=username]"))
+        )
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=username]").send_keys(
+            "foo"
+        )
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
+            USER().username
+        )
+        prompt_stage.find_element(
+            By.CSS_SELECTOR, "input[name=password_repeat]"
+        ).send_keys(USER().username)
+        prompt_stage.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
+
+        # Second prompt stage
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        prompt_stage = self.get_shadow_root("ak-stage-prompt", flow_executor)
+        wait = WebDriverWait(prompt_stage, self.wait_timeout)
+
+        wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "input[name=name]"))
+        )
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=name]").send_keys(
+            "some name"
+        )
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=email]").send_keys(
+            "foo@bar.baz"
+        )
+        prompt_stage.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
diff --git a/tests/e2e/test_flows_login.py b/tests/e2e/test_flows_login.py
index 6e59987bd..227890898 100644
--- a/tests/e2e/test_flows_login.py
+++ b/tests/e2e/test_flows_login.py
@@ -2,10 +2,7 @@
 from sys import platform
 from unittest.case import skipUnless
 
-from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
-
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import USER, SeleniumTestCase, apply_migration, retry
 
 
 @skipUnless(platform.startswith("linux"), "requires local docker")
@@ -13,13 +10,11 @@ class TestFlowsLogin(SeleniumTestCase):
     """test default login flow"""
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
     def test_login(self):
         """test default login flow"""
         self.driver.get(f"{self.live_server_url}/flows/default-authentication-flow/")
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.login()
+        self.wait_for_url(self.shell_url("/library"))
         self.assert_user(USER())
diff --git a/tests/e2e/test_flows_stage_setup.py b/tests/e2e/test_flows_stage_setup.py
index 69fca1c93..b53aead6a 100644
--- a/tests/e2e/test_flows_stage_setup.py
+++ b/tests/e2e/test_flows_stage_setup.py
@@ -9,7 +9,7 @@ from authentik.core.models import User
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.providers.oauth2.generators import generate_client_secret
 from authentik.stages.password.models import PasswordStage
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import USER, SeleniumTestCase, apply_migration, retry
 
 
 @skipUnless(platform.startswith("linux"), "requires local docker")
@@ -17,6 +17,9 @@ class TestFlowsStageSetup(SeleniumTestCase):
     """test stage setup flows"""
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_stages_password", "0002_passwordstage_change_flow")
     def test_password_change(self):
         """test password change flow"""
         # Ensure that password stage has change_flow set
@@ -34,11 +37,8 @@ class TestFlowsStageSetup(SeleniumTestCase):
         self.driver.get(
             f"{self.live_server_url}/flows/default-authentication-flow/?next=%2F"
         )
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.login()
+        self.wait_for_url(self.shell_url("/library"))
 
         self.driver.get(
             self.url(
@@ -46,12 +46,21 @@ class TestFlowsStageSetup(SeleniumTestCase):
                 stage_uuid=PasswordStage.objects.first().stage_uuid,
             )
         )
-        self.driver.find_element(By.ID, "id_password").send_keys(new_password)
-        self.driver.find_element(By.ID, "id_password_repeat").click()
-        self.driver.find_element(By.ID, "id_password_repeat").send_keys(new_password)
-        self.driver.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
 
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        prompt_stage = self.get_shadow_root("ak-stage-prompt", flow_executor)
+
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
+            new_password
+        )
+        prompt_stage.find_element(
+            By.CSS_SELECTOR, "input[name=password_repeat]"
+        ).send_keys(new_password)
+        prompt_stage.find_element(
+            By.CSS_SELECTOR, "input[name=password_repeat]"
+        ).send_keys(Keys.ENTER)
+
+        self.wait_for_url(self.shell_url("/library"))
         # Because USER() is cached, we need to get the user manually here
         user = User.objects.get(username=USER().username)
         self.assertTrue(user.check_password(new_password))
diff --git a/tests/e2e/test_provider_oauth2_github.py b/tests/e2e/test_provider_oauth2_github.py
index aae6c11c2..827395b9c 100644
--- a/tests/e2e/test_provider_oauth2_github.py
+++ b/tests/e2e/test_provider_oauth2_github.py
@@ -6,7 +6,6 @@ from unittest.case import skipUnless
 
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 
 from authentik.core.models import Application
@@ -18,7 +17,7 @@ from authentik.providers.oauth2.generators import (
     generate_client_secret,
 )
 from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import USER, SeleniumTestCase, apply_migration, retry
 
 
 @skipUnless(platform.startswith("linux"), "requires local docker")
@@ -62,6 +61,10 @@ class TestProviderOAuth2Github(SeleniumTestCase):
         }
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
     def test_authorization_consent_implied(self):
         """test OAuth Provider flow (default authorization flow with implied consent)"""
         # Bootstrap all needed objects
@@ -84,11 +87,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
 
         self.driver.get("http://localhost:3000")
         self.driver.find_element(By.CLASS_NAME, "btn-service--github").click()
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
 
         self.wait_for_url("http://localhost:3000/?orgId=1")
         self.driver.get("http://localhost:3000/profile")
@@ -116,6 +115,10 @@ class TestProviderOAuth2Github(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
     def test_authorization_consent_explicit(self):
         """test OAuth Provider flow (default authorization flow with explicit consent)"""
         # Bootstrap all needed objects
@@ -138,23 +141,27 @@ class TestProviderOAuth2Github(SeleniumTestCase):
 
         self.driver.get("http://localhost:3000")
         self.driver.find_element(By.CLASS_NAME, "btn-service--github").click()
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
 
-        sleep(1)
+        sleep(3)
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "ak-flow-executor"))
+        )
 
-        self.assertEqual(
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+
+        self.assertIn(
             app.name,
-            self.driver.find_element(By.ID, "application-name").text,
+            consent_stage.find_element(By.CSS_SELECTOR, "#header-text").text,
         )
         self.assertEqual(
             "GitHub Compatibility: Access you Email addresses",
-            self.driver.find_element(By.ID, "scope-user:email").text,
+            consent_stage.find_element(
+                By.CSS_SELECTOR, "[data-permission-code='user:email']"
+            ).text,
         )
-        self.driver.find_element(
+        consent_stage.find_element(
             By.CSS_SELECTOR,
             ("[type=submit]"),
         ).click()
@@ -185,6 +192,10 @@ class TestProviderOAuth2Github(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
     def test_denied(self):
         """test OAuth Provider flow (default authorization flow, denied)"""
         # Bootstrap all needed objects
@@ -212,11 +223,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
 
         self.driver.get("http://localhost:3000")
         self.driver.find_element(By.CLASS_NAME, "btn-service--github").click()
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
 
         self.wait.until(
             ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
diff --git a/tests/e2e/test_provider_oauth2_grafana.py b/tests/e2e/test_provider_oauth2_grafana.py
index cd2dc95a5..ee6a0af0b 100644
--- a/tests/e2e/test_provider_oauth2_grafana.py
+++ b/tests/e2e/test_provider_oauth2_grafana.py
@@ -6,7 +6,6 @@ from unittest.case import skipUnless
 
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog.stdlib import get_logger
 
@@ -25,7 +24,13 @@ from authentik.providers.oauth2.generators import (
     generate_client_secret,
 )
 from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import (
+    USER,
+    SeleniumTestCase,
+    apply_migration,
+    object_manager,
+    retry,
+)
 
 LOGGER = get_logger()
 APPLICATION_SLUG = "grafana"
@@ -76,6 +81,10 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
         }
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
     def test_redirect_uri_error(self):
         """test OpenID Provider flow (invalid redirect URI, check error message)"""
         sleep(1)
@@ -113,6 +122,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_authorization_consent_implied(self):
         """test OpenID Provider flow (default authorization flow with implied consent)"""
         sleep(1)
@@ -143,11 +157,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
 
         self.driver.get("http://localhost:3000")
         self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
         self.wait_for_url("http://localhost:3000/?orgId=1")
         self.driver.get("http://localhost:3000/profile")
         self.assertEqual(
@@ -174,6 +184,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_authorization_logout(self):
         """test OpenID Provider flow with logout"""
         sleep(1)
@@ -204,11 +219,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
 
         self.driver.get("http://localhost:3000")
         self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
         self.wait_for_url("http://localhost:3000/?orgId=1")
         self.driver.get("http://localhost:3000/profile")
         self.assertEqual(
@@ -243,6 +254,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
         self.driver.find_element(By.ID, "logout").click()
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_authorization_consent_explicit(self):
         """test OpenID Provider flow (default authorization flow with explicit consent)"""
         sleep(1)
@@ -273,21 +289,24 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
 
         self.driver.get("http://localhost:3000")
         self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
 
-        self.assertEqual(
-            app.name,
-            self.driver.find_element(By.ID, "application-name").text,
-        )
         self.wait.until(
-            ec.presence_of_element_located((By.CSS_SELECTOR, "[type=submit]"))
+            ec.presence_of_element_located((By.CSS_SELECTOR, "ak-flow-executor"))
         )
         sleep(1)
-        self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+
+        self.assertIn(
+            app.name,
+            consent_stage.find_element(By.CSS_SELECTOR, "#header-text").text,
+        )
+        consent_stage.find_element(
+            By.CSS_SELECTOR,
+            ("[type=submit]"),
+        ).click()
 
         self.wait_for_url("http://localhost:3000/?orgId=1")
         self.driver.get("http://localhost:3000/profile")
@@ -316,6 +335,10 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
     def test_authorization_denied(self):
         """test OpenID Provider flow (default authorization with access deny)"""
         sleep(1)
@@ -350,11 +373,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
         PolicyBinding.objects.create(target=app, policy=negative_policy, order=0)
         self.driver.get("http://localhost:3000")
         self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
 
         self.wait.until(
             ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
diff --git a/tests/e2e/test_provider_oauth2_oidc.py b/tests/e2e/test_provider_oauth2_oidc.py
index 8ecbc9155..5aa5f9845 100644
--- a/tests/e2e/test_provider_oauth2_oidc.py
+++ b/tests/e2e/test_provider_oauth2_oidc.py
@@ -8,7 +8,6 @@ from docker import DockerClient, from_env
 from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog.stdlib import get_logger
 
@@ -27,7 +26,13 @@ from authentik.providers.oauth2.generators import (
     generate_client_secret,
 )
 from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import (
+    USER,
+    SeleniumTestCase,
+    apply_migration,
+    object_manager,
+    retry,
+)
 
 LOGGER = get_logger()
 
@@ -71,6 +76,10 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             sleep(1)
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
     def test_redirect_uri_error(self):
         """test OpenID Provider flow (invalid redirect URI, check error message)"""
         sleep(1)
@@ -108,6 +117,11 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_authorization_consent_implied(self):
         """test OpenID Provider flow (default authorization flow with implied consent)"""
         sleep(1)
@@ -138,13 +152,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         self.container = self.setup_client()
 
         self.driver.get("http://localhost:9009")
-
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-
+        self.login()
         self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "pre")))
         body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
 
@@ -158,6 +166,11 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         self.assertEqual(body["UserInfo"]["email"], USER().email)
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_authorization_consent_explicit(self):
         """test OpenID Provider flow (default authorization flow with explicit consent)"""
         sleep(1)
@@ -188,22 +201,23 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         self.container = self.setup_client()
 
         self.driver.get("http://localhost:9009")
+        self.login()
 
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-
-        self.assertEqual(
-            app.name,
-            self.driver.find_element(By.ID, "application-name").text,
-        )
         self.wait.until(
-            ec.presence_of_element_located((By.CSS_SELECTOR, "[type=submit]"))
+            ec.presence_of_element_located((By.CSS_SELECTOR, "ak-flow-executor"))
         )
-        sleep(1)
-        self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+
+        self.assertIn(
+            app.name,
+            consent_stage.find_element(By.CSS_SELECTOR, "#header-text").text,
+        )
+        consent_stage.find_element(
+            By.CSS_SELECTOR,
+            ("[type=submit]"),
+        ).click()
 
         self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "pre")))
         body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
@@ -218,6 +232,10 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         self.assertEqual(body["UserInfo"]["email"], USER().email)
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
     def test_authorization_denied(self):
         """test OpenID Provider flow (default authorization with access deny)"""
         sleep(1)
@@ -253,13 +271,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
 
         self.container = self.setup_client()
         self.driver.get("http://localhost:9009")
-
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-
+        self.login()
         self.wait.until(
             ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
         )
diff --git a/tests/e2e/test_provider_proxy.py b/tests/e2e/test_provider_proxy.py
index cbbb1ee12..1e5554eaf 100644
--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@@ -9,7 +9,6 @@ from channels.testing import ChannelsLiveServerTestCase
 from docker.client import DockerClient, from_env
 from docker.models.containers import Container
 from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
 
 from authentik import __version__
 from authentik.core.models import Application
@@ -22,7 +21,7 @@ from authentik.outposts.models import (
     OutpostType,
 )
 from authentik.providers.proxy.models import ProxyProvider
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import SeleniumTestCase, apply_migration, object_manager, retry
 
 
 @skipUnless(platform.startswith("linux"), "requires local docker")
@@ -59,6 +58,11 @@ class TestProviderProxy(SeleniumTestCase):
         return container
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_proxy_simple(self):
         """Test simple outpost setup with single provider"""
         proxy: ProxyProvider = ProxyProvider.objects.create(
@@ -94,13 +98,7 @@ class TestProviderProxy(SeleniumTestCase):
             sleep(0.5)
 
         self.driver.get("http://localhost:4180")
-
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-
+        self.login()
         sleep(1)
 
         full_body_text = self.driver.find_element(By.CSS_SELECTOR, "pre").text
@@ -112,10 +110,14 @@ class TestProviderProxyConnect(ChannelsLiveServerTestCase):
     """Test Proxy connectivity over websockets"""
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_proxy_connectivity(self):
         """Test proxy connectivity over websocket"""
         AuthentikOutpostConfig.init_local_connection()
-        SeleniumTestCase().apply_default_data()
         proxy: ProxyProvider = ProxyProvider.objects.create(
             name="proxy_provider",
             authorization_flow=Flow.objects.get(
diff --git a/tests/e2e/test_provider_saml.py b/tests/e2e/test_provider_saml.py
index 8736c324c..df6dac35e 100644
--- a/tests/e2e/test_provider_saml.py
+++ b/tests/e2e/test_provider_saml.py
@@ -8,7 +8,6 @@ from docker import DockerClient, from_env
 from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog.stdlib import get_logger
 
@@ -22,7 +21,13 @@ from authentik.providers.saml.models import (
     SAMLPropertyMapping,
     SAMLProvider,
 )
-from tests.e2e.utils import USER, SeleniumTestCase, retry
+from tests.e2e.utils import (
+    USER,
+    SeleniumTestCase,
+    apply_migration,
+    object_manager,
+    retry,
+)
 
 LOGGER = get_logger()
 
@@ -66,6 +71,11 @@ class TestProviderSAML(SeleniumTestCase):
             sleep(1)
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_sp_initiated_implicit(self):
         """test SAML Provider flow SP-initiated flow (implicit consent)"""
         # Bootstrap all needed objects
@@ -90,11 +100,7 @@ class TestProviderSAML(SeleniumTestCase):
         )
         self.container = self.setup_client(provider)
         self.driver.get("http://localhost:9009")
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
         self.wait_for_url("http://localhost:9009/")
 
         body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
@@ -129,6 +135,11 @@ class TestProviderSAML(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_sp_initiated_explicit(self):
         """test SAML Provider flow SP-initiated flow (explicit consent)"""
         # Bootstrap all needed objects
@@ -153,17 +164,24 @@ class TestProviderSAML(SeleniumTestCase):
         )
         self.container = self.setup_client(provider)
         self.driver.get("http://localhost:9009")
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.assertEqual(
-            app.name,
-            self.driver.find_element(By.ID, "application-name").text,
+        self.login()
+
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "ak-flow-executor"))
         )
-        sleep(1)
-        self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+
+        self.assertIn(
+            app.name,
+            consent_stage.find_element(By.CSS_SELECTOR, "#header-text").text,
+        )
+        consent_stage.find_element(
+            By.CSS_SELECTOR,
+            ("[type=submit]"),
+        ).click()
+
         self.wait_for_url("http://localhost:9009/")
 
         body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
@@ -198,6 +216,11 @@ class TestProviderSAML(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_idp_initiated_implicit(self):
         """test SAML Provider flow IdP-initiated flow (implicit consent)"""
         # Bootstrap all needed objects
@@ -227,11 +250,7 @@ class TestProviderSAML(SeleniumTestCase):
                 application_slug=provider.application.slug,
             )
         )
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
         sleep(1)
         self.wait_for_url("http://localhost:9009/")
 
@@ -267,6 +286,11 @@ class TestProviderSAML(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_sp_initiated_denied(self):
         """test SAML Provider flow SP-initiated flow (Policy denies access)"""
         # Bootstrap all needed objects
@@ -295,11 +319,7 @@ class TestProviderSAML(SeleniumTestCase):
         PolicyBinding.objects.create(target=app, policy=negative_policy, order=0)
         self.container = self.setup_client(provider)
         self.driver.get("http://localhost:9009/")
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.login()
 
         self.wait.until(
             ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
diff --git a/tests/e2e/test_source_oauth.py b/tests/e2e/test_source_oauth.py
index 9f72366a2..a87a81e41 100644
--- a/tests/e2e/test_source_oauth.py
+++ b/tests/e2e/test_source_oauth.py
@@ -11,6 +11,7 @@ from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
+from selenium.webdriver.support.wait import WebDriverWait
 from structlog.stdlib import get_logger
 from yaml import safe_dump
 
@@ -20,7 +21,7 @@ from authentik.providers.oauth2.generators import (
     generate_client_secret,
 )
 from authentik.sources.oauth.models import OAuthSource
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.e2e.utils import SeleniumTestCase, apply_migration, object_manager, retry
 
 CONFIG_PATH = "/tmp/dex.yml"  # nosec
 LOGGER = get_logger()
@@ -107,17 +108,28 @@ class TestSourceOAuth2(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0009_source_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_oauth_enroll(self):
         """test OAuth Source With With OIDC"""
         self.create_objects()
         self.driver.get(self.live_server_url)
 
-        self.wait.until(
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
             ec.presence_of_element_located(
                 (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
             )
         )
-        self.driver.find_element(
+        identification_stage.find_element(
             By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
         ).click()
 
@@ -133,15 +145,21 @@ class TestSourceOAuth2(SeleniumTestCase):
         )
         self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
 
-        self.wait.until(ec.presence_of_element_located((By.NAME, "username")))
         # At this point we've been redirected back
         # and we're asked for the username
-        self.driver.find_element(By.NAME, "username").click()
-        self.driver.find_element(By.NAME, "username").send_keys("foo")
-        self.driver.find_element(By.NAME, "username").send_keys(Keys.ENTER)
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        prompt_stage = self.get_shadow_root("ak-stage-prompt", flow_executor)
+
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=username]").click()
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=username]").send_keys(
+            "foo"
+        )
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=username]").send_keys(
+            Keys.ENTER
+        )
 
         # Wait until we've logged in
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.wait_for_url(self.shell_url("/library"))
         self.driver.get(self.url("authentik_core:user-details"))
 
         self.assertEqual(
@@ -157,6 +175,11 @@ class TestSourceOAuth2(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0009_source_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     @override_settings(SESSION_COOKIE_SAMESITE="strict")
     def test_oauth_samesite_strict(self):
         """test OAuth Source With SameSite set to strict
@@ -164,12 +187,18 @@ class TestSourceOAuth2(SeleniumTestCase):
         self.create_objects()
         self.driver.get(self.live_server_url)
 
-        self.wait.until(
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
             ec.presence_of_element_located(
                 (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
             )
         )
-        self.driver.find_element(
+        identification_stage.find_element(
             By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
         ).click()
 
@@ -185,31 +214,33 @@ class TestSourceOAuth2(SeleniumTestCase):
         )
         self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
 
-        self.wait.until(
-            ec.presence_of_element_located((By.CSS_SELECTOR, ".pf-c-alert__title"))
-        )
-        self.assertEqual(
-            self.driver.find_element(By.CSS_SELECTOR, ".pf-c-alert__title").text,
-            "Authentication Failed.",
-        )
-
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0009_source_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_oauth_enroll_auth(self):
         """test OAuth Source With With OIDC (enroll and authenticate again)"""
         self.test_oauth_enroll()
         # We're logged in at the end of this, log out and re-login
         self.driver.get(self.url("authentik_flows:default-invalidation"))
+        sleep(1)
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
 
-        self.wait.until(
+        wait.until(
             ec.presence_of_element_located(
                 (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
             )
         )
-        sleep(1)
-        self.driver.find_element(
+        identification_stage.find_element(
             By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
         ).click()
-        sleep(1)
+
         # Now we should be at the IDP, wait for the login field
         self.wait.until(ec.presence_of_element_located((By.ID, "login")))
         self.driver.find_element(By.ID, "login").send_keys("admin@example.com")
@@ -223,7 +254,7 @@ class TestSourceOAuth2(SeleniumTestCase):
         self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
 
         # Wait until we've logged in
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.wait_for_url(self.shell_url("/library"))
         self.driver.get(self.url("authentik_core:user-details"))
 
         self.assertEqual(
@@ -288,17 +319,28 @@ class TestSourceOAuth1(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0009_source_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_oauth_enroll(self):
         """test OAuth Source With With OIDC"""
         self.create_objects()
         self.driver.get(self.live_server_url)
 
-        self.wait.until(
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
             ec.presence_of_element_located(
                 (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
             )
         )
-        self.driver.find_element(
+        identification_stage.find_element(
             By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
         ).click()
 
@@ -316,7 +358,7 @@ class TestSourceOAuth1(SeleniumTestCase):
         # Wait until we've loaded the user info page
         sleep(2)
         # Wait until we've logged in
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.wait_for_url(self.shell_url("/library"))
         self.driver.get(self.url("authentik_core:user-details"))
 
         self.assertEqual(
diff --git a/tests/e2e/test_source_saml.py b/tests/e2e/test_source_saml.py
index 037eac95e..0f87c83f1 100644
--- a/tests/e2e/test_source_saml.py
+++ b/tests/e2e/test_source_saml.py
@@ -8,12 +8,13 @@ from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
+from selenium.webdriver.support.wait import WebDriverWait
 from structlog.stdlib import get_logger
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
 from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.e2e.utils import SeleniumTestCase, apply_migration, object_manager, retry
 
 LOGGER = get_logger()
 
@@ -93,6 +94,11 @@ class TestSourceSAML(SeleniumTestCase):
         }
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0009_source_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_idp_redirect(self):
         """test SAML Source With redirect binding"""
         # Bootstrap all needed objects
@@ -117,12 +123,18 @@ class TestSourceSAML(SeleniumTestCase):
 
         self.driver.get(self.live_server_url)
 
-        self.wait.until(
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
             ec.presence_of_element_located(
                 (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
             )
         )
-        self.driver.find_element(
+        identification_stage.find_element(
             By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
         ).click()
 
@@ -133,7 +145,7 @@ class TestSourceSAML(SeleniumTestCase):
         self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
 
         # Wait until we're logged in
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.wait_for_url(self.shell_url("/library"))
         self.driver.get(self.url("authentik_core:user-details"))
 
         # Wait until we've loaded the user info page
@@ -142,6 +154,11 @@ class TestSourceSAML(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0009_source_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_idp_post(self):
         """test SAML Source With post binding"""
         # Bootstrap all needed objects
@@ -166,12 +183,18 @@ class TestSourceSAML(SeleniumTestCase):
 
         self.driver.get(self.live_server_url)
 
-        self.wait.until(
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
             ec.presence_of_element_located(
                 (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
             )
         )
-        self.driver.find_element(
+        identification_stage.find_element(
             By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
         ).click()
         sleep(1)
@@ -184,7 +207,7 @@ class TestSourceSAML(SeleniumTestCase):
         self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
 
         # Wait until we're logged in
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.wait_for_url(self.shell_url("/library"))
         self.driver.get(self.url("authentik_core:user-details"))
 
         # Wait until we've loaded the user info page
@@ -193,6 +216,11 @@ class TestSourceSAML(SeleniumTestCase):
         )
 
     @retry()
+    @apply_migration("authentik_core", "0003_default_user")
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0009_source_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
     def test_idp_post_auto(self):
         """test SAML Source With post binding (auto redirect)"""
         # Bootstrap all needed objects
@@ -217,12 +245,18 @@ class TestSourceSAML(SeleniumTestCase):
 
         self.driver.get(self.live_server_url)
 
-        self.wait.until(
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
             ec.presence_of_element_located(
                 (By.CLASS_NAME, "pf-c-login__main-footer-links-item-link")
             )
         )
-        self.driver.find_element(
+        identification_stage.find_element(
             By.CLASS_NAME, "pf-c-login__main-footer-links-item-link"
         ).click()
 
@@ -233,7 +267,7 @@ class TestSourceSAML(SeleniumTestCase):
         self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
 
         # Wait until we're logged in
-        self.wait_for_url(self.shell_url("authentik_core:overview"))
+        self.wait_for_url(self.shell_url("/library"))
         self.driver.get(self.url("authentik_core:user-details"))
 
         # Wait until we've loaded the user info page
diff --git a/tests/e2e/utils.py b/tests/e2e/utils.py
index e63ff2a9d..2cec7f743 100644
--- a/tests/e2e/utils.py
+++ b/tests/e2e/utils.py
@@ -1,19 +1,17 @@
 """authentik e2e testing utilities"""
 import json
-from functools import wraps
-from glob import glob
-from importlib.util import module_from_spec, spec_from_file_location
-from inspect import getmembers, isfunction
+from functools import lru_cache, wraps
 from os import environ, makedirs
 from time import sleep, time
 from typing import Any, Callable, Optional
 
 from django.apps import apps
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
-from django.db import connection, transaction
-from django.db.utils import IntegrityError
-from django.shortcuts import reverse
+from django.db import connection
+from django.db.migrations.loader import MigrationLoader
+from django.db.migrations.operations.special import RunPython
 from django.test.testcases import TransactionTestCase
+from django.urls import reverse
 from docker import DockerClient, from_env
 from docker.models.containers import Container
 from selenium import webdriver
@@ -24,7 +22,9 @@ from selenium.common.exceptions import (
 )
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
+from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.remote.webdriver import WebDriver
+from selenium.webdriver.remote.webelement import WebElement
 from selenium.webdriver.support.ui import WebDriverWait
 from structlog.stdlib import get_logger
 
@@ -43,15 +43,16 @@ class SeleniumTestCase(StaticLiveServerTestCase):
     """StaticLiveServerTestCase which automatically creates a Webdriver instance"""
 
     container: Optional[Container] = None
+    wait_timeout: int
 
     def setUp(self):
         super().setUp()
+        self.wait_timeout = 60
         makedirs("selenium_screenshots/", exist_ok=True)
         self.driver = self._get_driver()
         self.driver.maximize_window()
         self.driver.implicitly_wait(30)
-        self.wait = WebDriverWait(self.driver, 60)
-        self.apply_default_data()
+        self.wait = WebDriverWait(self.driver, self.wait_timeout)
         self.logger = get_logger()
         if specs := self.get_container_specs():
             self.container = self._start_container(specs)
@@ -108,9 +109,48 @@ class SeleniumTestCase(StaticLiveServerTestCase):
         """reverse `view` with `**kwargs` into full URL using live_server_url"""
         return self.live_server_url + reverse(view, kwargs=kwargs)
 
-    def shell_url(self, view, **kwargs) -> str:
+    def shell_url(self, view) -> str:
         """same as self.url() but show URL in shell"""
-        return f"{self.live_server_url}/#{reverse(view, kwargs=kwargs)}"
+        return f"{self.live_server_url}/#{view}"
+
+    def get_shadow_root(
+        self, selector: str, container: Optional[WebElement] = None
+    ) -> WebElement:
+        """Get shadow root element's inner shadowRoot"""
+        if not container:
+            container = self.driver
+        shadow_root = container.find_element(By.CSS_SELECTOR, selector)
+        element = self.driver.execute_script(
+            "return arguments[0].shadowRoot", shadow_root
+        )
+        return element
+
+    def login(self):
+        """Do entire login flow and check user afterwards"""
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root(
+            "ak-stage-identification", flow_executor
+        )
+
+        identification_stage.find_element(
+            By.CSS_SELECTOR, "input[name=uid_field]"
+        ).click()
+        identification_stage.find_element(
+            By.CSS_SELECTOR, "input[name=uid_field]"
+        ).send_keys(USER().username)
+        identification_stage.find_element(
+            By.CSS_SELECTOR, "input[name=uid_field]"
+        ).send_keys(Keys.ENTER)
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        password_stage = self.get_shadow_root("ak-stage-password", flow_executor)
+        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
+            USER().username
+        )
+        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
+            Keys.ENTER
+        )
+        sleep(1)
 
     def assert_user(self, expected_user: User):
         """Check users/me API and assert it matches expected_user"""
@@ -122,35 +162,45 @@ class SeleniumTestCase(StaticLiveServerTestCase):
         self.assertEqual(user["name"].value, expected_user.name)
         self.assertEqual(user["email"].value, expected_user.email)
 
-    def apply_default_data(self):
-        """apply objects created by migrations after tables have been truncated"""
-        # Not all default objects are managed, like users for example
-        # Hence we still have to load all migrations and apply them, then run the ObjectManager
-        # Find all migration files
-        # load all functions
-        migration_files = glob("**/migrations/*.py", recursive=True)
-        matches = []
-        for migration in migration_files:
-            with open(migration, "r+") as migration_file:
-                # Check if they have a `RunPython`
-                if "RunPython" in migration_file.read():
-                    matches.append(migration)
 
-        with connection.schema_editor() as schema_editor:
-            for match in matches:
-                # Load module from file path
-                spec = spec_from_file_location("", match)
-                migration_module = module_from_spec(spec)
-                # pyright: reportGeneralTypeIssues=false
-                spec.loader.exec_module(migration_module)
-                # Call all functions from module
-                for _, func in getmembers(migration_module, isfunction):
-                    with transaction.atomic():
-                        try:
-                            func(apps, schema_editor)
-                        except IntegrityError:
-                            pass
+@lru_cache
+def get_loader():
+    """Thin wrapper to lazily get a Migration Loader, only when it's needed
+    and only once"""
+    return MigrationLoader(connection)
+
+
+def apply_migration(app_name: str, migration_name: str):
+    """Re-apply migrations that create objects using RunPython before test cases"""
+
+    def wrapper_outter(func: Callable):
+        """Retry test multiple times"""
+
+        @wraps(func)
+        def wrapper(self: TransactionTestCase, *args, **kwargs):
+            migration = get_loader().get_migration(app_name, migration_name)
+            with connection.schema_editor() as schema_editor:
+                for operation in migration.operations:
+                    if not isinstance(operation, RunPython):
+                        continue
+                    operation.code(apps, schema_editor)
+            return func(self, *args, **kwargs)
+
+        return wrapper
+
+    return wrapper_outter
+
+
+def object_manager(func: Callable):
+    """Run objectmanager before a test function"""
+
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        """Run objectmanager before a test function"""
         ObjectManager().run()
+        return func(*args, **kwargs)
+
+    return wrapper
 
 
 def retry(max_retires=3, exceptions=None):
diff --git a/web/package-lock.json b/web/package-lock.json
index 955d22030..bdcbb382d 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -197,42 +197,6 @@
                 }
             }
         },
-        "@sentry/integrations": {
-            "version": "6.2.0",
-            "resolved": "https://registry.npmjs.org/@sentry/integrations/-/integrations-6.2.0.tgz",
-            "integrity": "sha512-gvAhP61qs2fog2xCTDs94ZT8cZbWEjFZmOWfT1VXlZDIVopIporj5Qe6IgrLTiCWL61Yko5h5nFnPZ4mpjf+0w==",
-            "requires": {
-                "@sentry/types": "6.2.0",
-                "@sentry/utils": "6.2.0",
-                "localforage": "^1.8.1",
-                "tslib": "^1.9.3"
-            },
-            "dependencies": {
-                "tslib": {
-                    "version": "1.14.1",
-                    "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
-                    "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
-                }
-            }
-        },
-        "@sentry/integrations": {
-            "version": "6.2.0",
-            "resolved": "https://registry.npmjs.org/@sentry/integrations/-/integrations-6.2.0.tgz",
-            "integrity": "sha512-gvAhP61qs2fog2xCTDs94ZT8cZbWEjFZmOWfT1VXlZDIVopIporj5Qe6IgrLTiCWL61Yko5h5nFnPZ4mpjf+0w==",
-            "requires": {
-                "@sentry/types": "6.2.0",
-                "@sentry/utils": "6.2.0",
-                "localforage": "^1.8.1",
-                "tslib": "^1.9.3"
-            },
-            "dependencies": {
-                "tslib": {
-                    "version": "1.14.1",
-                    "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
-                    "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
-                }
-            }
-        },
         "@sentry/minimal": {
             "version": "6.2.0",
             "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.2.0.tgz",
@@ -337,6 +301,11 @@
                 "@types/node": "*"
             }
         },
+        "@types/grecaptcha": {
+            "version": "3.0.1",
+            "resolved": "https://registry.npmjs.org/@types/grecaptcha/-/grecaptcha-3.0.1.tgz",
+            "integrity": "sha512-eMA/2quQoxwSe8oOBB1H6KNXNqginzt9BHAt2vVVUoQswZNct2QwSAmEMsN/VHj/XSNxM3p+Py15B7omEaAC9w=="
+        },
         "@types/html-minifier": {
             "version": "3.5.3",
             "resolved": "https://registry.npmjs.org/@types/html-minifier/-/html-minifier-3.5.3.tgz",
@@ -1758,11 +1727,6 @@
             "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.1.8.tgz",
             "integrity": "sha512-BMpfD7PpiETpBl/A6S498BaIJ6Y/ABT93ETbby2fP00v4EbvPBXWEoaR1UBPKs3iR53pJY7EtZk5KACI57i1Uw=="
         },
-        "immediate": {
-            "version": "3.0.6",
-            "resolved": "https://registry.npmjs.org/immediate/-/immediate-3.0.6.tgz",
-            "integrity": "sha1-nbHb0Pr43m++D13V5Wu2BigN5ps="
-        },
         "import-fresh": {
             "version": "3.3.0",
             "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.0.tgz",
@@ -2017,14 +1981,6 @@
                 "type-check": "~0.4.0"
             }
         },
-        "lie": {
-            "version": "3.1.1",
-            "resolved": "https://registry.npmjs.org/lie/-/lie-3.1.1.tgz",
-            "integrity": "sha1-mkNrLMd0bKWd56QfpGmz77dr2H4=",
-            "requires": {
-                "immediate": "~3.0.5"
-            }
-        },
         "lit-analyzer": {
             "version": "1.2.1",
             "resolved": "https://registry.npmjs.org/lit-analyzer/-/lit-analyzer-1.2.1.tgz",
@@ -2206,14 +2162,6 @@
             "resolved": "https://registry.npmjs.org/lit-html/-/lit-html-1.3.0.tgz",
             "integrity": "sha512-0Q1bwmaFH9O14vycPHw8C/IeHMk/uSDldVLIefu/kfbTBGIc44KGH6A8p1bDfxUfHdc8q6Ct7kQklWoHgr4t1Q=="
         },
-        "localforage": {
-            "version": "1.9.0",
-            "resolved": "https://registry.npmjs.org/localforage/-/localforage-1.9.0.tgz",
-            "integrity": "sha512-rR1oyNrKulpe+VM9cYmcFn6tsHuokyVHFaCM3+osEmxaHTbEk8oQu6eGDfS6DQLWi/N67XRmB8ECG37OES368g==",
-            "requires": {
-                "lie": "3.1.1"
-            }
-        },
         "locate-path": {
             "version": "5.0.0",
             "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
@@ -2594,6 +2542,11 @@
             "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==",
             "dev": true
         },
+        "qrjs": {
+            "version": "0.1.2",
+            "resolved": "https://registry.npmjs.org/qrjs/-/qrjs-0.1.2.tgz",
+            "integrity": "sha1-os38FpElvkCspBIhD5u1g9Bu6c8="
+        },
         "randombytes": {
             "version": "2.1.0",
             "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
@@ -3552,6 +3505,14 @@
                 }
             }
         },
+        "webcomponent-qr-code": {
+            "version": "1.0.5",
+            "resolved": "https://registry.npmjs.org/webcomponent-qr-code/-/webcomponent-qr-code-1.0.5.tgz",
+            "integrity": "sha512-uLulSj2nUe8HvhsuXSy8NySz3YPikpA2oIVrv15a4acNoiAdpickMFw5wSgFp7kxEb0twT/wC5VozZQHZhsZIw==",
+            "requires": {
+                "qrjs": "^0.1.2"
+            }
+        },
         "which": {
             "version": "2.0.2",
             "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
diff --git a/web/package.json b/web/package.json
index 344d6ac8a..251356951 100644
--- a/web/package.json
+++ b/web/package.json
@@ -13,10 +13,10 @@
         "@fortawesome/fontawesome-free": "^5.15.2",
         "@patternfly/patternfly": "^4.87.3",
         "@sentry/browser": "^6.2.0",
-        "@sentry/integrations": "^6.2.0",
         "@sentry/tracing": "^6.2.0",
         "@types/chart.js": "^2.9.31",
         "@types/codemirror": "0.0.108",
+        "@types/grecaptcha": "^3.0.1",
         "base64-js": "^1.5.1",
         "chart.js": "^2.9.4",
         "codemirror": "^5.59.4",
@@ -28,7 +28,8 @@
         "rollup-plugin-copy": "^3.4.0",
         "rollup-plugin-cssimport": "^1.0.2",
         "rollup-plugin-external-globals": "^0.6.1",
-        "tslib": "^2.1.0"
+        "tslib": "^2.1.0",
+        "webcomponent-qr-code": "^1.0.5"
     },
     "devDependencies": {
         "@rollup/plugin-typescript": "^8.2.0",
diff --git a/web/rollup.config.js b/web/rollup.config.js
index 3e366b3f1..c818414bc 100644
--- a/web/rollup.config.js
+++ b/web/rollup.config.js
@@ -48,4 +48,33 @@ export default [
         },
         external: ["django"]
     },
+    {
+        input: "./src/flow.ts",
+        output: [
+            {
+                format: "es",
+                dir: "dist",
+                sourcemap: true,
+            },
+        ],
+        plugins: [
+            cssimport(),
+            typescript(),
+            externalGlobals({
+                django: "django"
+            }),
+            resolve({ browser: true }),
+            commonjs(),
+            sourcemaps(),
+            terser(),
+            copy({
+                targets: [...resources],
+                copyOnce: false,
+            }),
+        ],
+        watch: {
+            clearScreen: false,
+        },
+        external: ["django"]
+    },
 ];
diff --git a/web/src/api/Config.ts b/web/src/api/Config.ts
index c5066ed7e..cac6dc067 100644
--- a/web/src/api/Config.ts
+++ b/web/src/api/Config.ts
@@ -3,7 +3,6 @@ import * as Sentry from "@sentry/browser";
 import { Integrations } from "@sentry/tracing";
 import { VERSION } from "../constants";
 import { SentryIgnoredError } from "../common/errors";
-import { CaptureConsole as CaptureConsoleIntegration } from "@sentry/integrations";
 
 export class Config {
     branding_logo: string;
@@ -25,7 +24,6 @@ export class Config {
                     release: `authentik@${VERSION}`,
                     integrations: [
                         new Integrations.BrowserTracing(),
-                        new CaptureConsoleIntegration(),
                     ],
                     tracesSampleRate: 0.6,
                     environment: config.error_reporting_environment,
diff --git a/web/src/api/Flows.ts b/web/src/api/Flows.ts
index cbf4909d5..226fed3a3 100644
--- a/web/src/api/Flows.ts
+++ b/web/src/api/Flows.ts
@@ -1,6 +1,40 @@
 import { DefaultClient, AKResponse, QueryArguments, BaseInheritanceModel } from "./Client";
 import { TypeCreate } from "./Providers";
 
+export enum ChallengeTypes {
+    native = "native",
+    response = "response",
+    shell = "shell",
+    redirect = "redirect",
+}
+
+export interface Error {
+    code: string;
+    string: string;
+}
+
+export interface ErrorDict {
+    [key: string]: Error[];
+}
+
+export interface Challenge {
+    type: ChallengeTypes;
+    component?: string;
+    title?: string;
+    response_errors?: ErrorDict;
+}
+export interface WithUserInfoChallenge extends Challenge {
+    pending_user: string;
+    pending_user_avatar: string;
+}
+
+export interface ShellChallenge extends Challenge {
+    body: string;
+}
+export interface RedirectChallenge extends Challenge {
+    to: string;
+}
+
 export enum FlowDesignation {
     Authentication = "authentication",
     Authorization = "authorization",
@@ -40,10 +74,15 @@ export class Flow {
     }
 
     static cached(): Promise<number> {
-        return DefaultClient.fetch<{ count: number }>(["flows", "all", "cached"]).then(r => {
+        return DefaultClient.fetch<{ count: number }>(["flows", "instances", "cached"]).then(r => {
             return r.count;
         });
     }
+
+    static executor(slug: string): Promise<Challenge> {
+        return DefaultClient.fetch(["flows", "executor", slug]);
+    }
+
     static adminUrl(rest: string): string {
         return `/administration/flows/${rest}`;
     }
diff --git a/web/src/api/Prompts.ts b/web/src/api/Prompts.ts
index b688f4812..ee2100717 100644
--- a/web/src/api/Prompts.ts
+++ b/web/src/api/Prompts.ts
@@ -25,6 +25,6 @@ export class Prompt {
     }
 
     static adminUrl(rest: string): string {
-        return `/administration/stages/prompts/${rest}`;
+        return `/administration/stages_prompts/${rest}`;
     }
 }
diff --git a/web/src/authentik.css b/web/src/authentik.css
index 7ad666e7f..de8a26a0e 100644
--- a/web/src/authentik.css
+++ b/web/src/authentik.css
@@ -85,6 +85,11 @@ select[multiple] {
     z-index: auto !important;
 }
 
+/* Fix spacing between messages */
+ak-message {
+    display: block;
+}
+
 @media (prefers-color-scheme: dark) {
     :root {
         --ak-dark-foreground: #fafafa;
@@ -230,12 +235,18 @@ select[multiple] {
     .pf-c-login__main {
         background-color: var(--ak-dark-background);
     }
-    .pf-c-login__main-body {
+    .pf-c-login__main-body,
+    .pf-c-login__main-header,
+    .pf-c-login__main-header-desc {
         color: var(--ak-dark-foreground);
     }
     .pf-c-login__main-footer-links-item-link > img {
         filter: invert(1);
     }
+    .pf-c-login__main-footer-band {
+        background-color: var(--ak-dark-background-lighter);
+        color: var(--ak-dark-foreground);
+    }
     .form-control-static {
         color: var(--ak-dark-foreground);
     }
diff --git a/web/src/elements/AdminLoginsChart.ts b/web/src/elements/AdminLoginsChart.ts
index 898d59d0a..63d1b3c35 100644
--- a/web/src/elements/AdminLoginsChart.ts
+++ b/web/src/elements/AdminLoginsChart.ts
@@ -47,7 +47,7 @@ export class AdminLoginsChart extends LitElement {
                     level_tag: "error",
                     message: "Unexpected error"
                 });
-                console.log(e);
+                console.error(e);
             })
             .then((r) => {
                 const canvas = <HTMLCanvasElement>this.shadowRoot?.querySelector("canvas");
diff --git a/web/src/elements/Expand.ts b/web/src/elements/Expand.ts
index 3cb684702..524eaf702 100644
--- a/web/src/elements/Expand.ts
+++ b/web/src/elements/Expand.ts
@@ -19,7 +19,6 @@ export class Expand extends LitElement {
     }
 
     render(): TemplateResult {
-        console.log(this.expanded);
         return html`<div class="pf-c-expandable-section ${this.expanded ? "pf-m-expanded" : ""}">
             <button type="button" class="pf-c-expandable-section__toggle" aria-expanded="${this.expanded}" @click=${() => {
                 this.expanded = !this.expanded;
diff --git a/web/src/elements/buttons/ModalButton.ts b/web/src/elements/buttons/ModalButton.ts
index 226565871..1991d260c 100644
--- a/web/src/elements/buttons/ModalButton.ts
+++ b/web/src/elements/buttons/ModalButton.ts
@@ -108,7 +108,7 @@ export class ModalButton extends LitElement {
                             level_tag: "error",
                             message: "Unexpected error"
                         });
-                        console.log(e);
+                        console.error(e);
                     });
             });
         });
@@ -136,7 +136,7 @@ export class ModalButton extends LitElement {
                         level_tag: "error",
                         message: "Unexpected error"
                     });
-                    console.log(e);
+                    console.error(e);
                 });
         }
     }
diff --git a/web/src/elements/buttons/SpinnerButton.ts b/web/src/elements/buttons/SpinnerButton.ts
index 2a5982922..5213e3e75 100644
--- a/web/src/elements/buttons/SpinnerButton.ts
+++ b/web/src/elements/buttons/SpinnerButton.ts
@@ -5,6 +5,7 @@ import GlobalsStyle from "@patternfly/patternfly/base/patternfly-globals.css";
 import ButtonStyle from "@patternfly/patternfly/components/Button/button.css";
 // @ts-ignore
 import SpinnerStyle from "@patternfly/patternfly/components/Spinner/spinner.css";
+import { SpinnerSize } from "../Spinner";
 import { PRIMARY_CLASS, PROGRESS_CLASS } from "../../constants";
 import { ColorStyles } from "../../common/styles";
 
@@ -72,15 +73,7 @@ export class SpinnerButton extends LitElement {
         >
             ${this.isRunning
                 ? html` <span class="pf-c-button__progress">
-                            <span
-                                class="pf-c-spinner pf-m-md"
-                                role="progressbar"
-                                aria-valuetext="Loading..."
-                            >
-                                <span class="pf-c-spinner__clipper"></span>
-                                <span class="pf-c-spinner__lead-ball"></span>
-                                <span class="pf-c-spinner__tail-ball"></span>
-                            </span>
+                            <ak-spinner size=${SpinnerSize.Medium}></ak-spinner>
                         </span>`
                 : ""}
             <slot></slot>
diff --git a/web/src/elements/router/RouterOutlet.ts b/web/src/elements/router/RouterOutlet.ts
index 6439bb0d2..796511c34 100644
--- a/web/src/elements/router/RouterOutlet.ts
+++ b/web/src/elements/router/RouterOutlet.ts
@@ -69,9 +69,9 @@ export class RouterOutlet extends LitElement {
             console.debug(`authentik/router: route "${activeUrl}" not defined`);
             const route = new Route(
                 RegExp(""),
-                html`<div class="pf-c-page__main">
-                    <ak-router-404 url=${activeUrl}></ak-router-404>
-                </div>`
+                html`<ak-site-shell class="pf-c-page__main" url=${activeUrl}>
+                    <div slot="body"></div>
+                </ak-site-shell>`
             );
             matchedRoute = new RouteMatch(route);
             matchedRoute.arguments = route.url.exec(activeUrl)?.groups || {};
diff --git a/web/src/elements/stages/authenticator_static/AuthenticatorStaticStage.ts b/web/src/elements/stages/authenticator_static/AuthenticatorStaticStage.ts
new file mode 100644
index 000000000..ffd00c812
--- /dev/null
+++ b/web/src/elements/stages/authenticator_static/AuthenticatorStaticStage.ts
@@ -0,0 +1,81 @@
+import { gettext } from "django";
+import { css, CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { WithUserInfoChallenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+import "../form";
+
+export interface AuthenticatorStaticChallenge extends WithUserInfoChallenge {
+    codes: number[];
+}
+
+@customElement("ak-stage-authenticator-static")
+export class AuthenticatorStaticStage extends BaseStage {
+
+    @property({ attribute: false })
+    challenge?: AuthenticatorStaticChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES.concat(css`
+            /* Static OTP Tokens */
+            .ak-otp-tokens {
+                list-style: circle;
+                columns: 2;
+                -webkit-columns: 2;
+                -moz-columns: 2;
+                margin-left: var(--pf-global--spacer--xs);
+            }
+            .ak-otp-tokens li {
+                font-size: var(--pf-global--FontSize--2xl);
+                font-family: monospace;
+            }
+        `);
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form" @submit=${(e: Event) => { this.submitForm(e); }}>
+                    <div class="pf-c-form__group">
+                        <div class="form-control-static">
+                            <div class="left">
+                                <img class="pf-c-avatar" src="${this.challenge.pending_user_avatar}" alt="${gettext("User's avatar")}">
+                                ${this.challenge.pending_user}
+                            </div>
+                            <div class="right">
+                                <a href="/flows/-/cancel/">${gettext("Not you?")}</a>
+                            </div>
+                        </div>
+                    </div>
+                    <ak-form-element
+                        label="${gettext("Tokens")}"
+                        ?required="${true}"
+                        class="pf-c-form__group">
+                        <ul class="ak-otp-tokens">
+                            ${this.challenge.codes.map((token) => {
+                                return html`<li>${token}</li>`;
+                            })}
+                        </ul>
+                    </ak-form-element>
+
+                    <div class="pf-c-form__group pf-m-action">
+                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                            ${gettext("Continue")}
+                        </button>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                </ul>
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/authenticator_totp/AuthenticatorTOTPStage.ts b/web/src/elements/stages/authenticator_totp/AuthenticatorTOTPStage.ts
new file mode 100644
index 000000000..474964320
--- /dev/null
+++ b/web/src/elements/stages/authenticator_totp/AuthenticatorTOTPStage.ts
@@ -0,0 +1,94 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { WithUserInfoChallenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+import "webcomponent-qr-code";
+import "../form";
+import { showMessage } from "../../messages/MessageContainer";
+
+export interface AuthenticatorTOTPChallenge extends WithUserInfoChallenge {
+    config_url: string;
+}
+
+@customElement("ak-stage-authenticator-totp")
+export class AuthenticatorTOTPStage extends BaseStage {
+
+    @property({ attribute: false })
+    challenge?: AuthenticatorTOTPChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form" @submit=${(e: Event) => { this.submitForm(e); }}>
+                    <div class="pf-c-form__group">
+                        <div class="form-control-static">
+                            <div class="left">
+                                <img class="pf-c-avatar" src="${this.challenge.pending_user_avatar}" alt="${gettext("User's avatar")}">
+                                ${this.challenge.pending_user}
+                            </div>
+                            <div class="right">
+                                <a href="/flows/-/cancel/">${gettext("Not you?")}</a>
+                            </div>
+                        </div>
+                    </div>
+                    <input type="hidden" name="otp_uri" value=${this.challenge.config_url} />
+                    <ak-form-element>
+                        <!-- @ts-ignore -->
+                        <qr-code data="${this.challenge.config_url}"></qr-code>
+                        <button type="button" class="pf-c-button pf-m-secondary pf-m-progress pf-m-in-progress" @click=${(e: Event) => {
+                            e.preventDefault();
+                            if (!this.challenge?.config_url) return;
+                            navigator.clipboard.writeText(this.challenge?.config_url).then(() => {
+                                showMessage({
+                                    level_tag: "success",
+                                    message: gettext("Successfully copied TOTP Config.")
+                                });
+                            });
+                        }}>
+                            <span class="pf-c-button__progress"><i class="fas fa-copy"></i></span>
+                            ${gettext("Copy")}
+                        </button>
+                    </ak-form-element>
+                    <ak-form-element
+                        label="${gettext("Code")}"
+                        ?required="${true}"
+                        class="pf-c-form__group"
+                        .errors=${(this.challenge?.response_errors || {})["code"]}>
+                        <!-- @ts-ignore -->
+                        <input type="text"
+                            name="code"
+                            inputmode="numeric"
+                            pattern="[0-9]*"
+                            placeholder="${gettext("Please enter your TOTP Code")}"
+                            autofocus=""
+                            autocomplete="one-time-code"
+                            class="pf-c-form-control"
+                            required="">
+                    </ak-form-element>
+
+                    <div class="pf-c-form__group pf-m-action">
+                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                            ${gettext("Continue")}
+                        </button>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                </ul>
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/authenticator_validate/AuthenticatorValidateStage.ts b/web/src/elements/stages/authenticator_validate/AuthenticatorValidateStage.ts
new file mode 100644
index 000000000..e9acacf76
--- /dev/null
+++ b/web/src/elements/stages/authenticator_validate/AuthenticatorValidateStage.ts
@@ -0,0 +1,160 @@
+import { gettext } from "django";
+import { css, CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { WithUserInfoChallenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage, StageHost } from "../base";
+import "./AuthenticatorValidateStageWebAuthn";
+import "./AuthenticatorValidateStageCode";
+
+export enum DeviceClasses {
+    STATIC = "static",
+    TOTP = "totp",
+    WEBAUTHN = "webauthn",
+}
+
+export interface DeviceChallenge {
+    device_class: DeviceClasses;
+    device_uid: string;
+    challenge: unknown;
+}
+
+export interface AuthenticatorValidateStageChallenge extends WithUserInfoChallenge {
+    device_challenges: DeviceChallenge[];
+}
+
+export interface AuthenticatorValidateStageChallengeResponse {
+    code: string;
+    webauthn: string;
+}
+
+@customElement("ak-stage-authenticator-validate")
+export class AuthenticatorValidateStage extends BaseStage implements StageHost {
+
+    @property({ attribute: false })
+    challenge?: AuthenticatorValidateStageChallenge;
+
+    @property({attribute: false})
+    selectedDeviceChallenge?: DeviceChallenge;
+
+    submit(formData?: FormData): Promise<void> {
+        return this.host?.submit(formData) || Promise.resolve();
+    }
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES.concat(css`
+            ul > li:not(:last-child) {
+                padding-bottom: 1rem;
+            }
+            .authenticator-button {
+                display: flex;
+                align-items: center;
+                width: 100%;
+            }
+            i {
+                font-size: 1.5rem;
+                padding: 1rem 0;
+                width: 5rem;
+            }
+            .right {
+                display: flex;
+                flex-direction: column;
+                justify-content: space-between;
+                height: 100%;
+                text-align: left;
+            }
+            .right > * {
+                height: 50%;
+            }
+        `);
+    }
+
+    renderDevicePickerSingle(deviceChallenge: DeviceChallenge): TemplateResult {
+        switch (deviceChallenge.device_class) {
+            case DeviceClasses.WEBAUTHN:
+                return html`<i class="fas fa-mobile-alt"></i>
+                    <div class="right">
+                        <p>${gettext("Authenticator")}</p>
+                        <small>${gettext("Use a security key to prove your identity.")}</small>
+                    </div>`;
+            case DeviceClasses.TOTP:
+                return html`<i class="fas fa-clock"></i>
+                    <div class="right">
+                        <p>${gettext("Traditional authenticator")}</p>
+                        <small>${gettext("Use a code-based authenticator.")}</small>
+                    </div>`;
+            case DeviceClasses.STATIC:
+                return html`<i class="fas fa-key"></i>
+                    <div class="right">
+                        <p>${gettext("Recovery keys")}</p>
+                        <small>${gettext("In case you can't access any other method.")}</small>
+                    </div>`;
+            default:
+                break;
+        }
+        return html``;
+    }
+
+    renderDevicePicker(): TemplateResult {
+        return html`
+        <ul>
+            ${this.challenge?.device_challenges.map((challenges) => {
+                return html`<li>
+                    <button class="pf-c-button authenticator-button" type="button" @click=${() => {
+                        this.selectedDeviceChallenge = challenges;
+                    }}>
+                        ${this.renderDevicePickerSingle(challenges)}
+                    </button>
+                </li>`;
+            })}
+        </ul>`;
+    }
+
+    renderDeviceChallenge(): TemplateResult {
+        if (!this.selectedDeviceChallenge) {
+            return html``;
+        }
+        switch (this.selectedDeviceChallenge?.device_class) {
+        case DeviceClasses.STATIC:
+        case DeviceClasses.TOTP:
+            return html`<ak-stage-authenticator-validate-code
+                .host=${this}
+                .challenge=${this.challenge}
+                .deviceChallenge=${this.selectedDeviceChallenge}>
+            </ak-stage-authenticator-validate-code>`;
+        case DeviceClasses.WEBAUTHN:
+            return html`<ak-stage-authenticator-validate-webauthn
+                .host=${this}
+                .challenge=${this.challenge}
+                .deviceChallenge=${this.selectedDeviceChallenge}>
+            </ak-stage-authenticator-validate-webauthn>`;
+        }
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        // User only has a single device class, so we don't show a picker
+        if (this.challenge?.device_challenges.length === 1) {
+            this.selectedDeviceChallenge = this.challenge.device_challenges[0];
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+                ${this.selectedDeviceChallenge ? "" : html`<p class="pf-c-login__main-header-desc">
+                    ${gettext("Select an identification method.")}
+                    </p>`}
+            </header>
+            ${this.selectedDeviceChallenge ?
+                this.renderDeviceChallenge() :
+                html`<div class="pf-c-login__main-body">
+                    ${this.renderDevicePicker()}
+                </div>
+                <footer class="pf-c-login__main-footer">
+                    <ul class="pf-c-login__main-footer-links">
+                    </ul>
+                </footer>`}`;
+    }
+
+}
diff --git a/web/src/elements/stages/authenticator_validate/AuthenticatorValidateStageCode.ts b/web/src/elements/stages/authenticator_validate/AuthenticatorValidateStageCode.ts
new file mode 100644
index 000000000..712c9677b
--- /dev/null
+++ b/web/src/elements/stages/authenticator_validate/AuthenticatorValidateStageCode.ts
@@ -0,0 +1,76 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+import { AuthenticatorValidateStage, AuthenticatorValidateStageChallenge, DeviceChallenge } from "./AuthenticatorValidateStage";
+import "../form";
+
+@customElement("ak-stage-authenticator-validate-code")
+export class AuthenticatorValidateStageWebCode extends BaseStage {
+
+    @property({ attribute: false })
+    challenge?: AuthenticatorValidateStageChallenge;
+
+    @property({ attribute: false })
+    deviceChallenge?: DeviceChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<div class="pf-c-login__main-body">
+            <form class="pf-c-form" @submit=${(e: Event) => { this.submitForm(e); }}>
+                <div class="pf-c-form__group">
+                    <div class="form-control-static">
+                        <div class="left">
+                            <img class="pf-c-avatar" src="${this.challenge.pending_user_avatar}" alt="${gettext("User's avatar")}">
+                            ${this.challenge.pending_user}
+                        </div>
+                        <div class="right">
+                            <a href="/flows/-/cancel/">${gettext("Not you?")}</a>
+                        </div>
+                    </div>
+                </div>
+                <ak-form-element
+                    label="${gettext("Code")}"
+                    ?required="${true}"
+                    class="pf-c-form__group"
+                    .errors=${(this.challenge?.response_errors || {})["code"]}>
+                    <!-- @ts-ignore -->
+                    <input type="text"
+                        name="code"
+                        inputmode="numeric"
+                        pattern="[0-9]*"
+                        placeholder="${gettext("Please enter your TOTP Code")}"
+                        autofocus=""
+                        autocomplete="one-time-code"
+                        class="pf-c-form-control"
+                        required="">
+                </ak-form-element>
+
+                <div class="pf-c-form__group pf-m-action">
+                    <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                        ${gettext("Continue")}
+                    </button>
+                </div>
+            </form>
+        </div>
+        <footer class="pf-c-login__main-footer">
+            <ul class="pf-c-login__main-footer-links">
+                <li class="pf-c-login__main-footer-links-item">
+                    <button class="pf-c-button pf-m-secondary pf-m-block" @click=${() => {
+                        if (!this.host) return;
+                        (this.host as AuthenticatorValidateStage).selectedDeviceChallenge = undefined;
+                    }}>
+                        ${gettext("Return to device picker")}
+                    </button>
+                </li>
+            </ul>
+        </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/authenticator_webauthn/WebAuthnAuth.ts b/web/src/elements/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts
similarity index 59%
rename from web/src/elements/stages/authenticator_webauthn/WebAuthnAuth.ts
rename to web/src/elements/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts
index ce3266947..276352e15 100644
--- a/web/src/elements/stages/authenticator_webauthn/WebAuthnAuth.ts
+++ b/web/src/elements/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts
@@ -1,10 +1,19 @@
 import { gettext } from "django";
-import { customElement, html, LitElement, property, TemplateResult } from "lit-element";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { COMMON_STYLES } from "../../../common/styles";
 import { SpinnerSize } from "../../Spinner";
-import { getCredentialRequestOptionsFromServer, postAssertionToServer, transformAssertionForServer, transformCredentialRequestOptions } from "./utils";
+import { transformAssertionForServer, transformCredentialRequestOptions } from "../authenticator_webauthn/utils";
+import { BaseStage } from "../base";
+import { AuthenticatorValidateStage, AuthenticatorValidateStageChallenge, DeviceChallenge } from "./AuthenticatorValidateStage";
 
-@customElement("ak-stage-webauthn-auth")
-export class WebAuthnAuth extends LitElement {
+@customElement("ak-stage-authenticator-validate-webauthn")
+export class AuthenticatorValidateStageWebAuthn extends BaseStage {
+
+    @property({attribute: false})
+    challenge?: AuthenticatorValidateStageChallenge;
+
+    @property({attribute: false})
+    deviceChallenge?: DeviceChallenge;
 
     @property({ type: Boolean })
     authenticateRunning = false;
@@ -12,19 +21,15 @@ export class WebAuthnAuth extends LitElement {
     @property()
     authenticateMessage = "";
 
-    async authenticate(): Promise<void> {
-        // post the login data to the server to retrieve the PublicKeyCredentialRequestOptions
-        let credentialRequestOptionsFromServer;
-        try {
-            credentialRequestOptionsFromServer = await getCredentialRequestOptionsFromServer();
-        } catch (err) {
-            throw new Error(gettext(`Error when getting request options from server: ${err}`));
-        }
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
 
+    async authenticate(): Promise<void> {
         // convert certain members of the PublicKeyCredentialRequestOptions into
         // byte arrays as expected by the spec.
-        const transformedCredentialRequestOptions = transformCredentialRequestOptions(
-            credentialRequestOptionsFromServer);
+        const credentialRequestOptions = <PublicKeyCredentialRequestOptions>this.deviceChallenge?.challenge;
+        const transformedCredentialRequestOptions = transformCredentialRequestOptions(credentialRequestOptions);
 
         // request the authenticator to create an assertion signature using the
         // credential private key
@@ -42,26 +47,16 @@ export class WebAuthnAuth extends LitElement {
 
         // we now have an authentication assertion! encode the byte arrays contained
         // in the assertion data as strings for posting to the server
-        const transformedAssertionForServer = transformAssertionForServer(assertion);
+        const transformedAssertionForServer = transformAssertionForServer(<PublicKeyCredential>assertion);
 
         // post the assertion to the server for verification.
         try {
-            await postAssertionToServer(transformedAssertionForServer);
+            const formData = new FormData();
+            formData.set("webauthn", JSON.stringify(transformedAssertionForServer));
+            await this.host?.submit(formData);
         } catch (err) {
             throw new Error(gettext(`Error when validating assertion on server: ${err}`));
         }
-
-        this.finishStage();
-    }
-
-    finishStage(): void {
-        // Mark this stage as done
-        this.dispatchEvent(
-            new CustomEvent("ak-flow-submit", {
-                bubbles: true,
-                composed: true,
-            })
-        );
     }
 
     firstUpdated(): void {
@@ -82,7 +77,7 @@ export class WebAuthnAuth extends LitElement {
     }
 
     render(): TemplateResult {
-        return html`<div class="">
+        return html`<div class="pf-c-login__main-body">
             ${this.authenticateRunning ?
                 html`<div class="pf-c-empty-state__content">
                         <div class="pf-l-bullseye">
@@ -100,7 +95,19 @@ export class WebAuthnAuth extends LitElement {
                         ${gettext("Retry authentication")}
                     </button>
                 </div>`}
-        </div>`;
+        </div>
+        <footer class="pf-c-login__main-footer">
+            <ul class="pf-c-login__main-footer-links">
+                <li class="pf-c-login__main-footer-links-item">
+                    <button class="pf-c-button pf-m-secondary pf-m-block" @click=${() => {
+                        if (!this.host) return;
+                        (this.host as AuthenticatorValidateStage).selectedDeviceChallenge = undefined;
+                    }}>
+                        ${gettext("Return to device picker")}
+                    </button>
+                </li>
+            </ul>
+        </footer>`;
     }
 
 }
diff --git a/web/src/elements/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts b/web/src/elements/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts
new file mode 100644
index 000000000..70e355466
--- /dev/null
+++ b/web/src/elements/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts
@@ -0,0 +1,120 @@
+import { gettext } from "django";
+import { customElement, html, property, TemplateResult } from "lit-element";
+import { WithUserInfoChallenge } from "../../../api/Flows";
+import { SpinnerSize } from "../../Spinner";
+import { BaseStage } from "../base";
+import { Assertion, transformCredentialCreateOptions, transformNewAssertionForServer } from "./utils";
+
+export interface WebAuthnAuthenticatorRegisterChallenge extends WithUserInfoChallenge {
+    registration: PublicKeyCredentialCreationOptions;
+}
+
+export interface WebAuthnAuthenticatorRegisterChallengeResponse {
+    response: Assertion;
+}
+
+@customElement("ak-stage-authenticator-webauthn")
+export class WebAuthnAuthenticatorRegisterStage extends BaseStage {
+
+    @property({ attribute: false })
+    challenge?: WebAuthnAuthenticatorRegisterChallenge;
+
+    @property({type: Boolean})
+    registerRunning = false;
+
+    @property()
+    registerMessage = "";
+
+    createRenderRoot(): Element | ShadowRoot {
+        return this;
+    }
+
+    async register(): Promise<void> {
+        if (!this.challenge) {
+            return;
+        }
+        // convert certain members of the PublicKeyCredentialCreateOptions into
+        // byte arrays as expected by the spec.
+        const publicKeyCredentialCreateOptions = transformCredentialCreateOptions(this.challenge?.registration);
+
+        // request the authenticator(s) to create a new credential keypair.
+        let credential;
+        try {
+            credential = <PublicKeyCredential> await navigator.credentials.create({
+                publicKey: publicKeyCredentialCreateOptions
+            });
+            if (!credential) {
+                throw new Error("Credential is empty");
+            }
+        } catch (err) {
+            throw new Error(gettext(`Error creating credential: ${err}`));
+        }
+
+        // we now have a new credential! We now need to encode the byte arrays
+        // in the credential into strings, for posting to our server.
+        const newAssertionForServer = transformNewAssertionForServer(credential);
+
+        // post the transformed credential data to the server for validation
+        // and storing the public key
+        try {
+            const formData = new FormData();
+            formData.set("response", JSON.stringify(newAssertionForServer));
+            await this.host?.submit(formData);
+        } catch (err) {
+            throw new Error(gettext(`Server validation of credential failed: ${err}`));
+        }
+    }
+
+    async registerWrapper(): Promise<void> {
+        if (this.registerRunning) {
+            return;
+        }
+        this.registerRunning = true;
+        this.register().catch((e) => {
+            console.error(e);
+            this.registerMessage = e.toString();
+        }).finally(() => {
+            this.registerRunning = false;
+        });
+    }
+
+    firstUpdated(): void {
+        this.registerWrapper();
+    }
+
+    render(): TemplateResult {
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge?.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                ${this.registerRunning ?
+                    html`<div class="pf-c-empty-state__content">
+                            <div class="pf-l-bullseye">
+                                <div class="pf-l-bullseye__item">
+                                    <ak-spinner size="${SpinnerSize.XLarge}"></ak-spinner>
+                                </div>
+                            </div>
+                        </div>`:
+                    html`
+                    <div class="pf-c-form__group pf-m-action">
+                        ${this.challenge?.response_errors ?
+                            html`<p class="pf-m-block">${this.challenge.response_errors["response"][0].string}</p>`:
+                            html``}
+                        <p class="pf-m-block">${this.registerMessage}</p>
+                        <button class="pf-c-button pf-m-primary pf-m-block" @click=${() => {
+                            this.registerWrapper();
+                        }}>
+                            ${gettext("Register device")}
+                        </button>
+                    </div>`}
+            </div>
+        </div>
+        <footer class="pf-c-login__main-footer">
+            <ul class="pf-c-login__main-footer-links">
+            </ul>
+        </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/authenticator_webauthn/WebAuthnRegister.ts b/web/src/elements/stages/authenticator_webauthn/WebAuthnRegister.ts
deleted file mode 100644
index 393bccdf2..000000000
--- a/web/src/elements/stages/authenticator_webauthn/WebAuthnRegister.ts
+++ /dev/null
@@ -1,113 +0,0 @@
-import { gettext } from "django";
-import { customElement, html, LitElement, property, TemplateResult } from "lit-element";
-import { SpinnerSize } from "../../Spinner";
-import { getCredentialCreateOptionsFromServer, postNewAssertionToServer, transformCredentialCreateOptions, transformNewAssertionForServer } from "./utils";
-
-@customElement("ak-stage-webauthn-register")
-export class WebAuthnRegister extends LitElement {
-
-    @property({type: Boolean})
-    registerRunning = false;
-
-    @property()
-    registerMessage = "";
-
-    createRenderRoot(): Element | ShadowRoot {
-        return this;
-    }
-
-    async register(): Promise<void> {
-        // post the data to the server to generate the PublicKeyCredentialCreateOptions
-        let credentialCreateOptionsFromServer;
-        try {
-            credentialCreateOptionsFromServer = await getCredentialCreateOptionsFromServer();
-        } catch (err) {
-            throw new Error(gettext(`Failed to generate credential request options: ${err}`));
-        }
-
-        // convert certain members of the PublicKeyCredentialCreateOptions into
-        // byte arrays as expected by the spec.
-        const publicKeyCredentialCreateOptions = transformCredentialCreateOptions(credentialCreateOptionsFromServer);
-
-        // request the authenticator(s) to create a new credential keypair.
-        let credential;
-        try {
-            credential = <PublicKeyCredential> await navigator.credentials.create({
-                publicKey: publicKeyCredentialCreateOptions
-            });
-            if (!credential) {
-                throw new Error("Credential is empty");
-            }
-        } catch (err) {
-            throw new Error(gettext(`Error creating credential: ${err}`));
-        }
-
-        // we now have a new credential! We now need to encode the byte arrays
-        // in the credential into strings, for posting to our server.
-        const newAssertionForServer = transformNewAssertionForServer(credential);
-
-        // post the transformed credential data to the server for validation
-        // and storing the public key
-        try {
-            await postNewAssertionToServer(newAssertionForServer);
-        } catch (err) {
-            throw new Error(gettext(`Server validation of credential failed: ${err}`));
-        }
-        this.finishStage();
-    }
-
-    async registerWrapper(): Promise<void> {
-        if (this.registerRunning) {
-            return;
-        }
-        this.registerRunning = true;
-        this.register().catch((e) => {
-            console.error(e);
-            this.registerMessage = e.toString();
-        }).finally(() => {
-            this.registerRunning = false;
-        });
-    }
-
-    finishStage(): void {
-        // Mark this stage as done
-        this.dispatchEvent(
-            new CustomEvent("ak-flow-submit", {
-                bubbles: true,
-                composed: true,
-            })
-        );
-    }
-
-    firstUpdated(): void {
-        this.registerWrapper();
-    }
-
-    render(): TemplateResult {
-        return html`<div class="">
-            ${this.registerRunning ?
-                html`<div class="pf-c-empty-state__content">
-                        <div class="pf-l-bullseye">
-                            <div class="pf-l-bullseye__item">
-                                <ak-spinner size="${SpinnerSize.XLarge}"></ak-spinner>
-                            </div>
-                        </div>
-                    </div>`:
-                html`
-                <div class="pf-c-form__group pf-m-action">
-                    <p class="pf-m-block">${this.registerMessage}</p>
-                    <button class="pf-c-button pf-m-primary pf-m-block" @click=${() => {
-                        this.registerWrapper();
-                    }}>
-                        ${gettext("Register device")}
-                    </button>
-                    <button class="pf-c-button pf-m-secondary pf-m-block" @click=${() => {
-                        this.finishStage();
-                    }}>
-                        ${gettext("Skip")}
-                    </button>
-                </div>`}
-        </div>`;
-    }
-
-}
diff --git a/web/src/elements/stages/authenticator_webauthn/utils.ts b/web/src/elements/stages/authenticator_webauthn/utils.ts
index 686f0e441..e6c064a6d 100644
--- a/web/src/elements/stages/authenticator_webauthn/utils.ts
+++ b/web/src/elements/stages/authenticator_webauthn/utils.ts
@@ -21,20 +21,6 @@ export function hexEncode(buf: Uint8Array): string {
         .join("");
 }
 
-export interface GenericResponse {
-    fail?: string;
-    success?: string;
-    [key: string]: string | number | GenericResponse | undefined;
-}
-
-async function fetchJSON(url: string, options: RequestInit): Promise<GenericResponse> {
-    const response = await fetch(url, options);
-    const body = await response.json();
-    if (body.fail)
-        throw body.fail;
-    return body;
-}
-
 /**
  * Transforms items in the credentialCreateOptions generated on the server
  * into byte arrays expected by the navigator.credentials.create() call
@@ -84,52 +70,6 @@ export function transformNewAssertionForServer(newAssertion: PublicKeyCredential
     };
 }
 
-/**
- * Post the assertion to the server for validation and logging the user in.
- * @param {Object} assertionDataForServer
- */
-export async function postNewAssertionToServer(assertionDataForServer: Assertion): Promise<GenericResponse> {
-    const formData = new FormData();
-    Object.entries(assertionDataForServer).forEach(([key, value]) => {
-        formData.set(key, value);
-    });
-
-    return await fetchJSON(
-        "/-/user/authenticator/webauthn/verify-credential-info/", {
-        method: "POST",
-        body: formData
-    });
-}
-
-/**
- * Get PublicKeyCredentialRequestOptions for this user from the server
- * formData of the registration form
- * @param {FormData} formData
- */
-export async function getCredentialCreateOptionsFromServer(): Promise<GenericResponse> {
-    return await fetchJSON(
-        "/-/user/authenticator/webauthn/begin-activate/",
-        {
-            method: "POST",
-        }
-    );
-}
-
-
-/**
- * Get PublicKeyCredentialRequestOptions for this user from the server
- * formData of the registration form
- * @param {FormData} formData
- */
-export async function getCredentialRequestOptionsFromServer(): Promise<GenericResponse> {
-    return await fetchJSON(
-        "/-/user/authenticator/webauthn/begin-assertion/",
-        {
-            method: "POST",
-        }
-    );
-}
-
 function u8arr(input: string): Uint8Array {
     return Uint8Array.from(atob(input.replace(/_/g, "/").replace(/-/g, "+")), c => c.charCodeAt(0));
 }
@@ -182,20 +122,3 @@ export function transformAssertionForServer(newAssertion: PublicKeyCredential):
         assertionClientExtensions: JSON.stringify(assertionClientExtensions)
     };
 }
-
-/**
- * Post the assertion to the server for validation and logging the user in.
- * @param {Object} assertionDataForServer
- */
-export async function postAssertionToServer(assertionDataForServer: Assertion): Promise<GenericResponse> {
-    const formData = new FormData();
-    Object.entries(assertionDataForServer).forEach(([key, value]) => {
-        formData.set(key, value);
-    });
-
-    return await fetchJSON(
-        "/-/user/authenticator/webauthn/verify-assertion/", {
-            method: "POST",
-            body: formData
-    });
-}
diff --git a/web/src/elements/stages/autosubmit/AutosubmitStage.ts b/web/src/elements/stages/autosubmit/AutosubmitStage.ts
new file mode 100644
index 000000000..6979cb892
--- /dev/null
+++ b/web/src/elements/stages/autosubmit/AutosubmitStage.ts
@@ -0,0 +1,56 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { WithUserInfoChallenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+import "../../Spinner";
+
+export interface AutosubmitChallenge extends WithUserInfoChallenge {
+    url: string;
+    attrs: { [key: string]: string };
+}
+
+@customElement("ak-stage-autosubmit")
+export class AutosubmitStage extends BaseStage {
+
+    @property({ attribute: false })
+    challenge?: AutosubmitChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    updated(): void {
+        this.shadowRoot?.querySelectorAll("form").forEach((form) => {form.submit();});
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form" action="${this.challenge.url}" method="POST">
+                    ${Object.entries(this.challenge.attrs).map(([ key, value ]) => {
+                        return html`<input type="hidden" name="${key}" value="${value}">`;
+                    })}
+                    <ak-spinner></ak-spinner>
+
+                    <div class="pf-c-form__group pf-m-action">
+                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                            ${gettext("Continue")}
+                        </button>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                </ul>
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/base.ts b/web/src/elements/stages/base.ts
new file mode 100644
index 000000000..1e9b1db54
--- /dev/null
+++ b/web/src/elements/stages/base.ts
@@ -0,0 +1,17 @@
+import { LitElement } from "lit-element";
+
+export interface StageHost {
+    submit(formData?: FormData): Promise<void>;
+}
+
+export class BaseStage extends LitElement {
+
+    host?: StageHost;
+
+    submitForm(e: Event): void {
+        e.preventDefault();
+        const form = new FormData(this.shadowRoot?.querySelector("form") || undefined);
+        this.host?.submit(form);
+    }
+
+}
diff --git a/web/src/elements/stages/captcha/CaptchaStage.ts b/web/src/elements/stages/captcha/CaptchaStage.ts
new file mode 100644
index 000000000..2ead2070b
--- /dev/null
+++ b/web/src/elements/stages/captcha/CaptchaStage.ts
@@ -0,0 +1,87 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { WithUserInfoChallenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { SpinnerSize } from "../../Spinner";
+import { BaseStage } from "../base";
+import "../form";
+
+export interface CaptchaChallenge extends WithUserInfoChallenge {
+    site_key: string;
+}
+
+@customElement("ak-stage-captcha")
+export class CaptchaStage extends BaseStage {
+
+    @property({ attribute: false })
+    challenge?: CaptchaChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    submitFormAlt(token: string): void {
+        const form = new FormData();
+        form.set("token", token);
+        this.host?.submit(form);
+    }
+
+    firstUpdated(): void {
+        const script = document.createElement("script");
+        script.src = "https://www.google.com/recaptcha/api.js";//?render=${this.challenge?.site_key}`;
+        script.async = true;
+        script.defer = true;
+        const captchaContainer = document.createElement("div");
+        document.body.appendChild(captchaContainer);
+        script.onload = () => {
+            console.debug("authentik/stages/captcha: script loaded");
+            grecaptcha.ready(() => {
+                if (!this.challenge?.site_key) return;
+                console.debug("authentik/stages/captcha: ready");
+                const captchaId = grecaptcha.render(captchaContainer, {
+                    sitekey: this.challenge.site_key,
+                    callback: (token) => {
+                        this.submitFormAlt(token);
+                    },
+                    size: "invisible",
+                });
+                grecaptcha.execute(captchaId);
+            });
+        };
+        document.head.appendChild(script);
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form">
+                    <div class="pf-c-form__group">
+                        <div class="form-control-static">
+                            <div class="left">
+                                <img class="pf-c-avatar" src="${this.challenge.pending_user_avatar}" alt="${gettext("User's avatar")}">
+                                ${this.challenge.pending_user}
+                            </div>
+                            <div class="right">
+                                <a href="/flows/-/cancel/">${gettext("Not you?")}</a>
+                            </div>
+                        </div>
+                    </div>
+                    <div class="ak-loading">
+                        <ak-spinner size=${SpinnerSize.XLarge}></ak-spinner>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                </ul>
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/consent/ConsentStage.ts b/web/src/elements/stages/consent/ConsentStage.ts
new file mode 100644
index 000000000..ea5c2410b
--- /dev/null
+++ b/web/src/elements/stages/consent/ConsentStage.ts
@@ -0,0 +1,77 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { WithUserInfoChallenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+
+export interface Permission {
+    name: string;
+    id: string;
+}
+
+export interface ConsentChallenge extends WithUserInfoChallenge {
+
+    header_text: string;
+    permissions?: Permission[];
+
+}
+
+@customElement("ak-stage-consent")
+export class ConsentStage extends BaseStage {
+
+    @property({ attribute: false })
+    challenge?: ConsentChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form" @submit=${(e: Event) => { this.submitForm(e); }}>
+                    <div class="pf-c-form__group">
+                        <div class="form-control-static">
+                            <div class="left">
+                                <img class="pf-c-avatar" src="${this.challenge.pending_user_avatar}" alt="${gettext("User's avatar")}">
+                                ${this.challenge.pending_user}
+                            </div>
+                            <div class="right">
+                                <a href="/flows/-/cancel/">${gettext("Not you?")}</a>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="pf-c-form__group">
+                        <p id="header-text">
+                            ${this.challenge.header_text}
+                        </p>
+                        <p>${gettext("Application requires following permissions")}</p>
+                        <ul class="pf-c-list" id="permmissions">
+                            ${(this.challenge.permissions || []).map((permission) => {
+                                return html`<li data-permission-code="${permission.id}">${permission.name}</li>`;
+                            })}
+                        </ul>
+                    </div>
+
+                    <div class="pf-c-form__group pf-m-action">
+                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                            ${gettext("Continue")}
+                        </button>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                </ul>
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/email/EmailStage.ts b/web/src/elements/stages/email/EmailStage.ts
new file mode 100644
index 000000000..d98c27dd7
--- /dev/null
+++ b/web/src/elements/stages/email/EmailStage.ts
@@ -0,0 +1,49 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { Challenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+
+export type EmailChallenge = Challenge
+
+@customElement("ak-stage-email")
+export class EmailStage extends BaseStage {
+
+    @property({ attribute: false })
+    challenge?: EmailChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form" @submit=${(e: Event) => { this.submitForm(e); }}>
+                    <div class="pf-c-form__group">
+                        <p>
+                            ${gettext("Check your Emails for a password reset link.")}
+                        </p>
+                    </div>
+
+                    <div class="pf-c-form__group pf-m-action">
+                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                            ${gettext("Send Email again.")}
+                        </button>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                </ul>
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/form.ts b/web/src/elements/stages/form.ts
new file mode 100644
index 000000000..db6aba755
--- /dev/null
+++ b/web/src/elements/stages/form.ts
@@ -0,0 +1,50 @@
+import { customElement, LitElement, CSSResult, property, css } from "lit-element";
+import { TemplateResult, html } from "lit-html";
+import { Error } from "../../api/Flows";
+import { COMMON_STYLES } from "../../common/styles";
+
+@customElement("ak-form-element")
+export class FormElement extends LitElement {
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES.concat(
+            css`
+                slot {
+                    display: flex;
+                    flex-direction: row;
+                    align-items: center;
+                    justify-content: space-around;
+                }
+            `
+        );
+    }
+
+    @property()
+    label?: string;
+
+    @property({ type: Boolean })
+    required = false;
+
+    @property({ attribute: false })
+    errors?: Error[];
+
+    updated(): void {
+        this.querySelectorAll<HTMLInputElement>("input[autofocus]").forEach(input => {
+            input.focus();
+        });
+    }
+
+    render(): TemplateResult {
+        return html`<div class="pf-c-form__group">
+                <label class="pf-c-form__label">
+                    <span class="pf-c-form__label-text">${this.label}</span>
+                    ${this.required ? html`<span class="pf-c-form__label-required" aria-hidden="true">*</span>` : html``}
+                </label>
+                <slot></slot>
+                ${(this.errors || []).map((error) => {
+                        return html`<p class="pf-c-form__helper-text pf-m-error">${error.string}</p>`;
+                    })}
+            </div>`;
+    }
+
+}
diff --git a/web/src/elements/stages/identification/IdentificationStage.ts b/web/src/elements/stages/identification/IdentificationStage.ts
new file mode 100644
index 000000000..51d6d3a6d
--- /dev/null
+++ b/web/src/elements/stages/identification/IdentificationStage.ts
@@ -0,0 +1,115 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { Challenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+import "../form";
+
+export interface IdentificationChallenge extends Challenge {
+
+    input_type: string;
+    primary_action: string;
+    sources?: UILoginButton[];
+
+    application_pre?: string;
+
+    enroll_url?: string;
+    recovery_url?: string;
+
+}
+
+export interface UILoginButton {
+    name: string;
+    url: string;
+    icon_url?: string;
+}
+
+@customElement("ak-stage-identification")
+export class IdentificationStage extends BaseStage {
+
+    @property({attribute: false})
+    challenge?: IdentificationChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    renderSource(source: UILoginButton): TemplateResult {
+        let icon = html`<i class="pf-icon pf-icon-arrow" title="${source.name}"></i>`;
+        if (source.icon_url) {
+            icon = html`<img src="${source.icon_url}" alt="${source.name}">`;
+        }
+        return html`<li class="pf-c-login__main-footer-links-item">
+                <a href="${source.url}" class="pf-c-login__main-footer-links-item-link">
+                    ${icon}
+                </a>
+            </li>`;
+    }
+
+    renderFooter(): TemplateResult {
+        if (!this.challenge?.enroll_url && !this.challenge?.recovery_url) {
+            return html``;
+        }
+        return html`<div class="pf-c-login__main-footer-band">
+                ${this.challenge.enroll_url ? html`
+                <p class="pf-c-login__main-footer-band-item">
+                    ${gettext("Need an account?")}
+                    <a id="enroll" href="${this.challenge.enroll_url}">${gettext("Sign up.")}</a>
+                </p>` : html``}
+                ${this.challenge.recovery_url ? html`
+                <p class="pf-c-login__main-footer-band-item">
+                    ${gettext("Need an account?")}
+                    <a id="recovery" href="${this.challenge.recovery_url}">${gettext("Forgot username or password?")}</a>
+                </p>` : html``}
+            </div>`;
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form" @submit=${(e: Event) => {this.submitForm(e);}}>
+                    ${this.challenge.application_pre ?
+                        html`<p>
+                            ${gettext(`Login to continue to ${this.challenge.application_pre}.`)}
+                        </p>`:
+                        html``}
+
+                    <ak-form-element
+                        label="${gettext("Email or Username")}"
+                        ?required="${true}"
+                        class="pf-c-form__group"
+                        .errors=${(this.challenge?.response_errors || {})["uid_field"]}>
+                        <input type="text"
+                            name="uid_field"
+                            placeholder="Email or Username"
+                            autofocus=""
+                            autocomplete="username"
+                            class="pf-c-form-control"
+                            required="">
+                    </ak-form-element>
+
+                    <div class="pf-c-form__group pf-m-action">
+                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                            ${this.challenge.primary_action}
+                        </button>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                    ${(this.challenge.sources || []).map((source) => {
+                        return this.renderSource(source);
+                    })}
+                </ul>
+                ${this.renderFooter()}
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/password/PasswordStage.ts b/web/src/elements/stages/password/PasswordStage.ts
new file mode 100644
index 000000000..8b6045d72
--- /dev/null
+++ b/web/src/elements/stages/password/PasswordStage.ts
@@ -0,0 +1,76 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { WithUserInfoChallenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+import "../form";
+
+export interface PasswordChallenge extends WithUserInfoChallenge {
+    recovery_url?: string;
+}
+
+@customElement("ak-stage-password")
+export class PasswordStage extends BaseStage {
+
+    @property({attribute: false})
+    challenge?: PasswordChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form" @submit=${(e: Event) => {this.submitForm(e);}}>
+                    <div class="pf-c-form__group">
+                        <div class="form-control-static">
+                            <div class="left">
+                                <img class="pf-c-avatar" src="${this.challenge.pending_user_avatar}" alt="${gettext("User's avatar")}">
+                                ${this.challenge.pending_user}
+                            </div>
+                            <div class="right">
+                                <a href="/flows/-/cancel/">${gettext("Not you?")}</a>
+                            </div>
+                        </div>
+                    </div>
+
+                    <ak-form-element
+                        label="${gettext("Password")}"
+                        ?required="${true}"
+                        class="pf-c-form__group"
+                        .errors=${(this.challenge?.response_errors || {})["password"]}>
+                        <input type="password"
+                            name="password"
+                            placeholder="${gettext("Please enter your password")}"
+                            autofocus=""
+                            autocomplete="current-password"
+                            class="pf-c-form-control"
+                            required="">
+                    </ak-form-element>
+
+                    ${this.challenge.recovery_url ?
+                        html`<a href="${this.challenge.recovery_url}">
+                        ${gettext("Forgot password?")}</a>` : ""}
+
+                    <div class="pf-c-form__group pf-m-action">
+                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                            ${gettext("Continue")}
+                        </button>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                </ul>
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/stages/prompt/PromptStage.ts b/web/src/elements/stages/prompt/PromptStage.ts
new file mode 100644
index 000000000..22d4455e9
--- /dev/null
+++ b/web/src/elements/stages/prompt/PromptStage.ts
@@ -0,0 +1,146 @@
+import { gettext } from "django";
+import { CSSResult, customElement, html, property, TemplateResult } from "lit-element";
+import { unsafeHTML } from "lit-html/directives/unsafe-html";
+import { Challenge } from "../../../api/Flows";
+import { COMMON_STYLES } from "../../../common/styles";
+import { BaseStage } from "../base";
+import "../form";
+
+export interface Prompt {
+    field_key: string;
+    label: string;
+    type: string;
+    required: boolean;
+    placeholder: string;
+    order: number;
+}
+
+export interface PromptChallenge extends Challenge {
+    fields: Prompt[];
+}
+
+@customElement("ak-stage-prompt")
+export class PromptStage extends BaseStage {
+
+    @property({attribute: false})
+    challenge?: PromptChallenge;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES;
+    }
+
+    renderPromptInner(prompt: Prompt): string {
+        switch (prompt.type) {
+            case "text":
+                return `<input
+                    type="text"
+                    name="${prompt.field_key}"
+                    placeholder="${prompt.placeholder}"
+                    autocomplete="off"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}
+                    value="">`;
+            case "username":
+                return `<input
+                    type="text"
+                    name="${prompt.field_key}"
+                    placeholder="${prompt.placeholder}"
+                    autocomplete="username"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}
+                    value="">`;
+            case "email":
+                return `<input
+                    type="email"
+                    name="${prompt.field_key}"
+                    placeholder="${prompt.placeholder}"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}
+                    value="">`;
+            case "password":
+                return `<input
+                    type="password"
+                    name="${prompt.field_key}"
+                    placeholder="${prompt.placeholder}"
+                    autocomplete="new-password"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}>`;
+            case "number":
+                return `<input
+                    type="number"
+                    name="${prompt.field_key}"
+                    placeholder="${prompt.placeholder}"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}>`;
+            case "checkbox":
+                return `<input
+                    type="checkbox"
+                    name="${prompt.field_key}"
+                    placeholder="${prompt.placeholder}"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}>`;
+            case "date":
+                return `<input
+                    type="date"
+                    name="${prompt.field_key}"
+                    placeholder="${prompt.placeholder}"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}>`;
+            case "date-time":
+                return `<input
+                    type="datetime"
+                    name="${prompt.field_key}"
+                    placeholder="${prompt.placeholder}"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}>`;
+            case "separator":
+                return "<hr>";
+            case "hidden":
+                return `<input
+                    type="hidden"
+                    name="${prompt.field_key}"
+                    value="${prompt.placeholder}"
+                    class="pf-c-form-control"
+                    ?required=${prompt.required}>`;
+            case "static":
+                return `<p
+                    class="pf-c-form-control">${prompt.placeholder}
+                </p>`;
+        }
+        return "";
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return html`<ak-loading-state></ak-loading-state>`;
+        }
+        return html`<header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    ${this.challenge.title}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                <form class="pf-c-form" @submit=${(e: Event) => {this.submitForm(e);}}>
+                    ${this.challenge.fields.map((prompt) => {
+                        return html`<ak-form-element
+                            label="${prompt.label}"
+                            ?required="${prompt.required}"
+                            class="pf-c-form__group"
+                            .errors=${(this.challenge?.response_errors || {})[prompt.field_key]}>
+                            ${unsafeHTML(this.renderPromptInner(prompt))}
+                        </ak-form-element>`;
+                    })}
+                    <div class="pf-c-form__group pf-m-action">
+                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                            ${gettext("Continue")}
+                        </button>
+                    </div>
+                </form>
+            </div>
+            <footer class="pf-c-login__main-footer">
+                <ul class="pf-c-login__main-footer-links">
+                </ul>
+            </footer>`;
+    }
+
+}
diff --git a/web/src/elements/table/Table.ts b/web/src/elements/table/Table.ts
index f8e59a146..f6c4a2b22 100644
--- a/web/src/elements/table/Table.ts
+++ b/web/src/elements/table/Table.ts
@@ -134,11 +134,7 @@ export abstract class Table<T> extends LitElement {
                     <div class="pf-c-empty-state pf-m-sm">
                         <div class="pf-c-empty-state__content">
                             <div class="pf-c-empty-state__icon">
-                                <span class="pf-c-spinner" role="progressbar">
-                                    <span class="pf-c-spinner__clipper"></span>
-                                    <span class="pf-c-spinner__lead-ball"></span>
-                                    <span class="pf-c-spinner__tail-ball"></span>
-                                </span>
+                                <ak-spinner></ak-spinner>
                             </div>
                             <h2 class="pf-c-title pf-m-lg">${gettext("Loading")}</h2>
                         </div>
diff --git a/web/src/flow.ts b/web/src/flow.ts
new file mode 100644
index 000000000..202eaae2f
--- /dev/null
+++ b/web/src/flow.ts
@@ -0,0 +1,3 @@
+import "construct-style-sheets-polyfill";
+
+import "./pages/generic/FlowExecutor";
diff --git a/web/src/main.ts b/web/src/main.ts
index 88b4eba36..9d0176228 100644
--- a/web/src/main.ts
+++ b/web/src/main.ts
@@ -22,7 +22,6 @@ import "./elements/Spinner";
 import "./elements/Tabs";
 import "./elements/router/RouterOutlet";
 
-import "./pages/generic/FlowShellCard";
 import "./pages/generic/SiteShell";
 
 import "./pages/admin-overview/AdminOverviewPage";
@@ -32,7 +31,4 @@ import "./pages/applications/ApplicationViewPage";
 import "./pages/tokens/UserTokenList";
 import "./pages/LibraryPage";
 
-import "./elements/stages/authenticator_webauthn/WebAuthnRegister";
-import "./elements/stages/authenticator_webauthn/WebAuthnAuth";
-
 import "./interfaces/AdminInterface";
diff --git a/web/src/pages/admin-overview/AdminOverviewPage.ts b/web/src/pages/admin-overview/AdminOverviewPage.ts
index 00292009a..49df2ab09 100644
--- a/web/src/pages/admin-overview/AdminOverviewPage.ts
+++ b/web/src/pages/admin-overview/AdminOverviewPage.ts
@@ -38,9 +38,9 @@ export class AdminOverviewPage extends LitElement {
                 </ak-aggregate-card>
                 <ak-admin-status-card-provider class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-plugged" header="Providers" headerLink="#/core/providers/">
                 </ak-admin-status-card-provider>
-                <ak-admin-status-card-policy-unbound class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-infrastructure" header="Policies" headerLink="#/administration/policies/">
+                <ak-admin-status-card-policy-unbound class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-infrastructure" header="Policies" headerLink="#/policy/policies">
                 </ak-admin-status-card-policy-unbound>
-                <ak-admin-status-card-user-count class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-user" header="Users" headerLink="#/administration/users/">
+                <ak-admin-status-card-user-count class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-user" header="Users" headerLink="#/identity/users">
                 </ak-admin-status-card-user-count>
                 <ak-admin-status-version class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-bundle" header="Version" headerLink="https://github.com/BeryJu/authentik/releases">
                 </ak-admin-status-version>
diff --git a/web/src/pages/flows/BoundStagesList.ts b/web/src/pages/flows/BoundStagesList.ts
index a1b95c3db..b0bc4ecb7 100644
--- a/web/src/pages/flows/BoundStagesList.ts
+++ b/web/src/pages/flows/BoundStagesList.ts
@@ -44,7 +44,13 @@ export class BoundStagesList extends Table<FlowStageBinding> {
             html`
             <ak-modal-button href="${FlowStageBinding.adminUrl(`${item.pk}/update/`)}">
                 <ak-spinner-button slot="trigger" class="pf-m-secondary">
-                    ${gettext("Edit")}
+                    ${gettext("Edit Binding")}
+                </ak-spinner-button>
+                <div slot="modal"></div>
+            </ak-modal-button>
+            <ak-modal-button href="${Stage.adminUrl(`${item.stage}/update/`)}">
+                <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                    ${gettext("Edit Stage")}
                 </ak-spinner-button>
                 <div slot="modal"></div>
             </ak-modal-button>
diff --git a/web/src/pages/generic/FlowExecutor.ts b/web/src/pages/generic/FlowExecutor.ts
new file mode 100644
index 000000000..552df1b32
--- /dev/null
+++ b/web/src/pages/generic/FlowExecutor.ts
@@ -0,0 +1,192 @@
+import { gettext } from "django";
+import { LitElement, html, customElement, property, TemplateResult, CSSResult, css } from "lit-element";
+import { unsafeHTML } from "lit-html/directives/unsafe-html";
+import { getCookie } from "../../utils";
+import "../../elements/stages/authenticator_static/AuthenticatorStaticStage";
+import "../../elements/stages/authenticator_totp/AuthenticatorTOTPStage";
+import "../../elements/stages/authenticator_validate/AuthenticatorValidateStage";
+import "../../elements/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage";
+import "../../elements/stages/autosubmit/AutosubmitStage";
+import "../../elements/stages/captcha/CaptchaStage";
+import "../../elements/stages/consent/ConsentStage";
+import "../../elements/stages/email/EmailStage";
+import "../../elements/stages/identification/IdentificationStage";
+import "../../elements/stages/password/PasswordStage";
+import "../../elements/stages/prompt/PromptStage";
+import { ShellChallenge, Challenge, ChallengeTypes, Flow, RedirectChallenge } from "../../api/Flows";
+import { DefaultClient } from "../../api/Client";
+import { IdentificationChallenge } from "../../elements/stages/identification/IdentificationStage";
+import { PasswordChallenge } from "../../elements/stages/password/PasswordStage";
+import { ConsentChallenge } from "../../elements/stages/consent/ConsentStage";
+import { EmailChallenge } from "../../elements/stages/email/EmailStage";
+import { AutosubmitChallenge } from "../../elements/stages/autosubmit/AutosubmitStage";
+import { PromptChallenge } from "../../elements/stages/prompt/PromptStage";
+import { AuthenticatorTOTPChallenge } from "../../elements/stages/authenticator_totp/AuthenticatorTOTPStage";
+import { AuthenticatorStaticChallenge } from "../../elements/stages/authenticator_static/AuthenticatorStaticStage";
+import { AuthenticatorValidateStageChallenge } from "../../elements/stages/authenticator_validate/AuthenticatorValidateStage";
+import { WebAuthnAuthenticatorRegisterChallenge } from "../../elements/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage";
+import { CaptchaChallenge } from "../../elements/stages/captcha/CaptchaStage";
+import { COMMON_STYLES } from "../../common/styles";
+import { SpinnerSize } from "../../elements/Spinner";
+import { StageHost } from "../../elements/stages/base";
+
+@customElement("ak-flow-executor")
+export class FlowExecutor extends LitElement implements StageHost {
+    @property()
+    flowSlug = "";
+
+    @property({attribute: false})
+    challenge?: Challenge;
+
+    @property({type: Boolean})
+    loading = false;
+
+    static get styles(): CSSResult[] {
+        return COMMON_STYLES.concat(css`
+            .ak-loading {
+                display: flex;
+                height: 100%;
+                width: 100%;
+                justify-content: center;
+                align-items: center;
+                position: absolute;
+                background-color: #0303039e;
+            }
+            .ak-hidden {
+                display: none;
+            }
+            :host {
+                position: relative;
+            }
+        `);
+    }
+
+    constructor() {
+        super();
+        this.addEventListener("ak-flow-submit", () => {
+            this.submit();
+        });
+    }
+
+    submit(formData?: FormData): Promise<void> {
+        const csrftoken = getCookie("authentik_csrf");
+        const request = new Request(DefaultClient.makeUrl(["flows", "executor", this.flowSlug]), {
+            headers: {
+                "X-CSRFToken": csrftoken,
+            },
+        });
+        this.loading = true;
+        return fetch(request, {
+            method: "POST",
+            mode: "same-origin",
+            body: formData,
+        })
+            .then((response) => {
+                return response.json();
+            })
+            .then((data) => {
+                this.challenge = data;
+            })
+            .catch((e) => {
+                this.errorMessage(e);
+            })
+            .finally(() => {
+                this.loading = false;
+            });
+    }
+
+    firstUpdated(): void {
+        this.loading = true;
+        Flow.executor(this.flowSlug).then((challenge) => {
+            this.challenge = challenge;
+        }).catch((e) => {
+            // Catch JSON or Update errors
+            this.errorMessage(e);
+        }).finally(() => {
+            this.loading = false;
+        });
+    }
+
+    errorMessage(error: string): void {
+        this.challenge = <ShellChallenge>{
+            type: ChallengeTypes.shell,
+            body: `<style>
+                    .ak-exception {
+                        font-family: monospace;
+                        overflow-x: scroll;
+                    }
+                </style>
+                <header class="pf-c-login__main-header">
+                    <h1 class="pf-c-title pf-m-3xl">
+                        ${gettext("Whoops!")}
+                    </h1>
+                </header>
+                <div class="pf-c-login__main-body">
+                    <h3>${gettext("Something went wrong! Please try again later.")}</h3>
+                    <pre class="ak-exception">${error}</pre>
+                </div>`
+        };
+    }
+
+    renderLoading(): TemplateResult {
+        return html`<div class="ak-loading">
+            <ak-spinner size=${SpinnerSize.XLarge}></ak-spinner>
+        </div>`;
+    }
+
+    renderChallenge(): TemplateResult {
+        if (!this.challenge) {
+            return html``;
+        }
+        switch (this.challenge.type) {
+            case ChallengeTypes.redirect:
+                console.debug(`authentik/flows: redirecting to ${(this.challenge as RedirectChallenge).to}`);
+                window.location.assign((this.challenge as RedirectChallenge).to);
+                break;
+            case ChallengeTypes.shell:
+                return html`${unsafeHTML((this.challenge as ShellChallenge).body)}`;
+            case ChallengeTypes.native:
+                switch (this.challenge.component) {
+                    case "ak-stage-identification":
+                        return html`<ak-stage-identification .host=${this} .challenge=${this.challenge as IdentificationChallenge}></ak-stage-identification>`;
+                    case "ak-stage-password":
+                        return html`<ak-stage-password .host=${this} .challenge=${this.challenge as PasswordChallenge}></ak-stage-password>`;
+                    case "ak-stage-captcha":
+                        return html`<ak-stage-captcha .host=${this} .challenge=${this.challenge as CaptchaChallenge}></ak-stage-captcha>`;
+                    case "ak-stage-consent":
+                        return html`<ak-stage-consent .host=${this} .challenge=${this.challenge as ConsentChallenge}></ak-stage-consent>`;
+                    case "ak-stage-email":
+                        return html`<ak-stage-email .host=${this} .challenge=${this.challenge as EmailChallenge}></ak-stage-email>`;
+                    case "ak-stage-autosubmit":
+                        return html`<ak-stage-autosubmit .host=${this} .challenge=${this.challenge as AutosubmitChallenge}></ak-stage-autosubmit>`;
+                    case "ak-stage-prompt":
+                        return html`<ak-stage-prompt .host=${this} .challenge=${this.challenge as PromptChallenge}></ak-stage-prompt>`;
+                    case "ak-stage-authenticator-totp":
+                        return html`<ak-stage-authenticator-totp .host=${this} .challenge=${this.challenge as AuthenticatorTOTPChallenge}></ak-stage-authenticator-totp>`;
+                    case "ak-stage-authenticator-static":
+                        return html`<ak-stage-authenticator-static .host=${this} .challenge=${this.challenge as AuthenticatorStaticChallenge}></ak-stage-authenticator-static>`;
+                    case "ak-stage-authenticator-webauthn":
+                        return html`<ak-stage-authenticator-webauthn .host=${this} .challenge=${this.challenge as WebAuthnAuthenticatorRegisterChallenge}></ak-stage-authenticator-webauthn>`;
+                    case "ak-stage-authenticator-validate":
+                        return html`<ak-stage-authenticator-validate .host=${this} .challenge=${this.challenge as AuthenticatorValidateStageChallenge}></ak-stage-authenticator-validate>`;
+                    default:
+                        break;
+                }
+                break;
+            default:
+                console.debug(`authentik/flows: unexpected data type ${this.challenge.type}`);
+                break;
+        }
+        return html``;
+    }
+
+    render(): TemplateResult {
+        if (!this.challenge) {
+            return this.renderLoading();
+        }
+        return html`
+            ${this.loading ? this.renderLoading() : html``}
+            ${this.renderChallenge()}
+        `;
+    }
+}
diff --git a/web/src/pages/generic/FlowShellCard.ts b/web/src/pages/generic/FlowShellCard.ts
deleted file mode 100644
index 313175835..000000000
--- a/web/src/pages/generic/FlowShellCard.ts
+++ /dev/null
@@ -1,197 +0,0 @@
-import { LitElement, html, customElement, property, TemplateResult } from "lit-element";
-import { SentryIgnoredError } from "../../common/errors";
-import { getCookie } from "../../utils";
-
-enum ResponseType {
-    redirect = "redirect",
-    template = "template",
-}
-
-interface Response {
-    type: ResponseType;
-    to?: string;
-    body?: string;
-}
-
-@customElement("ak-flow-shell-card")
-export class FlowShellCard extends LitElement {
-    @property()
-    flowBodyUrl = "";
-
-    @property()
-    flowBody?: string;
-
-    createRenderRoot(): Element | ShadowRoot {
-        return this;
-    }
-
-    constructor() {
-        super();
-        this.addEventListener("ak-flow-submit", () => {
-            const csrftoken = getCookie("authentik_csrf");
-            const request = new Request(this.flowBodyUrl, {
-                headers: {
-                    "X-CSRFToken": csrftoken,
-                },
-            });
-            fetch(request, {
-                method: "POST",
-                mode: "same-origin"
-            })
-                .then((response) => {
-                    return response.json();
-                })
-                .then((data) => {
-                    this.updateCard(data);
-                })
-                .catch((e) => {
-                    this.errorMessage(e);
-                });
-        });
-    }
-
-    firstUpdated(): void {
-        fetch(this.flowBodyUrl)
-            .then((r) => {
-                if (r.status === 404) {
-                    // Fallback when the flow does not exist, just redirect to the root
-                    window.location.pathname = "/";
-                } else if (!r.ok) {
-                    throw new SentryIgnoredError(r.statusText);
-                }
-                return r;
-            })
-            .then((r) => {
-                return r.json();
-            })
-            .then((r) => {
-                this.updateCard(r);
-            })
-            .catch((e) => {
-                // Catch JSON or Update errors
-                this.errorMessage(e);
-            });
-    }
-
-    async updateCard(data: Response): Promise<void> {
-        switch (data.type) {
-        case ResponseType.redirect:
-            console.debug(`authentik/flows: redirecting to ${data.to}`);
-            window.location.assign(data.to || "");
-            break;
-        case ResponseType.template:
-            this.flowBody = data.body;
-            await this.requestUpdate();
-            this.checkAutofocus();
-            this.loadFormCode();
-            this.setFormSubmitHandlers();
-            break;
-        default:
-            console.debug(`authentik/flows: unexpected data type ${data.type}`);
-            break;
-        }
-    }
-
-    loadFormCode(): void {
-        this.querySelectorAll("script").forEach((script) => {
-            const newScript = document.createElement("script");
-            newScript.src = script.src;
-            document.head.appendChild(newScript);
-        });
-    }
-
-    checkAutofocus(): void {
-        const autofocusElement = <HTMLElement>this.querySelector("[autofocus]");
-        if (autofocusElement !== null) {
-            autofocusElement.focus();
-        }
-    }
-
-    updateFormAction(form: HTMLFormElement): boolean {
-        for (let index = 0; index < form.elements.length; index++) {
-            const element = <HTMLInputElement>form.elements[index];
-            if (element.value === form.action) {
-                console.debug(
-                    "authentik/flows: Found Form action URL in form elements, not changing form action."
-                );
-                return false;
-            }
-        }
-        form.action = this.flowBodyUrl;
-        console.debug(`authentik/flows: updated form.action ${this.flowBodyUrl}`);
-        return true;
-    }
-
-    checkAutosubmit(form: HTMLFormElement): void {
-        if ("autosubmit" in form.attributes) {
-            return form.submit();
-        }
-    }
-
-    setFormSubmitHandlers(): void {
-        this.querySelectorAll("form").forEach((form) => {
-            console.debug(`authentik/flows: Checking for autosubmit attribute ${form}`);
-            this.checkAutosubmit(form);
-            console.debug(`authentik/flows: Setting action for form ${form}`);
-            this.updateFormAction(form);
-            console.debug(`authentik/flows: Adding handler for form ${form}`);
-            form.addEventListener("submit", (e) => {
-                e.preventDefault();
-                const formData = new FormData(form);
-                this.flowBody = undefined;
-                fetch(this.flowBodyUrl, {
-                    method: "post",
-                    body: formData,
-                })
-                    .then((response) => {
-                        return response.json();
-                    })
-                    .then((data) => {
-                        this.updateCard(data);
-                    })
-                    .catch((e) => {
-                        this.errorMessage(e);
-                    });
-            });
-            form.classList.add("ak-flow-wrapped");
-        });
-    }
-
-    errorMessage(error: string): void {
-        this.flowBody = `
-            <style>
-                .ak-exception {
-                    font-family: monospace;
-                    overflow-x: scroll;
-                }
-            </style>
-            <header class="pf-c-login__main-header">
-                <h1 class="pf-c-title pf-m-3xl">
-                    Whoops!
-                </h1>
-            </header>
-            <div class="pf-c-login__main-body">
-                <h3>
-                    Something went wrong! Please try again later.
-                </h3>
-                <pre class="ak-exception">${error}</pre>
-            </div>`;
-    }
-
-    loading(): TemplateResult {
-        return html` <div class="pf-c-login__main-body ak-loading">
-            <span class="pf-c-spinner" role="progressbar" aria-valuetext="Loading...">
-                <span class="pf-c-spinner__clipper"></span>
-                <span class="pf-c-spinner__lead-ball"></span>
-                <span class="pf-c-spinner__tail-ball"></span>
-            </span>
-        </div>`;
-    }
-
-    render(): TemplateResult {
-        if (this.flowBody) {
-            return html(<TemplateStringsArray>(<unknown>[this.flowBody]));
-        }
-        return this.loading();
-    }
-}
diff --git a/web/src/pages/generic/SiteShell.ts b/web/src/pages/generic/SiteShell.ts
index 687fc8d78..0e7eda4a4 100644
--- a/web/src/pages/generic/SiteShell.ts
+++ b/web/src/pages/generic/SiteShell.ts
@@ -138,7 +138,7 @@ export class SiteShell extends LitElement {
                             level_tag: "error",
                             message: "Unexpected error"
                         });
-                        console.log(e);
+                        console.error(e);
                     });
             });
         });
diff --git a/website/static/flows/enrollment-2-stage.akflow b/website/static/flows/enrollment-2-stage.akflow
index 924a83c67..68b726154 100644
--- a/website/static/flows/enrollment-2-stage.akflow
+++ b/website/static/flows/enrollment-2-stage.akflow
@@ -21,7 +21,7 @@
             "attrs": {
                 "field_key": "username",
                 "label": "Username",
-                "type": "text",
+                "type": "username",
                 "required": true,
                 "placeholder": "Username",
                 "order": 0
diff --git a/website/static/flows/enrollment-email-verification.akflow b/website/static/flows/enrollment-email-verification.akflow
index 2c75d1759..ebf7af9d1 100644
--- a/website/static/flows/enrollment-email-verification.akflow
+++ b/website/static/flows/enrollment-email-verification.akflow
@@ -21,7 +21,7 @@
             "attrs": {
                 "field_key": "username",
                 "label": "Username",
-                "type": "text",
+                "type": "username",
                 "required": true,
                 "placeholder": "Username",
                 "order": 0