Merge branch 'master' into outpost-ldap

2021-04-29 20:13:47 +02:00 · 2021-04-29 20:13:47 +02:00 · b55cb2b40c
parent 4d858c64e0 25c001f2cd
commit b55cb2b40c
44 changed files with 1592 additions and 4002 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -10,21 +10,25 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
-        env:
+        uses: docker/login-action@v1
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        with:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          username: ${{ secrets.DOCKER_PASSWORD }}
-        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+          password: ${{ secrets.DOCKER_USERNAME }}
      - name: Building Docker Image
-        run: docker build
+        uses: docker/build-push-action@v2
-          --no-cache
+        with:
-          -t beryju/authentik:2021.4.4
+          push: true
-          -t beryju/authentik:latest
+          tags: |
-          -f Dockerfile .
+            beryju/authentik-proxy:2021.4.4,
-      - name: Push Docker Container to Registry (versioned)
+            beryju/authentik-proxy:latest,
-        run: docker push beryju/authentik:2021.4.4
+            ghcr.io/goauthentik/authentik:2021.4.4,
-      - name: Push Docker Container to Registry (latest)
+            ghcr.io/goauthentik/authentik:latest
-        run: docker push beryju/authentik:latest
+          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v8
  build-proxy:
    runs-on: ubuntu-latest
    steps:
@ -38,23 +42,27 @@ jobs:
          go get -u github.com/go-swagger/go-swagger/cmd/swagger
          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
          go build -v .
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
-        env:
+        uses: docker/login-action@v1
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        with:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          username: ${{ secrets.DOCKER_PASSWORD }}
-        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+          password: ${{ secrets.DOCKER_USERNAME }}
      - name: Building Docker Image
-        run: |
+        uses: docker/build-push-action@v2
-          cd outpost/
+        with:
-          docker build \
+          push: true
-          --no-cache \
+          tags: |
-          -t beryju/authentik-proxy:2021.4.4 \
+            beryju/authentik-proxy:2021.4.4,
-          -t beryju/authentik-proxy:latest \
+            beryju/authentik-proxy:latest,
-          -f proxy.Dockerfile .
+            ghcr.io/goauthentik/proxy:2021.4.4,
-      - name: Push Docker Container to Registry (versioned)
+            ghcr.io/goauthentik/proxy:latest
-        run: docker push beryju/authentik-proxy:2021.4.4
+          context: proxy/
-      - name: Push Docker Container to Registry (latest)
+          file: proxy/proxy.Dockerfile
-        run: docker push beryju/authentik-proxy:latest
+          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v8
  build-static:
    runs-on: ubuntu-latest
    steps:
@ -62,23 +70,26 @@ jobs:
      - name: prepare ts api client
        run: |
          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
-        env:
+        uses: docker/login-action@v1
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        with:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          username: ${{ secrets.DOCKER_PASSWORD }}
-        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+          password: ${{ secrets.DOCKER_USERNAME }}
      - name: Building Docker Image
-        run: |
+        uses: docker/build-push-action@v2
-          cd web/
+        with:
-          docker build \
+          push: true
-          --no-cache \
+          tags: |
-          -t beryju/authentik-static:2021.4.4 \
+            beryju/authentik-static:2021.4.4,
-          -t beryju/authentik-static:latest \
+            beryju/authentik-static:latest,
-          -f Dockerfile .
+            ghcr.io/goauthentik/static:2021.4.4,
-      - name: Push Docker Container to Registry (versioned)
+            ghcr.io/goauthentik/static:latest
-        run: docker push beryju/authentik-static:2021.4.4
+          context: web/
-      - name: Push Docker Container to Registry (latest)
+          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v8
        run: docker push beryju/authentik-static:latest
  test-release:
    needs:
      - build-server
@ -103,7 +114,7 @@ jobs:
    steps:
      - uses: actions/checkout@v1
      - name: Create a Sentry.io release
-        uses: tclindner/sentry-releases-action@v1.2.0
+        uses: getsentry/action-release@v1
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: beryjuorg
--- a/.gitignore
+++ b/.gitignore
@ -202,3 +202,5 @@ selenium_screenshots/
 backups/
 media/
 *mmdb
 .idea/
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -116,25 +116,24 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:4caf01511a07e229855b964d43ddbc6b3db1fd88a3747a4a7ca6d398ce04f3d3",
+                "sha256:edd2f14f64e0afd2373cd9b2c839004c751afedc593ea3baca3ab36f7206644d"
                "sha256:fcd1a0318919bddf4efd0a8858214ed07d08a870d79d20f9b2d6df5d3092b8d8"
            ],
            "index": "pypi",
-            "version": "==1.17.58"
+            "version": "==1.17.60"
        },
        "botocore": {
            "hashes": [
-                "sha256:0de54af6af58d59237377f1bbe43edc4395d88848cddbe00f546703d4026c638",
+                "sha256:bb63a112ef415638328e4535b75dbc32ebd88f06b7937ce1d297aa5b5527335a",
-                "sha256:2830596e0d92d82abaf78a7926e49a3b7a80c93cdc75e95717a1dd4ea9027283"
+                "sha256:e19947a8978e99467e7b1843308d1adc8febaa4e221021d4befdaec83d993ee7"
            ],
-            "version": "==1.20.58"
+            "version": "==1.20.60"
        },
        "cachetools": {
            "hashes": [
-                "sha256:1d9d5f567be80f7c07d765e21b814326d78c61eb0c3a637dffc0e5d1796cb2e2",
+                "sha256:2cc0b89715337ab6dbba85b5b50effe2b0c74e035d83ee8ed637cf52f12ae001",
-                "sha256:f469e29e7aa4cff64d8de4aad95ce76de8ea1125a16c68e0d93f65c3c3dc92e9"
+                "sha256:61b5ed1e22a0924aed1d23b478f37e8d52549ff8a961de2909c69bf950020cff"
            ],
-            "version": "==4.2.1"
+            "version": "==4.2.2"
        },
        "cbor2": {
            "hashes": [
@ -351,11 +350,11 @@
        },
        "django-otp": {
            "hashes": [
-                "sha256:381a15e65293b8b06d47b7d6b306e0b7af2e104137ac92f6c566d3b9b90b6244",
+                "sha256:04852c5301befb02d1d8ba4a31d375eb08d7c2cb6fe86b5f840867435ab1309c",
-                "sha256:f4ab096b424c33ffe69453620356e1b7517f30dfb9ba13bfeaa1d1f20faddc13"
+                "sha256:3916fc7652c2f934b1cf3807dd8ed257ce7605c10dfefa27fadda5628d9a9c9e"
            ],
            "index": "pypi",
-            "version": "==1.0.3"
+            "version": "==1.0.4"
        },
        "django-prometheus": {
            "hashes": [
@ -444,6 +443,7 @@
        },
        "gunicorn": {
            "hashes": [
                "sha256:9dcc4547dbb1cb284accfb15ab5667a0e5d1881cc443e0677b4882a4067a807e",
                "sha256:e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8"
            ],
            "index": "pypi",
@ -917,11 +917,11 @@
        },
        "pyjwt": {
            "hashes": [
-                "sha256:a5c70a06e1f33d81ef25eecd50d50bd30e34de1ca8b2b9fa3fe0daaabcf69bf7",
+                "sha256:934d73fbba91b0483d3857d1aff50e96b2a892384ee2c17417ed3203f173fca1",
-                "sha256:b70b15f89dc69b993d8a8d32c299032d5355c82f9b5b7e851d1a6d706dffe847"
+                "sha256:fba44e7898bbca160a2b2b501f492824fc8382485d3a6f11ba5d0c1937ce6130"
            ],
            "index": "pypi",
-            "version": "==2.0.1"
+            "version": "==2.1.0"
        },
        "pyopenssl": {
            "hashes": [
--- a/authentik/core/templates/error/generic.html
+++ b/authentik/core/templates/error/generic.html
@ -12,7 +12,7 @@
 {% endblock %}
 {% block body %}
-<section class="pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+<section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
    <div class="pf-c-empty-state">
        <div class="pf-c-empty-state__content">
            <i class="fas fa-exclamation-circle pf-c-empty-state__icon" aria-hidden="true"></i>
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -10,7 +10,7 @@
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-interface-admin>
-    <section class="ak-initial-load pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -14,7 +14,7 @@
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-flow-executor>
-    <section class="ak-initial-load pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -34,7 +34,10 @@ email:
  from: authentik@localhost
 outposts:
-  docker_image_base: "beryju/authentik" # this is prepended to -proxy:version
+  # Placeholders:
  # %(type)s: Outpost type; proxy, ldap, etc
  # %(version)s: Current version; 2021.4.1
  docker_image_base: "beryju/authentik-%(type)s:%(version)s"
 authentik:
  avatars: gravatar  # gravatar or none
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -9,6 +9,7 @@ from channels.middleware import BaseMiddleware
 from channels_redis.core import ChannelFull
 from django.core.exceptions import SuspiciousOperation, ValidationError
 from django.db import InternalError, OperationalError, ProgrammingError
 from django.http.response import Http404
 from django_redis.exceptions import ConnectionInterrupted
 from docker.errors import DockerException
 from ldap3.core.exceptions import LDAPException
@ -78,6 +79,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        LDAPException,
        # Docker errors
        DockerException,
        # End-user errors
        Http404,
    )
    if "exc_info" in hint:
        _, exc_value, _ = hint["exc_info"]
--- a/authentik/outposts/controllers/base.py
+++ b/authentik/outposts/controllers/base.py
@ -4,6 +4,8 @@ from dataclasses import dataclass
 from structlog.stdlib import get_logger
 from structlog.testing import capture_logs
 from authentik import __version__
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.outposts.models import Outpost, OutpostServiceConnection
@ -55,3 +57,10 @@ class BaseController:
    def get_static_deployment(self) -> str:
        """Return a static deployment configuration"""
        raise NotImplementedError
    def get_container_image(self) -> str:
        """Get container image to use for this outpost"""
        image_name_template: str = CONFIG.y("outposts.docker_image_base")
        return image_name_template.format(
            {"type": self.outpost.type, "version": __version__}
        )
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -8,7 +8,6 @@ from docker.models.containers import Container
 from yaml import safe_dump
 from authentik import __version__
 from authentik.lib.config import CONFIG
 from authentik.outposts.controllers.base import BaseController, ControllerException
 from authentik.outposts.models import (
    DockerServiceConnection,
@ -60,8 +59,7 @@ class DockerController(BaseController):
            return self.client.containers.get(container_name), False
        except NotFound:
            self.logger.info("Container does not exist, creating")
-            image_prefix = CONFIG.y("outposts.docker_image_base")
+            image_name = self.get_container_image()
            image_name = f"{image_prefix}-{self.outpost.type}:{__version__}"
            self.client.images.pull(image_name)
            container_args = {
                "image": image_name,
@ -134,7 +132,8 @@ class DockerController(BaseController):
    def down(self):
        try:
            container, _ = self._get_container()
-            container.kill()
+            if container.status == "running":
                container.kill()
            container.remove()
        except DockerException as exc:
            raise ControllerException from exc
@ -145,12 +144,12 @@ class DockerController(BaseController):
            f"{port.port}:{port.port}/{port.protocol.lower()}"
            for port in self.deployment_ports
        ]
-        image_prefix = CONFIG.y("outposts.docker_image_base")
+        image_name = self.get_container_image()
        compose = {
            "version": "3.5",
            "services": {
                f"authentik_{self.outpost.type}": {
-                    "image": f"{image_prefix}-{self.outpost.type}:{__version__}",
+                    "image": image_name,
                    "ports": ports,
                    "environment": {
                        "AUTHENTIK_HOST": self.outpost.config.authentik_host,
--- a/authentik/outposts/controllers/k8s/deployment.py
+++ b/authentik/outposts/controllers/k8s/deployment.py
@ -16,8 +16,6 @@ from kubernetes.client import (
    V1SecretKeySelector,
 )
 from authentik import __version__
 from authentik.lib.config import CONFIG
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import (
    KubernetesObjectReconciler,
@ -75,7 +73,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
            )
        meta = self.get_object_meta(name=self.name)
        secret_name = f"authentik-outpost-{self.controller.outpost.uuid.hex}-api"
-        image_prefix = CONFIG.y("outposts.docker_image_base")
+        image_name = self.controller.get_container_image()
        return V1Deployment(
            metadata=meta,
            spec=V1DeploymentSpec(
@ -87,7 +85,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
                        containers=[
                            V1Container(
                                name=str(self.outpost.type),
-                                image=f"{image_prefix}-{self.outpost.type}:{__version__}",
+                                image=image_name,
                                ports=container_ports,
                                env=[
                                    V1EnvVar(
--- a/authentik/providers/oauth2/api/provider.py
+++ b/authentik/providers/oauth2/api/provider.py
@ -38,6 +38,7 @@ class OAuth2ProviderSerializer(ProviderSerializer):
            "client_type",
            "client_id",
            "client_secret",
            "access_code_validity",
            "token_validity",
            "include_claims_in_id_token",
            "jwt_alg",
--- a/authentik/providers/oauth2/migrations/0012_oauth2provider_access_code_validity.py
+++ b/authentik/providers/oauth2/migrations/0012_oauth2provider_access_code_validity.py
@ -0,0 +1,24 @@
 # Generated by Django 3.2 on 2021-04-28 18:17
 from django.db import migrations, models
 import authentik.lib.utils.time
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0011_managed"),
    ]
    operations = [
        migrations.AddField(
            model_name="oauth2provider",
            name="access_code_validity",
            field=models.TextField(
                default="minutes=1",
                help_text="Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).",
                validators=[authentik.lib.utils.time.timedelta_string_validator],
            ),
        ),
    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -175,6 +175,16 @@ class OAuth2Provider(Provider):
        ),
    )
    access_code_validity = models.TextField(
        default="minutes=1",
        validators=[timedelta_string_validator],
        help_text=_(
            (
                "Access codes not valid on or after current time + this value "
                "(Format: hours=1;minutes=2;seconds=3)."
            )
        ),
    )
    token_validity = models.TextField(
        default="minutes=10",
        validators=[timedelta_string_validator],
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -219,7 +219,7 @@ class OAuthAuthorizationParams:
            code.code_challenge_method = self.code_challenge_method
        code.expires_at = timezone.now() + timedelta_from_string(
-            self.provider.token_validity
+            self.provider.access_code_validity
        )
        code.scope = self.scope
        code.nonce = self.nonce
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -52,6 +52,7 @@ class ProxyProviderSerializer(ProviderSerializer):
            "basic_auth_enabled",
            "basic_auth_password_attribute",
            "basic_auth_user_attribute",
            "forward_auth_mode",
        ]
@ -86,6 +87,7 @@ class ProxyOutpostConfigSerializer(ModelSerializer):
            "basic_auth_enabled",
            "basic_auth_password_attribute",
            "basic_auth_user_attribute",
            "forward_auth_mode",
        ]
    @swagger_serializer_method(serializer_or_field=OpenIDConnectConfigurationSerializer)
--- a/authentik/providers/proxy/migrations/0011_proxyprovider_forward_auth_mode.py
+++ b/authentik/providers/proxy/migrations/0011_proxyprovider_forward_auth_mode.py
@ -0,0 +1,35 @@
 # Generated by Django 3.2 on 2021-04-27 18:47
 from django.db import migrations, models
 import authentik.lib.models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_proxy", "0010_auto_20201214_0942"),
    ]
    operations = [
        migrations.AddField(
            model_name="proxyprovider",
            name="forward_auth_mode",
            field=models.BooleanField(
                default=False,
                help_text="Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host.",
            ),
        ),
        migrations.AlterField(
            model_name="proxyprovider",
            name="internal_host",
            field=models.TextField(
                blank=True,
                validators=[
                    authentik.lib.models.DomainlessURLValidator(
                        schemes=("http", "https")
                    )
                ],
            ),
        ),
    ]
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -42,7 +42,8 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
    Protocols by using a Reverse-Proxy."""
    internal_host = models.TextField(
-        validators=[DomainlessURLValidator(schemes=("http", "https"))]
+        validators=[DomainlessURLValidator(schemes=("http", "https"))],
        blank=True,
    )
    external_host = models.TextField(
        validators=[DomainlessURLValidator(schemes=("http", "https"))]
@ -52,6 +53,13 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
        help_text=_("Validate SSL Certificates of upstream servers"),
        verbose_name=_("Internal host SSL Validation"),
    )
    forward_auth_mode = models.BooleanField(
        default=False,
        help_text=_(
            "Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with "
            "internal_host."
        ),
    )
    skip_path_regex = models.TextField(
        default="",
--- a/authentik/stages/invitation/stage.py
+++ b/authentik/stages/invitation/stage.py
@ -1,8 +1,11 @@
 """invitation stage logic"""
 from typing import Optional
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404
 from authentik.flows.stage import StageView
 from authentik.flows.views import SESSION_KEY_GET
 from authentik.stages.invitation.models import Invitation, InvitationStage
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
@ -14,16 +17,26 @@ INVITATION_IN_EFFECT = "invitation_in_effect"
 class InvitationStageView(StageView):
    """Finalise Authentication flow by logging the user in"""
    def get_token(self) -> Optional[str]:
        """Get token from saved get-arguments or prompt_data"""
        if INVITATION_TOKEN_KEY in self.request.session.get(SESSION_KEY_GET, {}):
            return self.request.session[SESSION_KEY_GET][INVITATION_TOKEN_KEY]
        if INVITATION_TOKEN_KEY in self.executor.plan.context.get(
            PLAN_CONTEXT_PROMPT, {}
        ):
            return self.executor.plan.context[PLAN_CONTEXT_PROMPT][INVITATION_TOKEN_KEY]
        return None
    def get(self, request: HttpRequest) -> HttpResponse:
        """Apply data to the current flow based on a URL"""
        stage: InvitationStage = self.executor.current_stage
-        if INVITATION_TOKEN_KEY not in request.GET:
+        token = self.get_token()
        if not token:
            # No Invitation was given, raise error or continue
            if stage.continue_flow_without_invitation:
                return self.executor.stage_ok()
            return self.executor.stage_invalid()
        token = request.GET[INVITATION_TOKEN_KEY]
        invite: Invitation = get_object_or_404(Invitation, pk=token)
        self.executor.plan.context[PLAN_CONTEXT_PROMPT] = invite.fixed_data
        self.executor.plan.context[INVITATION_IN_EFFECT] = True
--- a/authentik/stages/invitation/tests.py
+++ b/authentik/stages/invitation/tests.py
@ -4,6 +4,7 @@ from unittest.mock import MagicMock, patch
 from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils.encoding import force_str
 from django.utils.http import urlencode
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase
@ -94,15 +95,11 @@ class TestUserLoginStage(TestCase):
        self.stage.continue_flow_without_invitation = False
        self.stage.save()
-    def test_with_invitation(self):
+    def test_with_invitation_get(self):
        """Test with invitation, check data in session"""
        plan = FlowPlan(
            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
        )
        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
        plan.context[
            PLAN_CONTEXT_AUTHENTICATION_BACKEND
        ] = "django.contrib.auth.backends.ModelBackend"
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
@ -116,9 +113,39 @@ class TestUserLoginStage(TestCase):
            base_url = reverse(
                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
            )
-            response = self.client.get(
+            args = urlencode({INVITATION_TOKEN_KEY: invite.pk.hex})
-                base_url + f"?{INVITATION_TOKEN_KEY}={invite.pk.hex}"
+            response = self.client.get(base_url + f"?query={args}")
        session = self.client.session
        plan: FlowPlan = session[SESSION_KEY_PLAN]
        self.assertEqual(plan.context[PLAN_CONTEXT_PROMPT], data)
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
        )
    def test_with_invitation_prompt_data(self):
        """Test with invitation, check data in session"""
        data = {"foo": "bar"}
        invite = Invitation.objects.create(
            created_by=get_anonymous_user(), fixed_data=data
        )
        plan = FlowPlan(
            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
        )
        plan.context[PLAN_CONTEXT_PROMPT] = {INVITATION_TOKEN_KEY: invite.pk.hex}
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
        with patch("authentik.flows.views.FlowExecutorView.cancel", MagicMock()):
            base_url = reverse(
                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
            )
            response = self.client.get(base_url)
        session = self.client.session
        plan: FlowPlan = session[SESSION_KEY_PLAN]
--- a/helm/README.md
+++ b/helm/README.md
@ -4,6 +4,7 @@
 |-----------------------------------|-------------------------|-------------|
 | image.name                        | beryju/authentik        | Image used to run the authentik server and worker |
 | image.name_static                 | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) |
 | image.name_outposts               | beryju/authentik-%(type)s:%(version)s | Image used for managed outposts. Placeholders: %(type)s: Outpost type; proxy, ldap, etc. %(version)s: Current version; 2021.4.1 |
 | image.tag                         | 2021.4.4                | Image tag |
 | image.pullPolicy                  | IfNotPresent            | Image Pull Policy used for all deployments |
 | serverReplicas                    | 1                       | Replicas for the Server deployment |
--- a/helm/values.yaml
+++ b/helm/values.yaml
@ -4,7 +4,10 @@
 image:
  name: beryju/authentik
  name_static: beryju/authentik-static
-  name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
+  # Image used for managed outposts. Placeholders:
  # %(type)s: Outpost type; proxy, ldap, etc
  # %(version)s: Current version; 2021.4.1
  name_outposts: "beryju/authentik-%(type)s:%(version)s"
  tag: 2021.4.4
  pullPolicy: IfNotPresent
--- a/outpost/Makefile
+++ b/outpost/Makefile
@ -1,4 +1,4 @@
-all: clean generate build
+all: clean generate
 generate:
 	go get -u github.com/go-swagger/go-swagger/cmd/swagger
@ -11,5 +11,3 @@ clean:
 	go mod tidy
 	go clean .
 build:
 	go build -v .
--- a/outpost/pkg/proxy/api_bundle.go
+++ b/outpost/pkg/proxy/api_bundle.go
@ -31,6 +31,10 @@ type providerBundle struct {
 	log *log.Entry
 }
 func intToPointer(i int) *int {
 	return &i
 }
 func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *options.Options {
 	externalHost, err := url.Parse(*provider.ExternalHost)
 	if err != nil {
@ -61,13 +65,24 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
 		providerOpts.SkipAuthRegex = skipRegexes
 	}
-	providerOpts.UpstreamServers = []options.Upstream{
+	if provider.ForwardAuthMode {
-		{
+		providerOpts.UpstreamServers = []options.Upstream{
-			ID:                    "default",
+			{
-			URI:                   *provider.InternalHost,
+				ID:         "static",
-			Path:                  "/",
+				Static:     true,
-			InsecureSkipTLSVerify: provider.InternalHostSslValidation,
+				StaticCode: intToPointer(202),
-		},
+				Path:       "/",
 			},
 		}
 	} else {
 		providerOpts.UpstreamServers = []options.Upstream{
 			{
 				ID:                    "default",
 				URI:                   provider.InternalHost,
 				Path:                  "/",
 				InsecureSkipTLSVerify: provider.InternalHostSslValidation,
 			},
 		}
 	}
 	if provider.Certificate != nil {
--- a/outpost/pkg/proxy/proxy.go
+++ b/outpost/pkg/proxy/proxy.go
@ -63,6 +63,7 @@ type OAuthProxy struct {
 	AuthOnlyPath      string
 	UserInfoPath      string
 	forwardAuthMode            bool
 	redirectURL                *url.URL // the url to receive requests at
 	whitelistDomains           []string
 	provider                   providers.Provider
@ -132,6 +133,7 @@ func NewOAuthProxy(opts *options.Options, provider *models.ProxyOutpostConfig) (
 		CookieRefresh:  opts.Cookie.Refresh,
 		CookieSameSite: opts.Cookie.SameSite,
 		forwardAuthMode:   provider.ForwardAuthMode,
 		RobotsPath:        "/robots.txt",
 		SignInPath:        fmt.Sprintf("%s/sign_in", opts.ProxyPrefix),
 		SignOutPath:       fmt.Sprintf("%s/sign_out", opts.ProxyPrefix),
@ -335,12 +337,29 @@ func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
 func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request) {
 	session, err := p.getAuthenticatedSession(rw, req)
 	if err != nil {
 		if p.forwardAuthMode {
 			if _, ok := req.URL.Query()["nginx"]; ok {
 				rw.WriteHeader(401)
 				return
 			}
 			if _, ok := req.URL.Query()["traefik"]; ok {
 				host := getHost(req)
 				http.Redirect(rw, req, fmt.Sprintf("//%s%s", host, p.OAuthStartPath), http.StatusTemporaryRedirect)
 				return
 			}
 		}
 		http.Error(rw, "unauthorized request", http.StatusUnauthorized)
 		return
 	}
 	// we are authenticated
 	p.addHeadersForProxying(rw, req, session)
 	if p.forwardAuthMode {
 		for headerKey, headers := range req.Header {
 			for _, value := range headers {
 				rw.Header().Set(headerKey, value)
 			}
 		}
 	}
 	rw.WriteHeader(http.StatusAccepted)
 }
@ -435,7 +454,6 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 		authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password))
 		req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
 	}
 	rw.Header().Set("GAP-Auth", session.PreferredUsername)
 	// Check if user has additional headers set that we should sent
 	if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok {
 		if additionalHeaders == nil {
--- a/swagger.yaml
+++ b/swagger.yaml
@ -15873,6 +15873,12 @@ definitions:
        title: Client Secret
        type: string
        maxLength: 255
      access_code_validity:
        title: Access code validity
        description: 'Access codes not valid on or after current time + this value
          (Format: hours=1;minutes=2;seconds=3).'
        type: string
        minLength: 1
      token_validity:
        title: Token validity
        description: 'Tokens not valid on or after current time + this value (Format:
@ -16125,7 +16131,6 @@ definitions:
  ProxyOutpostConfig:
    required:
      - name
      - internal_host
      - external_host
    type: object
    properties:
@ -16140,7 +16145,6 @@ definitions:
      internal_host:
        title: Internal host
        type: string
        minLength: 1
      external_host:
        title: External host
        type: string
@ -16189,6 +16193,11 @@ definitions:
        description: User/Group Attribute used for the user part of the HTTP-Basic
          Header. If not set, the user's Email address is used.
        type: string
      forward_auth_mode:
        title: Forward auth mode
        description: Enable support for forwardAuth in traefik and nginx auth_request.
          Exclusive with internal_host.
        type: boolean
  ServiceConnection:
    required:
      - name
@ -17156,7 +17165,6 @@ definitions:
    required:
      - name
      - authorization_flow
      - internal_host
      - external_host
    type: object
    properties:
@ -17202,7 +17210,6 @@ definitions:
      internal_host:
        title: Internal host
        type: string
        minLength: 1
      external_host:
        title: External host
        type: string
@ -17236,6 +17243,11 @@ definitions:
        description: User/Group Attribute used for the user part of the HTTP-Basic
          Header. If not set, the user's Email address is used.
        type: string
      forward_auth_mode:
        title: Forward auth mode
        description: Enable support for forwardAuth in traefik and nginx auth_request.
          Exclusive with internal_host.
        type: boolean
  SAMLProvider:
    required:
      - name
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -1866,13 +1866,13 @@
            }
        },
        "@sentry/browser": {
-            "version": "6.3.1",
+            "version": "6.3.3",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.3.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.3.3.tgz",
-            "integrity": "sha512-Ri4tYsyuJIeLQnvQUqbpGzailUYpbjFSYM0+yEM63gPsjiXdg+W8yKHluA6cs6FLWVN3oWfwHW7Kd61echlGuw==",
+            "integrity": "sha512-M3l4xdpU4fTNERnuXZ46ceMa+bAMdUOaSYbmflYt5GSkBuYS/eC8nAaCj//4CMT4JMwT3oUKYI5k6wDIKgyKMQ==",
            "requires": {
-                "@sentry/core": "6.3.1",
+                "@sentry/core": "6.3.3",
-                "@sentry/types": "6.3.1",
+                "@sentry/types": "6.3.3",
-                "@sentry/utils": "6.3.1",
+                "@sentry/utils": "6.3.3",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1884,14 +1884,14 @@
            }
        },
        "@sentry/core": {
-            "version": "6.3.1",
+            "version": "6.3.3",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.3.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.3.3.tgz",
-            "integrity": "sha512-aVuvVbaehGeN86jZlLDGGkhEtprdOtB6lvYLfGy40Dj1Tkh2mGWE550QsRXAXAqYvQzIYwQR23r6m3o8FujgVg==",
+            "integrity": "sha512-wbmXmhWHpbFLmXf9DBUOp9H5Ao+T8Ztn5KXoxDwBnsYXtgVIzQfdpRbtcNtvJJ/UPZ3H3rRHQ8zQTb5Ni99xYQ==",
            "requires": {
-                "@sentry/hub": "6.3.1",
+                "@sentry/hub": "6.3.3",
-                "@sentry/minimal": "6.3.1",
+                "@sentry/minimal": "6.3.3",
-                "@sentry/types": "6.3.1",
+                "@sentry/types": "6.3.3",
-                "@sentry/utils": "6.3.1",
+                "@sentry/utils": "6.3.3",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1903,12 +1903,12 @@
            }
        },
        "@sentry/hub": {
-            "version": "6.3.1",
+            "version": "6.3.3",
-            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.3.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.3.3.tgz",
-            "integrity": "sha512-2er+OeVlsdVZkhl9kXQAANwgjwoCdM1etK2iFuhzX8xkMaJlAuZLyQInv2U1BbXBlIfWjvzRM8B95hCWvVrR3Q==",
+            "integrity": "sha512-vrJHrDKTCAL63dkNNll18Q1c7YjuIYYv5jY56RNUQpm+7sX4v+iw9giOI+iLbPKaGpEyraa17FeF/xO0SqIp9Q==",
            "requires": {
-                "@sentry/types": "6.3.1",
+                "@sentry/types": "6.3.3",
-                "@sentry/utils": "6.3.1",
+                "@sentry/utils": "6.3.3",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1920,12 +1920,12 @@
            }
        },
        "@sentry/minimal": {
-            "version": "6.3.1",
+            "version": "6.3.3",
-            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.3.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.3.3.tgz",
-            "integrity": "sha512-0eN9S7HvXsCQEjX/qXHTMgvSb3mwrnZEWS9Qz/Bz5ig9pEGXKgJ1om5NTTHVHhXqd3wFCjdvIo6slufLHoCtSw==",
+            "integrity": "sha512-MKspEQ5hhTMrbeiNvkRGgm/NX2gM/Mni0vDJjuqQFi2Cd3RwA4ZVO6yRr6XzFPtTGgDsrXg75lQ8rma96Qs8/g==",
            "requires": {
-                "@sentry/hub": "6.3.1",
+                "@sentry/hub": "6.3.3",
-                "@sentry/types": "6.3.1",
+                "@sentry/types": "6.3.3",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1937,51 +1937,17 @@
            }
        },
        "@sentry/tracing": {
-            "version": "6.3.1",
+            "version": "6.3.3",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.3.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.3.3.tgz",
-            "integrity": "sha512-qveDmoWsXy9qLEblZJwJ1OU/zZRlEd/q7Jhd0Hnwlob8Ci96huABEbYyGdJs18BKVHEFU3gSdVfvrikUE/W17g==",
+            "integrity": "sha512-xtiUfgxDnxgcmwVeZiwOwlwSfT0zCCQWVRRUz6YOnuageEkJpJAXqGgpTTkB5tDrmt7E7Ikq5XF4qzQGMGQLWw==",
            "requires": {
-                "@sentry/hub": "6.3.1",
+                "@sentry/hub": "6.3.3",
-                "@sentry/minimal": "6.3.1",
+                "@sentry/minimal": "6.3.3",
-                "@sentry/types": "6.3.1",
+                "@sentry/types": "6.3.3",
-                "@sentry/utils": "6.3.1",
+                "@sentry/utils": "6.3.3",
                "tslib": "^1.9.3"
            },
            "dependencies": {
                "@sentry/hub": {
                    "version": "6.3.1",
                    "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.3.1.tgz",
                    "integrity": "sha512-2er+OeVlsdVZkhl9kXQAANwgjwoCdM1etK2iFuhzX8xkMaJlAuZLyQInv2U1BbXBlIfWjvzRM8B95hCWvVrR3Q==",
                    "requires": {
                        "@sentry/types": "6.3.1",
                        "@sentry/utils": "6.3.1",
                        "tslib": "^1.9.3"
                    }
                },
                "@sentry/minimal": {
                    "version": "6.3.1",
                    "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.3.1.tgz",
                    "integrity": "sha512-0eN9S7HvXsCQEjX/qXHTMgvSb3mwrnZEWS9Qz/Bz5ig9pEGXKgJ1om5NTTHVHhXqd3wFCjdvIo6slufLHoCtSw==",
                    "requires": {
                        "@sentry/hub": "6.3.1",
                        "@sentry/types": "6.3.1",
                        "tslib": "^1.9.3"
                    }
                },
                "@sentry/types": {
                    "version": "6.3.1",
                    "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.3.1.tgz",
                    "integrity": "sha512-BEBn8JX1yaooCAuonbaMci9z0RjwwMbQ3Eny/eyDdd+rjXprZCZaStZnCvSThbNBqAJ8YaUqY2YBMnEwJxarAw=="
                },
                "@sentry/utils": {
                    "version": "6.3.1",
                    "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.3.1.tgz",
                    "integrity": "sha512-cdtl/QWC9FtinAuW3w8QfvSfh/Q9ui5vwvjzVHiS1ga/U38edi2XX+cttY39ZYwz0SQG99cE10GOIhd1p7/mAA==",
                    "requires": {
                        "@sentry/types": "6.3.1",
                        "tslib": "^1.9.3"
                    }
                },
                "tslib": {
                    "version": "1.14.1",
                    "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
@ -1990,16 +1956,16 @@
            }
        },
        "@sentry/types": {
-            "version": "6.3.1",
+            "version": "6.3.3",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.3.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.3.3.tgz",
-            "integrity": "sha512-BEBn8JX1yaooCAuonbaMci9z0RjwwMbQ3Eny/eyDdd+rjXprZCZaStZnCvSThbNBqAJ8YaUqY2YBMnEwJxarAw=="
+            "integrity": "sha512-UPHzhwqdjta7LCFfqNvJ5g79lRiXOxtgnIp7zlBkHU6yZs4fPnlBadljyi2gGFguN+C+XAukrbXUAq2mb+Mhdw=="
        },
        "@sentry/utils": {
-            "version": "6.3.1",
+            "version": "6.3.3",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.3.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.3.3.tgz",
-            "integrity": "sha512-cdtl/QWC9FtinAuW3w8QfvSfh/Q9ui5vwvjzVHiS1ga/U38edi2XX+cttY39ZYwz0SQG99cE10GOIhd1p7/mAA==",
+            "integrity": "sha512-Kz546LeF6Ff/FU53XUVaairMQYFc6sIHBvE5ReZmfDRpaR+qZnfIbWhfoIbSwyBbtF+T8/gcU7mcZpZQmM5jLw==",
            "requires": {
-                "@sentry/types": "6.3.1",
+                "@sentry/types": "6.3.3",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -4482,9 +4448,9 @@
            }
        },
        "lit-html": {
-            "version": "1.3.0",
+            "version": "1.4.0",
-            "resolved": "https://registry.npmjs.org/lit-html/-/lit-html-1.3.0.tgz",
+            "resolved": "https://registry.npmjs.org/lit-html/-/lit-html-1.4.0.tgz",
-            "integrity": "sha512-0Q1bwmaFH9O14vycPHw8C/IeHMk/uSDldVLIefu/kfbTBGIc44KGH6A8p1bDfxUfHdc8q6Ct7kQklWoHgr4t1Q=="
+            "integrity": "sha512-cgaqPSgqHRaTH/P1DnWD/dQxudtrHqD0xo1AoyOGJZir2rXgsvTg77z6Pitwk9B+kL23EakD62HV3x8sT01aWQ=="
        },
        "locate-path": {
            "version": "5.0.0",
--- a/web/package.json
+++ b/web/package.json
@ -50,8 +50,8 @@
        "@rollup/plugin-babel": "^5.3.0",
        "@rollup/plugin-replace": "^2.4.2",
        "@rollup/plugin-typescript": "^8.2.1",
-        "@sentry/browser": "^6.3.1",
+        "@sentry/browser": "^6.3.3",
-        "@sentry/tracing": "^6.3.1",
+        "@sentry/tracing": "^6.3.3",
        "@types/chart.js": "^2.9.32",
        "@types/codemirror": "0.0.109",
        "@types/grecaptcha": "^3.0.1",
@ -70,7 +70,7 @@
        "eslint-plugin-lit": "^1.3.0",
        "flowchart.js": "^1.15.0",
        "lit-element": "^2.4.0",
-        "lit-html": "^1.3.0",
+        "lit-html": "^1.4.0",
        "moment": "^2.29.1",
        "rapidoc": "^9.0.0",
        "rollup": "^2.45.2",
--- a/web/src/authentik.css
+++ b/web/src/authentik.css
@ -97,9 +97,12 @@ html > form > input {
 body {
    background-color: var(--ak-dark-background) !important;
 }
-.ak-initial-load h1 {
+.ak-static-page h1 {
    color: var(--ak-dark-foreground);
 }
 .form-help-text {
    color: var(--pf-global--Color--100);
 }
@media (prefers-color-scheme: dark) {
    :root {
@ -239,6 +242,9 @@ body {
    .pf-c-check__label {
        color: var(--ak-dark-foreground);
    }
    .form-help-text {
        color: var(--ak-dark-foreground);
    }
    /* inputs help text */
    .pf-c-form__helper-text:not(.pf-m-error) {
        color: var(--ak-dark-foreground);
--- a/web/src/interfaces/admin/index.html
+++ b/web/src/interfaces/admin/index.html
@ -18,7 +18,7 @@
    <body>
        <ak-message-container></ak-message-container>
        <ak-interface-admin>
-            <section class="ak-initial-load pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+            <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
                <div class="pf-c-empty-state" style="height: 100vh;">
                    <div class="pf-c-empty-state__content">
                        <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="Loading...">
--- a/web/src/interfaces/flow/index.html
+++ b/web/src/interfaces/flow/index.html
@ -19,7 +19,7 @@
    <body>
        <ak-message-container></ak-message-container>
        <ak-flow-executor>
-            <section class="ak-initial-load pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+            <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
                <div class="pf-c-empty-state" style="height: 100vh;">
                    <div class="pf-c-empty-state__content">
                        <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="Loading...">
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@ -13,6 +13,13 @@ msgstr ""
 "Language-Team: \n"
 "Plural-Forms: \n"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:141
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149
 #: src/pages/providers/saml/SAMLProviderForm.ts:202
 #: src/pages/stages/user_login/UserLoginStageForm.ts:71
 msgid "(Format: hours=-1;minutes=-2;seconds=-3)."
 msgstr "(Format: hours=-1;minutes=-2;seconds=-3)."
 #: src/pages/policies/BoundPoliciesList.ts:59
 msgid "-"
 msgstr "-"
@ -68,6 +75,10 @@ msgstr "API request failed"
 msgid "Access Key"
 msgstr "Access Key"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136
 msgid "Access code validity"
 msgstr "Access code validity"
 #: src/pages/sources/oauth/OAuthSourceForm.ts:73
 msgid "Access token URL"
 msgstr "Access token URL"
@ -106,7 +117,7 @@ msgid "Additional user DN, prepended to the Base DN."
 msgstr "Additional user DN, prepended to the Base DN."
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
-#: src/pages/providers/proxy/ProxyProviderForm.ts:130
+#: src/pages/providers/proxy/ProxyProviderForm.ts:153
 #: src/pages/providers/saml/SAMLProviderForm.ts:117
 #: src/pages/sources/saml/SAMLSourceForm.ts:134
 msgid "Advanced protocol settings"
@ -125,7 +136,7 @@ msgstr "Affected model:"
 msgid "Alert"
 msgstr "Alert"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:153
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:163
 msgid "Algorithm used to sign the JWT Tokens."
 msgstr "Algorithm used to sign the JWT Tokens."
@ -220,7 +231,7 @@ msgstr "Are you sure you want to delete {0} {objName} ?"
 msgid "Are you sure you want to update {0} \"{1}\"?"
 msgstr "Are you sure you want to update {0} \"{1}\"?"
-#: src/pages/providers/saml/SAMLProviderForm.ts:208
+#: src/pages/providers/saml/SAMLProviderForm.ts:209
 msgid "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
 msgstr "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
@ -228,11 +239,7 @@ msgstr "Assertion not valid on or after current time + this value (Format: hours
 msgid "Assertion valid not before"
 msgstr "Assertion valid not before"
-#: src/pages/providers/saml/SAMLProviderForm.ts:201
+#: src/pages/providers/saml/SAMLProviderForm.ts:205
 msgid "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)."
 msgstr "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)."
 #: src/pages/providers/saml/SAMLProviderForm.ts:204
 msgid "Assertion valid not on or after"
 msgstr "Assertion valid not on or after"
@ -298,7 +305,7 @@ msgid "Authorization URL"
 msgstr "Authorization URL"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:62
-#: src/pages/providers/proxy/ProxyProviderForm.ts:80
+#: src/pages/providers/proxy/ProxyProviderForm.ts:104
 #: src/pages/providers/saml/SAMLProviderForm.ts:59
 #: src/pages/providers/saml/SAMLProviderImportForm.ts:44
 msgid "Authorization flow"
@ -342,19 +349,19 @@ msgstr "Backup status"
 msgid "Base DN"
 msgstr "Base DN"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:213
 msgid "Based on the Hashed User ID"
 msgstr "Based on the Hashed User ID"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:209
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:219
 msgid "Based on the User's Email. This is recommended over the UPN method."
 msgstr "Based on the User's Email. This is recommended over the UPN method."
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:212
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:222
 msgid "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."
 msgstr "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:206
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216
 msgid "Based on the username"
 msgstr "Based on the username"
@ -393,7 +400,7 @@ msgstr "Build hash: {0}"
 msgid "Built-in"
 msgstr "Built-in"
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:89
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:88
 msgid "CA which the endpoint's Certificate is verified against. Can be left empty for no validation."
 msgstr "CA which the endpoint's Certificate is verified against. Can be left empty for no validation."
@ -426,7 +433,7 @@ msgid "Case insensitive matching"
 msgstr "Case insensitive matching"
 #: src/pages/crypto/CertificateKeyPairForm.ts:51
-#: src/pages/providers/proxy/ProxyProviderForm.ts:134
+#: src/pages/providers/proxy/ProxyProviderForm.ts:157
 msgid "Certificate"
 msgstr "Certificate"
@ -450,7 +457,7 @@ msgstr "Certificate-Key Pair"
 msgid "Certificate-Key Pairs"
 msgstr "Certificate-Key Pairs"
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:106
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:104
 msgid "Certificate/Key used for authentication. Can be left empty for no authentication."
 msgstr "Certificate/Key used for authentication. Can be left empty for no authentication."
@ -592,11 +599,19 @@ msgstr "Configuration flow"
 msgid "Configure WebAuthn"
 msgstr "Configure WebAuthn"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:140
 msgid "Configure how long access codes are valid for."
 msgstr "Configure how long access codes are valid for."
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:148
 msgid "Configure how long refresh tokens and their id_tokens are valid for."
 msgstr "Configure how long refresh tokens and their id_tokens are valid for."
 #: src/pages/providers/saml/SAMLProviderForm.ts:193
 msgid "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."
 msgstr "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:241
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:251
 msgid "Configure how the issuer field of the ID Token should be filled."
 msgstr "Configure how the issuer field of the ID Token should be filled."
@ -604,7 +619,11 @@ msgstr "Configure how the issuer field of the ID Token should be filled."
 msgid "Configure settings relevant to your user profile."
 msgstr "Configure settings relevant to your user profile."
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216
+#: src/pages/providers/saml/SAMLProviderForm.ts:201
 msgid "Configure the maximum allowed time drift for an asseration."
 msgstr "Configure the maximum allowed time drift for an asseration."
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226
 msgid "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."
 msgstr "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."
@ -846,7 +865,7 @@ msgstr "Creation Date"
 msgid "Customisation"
 msgstr "Customisation"
-#: src/pages/providers/saml/SAMLProviderForm.ts:255
+#: src/pages/providers/saml/SAMLProviderForm.ts:256
 #: src/pages/sources/saml/SAMLSourceForm.ts:212
 msgid "DSA-SHA1"
 msgstr "DSA-SHA1"
@ -956,8 +975,8 @@ msgid "Determines how authentik sends the response back to the Service Provider.
 msgstr "Determines how authentik sends the response back to the Service Provider."
 #: src/pages/stages/user_login/UserLoginStageForm.ts:70
-msgid "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)."
+msgid "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed."
-msgstr "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)."
+msgstr "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed."
 #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:113
 msgid "Device classes which can be used to authenticate."
@ -967,7 +986,7 @@ msgstr "Device classes which can be used to authenticate."
 msgid "Device name"
 msgstr "Device name"
-#: src/pages/providers/saml/SAMLProviderForm.ts:219
+#: src/pages/providers/saml/SAMLProviderForm.ts:220
 #: src/pages/sources/saml/SAMLSourceForm.ts:176
 msgid "Digest algorithm"
 msgstr "Digest algorithm"
@ -1010,7 +1029,7 @@ msgstr "Download"
 msgid "Dummy stage used for testing. Shows a simple continue button and always passes."
 msgstr "Dummy stage used for testing. Shows a simple continue button and always passes."
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:234
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:244
 msgid "Each provider has a different issuer, based on the application slug."
 msgstr "Each provider has a different issuer, based on the application slug."
@ -1104,6 +1123,14 @@ msgstr "Enable Static Tokens"
 msgid "Enable TOTP"
 msgstr "Enable TOTP"
 #: src/pages/providers/proxy/ProxyProviderForm.ts:140
 msgid "Enable forward-auth mode"
 msgstr "Enable forward-auth mode"
 #: src/pages/providers/proxy/ProxyProviderForm.ts:144
 msgid "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
 msgstr "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
 #: src/pages/policies/BoundPoliciesList.ts:41
 #: src/pages/policies/PolicyBindingForm.ts:199
 #: src/pages/sources/ldap/LDAPSourceForm.ts:69
@ -1262,7 +1289,7 @@ msgstr "External Applications which use authentik as Identity-Provider, utilizin
 msgid "External Host"
 msgstr "External Host"
-#: src/pages/providers/proxy/ProxyProviderForm.ts:119
+#: src/pages/providers/proxy/ProxyProviderForm.ts:127
 msgid "External host"
 msgstr "External host"
@ -1357,7 +1384,7 @@ msgid "Flow used by an authenticated user to configure this Stage. If empty, use
 msgstr "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:76
-#: src/pages/providers/proxy/ProxyProviderForm.ts:94
+#: src/pages/providers/proxy/ProxyProviderForm.ts:118
 #: src/pages/providers/saml/SAMLProviderForm.ts:73
 #: src/pages/providers/saml/SAMLProviderImportForm.ts:57
 msgid "Flow used when authorizing this provider."
@ -1451,15 +1478,15 @@ msgstr "Group {0}"
 msgid "Groups"
 msgstr "Groups"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:150
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:160
 msgid "HS256 (Symmetric Encryption)"
 msgstr "HS256 (Symmetric Encryption)"
-#: src/pages/providers/proxy/ProxyProviderForm.ts:64
+#: src/pages/providers/proxy/ProxyProviderForm.ts:66
 msgid "HTTP-Basic Password Key"
 msgstr "HTTP-Basic Password Key"
-#: src/pages/providers/proxy/ProxyProviderForm.ts:58
+#: src/pages/providers/proxy/ProxyProviderForm.ts:60
 msgid "HTTP-Basic Username Key"
 msgstr "HTTP-Basic Username Key"
@ -1478,7 +1505,7 @@ msgstr "Hide managed mappings"
 #: src/pages/events/RuleForm.ts:93
 #: src/pages/groups/GroupForm.ts:131
 #: src/pages/outposts/OutpostForm.ts:98
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:178
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:188
 #: src/pages/providers/saml/SAMLProviderForm.ts:177
 #: src/pages/sources/ldap/LDAPSourceForm.ts:167
 #: src/pages/sources/ldap/LDAPSourceForm.ts:193
@ -1552,11 +1579,11 @@ msgstr "Import certificates of external providers or create certificates to sign
 msgid "In case you can't access any other method."
 msgstr "In case you can't access any other method."
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:236
 msgid "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."
 msgstr "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:223
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:233
 msgid "Include claims in id_token"
 msgstr "Include claims in id_token"
@ -1568,11 +1595,11 @@ msgstr "Internal Host"
 msgid "Internal application name, used in URLs."
 msgstr "Internal application name, used in URLs."
-#: src/pages/providers/proxy/ProxyProviderForm.ts:103
+#: src/pages/providers/proxy/ProxyProviderForm.ts:78
 msgid "Internal host"
 msgstr "Internal host"
-#: src/pages/providers/proxy/ProxyProviderForm.ts:113
+#: src/pages/providers/proxy/ProxyProviderForm.ts:88
 msgid "Internal host SSL Validation"
 msgstr "Internal host SSL Validation"
@ -1600,15 +1627,15 @@ msgstr "Is superuser"
 msgid "Issuer"
 msgstr "Issuer"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:229
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:239
 msgid "Issuer mode"
 msgstr "Issuer mode"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:142
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152
 msgid "JWT Algorithm"
 msgstr "JWT Algorithm"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:195
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:205
 msgid "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
 msgstr "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
@ -1697,8 +1724,8 @@ msgstr "Loading"
 #: src/pages/groups/GroupForm.ts:127
 #: src/pages/outposts/OutpostForm.ts:74
 #: src/pages/outposts/OutpostForm.ts:96
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:87
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:86
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:104
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:102
 #: src/pages/policies/PolicyBindingForm.ts:157
 #: src/pages/policies/PolicyBindingForm.ts:173
 #: src/pages/policies/PolicyBindingForm.ts:189
@ -1707,10 +1734,10 @@ msgstr "Loading"
 #: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:108
 #: src/pages/property-mappings/PropertyMappingTestForm.ts:61
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:175
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:193
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
-#: src/pages/providers/proxy/ProxyProviderForm.ts:92
+#: src/pages/providers/proxy/ProxyProviderForm.ts:116
-#: src/pages/providers/proxy/ProxyProviderForm.ts:145
+#: src/pages/providers/proxy/ProxyProviderForm.ts:168
 #: src/pages/providers/saml/SAMLProviderForm.ts:71
 #: src/pages/providers/saml/SAMLProviderForm.ts:133
 #: src/pages/providers/saml/SAMLProviderForm.ts:149
@ -1880,7 +1907,7 @@ msgstr "Monitor"
 #: src/pages/providers/ProviderListPage.ts:52
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:56
 #: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:73
-#: src/pages/providers/proxy/ProxyProviderForm.ts:74
+#: src/pages/providers/proxy/ProxyProviderForm.ts:98
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:64
 #: src/pages/providers/saml/SAMLProviderForm.ts:53
 #: src/pages/providers/saml/SAMLProviderImportForm.ts:38
@ -2381,7 +2408,7 @@ msgid "Property mappings used to user creation."
 msgstr "Property mappings used to user creation."
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:81
-#: src/pages/providers/proxy/ProxyProviderForm.ts:99
+#: src/pages/providers/proxy/ProxyProviderForm.ts:123
 #: src/pages/providers/saml/SAMLProviderForm.ts:78
 #: src/pages/sources/oauth/OAuthSourceForm.ts:122
 #: src/pages/sources/saml/SAMLSourceForm.ts:76
@ -2440,30 +2467,30 @@ msgstr "Public key, acquired from https://www.google.com/recaptcha/intro/v3.html
 msgid "Publisher"
 msgstr "Publisher"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:147
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:157
 msgid "RS256 (Asymmetric Encryption)"
 msgstr "RS256 (Asymmetric Encryption)"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:181
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:191
 msgid "RSA Key"
 msgstr "RSA Key"
-#: src/pages/providers/saml/SAMLProviderForm.ts:243
+#: src/pages/providers/saml/SAMLProviderForm.ts:244
 #: src/pages/sources/saml/SAMLSourceForm.ts:200
 msgid "RSA-SHA1"
 msgstr "RSA-SHA1"
-#: src/pages/providers/saml/SAMLProviderForm.ts:246
+#: src/pages/providers/saml/SAMLProviderForm.ts:247
 #: src/pages/sources/saml/SAMLSourceForm.ts:203
 msgid "RSA-SHA256"
 msgstr "RSA-SHA256"
-#: src/pages/providers/saml/SAMLProviderForm.ts:249
+#: src/pages/providers/saml/SAMLProviderForm.ts:250
 #: src/pages/sources/saml/SAMLSourceForm.ts:206
 msgid "RSA-SHA384"
 msgstr "RSA-SHA384"
-#: src/pages/providers/saml/SAMLProviderForm.ts:252
+#: src/pages/providers/saml/SAMLProviderForm.ts:253
 #: src/pages/sources/saml/SAMLSourceForm.ts:209
 msgid "RSA-SHA512"
 msgstr "RSA-SHA512"
@ -2512,7 +2539,7 @@ msgstr "Refresh Code"
 msgid "Register device"
 msgstr "Register device"
-#: src/pages/providers/proxy/ProxyProviderForm.ts:153
+#: src/pages/providers/proxy/ProxyProviderForm.ts:176
 msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
 msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
@ -2591,22 +2618,22 @@ msgstr "Return to device picker"
 msgid "SAML Attribute Name"
 msgstr "SAML Attribute Name"
-#: src/pages/providers/saml/SAMLProviderForm.ts:224
+#: src/pages/providers/saml/SAMLProviderForm.ts:225
 #: src/pages/sources/saml/SAMLSourceForm.ts:181
 msgid "SHA1"
 msgstr "SHA1"
-#: src/pages/providers/saml/SAMLProviderForm.ts:227
+#: src/pages/providers/saml/SAMLProviderForm.ts:228
 #: src/pages/sources/saml/SAMLSourceForm.ts:184
 msgid "SHA256"
 msgstr "SHA256"
-#: src/pages/providers/saml/SAMLProviderForm.ts:230
+#: src/pages/providers/saml/SAMLProviderForm.ts:231
 #: src/pages/sources/saml/SAMLSourceForm.ts:187
 msgid "SHA384"
 msgstr "SHA384"
-#: src/pages/providers/saml/SAMLProviderForm.ts:233
+#: src/pages/providers/saml/SAMLProviderForm.ts:234
 #: src/pages/sources/saml/SAMLSourceForm.ts:190
 msgid "SHA512"
 msgstr "SHA512"
@ -2637,7 +2664,7 @@ msgstr "SMTP Username"
 msgid "SSO URL"
 msgstr "SSO URL"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:237
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:247
 msgid "Same identifier is used for all providers"
 msgstr "Same identifier is used for all providers"
@ -2651,7 +2678,7 @@ msgstr "Scope which the client can specify to access these properties."
 #: src/elements/oauth/UserCodeList.ts:31
 #: src/elements/oauth/UserRefreshList.ts:31
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:156
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:166
 msgid "Scopes"
 msgstr "Scopes"
@ -2686,7 +2713,7 @@ msgstr "Select an identification method."
 msgid "Select users to add"
 msgstr "Select users to add"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:177
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:187
 msgid "Select which scopes can be used by the client. The client stil has to specify the scope to access the data."
 msgstr "Select which scopes can be used by the client. The client stil has to specify the scope to access the data."
@ -2747,19 +2774,19 @@ msgstr "Service connection"
 msgid "Session duration"
 msgstr "Session duration"
-#: src/pages/providers/saml/SAMLProviderForm.ts:215
+#: src/pages/providers/saml/SAMLProviderForm.ts:216
 msgid "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
 msgstr "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
-#: src/pages/providers/saml/SAMLProviderForm.ts:211
+#: src/pages/providers/saml/SAMLProviderForm.ts:212
 msgid "Session valid not on or after"
 msgstr "Session valid not on or after"
-#: src/pages/providers/proxy/ProxyProviderForm.ts:163
+#: src/pages/providers/proxy/ProxyProviderForm.ts:186
 msgid "Set HTTP-Basic Authentication"
 msgstr "Set HTTP-Basic Authentication"
-#: src/pages/providers/proxy/ProxyProviderForm.ts:166
+#: src/pages/providers/proxy/ProxyProviderForm.ts:189
 msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."
@ -2792,7 +2819,7 @@ msgstr "Shown as the Title in Flow pages."
 msgid "Sign up."
 msgstr "Sign up."
-#: src/pages/providers/saml/SAMLProviderForm.ts:238
+#: src/pages/providers/saml/SAMLProviderForm.ts:239
 #: src/pages/sources/saml/SAMLSourceForm.ts:195
 msgid "Signature algorithm"
 msgstr "Signature algorithm"
@ -2809,7 +2836,7 @@ msgstr "Signing keypair"
 msgid "Single Prompts that can be used for Prompt Stages."
 msgstr "Single Prompts that can be used for Prompt Stages."
-#: src/pages/providers/proxy/ProxyProviderForm.ts:150
+#: src/pages/providers/proxy/ProxyProviderForm.ts:173
 msgid "Skip path regex"
 msgstr "Skip path regex"
@ -2947,7 +2974,7 @@ msgstr "Stop impersonation"
 msgid "Subject"
 msgstr "Subject"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:198
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:208
 msgid "Subject mode"
 msgstr "Subject mode"
@ -3021,7 +3048,7 @@ msgid "Successfully created prompt."
 msgstr "Successfully created prompt."
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:49
-#: src/pages/providers/proxy/ProxyProviderForm.ts:49
+#: src/pages/providers/proxy/ProxyProviderForm.ts:51
 #: src/pages/providers/saml/SAMLProviderForm.ts:46
 msgid "Successfully created provider."
 msgstr "Successfully created provider."
@ -3157,7 +3184,7 @@ msgid "Successfully updated prompt."
 msgstr "Successfully updated prompt."
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:46
-#: src/pages/providers/proxy/ProxyProviderForm.ts:46
+#: src/pages/providers/proxy/ProxyProviderForm.ts:48
 #: src/pages/providers/saml/SAMLProviderForm.ts:43
 msgid "Successfully updated provider."
 msgstr "Successfully updated provider."
@ -3254,7 +3281,7 @@ msgstr "System Overview"
 msgid "System Tasks"
 msgstr "System Tasks"
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:92
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:91
 msgid "TLS Authentication Certificate"
 msgstr "TLS Authentication Certificate"
@ -3306,7 +3333,7 @@ msgstr "Text: Simple Text input"
 msgid "The URL \"{0}\" was not found."
 msgstr "The URL \"{0}\" was not found."
-#: src/pages/providers/proxy/ProxyProviderForm.ts:123
+#: src/pages/providers/proxy/ProxyProviderForm.ts:131
 msgid "The external URL you'll access the outpost at."
 msgstr "The external URL you'll access the outpost at."
@ -3395,7 +3422,7 @@ msgstr "Token count"
 msgid "Token expiry"
 msgstr "Token expiry"
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:144
 msgid "Token validity"
 msgstr "Token validity"
@ -3616,7 +3643,7 @@ msgstr "Update details"
 msgid "Update {0}"
 msgstr "Update {0}"
-#: src/pages/providers/proxy/ProxyProviderForm.ts:107
+#: src/pages/providers/proxy/ProxyProviderForm.ts:82
 msgid "Upstream host that the requests are forwarded to."
 msgstr "Upstream host that the requests are forwarded to."
@ -3702,11 +3729,11 @@ msgstr "User's avatar"
 msgid "User's display name."
 msgstr "User's display name."
-#: src/pages/providers/proxy/ProxyProviderForm.ts:67
+#: src/pages/providers/proxy/ProxyProviderForm.ts:69
 msgid "User/Group Attribute used for the password part of the HTTP-Basic Header."
 msgstr "User/Group Attribute used for the password part of the HTTP-Basic Header."
-#: src/pages/providers/proxy/ProxyProviderForm.ts:61
+#: src/pages/providers/proxy/ProxyProviderForm.ts:63
 msgid "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
 msgstr "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
@ -3747,7 +3774,7 @@ msgstr "Using source"
 msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
 msgstr "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
-#: src/pages/providers/proxy/ProxyProviderForm.ts:116
+#: src/pages/providers/proxy/ProxyProviderForm.ts:91
 msgid "Validate SSL Certificates of upstream servers."
 msgstr "Validate SSL Certificates of upstream servers."
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@ -13,6 +13,13 @@ msgstr ""
 "Language-Team: \n"
 "Plural-Forms: \n"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:141
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149
 #: src/pages/providers/saml/SAMLProviderForm.ts:202
 #: src/pages/stages/user_login/UserLoginStageForm.ts:71
 msgid "(Format: hours=-1;minutes=-2;seconds=-3)."
 msgstr ""
 #: src/pages/policies/BoundPoliciesList.ts:59
 msgid "-"
 msgstr ""
@ -68,6 +75,10 @@ msgstr ""
 msgid "Access Key"
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136
 msgid "Access code validity"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts:73
 msgid "Access token URL"
 msgstr ""
@ -106,7 +117,7 @@ msgid "Additional user DN, prepended to the Base DN."
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
-#: src/pages/providers/proxy/ProxyProviderForm.ts:130
+#: src/pages/providers/proxy/ProxyProviderForm.ts:153
 #: src/pages/providers/saml/SAMLProviderForm.ts:117
 #: src/pages/sources/saml/SAMLSourceForm.ts:134
 msgid "Advanced protocol settings"
@ -125,7 +136,7 @@ msgstr ""
 msgid "Alert"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:153
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:163
 msgid "Algorithm used to sign the JWT Tokens."
 msgstr ""
@ -216,7 +227,7 @@ msgstr ""
 msgid "Are you sure you want to update {0} \"{1}\"?"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:208
+#: src/pages/providers/saml/SAMLProviderForm.ts:209
 msgid "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
 msgstr ""
@ -224,11 +235,7 @@ msgstr ""
 msgid "Assertion valid not before"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:201
+#: src/pages/providers/saml/SAMLProviderForm.ts:205
 msgid "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)."
 msgstr ""
 #: src/pages/providers/saml/SAMLProviderForm.ts:204
 msgid "Assertion valid not on or after"
 msgstr ""
@ -294,7 +301,7 @@ msgid "Authorization URL"
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:62
-#: src/pages/providers/proxy/ProxyProviderForm.ts:80
+#: src/pages/providers/proxy/ProxyProviderForm.ts:104
 #: src/pages/providers/saml/SAMLProviderForm.ts:59
 #: src/pages/providers/saml/SAMLProviderImportForm.ts:44
 msgid "Authorization flow"
@ -338,19 +345,19 @@ msgstr ""
 msgid "Base DN"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:213
 msgid "Based on the Hashed User ID"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:209
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:219
 msgid "Based on the User's Email. This is recommended over the UPN method."
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:212
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:222
 msgid "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:206
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216
 msgid "Based on the username"
 msgstr ""
@ -389,7 +396,7 @@ msgstr ""
 msgid "Built-in"
 msgstr ""
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:89
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:88
 msgid "CA which the endpoint's Certificate is verified against. Can be left empty for no validation."
 msgstr ""
@ -422,7 +429,7 @@ msgid "Case insensitive matching"
 msgstr ""
 #: src/pages/crypto/CertificateKeyPairForm.ts:51
-#: src/pages/providers/proxy/ProxyProviderForm.ts:134
+#: src/pages/providers/proxy/ProxyProviderForm.ts:157
 msgid "Certificate"
 msgstr ""
@ -446,7 +453,7 @@ msgstr ""
 msgid "Certificate-Key Pairs"
 msgstr ""
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:106
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:104
 msgid "Certificate/Key used for authentication. Can be left empty for no authentication."
 msgstr ""
@ -586,11 +593,19 @@ msgstr ""
 msgid "Configure WebAuthn"
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:140
 msgid "Configure how long access codes are valid for."
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:148
 msgid "Configure how long refresh tokens and their id_tokens are valid for."
 msgstr ""
 #: src/pages/providers/saml/SAMLProviderForm.ts:193
 msgid "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:241
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:251
 msgid "Configure how the issuer field of the ID Token should be filled."
 msgstr ""
@ -598,7 +613,11 @@ msgstr ""
 msgid "Configure settings relevant to your user profile."
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216
+#: src/pages/providers/saml/SAMLProviderForm.ts:201
 msgid "Configure the maximum allowed time drift for an asseration."
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226
 msgid "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."
 msgstr ""
@ -840,7 +859,7 @@ msgstr ""
 msgid "Customisation"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:255
+#: src/pages/providers/saml/SAMLProviderForm.ts:256
 #: src/pages/sources/saml/SAMLSourceForm.ts:212
 msgid "DSA-SHA1"
 msgstr ""
@ -948,7 +967,7 @@ msgid "Determines how authentik sends the response back to the Service Provider.
 msgstr ""
 #: src/pages/stages/user_login/UserLoginStageForm.ts:70
-msgid "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)."
+msgid "Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed."
 msgstr ""
 #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:113
@ -959,7 +978,7 @@ msgstr ""
 msgid "Device name"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:219
+#: src/pages/providers/saml/SAMLProviderForm.ts:220
 #: src/pages/sources/saml/SAMLSourceForm.ts:176
 msgid "Digest algorithm"
 msgstr ""
@ -1002,7 +1021,7 @@ msgstr ""
 msgid "Dummy stage used for testing. Shows a simple continue button and always passes."
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:234
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:244
 msgid "Each provider has a different issuer, based on the application slug."
 msgstr ""
@ -1096,6 +1115,14 @@ msgstr ""
 msgid "Enable TOTP"
 msgstr ""
 #: src/pages/providers/proxy/ProxyProviderForm.ts:140
 msgid "Enable forward-auth mode"
 msgstr ""
 #: src/pages/providers/proxy/ProxyProviderForm.ts:144
 msgid "Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request."
 msgstr ""
 #: src/pages/policies/BoundPoliciesList.ts:41
 #: src/pages/policies/PolicyBindingForm.ts:199
 #: src/pages/sources/ldap/LDAPSourceForm.ts:69
@ -1254,7 +1281,7 @@ msgstr ""
 msgid "External Host"
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:119
+#: src/pages/providers/proxy/ProxyProviderForm.ts:127
 msgid "External host"
 msgstr ""
@ -1349,7 +1376,7 @@ msgid "Flow used by an authenticated user to configure this Stage. If empty, use
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:76
-#: src/pages/providers/proxy/ProxyProviderForm.ts:94
+#: src/pages/providers/proxy/ProxyProviderForm.ts:118
 #: src/pages/providers/saml/SAMLProviderForm.ts:73
 #: src/pages/providers/saml/SAMLProviderImportForm.ts:57
 msgid "Flow used when authorizing this provider."
@ -1443,15 +1470,15 @@ msgstr ""
 msgid "Groups"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:150
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:160
 msgid "HS256 (Symmetric Encryption)"
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:64
+#: src/pages/providers/proxy/ProxyProviderForm.ts:66
 msgid "HTTP-Basic Password Key"
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:58
+#: src/pages/providers/proxy/ProxyProviderForm.ts:60
 msgid "HTTP-Basic Username Key"
 msgstr ""
@ -1470,7 +1497,7 @@ msgstr ""
 #: src/pages/events/RuleForm.ts:93
 #: src/pages/groups/GroupForm.ts:131
 #: src/pages/outposts/OutpostForm.ts:98
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:178
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:188
 #: src/pages/providers/saml/SAMLProviderForm.ts:177
 #: src/pages/sources/ldap/LDAPSourceForm.ts:167
 #: src/pages/sources/ldap/LDAPSourceForm.ts:193
@ -1544,11 +1571,11 @@ msgstr ""
 msgid "In case you can't access any other method."
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:236
 msgid "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:223
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:233
 msgid "Include claims in id_token"
 msgstr ""
@ -1560,11 +1587,11 @@ msgstr ""
 msgid "Internal application name, used in URLs."
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:103
+#: src/pages/providers/proxy/ProxyProviderForm.ts:78
 msgid "Internal host"
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:113
+#: src/pages/providers/proxy/ProxyProviderForm.ts:88
 msgid "Internal host SSL Validation"
 msgstr ""
@ -1592,15 +1619,15 @@ msgstr ""
 msgid "Issuer"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:229
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:239
 msgid "Issuer mode"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:142
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152
 msgid "JWT Algorithm"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:195
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:205
 msgid "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
 msgstr ""
@ -1689,8 +1716,8 @@ msgstr ""
 #: src/pages/groups/GroupForm.ts:127
 #: src/pages/outposts/OutpostForm.ts:74
 #: src/pages/outposts/OutpostForm.ts:96
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:87
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:86
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:104
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:102
 #: src/pages/policies/PolicyBindingForm.ts:157
 #: src/pages/policies/PolicyBindingForm.ts:173
 #: src/pages/policies/PolicyBindingForm.ts:189
@ -1699,10 +1726,10 @@ msgstr ""
 #: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:108
 #: src/pages/property-mappings/PropertyMappingTestForm.ts:61
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:175
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:193
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
-#: src/pages/providers/proxy/ProxyProviderForm.ts:92
+#: src/pages/providers/proxy/ProxyProviderForm.ts:116
-#: src/pages/providers/proxy/ProxyProviderForm.ts:145
+#: src/pages/providers/proxy/ProxyProviderForm.ts:168
 #: src/pages/providers/saml/SAMLProviderForm.ts:71
 #: src/pages/providers/saml/SAMLProviderForm.ts:133
 #: src/pages/providers/saml/SAMLProviderForm.ts:149
@ -1872,7 +1899,7 @@ msgstr ""
 #: src/pages/providers/ProviderListPage.ts:52
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:56
 #: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:73
-#: src/pages/providers/proxy/ProxyProviderForm.ts:74
+#: src/pages/providers/proxy/ProxyProviderForm.ts:98
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:64
 #: src/pages/providers/saml/SAMLProviderForm.ts:53
 #: src/pages/providers/saml/SAMLProviderImportForm.ts:38
@ -2373,7 +2400,7 @@ msgid "Property mappings used to user creation."
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:81
-#: src/pages/providers/proxy/ProxyProviderForm.ts:99
+#: src/pages/providers/proxy/ProxyProviderForm.ts:123
 #: src/pages/providers/saml/SAMLProviderForm.ts:78
 #: src/pages/sources/oauth/OAuthSourceForm.ts:122
 #: src/pages/sources/saml/SAMLSourceForm.ts:76
@ -2432,30 +2459,30 @@ msgstr ""
 msgid "Publisher"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:147
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:157
 msgid "RS256 (Asymmetric Encryption)"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:181
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:191
 msgid "RSA Key"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:243
+#: src/pages/providers/saml/SAMLProviderForm.ts:244
 #: src/pages/sources/saml/SAMLSourceForm.ts:200
 msgid "RSA-SHA1"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:246
+#: src/pages/providers/saml/SAMLProviderForm.ts:247
 #: src/pages/sources/saml/SAMLSourceForm.ts:203
 msgid "RSA-SHA256"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:249
+#: src/pages/providers/saml/SAMLProviderForm.ts:250
 #: src/pages/sources/saml/SAMLSourceForm.ts:206
 msgid "RSA-SHA384"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:252
+#: src/pages/providers/saml/SAMLProviderForm.ts:253
 #: src/pages/sources/saml/SAMLSourceForm.ts:209
 msgid "RSA-SHA512"
 msgstr ""
@ -2504,7 +2531,7 @@ msgstr ""
 msgid "Register device"
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:153
+#: src/pages/providers/proxy/ProxyProviderForm.ts:176
 msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
 msgstr ""
@ -2583,22 +2610,22 @@ msgstr ""
 msgid "SAML Attribute Name"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:224
+#: src/pages/providers/saml/SAMLProviderForm.ts:225
 #: src/pages/sources/saml/SAMLSourceForm.ts:181
 msgid "SHA1"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:227
+#: src/pages/providers/saml/SAMLProviderForm.ts:228
 #: src/pages/sources/saml/SAMLSourceForm.ts:184
 msgid "SHA256"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:230
+#: src/pages/providers/saml/SAMLProviderForm.ts:231
 #: src/pages/sources/saml/SAMLSourceForm.ts:187
 msgid "SHA384"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:233
+#: src/pages/providers/saml/SAMLProviderForm.ts:234
 #: src/pages/sources/saml/SAMLSourceForm.ts:190
 msgid "SHA512"
 msgstr ""
@ -2629,7 +2656,7 @@ msgstr ""
 msgid "SSO URL"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:237
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:247
 msgid "Same identifier is used for all providers"
 msgstr ""
@ -2643,7 +2670,7 @@ msgstr ""
 #: src/elements/oauth/UserCodeList.ts:31
 #: src/elements/oauth/UserRefreshList.ts:31
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:156
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:166
 msgid "Scopes"
 msgstr ""
@ -2678,7 +2705,7 @@ msgstr ""
 msgid "Select users to add"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:177
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:187
 msgid "Select which scopes can be used by the client. The client stil has to specify the scope to access the data."
 msgstr ""
@ -2739,19 +2766,19 @@ msgstr ""
 msgid "Session duration"
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:215
+#: src/pages/providers/saml/SAMLProviderForm.ts:216
 msgid "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:211
+#: src/pages/providers/saml/SAMLProviderForm.ts:212
 msgid "Session valid not on or after"
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:163
+#: src/pages/providers/proxy/ProxyProviderForm.ts:186
 msgid "Set HTTP-Basic Authentication"
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:166
+#: src/pages/providers/proxy/ProxyProviderForm.ts:189
 msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
@ -2784,7 +2811,7 @@ msgstr ""
 msgid "Sign up."
 msgstr ""
-#: src/pages/providers/saml/SAMLProviderForm.ts:238
+#: src/pages/providers/saml/SAMLProviderForm.ts:239
 #: src/pages/sources/saml/SAMLSourceForm.ts:195
 msgid "Signature algorithm"
 msgstr ""
@ -2801,7 +2828,7 @@ msgstr ""
 msgid "Single Prompts that can be used for Prompt Stages."
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:150
+#: src/pages/providers/proxy/ProxyProviderForm.ts:173
 msgid "Skip path regex"
 msgstr ""
@ -2939,7 +2966,7 @@ msgstr ""
 msgid "Subject"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:198
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:208
 msgid "Subject mode"
 msgstr ""
@ -3013,7 +3040,7 @@ msgid "Successfully created prompt."
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:49
-#: src/pages/providers/proxy/ProxyProviderForm.ts:49
+#: src/pages/providers/proxy/ProxyProviderForm.ts:51
 #: src/pages/providers/saml/SAMLProviderForm.ts:46
 msgid "Successfully created provider."
 msgstr ""
@ -3149,7 +3176,7 @@ msgid "Successfully updated prompt."
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:46
-#: src/pages/providers/proxy/ProxyProviderForm.ts:46
+#: src/pages/providers/proxy/ProxyProviderForm.ts:48
 #: src/pages/providers/saml/SAMLProviderForm.ts:43
 msgid "Successfully updated provider."
 msgstr ""
@ -3246,7 +3273,7 @@ msgstr ""
 msgid "System Tasks"
 msgstr ""
-#: src/pages/outposts/ServiceConnectionDockerForm.ts:92
+#: src/pages/outposts/ServiceConnectionDockerForm.ts:91
 msgid "TLS Authentication Certificate"
 msgstr ""
@ -3298,7 +3325,7 @@ msgstr ""
 msgid "The URL \"{0}\" was not found."
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:123
+#: src/pages/providers/proxy/ProxyProviderForm.ts:131
 msgid "The external URL you'll access the outpost at."
 msgstr ""
@ -3383,7 +3410,7 @@ msgstr ""
 msgid "Token expiry"
 msgstr ""
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:144
 msgid "Token validity"
 msgstr ""
@ -3604,7 +3631,7 @@ msgstr ""
 msgid "Update {0}"
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:107
+#: src/pages/providers/proxy/ProxyProviderForm.ts:82
 msgid "Upstream host that the requests are forwarded to."
 msgstr ""
@ -3690,11 +3717,11 @@ msgstr ""
 msgid "User's display name."
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:67
+#: src/pages/providers/proxy/ProxyProviderForm.ts:69
 msgid "User/Group Attribute used for the password part of the HTTP-Basic Header."
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:61
+#: src/pages/providers/proxy/ProxyProviderForm.ts:63
 msgid "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used."
 msgstr ""
@ -3735,7 +3762,7 @@ msgstr ""
 msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
 msgstr ""
-#: src/pages/providers/proxy/ProxyProviderForm.ts:116
+#: src/pages/providers/proxy/ProxyProviderForm.ts:91
 msgid "Validate SSL Certificates of upstream servers."
 msgstr ""
--- a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
@ -129,11 +129,21 @@ export class OAuth2ProviderFormPage extends Form<OAuth2Provider> {
                    ${t`Advanced protocol settings`}
                </span>
                <div slot="body" class="pf-c-form">
                    <ak-form-element-horizontal
                        label=${t`Access code validity`}
                        ?required=${true}
                        name="accessCodeValidity">
                        <input type="text" value="${first(this.provider?.accessCodeValidity, "minutes=1")}" class="pf-c-form-control" required>
                        <p class="pf-c-form__helper-text">${t`Configure how long access codes are valid for.`}</p>
                        <p class="pf-c-form__helper-text">${t`(Format: hours=-1;minutes=-2;seconds=-3).`}</p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`Token validity`}
                        ?required=${true}
                        name="tokenValidity">
-                        <input type="text" value="${this.provider?.tokenValidity || "minutes=10"}" class="pf-c-form-control" required>
+                        <input type="text" value="${first(this.provider?.tokenValidity, "minutes=10")}" class="pf-c-form-control" required>
                        <p class="pf-c-form__helper-text">${t`Configure how long refresh tokens and their id_tokens are valid for.`}</p>
                        <p class="pf-c-form__helper-text">${t`(Format: hours=-1;minutes=-2;seconds=-3).`}</p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`JWT Algorithm`}
--- a/web/src/pages/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/pages/providers/proxy/ProxyProviderForm.ts
@ -19,6 +19,7 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
        }).then(provider => {
            this.provider = provider;
            this.showHttpBasic = first(provider.basicAuthEnabled, true);
            this.showInternalServer = first(!provider.forwardAuthMode, true);
        });
    }
@ -28,6 +29,9 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
    @property({type: Boolean})
    showHttpBasic = true;
    @property({type: Boolean})
    showInternalServer = true;
    getSuccessMessage(): string {
        if (this.provider) {
            return t`Successfully updated provider.`;
@ -67,6 +71,28 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
            </ak-form-element-horizontal>`;
    }
    renderInternalServer(): TemplateResult {
        if (!this.showInternalServer) {
            return html``;
        }
        return html`<ak-form-element-horizontal
                    label=${t`Internal host`}
                    ?required=${true}
                    name="internalHost">
                    <input type="text" value="${ifDefined(this.provider?.internalHost)}" class="pf-c-form-control" required>
                    <p class="pf-c-form__helper-text">${t`Upstream host that the requests are forwarded to.`}</p>
                </ak-form-element-horizontal>
                <ak-form-element-horizontal name="internalHostSslValidation">
                    <div class="pf-c-check">
                        <input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.internalHostSslValidation, true)}>
                        <label class="pf-c-check__label">
                            ${t`Internal host SSL Validation`}
                        </label>
                    </div>
                    <p class="pf-c-form__helper-text">${t`Validate SSL Certificates of upstream servers.`}</p>
                </ak-form-element-horizontal>`;
    }
    renderForm(): TemplateResult {
        return html`<form class="pf-c-form pf-m-horizontal">
            <ak-form-element-horizontal
@ -97,22 +123,6 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
                    ${t`Protocol settings`}
                </span>
                <div slot="body" class="pf-c-form">
                    <ak-form-element-horizontal
                        label=${t`Internal host`}
                        ?required=${true}
                        name="internalHost">
                        <input type="text" value="${ifDefined(this.provider?.internalHost)}" class="pf-c-form-control" required>
                        <p class="pf-c-form__helper-text">${t`Upstream host that the requests are forwarded to.`}</p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal name="internalHostSslValidation">
                        <div class="pf-c-check">
                            <input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.internalHostSslValidation, true)}>
                            <label class="pf-c-check__label">
                                ${t`Internal host SSL Validation`}
                            </label>
                        </div>
                        <p class="pf-c-form__helper-text">${t`Validate SSL Certificates of upstream servers.`}</p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`External host`}
                        ?required=${true}
@ -120,6 +130,21 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
                        <input type="text" value="${ifDefined(this.provider?.externalHost)}" class="pf-c-form-control" required>
                        <p class="pf-c-form__helper-text">${t`The external URL you'll access the outpost at.`}</p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal name="forwardAuthMode">
                        <div class="pf-c-check">
                            <input type="checkbox" class="pf-c-check__input" ?checked=${first(this.provider?.forwardAuthMode, false)} @change=${(ev: Event) => {
                                const el = ev.target as HTMLInputElement;
                                this.showInternalServer = !el.checked;
                            }}>
                            <label class="pf-c-check__label">
                                ${t`Enable forward-auth mode`}
                            </label>
                        </div>
                        <p class="pf-c-form__helper-text">
                            ${t`Enable this if you don't want to use this provider as a proxy, and want to use it with Traefik's forwardAuth or nginx's auth_request.`}
                        </p>
                    </ak-form-element-horizontal>
                    ${this.renderInternalServer()}
                </div>
            </ak-form-group>
--- a/web/src/pages/providers/saml/SAMLProviderForm.ts
+++ b/web/src/pages/providers/saml/SAMLProviderForm.ts
@ -189,7 +189,8 @@ export class SAMLProviderFormPage extends Form<SAMLProvider> {
                        ?required=${true}
                        name="assertionValidNotBefore">
                        <input type="text" value="${this.provider?.assertionValidNotBefore || "minutes=-5"}" class="pf-c-form-control" required>
-                        <p class="pf-c-form__helper-text">${t`Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3).`}</p>
+                        <p class="pf-c-form__helper-text">${t`Configure the maximum allowed time drift for an asseration.`}</p>
                        <p class="pf-c-form__helper-text">${t`(Format: hours=-1;minutes=-2;seconds=-3).`}</p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`Assertion valid not on or after`}
--- a/web/src/pages/stages/user_login/UserLoginStageForm.ts
+++ b/web/src/pages/stages/user_login/UserLoginStageForm.ts
@ -4,9 +4,9 @@ import { customElement, property } from "lit-element";
 import { html, TemplateResult } from "lit-html";
 import { DEFAULT_CONFIG } from "../../../api/Config";
 import { Form } from "../../../elements/forms/Form";
 import { ifDefined } from "lit-html/directives/if-defined";
 import "../../../elements/forms/HorizontalFormElement";
 import "../../../elements/forms/FormGroup";
 import { first } from "../../../utils";
@customElement("ak-stage-user-login-form")
 export class UserLoginStageForm extends Form<UserLoginStage> {
@ -52,7 +52,7 @@ export class UserLoginStageForm extends Form<UserLoginStage> {
                label=${t`Name`}
                ?required=${true}
                name="name">
-                <input type="text" value="${ifDefined(this.stage?.name || "")}" class="pf-c-form-control" required>
+                <input type="text" value="${first(this.stage?.name, "")}" class="pf-c-form-control" required>
            </ak-form-element-horizontal>
            <ak-form-group .expanded=${true}>
                <span slot="header">
@ -62,9 +62,10 @@ export class UserLoginStageForm extends Form<UserLoginStage> {
                    <ak-form-element-horizontal
                        label=${t`Session duration`}
                        ?required=${true}
-                        name="privateKey">
+                        name="sessionDuration">
-                        <input type="text" value="${ifDefined(this.stage?.sessionDuration || "seconds=0")}" class="pf-c-form-control" required>
+                        <input type="text" value="${first(this.stage?.sessionDuration, "seconds=0")}" class="pf-c-form-control" required>
-                        <p class="pf-c-form__helper-text">${t`Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3).`}</p>
+                        <p class="pf-c-form__helper-text">${t`Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed.`}</p>
                        <p class="pf-c-form__helper-text">${t`(Format: hours=-1;minutes=-2;seconds=-3).`}</p>
                    </ak-form-element-horizontal>
                </div>
            </ak-form-group>
--- a/website/docs/installation/beta.mdx
+++ b/website/docs/installation/beta.mdx
@ -20,7 +20,7 @@ Add the following block to your `.env` file:
 AUTHENTIK_IMAGE=docker.beryju.org/authentik/server
 AUTHENTIK_IMAGE_STATIC=docker.beryju.org/authentik/static
 AUTHENTIK_TAG=gh-next
-AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE=docker.beryju.org/authentik/outpost
+AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE=docker.beryju.org/authentik/outpost-%(type)s:gh-next
 ```
 Afterwards, run the upgrade commands from the latest releasae notes.
@ -32,7 +32,7 @@ Add the following block to your `values.yml` file:
 image:
  name: docker.beryju.org/authentik/server
  name_static: docker.beryju.org/authentik/static
-  name_outposts: docker.beryju.org/authentik/outpost
+  name_outposts: docker.beryju.org/authentik/outpost-%(type)s:gh-next
  tag: gh-next
  # pullPolicy: Always to ensure you always get the latest version
  pullPolicy: Always
--- a/website/docs/installation/kubernetes.md
+++ b/website/docs/installation/kubernetes.md
@ -37,7 +37,10 @@ It is also recommended to configure global email credentials. These are used by
 image:
  name: beryju/authentik
  name_static: beryju/authentik-static
-  name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
+  # Image used for managed outposts. Placeholders:
  # %(type)s: Outpost type; proxy, ldap, etc
  # %(version)s: Current version; 2021.4.1
  name_outposts: "beryju/authentik-%(type)s:%(version)s"
  tag: 2021.4.4
 serverReplicas: 1
--- a/website/docs/outposts/proxy.md
+++ b/website/docs/outposts/proxy.md
@ -1,16 +0,0 @@
 ---
 title: Proxy Outpost
 ---
 The proxy outpost sets the following headers:
 ```
 X-Auth-Username: akadmin # The username of the currently logged in user
 X-Forwarded-Email: root@localhost # The email address of the currently logged in user
 X-Forwarded-Preferred-Username: akadmin  # The username of the currently logged in user
 X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
 ```
 Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
 If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
--- a/website/docs/outposts/proxy.mdx
+++ b/website/docs/outposts/proxy.mdx
@ -0,0 +1,229 @@
 ---
 title: Proxy Outpost
 ---
 The proxy outpost sets the following headers:
 ```
 X-Auth-Username: akadmin # The username of the currently logged in user
 X-Forwarded-Email: root@localhost # The email address of the currently logged in user
 X-Forwarded-Preferred-Username: akadmin  # The username of the currently logged in user
 X-Forwarded-User: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
 ```
 Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
 If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.
 # Forward auth
 To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to enable `Enable forward-auth mode` on the provider.
 ## Nginx
 import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
 <Tabs
  defaultValue="standalone-nginx"
  values={[
    {label: 'Standalone nginx', value: 'standalone-nginx'},
    {label: 'Ingress', value: 'ingress'},
  ]}>
  <TabItem value="standalone-nginx">
 ```
    location /akprox {
        proxy_pass http://*ip of your outpost*:4180;
        proxy_set_header X-Forwarded-Host $http_host;
        error_page 401 = @akprox_signin;
    }
    location @akprox_signin {
      internal;
      add_header Set-Cookie $auth_cookie;
      return 302 /akprox/start?rd=$escaped_request_uri;
    }
    location / {
        auth_request /akprox/auth?nginx;
        # All your other options...
    }
 ```
  </TabItem>
  <TabItem value="ingress">
 Create a new ingress for the outpost
 ```yaml
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
  name: authentik-outpost
 spec:
  rules:
  - host: *external host that you configured in authentik*
    http:
      paths:
      - backend:
          serviceName: authentik-outpost-*uuid of the service generated by authentik*
          servicePort: 4180
        path: /akprox
 ```
 This ingress handles authentication requests, and the sign-in flow.
 Add these annotations to the ingress you want to protect
 ```yaml
 metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: http://*external host that you configured in authentik*:4180/akprox/auth?nginx
    nginx.ingress.kubernetes.io/auth-signin: http://*external host that you configured in authentik*:4180/akprox/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-snippet: |
       proxy_set_header X-Forwarded-Host $http_host;
 ```
  </TabItem>
 </Tabs>
 ## Traefik
 <Tabs
  defaultValue="standalone-traefik"
  values={[
    {label: 'Standalone traefik', value: 'standalone-traefik'},
    {label: 'docker-compose', value: 'docker-compose'},
    {label: 'Ingress', value: 'ingress'},
  ]}>
  <TabItem value="standalone-traefik">
 ```yaml
 http:
  middlewares:
    authentik:
      forwardAuth:
        address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
        trustForwardHeader: true
        authResponseHeaders:
          - Set-Cookie
          - X-Auth-Username
          - X-Forwarded-Email
          - X-Forwarded-Preferred-Username
          - X-Forwarded-User
  routers:
    default-router:
      rule: "Host(`*external host that you configured in authentik*`)"
      middlewares:
        - name: authentik
      priority: 10
      services: # Unchanged
    default-router-auth
      match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
      priority: 15
      services: http://*ip of your outpost*:4180/akprox
 ```
  </TabItem>
  <TabItem value="docker-compose">
 ```yaml
 version: '3.7'
 services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      traefik.enable: true
      traefik.http.routers.api.rule: Host(`traefik.example.com`)
      traefik.http.routers.api.entrypoints: https
      traefik.http.routers.api.service: api@internal
      traefik.http.routers.api.tls: true
    ports:
      - 80:80
      - 443:443
    command:
      - '--api'
      - '--log=true'
      - '--log.level=DEBUG'
      - '--log.filepath=/var/log/traefik.log'
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'
  authentik_proxy:
    image: beryju/authentik-proxy:2021.4.4
    ports:
      - 4180:4180
      - 4443:4443
    environment:
      AUTHENTIK_HOST: https://your-authentik.tld
      AUTHENTIK_INSECURE: "false"
      AUTHENTIK_TOKEN: token-generated-by-authentik
    labels:
      traefik.enable: true
      traefik.port: 4180
      traefik.http.routers.authentik.rule: Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)
      traefik.http.routers.authentik.entrypoints: https
      traefik.http.routers.authentik.tls: true
      traefik.http.middlewares.authentik.forwardauth.address: http://authentik_proxy:4180/akprox/auth?traefik
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-Auth-Username,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-User
    restart: unless-stopped
  whoami:
    image: containous/whoami
    labels:
      traefik.enable: true
      traefik.http.routers.whoami.rule: Host(`*external host that you configured in authentik*`)
      traefik.http.routers.whoami.entrypoints: https
      traefik.http.routers.whoami.tls: true
      traefik.http.routers.whoami.middlewares: authentik@docker
    restart: unless-stopped
 ```
  </TabItem>
  <TabItem value="ingress">
 Create a middleware:
 ```yaml
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: authentik
 spec:
  forwardAuth:
    address: http://authentik-outpost-*uuid of the service generated by authentik*:4180/akprox/auth?traefik
    trustForwardHeader: true
    authResponseHeaders:
      - Set-Cookie
      - X-Auth-Username
      - X-Forwarded-Email
      - X-Forwarded-Preferred-Username
      - X-Forwarded-User
 ```
 Add the following settings to your IngressRoute
 ```yaml
 spec:
  routes:
    - kind: Rule
      match: "Host(`*external host that you configured in authentik*`)"
      middlewares:
        - name: authentik
      priority: 10
      services: # Unchanged
    - kind: Rule
      match: "Host(`*external host that you configured in authentik*`) && PathPrefix(`/akprox/`)"
      priority: 15
      services:
        - kind: Service
          name: authentik-outpost-*uuid of the service generated by authentik*
          port: 4180
 ```
  </TabItem>
 </Tabs>
--- a/website/docs/releases/v2021.4.md
+++ b/website/docs/releases/v2021.4.md
@ -112,6 +112,22 @@ slug: "2021.4"
 - web/admin: only pre-select items when creating a new object
 - web/flows: fix Sentry not being loaded correctly
 ## Fixed in 2021.4.5
 - core: fix text on error pages being hard to read
 - outposts: only kill docker container if its running
 - root: add middleware to properly report websocket connection to sentry
 - root: don't use .error of structlog to not send to sentry
 - stages/email: catch ValueError when global email settings are invalid
 - stages/invitation: accept token from prompt_data
 - stages/invitation: fix token not being loaded correctly from query string
 - web: fix text-colour for form help text
 - web: ignore network errors for sentry
 - web/admin: don't show docker certs as required
 - web/flows: fix redirect loop when sentry is enabled on flow views
 - web/flows: include ShadyDOM, always enable ShadyDOM for flow interface, improve compatibility with password
 - web/flows/identification: fix phrasing account recovery
 ## Upgrading
 This release does not introduce any new requirements.
--- a/website/package-lock.json
+++ b/website/package-lock.json
--- a/website/package.json
+++ b/website/package.json
@ -11,7 +11,7 @@
        "serve": "docusaurus serve"
    },
    "dependencies": {
-        "@docusaurus/preset-classic": "2.0.0-alpha.73",
+        "@docusaurus/preset-classic": "2.0.0-alpha.74",
        "@mdx-js/react": "^1.6.22",
        "clsx": "^1.1.1",
        "postcss": "^8.2.13",