diff --git a/authentik/providers/oauth2/tests/test_introspect.py b/authentik/providers/oauth2/tests/test_introspect.py
index 40dea7bc5..83be7ff69 100644
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@@ -8,6 +8,7 @@ from django.urls import reverse
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id, generate_key
+from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
 from authentik.providers.oauth2.models import IDToken, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
@@ -57,6 +58,8 @@ class TesOAuth2Introspection(OAuthTestCase):
         self.assertJSONEqual(
             res.content.decode(),
             {
+                "acr": ACR_AUTHENTIK_DEFAULT,
+                "auth_time": None,
                 "aud": None,
                 "sub": "bar",
                 "exp": None,
@@ -64,6 +67,7 @@ class TesOAuth2Introspection(OAuthTestCase):
                 "iss": "foo",
                 "active": True,
                 "client_id": self.provider.client_id,
+                "scope": " ".join(self.token.scope),
             },
         )
 
diff --git a/authentik/providers/oauth2/views/introspection.py b/authentik/providers/oauth2/views/introspection.py
index 3a74d052d..d1a93a1f1 100644
--- a/authentik/providers/oauth2/views/introspection.py
+++ b/authentik/providers/oauth2/views/introspection.py
@@ -52,9 +52,8 @@ class TokenIntrospectionParams:
         if not provider:
             raise TokenIntrospectionError
 
-        try:
-            token: RefreshToken = RefreshToken.objects.get(provider=provider, **token_filter)
-        except RefreshToken.DoesNotExist:
+        token: RefreshToken = RefreshToken.objects.filter(provider=provider, **token_filter).first()
+        if not token:
             LOGGER.debug("Token does not exist", token=raw_token)
             raise TokenIntrospectionError()
 
@@ -74,15 +73,12 @@ class TokenIntrospectionView(View):
         """Introspection handler"""
         try:
             self.params = TokenIntrospectionParams.from_request(request)
-
-            response_dic = {}
+            response = {}
             if self.params.id_token:
-                token_dict = self.params.id_token.to_dict()
-                for k in ("aud", "sub", "exp", "iat", "iss"):
-                    response_dic[k] = token_dict[k]
-            response_dic["active"] = True
-            response_dic["client_id"] = self.params.token.provider.client_id
-
-            return TokenResponse(response_dic)
+                response.update(self.params.id_token.to_dict())
+            response["active"] = True
+            response["scope"] = " ".join(self.params.token.scope)
+            response["client_id"] = self.params.token.provider.client_id
+            return TokenResponse(response)
         except TokenIntrospectionError:
             return TokenResponse({"active": False})
diff --git a/authentik/providers/proxy/api.py b/authentik/providers/proxy/api.py
index 0054000f5..552badf58 100644
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@@ -37,6 +37,7 @@ class OpenIDConnectConfigurationSerializer(PassiveSerializer):
 class ProxyProviderSerializer(ProviderSerializer):
     """ProxyProvider Serializer"""
 
+    client_id = CharField(read_only=True)
     redirect_uris = CharField(read_only=True)
     outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
 
@@ -77,6 +78,7 @@ class ProxyProviderSerializer(ProviderSerializer):
 
         model = ProxyProvider
         fields = ProviderSerializer.Meta.fields + [
+            "client_id",
             "internal_host",
             "external_host",
             "internal_host_ssl_validation",
@@ -88,6 +90,7 @@ class ProxyProviderSerializer(ProviderSerializer):
             "mode",
             "redirect_uris",
             "cookie_domain",
+            "jwks_sources",
             "token_validity",
             "outpost_set",
         ]
diff --git a/authentik/providers/proxy/models.py b/authentik/providers/proxy/models.py
index 38fe5c171..687770874 100644
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@@ -126,6 +126,7 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
         """Ensure all OAuth2-related settings are correct"""
         self.client_type = ClientTypes.CONFIDENTIAL
         self.signing_key = None
+        self.include_claims_in_id_token = True
         scopes = ScopeMapping.objects.filter(
             managed__in=[
                 "goauthentik.io/providers/oauth2/scope-openid",
diff --git a/authentik/sources/oauth/api/source.py b/authentik/sources/oauth/api/source.py
index 9dce61578..ac7207790 100644
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@@ -1,5 +1,7 @@
 """OAuth Source Serializer"""
 from django.urls.base import reverse_lazy
+from django_filters.filters import BooleanFilter
+from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema, extend_schema_field
 from requests import RequestException
@@ -111,28 +113,44 @@ class OAuthSourceSerializer(SourceSerializer):
         extra_kwargs = {"consumer_secret": {"write_only": True}}
 
 
+class OAuthSourceFilter(FilterSet):
+    """OAuth Source filter set"""
+
+    has_jwks = BooleanFilter(label="Only return sources with JWKS data", method="filter_has_jwks")
+
+    # pylint: disable=unused-argument
+    def filter_has_jwks(self, queryset, name, value):  # pragma: no cover
+        """Only return sources with JWKS data"""
+        return queryset.exclude(oidc_jwks__iexact="{}")
+
+    class Meta:
+
+        model = OAuthSource
+        fields = [
+            "name",
+            "slug",
+            "enabled",
+            "authentication_flow",
+            "enrollment_flow",
+            "policy_engine_mode",
+            "user_matching_mode",
+            "provider_type",
+            "request_token_url",
+            "authorization_url",
+            "access_token_url",
+            "profile_url",
+            "consumer_key",
+            "additional_scopes",
+        ]
+
+
 class OAuthSourceViewSet(UsedByMixin, ModelViewSet):
     """Source Viewset"""
 
     queryset = OAuthSource.objects.all()
     serializer_class = OAuthSourceSerializer
     lookup_field = "slug"
-    filterset_fields = [
-        "name",
-        "slug",
-        "enabled",
-        "authentication_flow",
-        "enrollment_flow",
-        "policy_engine_mode",
-        "user_matching_mode",
-        "provider_type",
-        "request_token_url",
-        "authorization_url",
-        "access_token_url",
-        "profile_url",
-        "consumer_key",
-        "additional_scopes",
-    ]
+    filterset_class = OAuthSourceFilter
     search_fields = ["name", "slug"]
     ordering = ["name"]
 
diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index db67087a9..73e7d4f13 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -120,7 +120,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 	}))
 	mux.Use(func(inner http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			c, _ := a.getClaims(r)
+			c, _ := a.checkAuth(rw, r)
 			user := ""
 			if c != nil {
 				user = c.PreferredUsername
diff --git a/internal/outpost/proxyv2/application/auth.go b/internal/outpost/proxyv2/application/auth.go
new file mode 100644
index 000000000..1ccaa3999
--- /dev/null
+++ b/internal/outpost/proxyv2/application/auth.go
@@ -0,0 +1,78 @@
+package application
+
+import (
+	"fmt"
+	"net/http"
+
+	"goauthentik.io/internal/outpost/proxyv2/constants"
+)
+
+const HeaderAuthorization = "Authorization"
+const AuthBearer = "Bearer "
+
+// checkAuth Get claims which are currently in session
+// Returns an error if the session can't be loaded or the claims can't be parsed/type-cast
+func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claims, error) {
+	s, _ := a.sessions.Get(r, constants.SessionName)
+
+	c := a.getClaimsFromSession(r)
+	if c != nil {
+		return c, nil
+	}
+
+	if rw == nil {
+		return nil, fmt.Errorf("no response writer")
+	}
+	// Check bearer token if set
+	bearer := a.checkAuthHeaderBearer(r)
+	if bearer != "" {
+		a.log.Trace("checking bearer token")
+		tc := a.attemptBearerAuth(r, bearer)
+		if tc != nil {
+			s.Values[constants.SessionClaims] = tc.Claims
+			err := s.Save(r, rw)
+			if err != nil {
+				return nil, err
+			}
+			r.Header.Del(HeaderAuthorization)
+			return &tc.Claims, nil
+		}
+		a.log.Trace("no/invalid bearer token")
+	}
+	// Check basic auth if set
+	username, password, basicSet := r.BasicAuth()
+	if basicSet {
+		a.log.Trace("checking basic auth")
+		tc := a.attemptBasicAuth(username, password)
+		if tc != nil {
+			s.Values[constants.SessionClaims] = *tc
+			err := s.Save(r, rw)
+			if err != nil {
+				return nil, err
+			}
+			r.Header.Del(HeaderAuthorization)
+			return tc, nil
+		}
+		a.log.Trace("no/invalid basic auth")
+	}
+
+	return nil, fmt.Errorf("failed to get claims from session")
+}
+
+func (a *Application) getClaimsFromSession(r *http.Request) *Claims {
+	s, err := a.sessions.Get(r, constants.SessionName)
+	if err != nil {
+		// err == user has no session/session is not valid, reject
+		return nil
+	}
+	claims, ok := s.Values[constants.SessionClaims]
+	if claims == nil || !ok {
+		// no claims saved, reject
+		return nil
+	}
+	c, ok := claims.(Claims)
+	if !ok {
+		return nil
+	}
+	return &c
+}
diff --git a/internal/outpost/proxyv2/application/auth_basic.go b/internal/outpost/proxyv2/application/auth_basic.go
new file mode 100644
index 000000000..2cf2a5027
--- /dev/null
+++ b/internal/outpost/proxyv2/application/auth_basic.go
@@ -0,0 +1,59 @@
+package application
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type TokenResponse struct {
+	AccessToken string `json:"access_token"`
+	IDToken     string `json:"id_token"`
+}
+
+func (a *Application) attemptBasicAuth(username, password string) *Claims {
+	values := url.Values{
+		"grant_type": []string{"client_credentials"},
+		"client_id":  []string{a.oauthConfig.ClientID},
+		"username":   []string{username},
+		"password":   []string{password},
+		"scope":      []string{strings.Join(a.oauthConfig.Scopes, " ")},
+	}
+	req, err := http.NewRequest("POST", a.endpoint.TokenURL, strings.NewReader(values.Encode()))
+	if err != nil {
+		a.log.WithError(err).Warning("failed to create token request")
+		return nil
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	res, err := a.httpClient.Do(req)
+	if err != nil || res.StatusCode > 200 {
+		a.log.WithError(err).Warning("failed to send token request")
+		return nil
+	}
+	var token TokenResponse
+	err = json.NewDecoder(res.Body).Decode(&token)
+	if err != nil {
+		a.log.WithError(err).Warning("failed to parse token response")
+		return nil
+	}
+	// Parse and verify ID Token payload.
+	idToken, err := a.tokenVerifier.Verify(context.Background(), token.IDToken)
+	if err != nil {
+		a.log.WithError(err).Warning("failed to verify token")
+		return nil
+	}
+
+	// Extract custom claims
+	var claims *Claims
+	if err := idToken.Claims(&claims); err != nil {
+		a.log.WithError(err).Warning("failed to convert token to claims")
+		return nil
+	}
+	if claims.Proxy == nil {
+		claims.Proxy = &ProxyClaims{}
+	}
+	claims.RawToken = token.IDToken
+	return claims
+}
diff --git a/internal/outpost/proxyv2/application/auth_bearer.go b/internal/outpost/proxyv2/application/auth_bearer.go
new file mode 100644
index 000000000..7d188f990
--- /dev/null
+++ b/internal/outpost/proxyv2/application/auth_bearer.go
@@ -0,0 +1,62 @@
+package application
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+func (a *Application) checkAuthHeaderBearer(r *http.Request) string {
+	auth := r.Header.Get(HeaderAuthorization)
+	if auth == "" {
+		return ""
+	}
+	if len(auth) < len(AuthBearer) || !strings.EqualFold(auth[:len(AuthBearer)], AuthBearer) {
+		return ""
+	}
+	return auth[len(AuthBearer):]
+}
+
+type TokenIntrospectionResponse struct {
+	Claims
+	Scope    string `json:"scope"`
+	Active   bool   `json:"active"`
+	ClientID string `json:"client_id"`
+}
+
+func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse {
+	values := url.Values{
+		"client_id":     []string{a.oauthConfig.ClientID},
+		"client_secret": []string{a.oauthConfig.ClientSecret},
+		"token":         []string{token},
+	}
+	req, err := http.NewRequest("POST", a.endpoint.TokenIntrospection, strings.NewReader(values.Encode()))
+	if err != nil {
+		a.log.WithError(err).Warning("failed to create introspection request")
+		return nil
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	res, err := a.httpClient.Do(req)
+	if err != nil || res.StatusCode > 200 {
+		a.log.WithError(err).Warning("failed to send introspection request")
+		return nil
+	}
+	intro := TokenIntrospectionResponse{}
+	err = json.NewDecoder(res.Body).Decode(&intro)
+	if err != nil {
+		a.log.WithError(err).Warning("failed to parse introspection response")
+		return nil
+	}
+	if !intro.Active {
+		a.log.Warning("token is not active")
+		return nil
+	}
+	if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
+		a.log.Error("token missing openid or profile scope")
+		return nil
+	}
+	intro.RawToken = token
+	a.log.Trace("successfully introspected bearer token")
+	return &intro
+}
diff --git a/internal/outpost/proxyv2/application/endpoint.go b/internal/outpost/proxyv2/application/endpoint.go
index d82b43eaf..55c623d25 100644
--- a/internal/outpost/proxyv2/application/endpoint.go
+++ b/internal/outpost/proxyv2/application/endpoint.go
@@ -12,6 +12,7 @@ import (
 
 type OIDCEndpoint struct {
 	oauth2.Endpoint
+	TokenIntrospection string
 	EndSessionEndpoint string
 	JwksUri            string
 }
@@ -67,5 +68,6 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 	ep.AuthURL = authU.String()
 	ep.EndSessionEndpoint = endU.String()
 	ep.JwksUri = jwksU.String()
+	ep.TokenIntrospection = p.OidcConfiguration.IntrospectionEndpoint
 	return ep
 }
diff --git a/internal/outpost/proxyv2/application/error.go b/internal/outpost/proxyv2/application/error.go
index 56c922054..327e24a4f 100644
--- a/internal/outpost/proxyv2/application/error.go
+++ b/internal/outpost/proxyv2/application/error.go
@@ -14,7 +14,7 @@ type ErrorPageData struct {
 }
 
 func (a *Application) ErrorPage(rw http.ResponseWriter, r *http.Request, err string) {
-	claims, _ := a.getClaims(r)
+	claims, _ := a.checkAuth(rw, r)
 	data := ErrorPageData{
 		Title:       "Bad Gateway",
 		Message:     "Error proxying to upstream server",
diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index 8a0a61d21..5e30f1501 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -15,7 +15,6 @@ import (
 
 func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	// https://goauthentik.io/docs/providers/proxy/proxy
-
 	headers.Set("X-authentik-username", c.PreferredUsername)
 	headers.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
 	headers.Set("X-authentik-email", c.Email)
diff --git a/internal/outpost/proxyv2/application/mode_forward.go b/internal/outpost/proxyv2/application/mode_forward.go
index 37ba929fb..757d7fbe6 100644
--- a/internal/outpost/proxyv2/application/mode_forward.go
+++ b/internal/outpost/proxyv2/application/mode_forward.go
@@ -49,7 +49,7 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 		return
 	}
 	// Check if we're authenticated, or the request path is on the allowlist
-	claims, err := a.getClaims(r)
+	claims, err := a.checkAuth(rw, r)
 	if claims != nil && err == nil {
 		a.addHeaders(rw.Header(), claims)
 		rw.Header().Set("User-Agent", r.Header.Get("User-Agent"))
@@ -100,7 +100,7 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
 		return
 	}
 	// Check if we're authenticated, or the request path is on the allowlist
-	claims, err := a.getClaims(r)
+	claims, err := a.checkAuth(rw, r)
 	if claims != nil && err == nil {
 		a.addHeaders(rw.Header(), claims)
 		rw.Header().Set("User-Agent", r.Header.Get("User-Agent"))
@@ -139,7 +139,7 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
 		return
 	}
 
-	claims, err := a.getClaims(r)
+	claims, err := a.checkAuth(rw, r)
 	if claims != nil && err == nil {
 		a.addHeaders(rw.Header(), claims)
 		rw.Header().Set("User-Agent", r.Header.Get("User-Agent"))
@@ -175,7 +175,7 @@ func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request
 	r.URL.Host = r.Host
 	fwd := r.URL
 	// Check if we're authenticated, or the request path is on the allowlist
-	claims, err := a.getClaims(r)
+	claims, err := a.checkAuth(rw, r)
 	if claims != nil && err == nil {
 		a.addHeaders(rw.Header(), claims)
 		rw.Header().Set("User-Agent", r.Header.Get("User-Agent"))
diff --git a/internal/outpost/proxyv2/application/mode_proxy.go b/internal/outpost/proxyv2/application/mode_proxy.go
index af967e1e3..db534d914 100644
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@@ -33,10 +33,11 @@ func (a *Application) configureProxy() error {
 	rp.ErrorHandler = a.newProxyErrorHandler()
 	rp.ModifyResponse = a.proxyModifyResponse
 	a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		claims, err := a.getClaims(r)
+		claims, err := a.checkAuth(rw, r)
 		if claims == nil && a.IsAllowlisted(r.URL) {
 			a.log.Trace("path can be accessed without authentication")
 		} else if claims == nil && err != nil {
+			a.log.WithError(err).Trace("no claims")
 			a.redirectToStart(rw, r)
 			return
 		} else {
@@ -67,7 +68,7 @@ func (a *Application) configureProxy() error {
 func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 	return func(r *http.Request) {
 		r.Header.Set("X-Forwarded-Host", r.Host)
-		claims, _ := a.getClaims(r)
+		claims, _ := a.checkAuth(nil, r)
 		r.URL.Scheme = ou.Scheme
 		r.URL.Host = ou.Host
 		if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go
index 69b4f6495..19ab591cc 100644
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@@ -50,7 +50,7 @@ func (a *Application) handleAuthStart(rw http.ResponseWriter, r *http.Request) {
 	// and if we do we don't do anything here
 	currentState, ok := s.Values[constants.SessionOAuthState].(string)
 	if ok {
-		claims, err := a.getClaims(r)
+		claims, err := a.checkAuth(rw, r)
 		if err != nil && claims != nil {
 			a.log.Trace("auth start request with existing authenticated session")
 			a.redirect(rw, r)
diff --git a/internal/outpost/proxyv2/application/oauth_callback.go b/internal/outpost/proxyv2/application/oauth_callback.go
index 73dd6b618..36ec3a3a5 100644
--- a/internal/outpost/proxyv2/application/oauth_callback.go
+++ b/internal/outpost/proxyv2/application/oauth_callback.go
@@ -50,6 +50,9 @@ func (a *Application) redeemCallback(savedState string, u *url.URL, c context.Co
 	if err := idToken.Claims(&claims); err != nil {
 		return nil, err
 	}
+	if claims.Proxy == nil {
+		claims.Proxy = &ProxyClaims{}
+	}
 	claims.RawToken = rawIDToken
 	return claims, nil
 }
diff --git a/internal/outpost/proxyv2/application/utils.go b/internal/outpost/proxyv2/application/utils.go
index 79147d336..b0c946284 100644
--- a/internal/outpost/proxyv2/application/utils.go
+++ b/internal/outpost/proxyv2/application/utils.go
@@ -1,7 +1,6 @@
 package application
 
 import (
-	"fmt"
 	"net/http"
 	"net/url"
 	"path"
@@ -77,26 +76,6 @@ func (a *Application) redirect(rw http.ResponseWriter, r *http.Request) {
 	http.Redirect(rw, r, redirect, http.StatusFound)
 }
 
-// getClaims Get claims which are currently in session
-// Returns an error if the session can't be loaded or the claims can't be parsed/type-cast
-func (a *Application) getClaims(r *http.Request) (*Claims, error) {
-	s, err := a.sessions.Get(r, constants.SessionName)
-	if err != nil {
-		// err == user has no session/session is not valid, reject
-		return nil, fmt.Errorf("invalid session")
-	}
-	claims, ok := s.Values[constants.SessionClaims]
-	if claims == nil || !ok {
-		// no claims saved, reject
-		return nil, fmt.Errorf("invalid session")
-	}
-	c, ok := claims.(Claims)
-	if !ok {
-		return nil, fmt.Errorf("invalid session")
-	}
-	return &c, nil
-}
-
 // toString Generic to string function, currently supports actual strings and integers
 func toString(in interface{}) string {
 	switch v := in.(type) {
diff --git a/locale/en/LC_MESSAGES/django.po b/locale/en/LC_MESSAGES/django.po
index 4548fb733..747613c00 100644
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-01-11 13:08+0000\n"
+"POT-Creation-Date: 2023-01-13 14:37+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
-#: authentik/admin/api/tasks.py:115
+#: authentik/admin/api/tasks.py:126
 #, python-format
 msgid "Successfully re-scheduled Task %(name)s!"
 msgstr ""
@@ -952,11 +952,11 @@ msgstr ""
 msgid "authentik API Access on behalf of your user"
 msgstr ""
 
-#: authentik/providers/proxy/api.py:51
+#: authentik/providers/proxy/api.py:52
 msgid "User and password attributes must be set when basic auth is enabled."
 msgstr ""
 
-#: authentik/providers/proxy/api.py:61
+#: authentik/providers/proxy/api.py:62
 msgid "Internal host cannot be empty when forward auth is disabled."
 msgstr ""
 
@@ -991,11 +991,11 @@ msgstr ""
 msgid "HTTP-Basic Password Key"
 msgstr ""
 
-#: authentik/providers/proxy/models.py:151
+#: authentik/providers/proxy/models.py:152
 msgid "Proxy Provider"
 msgstr ""
 
-#: authentik/providers/proxy/models.py:152
+#: authentik/providers/proxy/models.py:153
 msgid "Proxy Providers"
 msgstr ""
 
diff --git a/schema.yml b/schema.yml
index 4db618ae8..e7064fdc1 100644
--- a/schema.yml
+++ b/schema.yml
@@ -16202,6 +16202,11 @@ paths:
         schema:
           type: string
           format: uuid
+      - in: query
+        name: has_jwks
+        schema:
+          type: boolean
+        description: Only return sources with JWKS data
       - in: query
         name: name
         schema:
@@ -34360,6 +34365,14 @@ components:
             Exclusive with internal_host.
         cookie_domain:
           type: string
+        jwks_sources:
+          type: array
+          items:
+            type: string
+            format: uuid
+            title: Any JWT signed by the JWK of the selected source can be used to
+              authenticate.
+          title: Any JWT signed by the JWK of the selected source can be used to authenticate.
         token_validity:
           type: string
           minLength: 1
@@ -35729,6 +35742,9 @@ components:
         meta_model_name:
           type: string
           readOnly: true
+        client_id:
+          type: string
+          readOnly: true
         internal_host:
           type: string
           format: uri
@@ -35771,6 +35787,14 @@ components:
           readOnly: true
         cookie_domain:
           type: string
+        jwks_sources:
+          type: array
+          items:
+            type: string
+            format: uuid
+            title: Any JWT signed by the JWK of the selected source can be used to
+              authenticate.
+          title: Any JWT signed by the JWK of the selected source can be used to authenticate.
         token_validity:
           type: string
           description: 'Tokens not valid on or after current time + this value (Format:
@@ -35784,6 +35808,7 @@ components:
       - assigned_application_name
       - assigned_application_slug
       - authorization_flow
+      - client_id
       - component
       - external_host
       - meta_model_name
@@ -35849,6 +35874,14 @@ components:
             Exclusive with internal_host.
         cookie_domain:
           type: string
+        jwks_sources:
+          type: array
+          items:
+            type: string
+            format: uuid
+            title: Any JWT signed by the JWK of the selected source can be used to
+              authenticate.
+          title: Any JWT signed by the JWK of the selected source can be used to authenticate.
         token_validity:
           type: string
           minLength: 1
diff --git a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
index 980253ef0..9158cde2b 100644
--- a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
@@ -400,6 +400,7 @@ ${this.instance?.redirectUris}</textarea
                                 new SourcesApi(DEFAULT_CONFIG)
                                     .sourcesOauthList({
                                         ordering: "name",
+                                        hasJwks: true,
                                     })
                                     .then((sources) => {
                                         return sources.results.map((source) => {
diff --git a/web/src/admin/providers/proxy/ProxyProviderForm.ts b/web/src/admin/providers/proxy/ProxyProviderForm.ts
index 62b3457dc..933e307ca 100644
--- a/web/src/admin/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderForm.ts
@@ -31,6 +31,7 @@ import {
     ProvidersApi,
     ProxyMode,
     ProxyProvider,
+    SourcesApi,
 } from "@goauthentik/api";
 
 @customElement("ak-provider-proxy-form")
@@ -385,7 +386,10 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
                         >
                         </ak-search-select>
                     </ak-form-element-horizontal>
-                    <ak-form-element-horizontal label=${t`Scopes`} name="propertyMappings">
+                    <ak-form-element-horizontal
+                        label=${t`Additional scopes`}
+                        name="propertyMappings"
+                    >
                         <select class="pf-c-form-control" multiple>
                             ${until(
                                 new PropertymappingsApi(DEFAULT_CONFIG)
@@ -440,7 +444,11 @@ ${this.instance?.skipPathRegex}</textarea
                             ${t`When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.`}
                         </p>
                     </ak-form-element-horizontal>
-
+                </div>
+            </ak-form-group>
+            <ak-form-group>
+                <span slot="header">${t`Authentication settings`}</span>
+                <div slot="body" class="pf-c-form">
                     <ak-form-element-horizontal name="basicAuthEnabled">
                         <label class="pf-c-switch">
                             <input
@@ -458,14 +466,47 @@ ${this.instance?.skipPathRegex}</textarea
                                 </span>
                             </span>
                             <span class="pf-c-switch__label"
-                                >${t`Set HTTP-Basic Authentication`}</span
+                                >${t`Send HTTP-Basic Authentication`}</span
                             >
                         </label>
                         <p class="pf-c-form__helper-text">
-                            ${t`Set a custom HTTP-Basic Authentication header based on values from authentik.`}
+                            ${t`Send a custom HTTP-Basic Authentication header based on values from authentik.`}
                         </p>
                     </ak-form-element-horizontal>
                     ${this.showHttpBasic ? this.renderHttpBasic() : html``}
+                    <ak-form-element-horizontal label=${t`Trusted OIDC Sources`} name="jwksSources">
+                        <select class="pf-c-form-control" multiple>
+                            ${until(
+                                new SourcesApi(DEFAULT_CONFIG)
+                                    .sourcesOauthList({
+                                        ordering: "name",
+                                        hasJwks: true,
+                                    })
+                                    .then((sources) => {
+                                        return sources.results.map((source) => {
+                                            const selected = (
+                                                this.instance?.jwksSources || []
+                                            ).some((su) => {
+                                                return su == source.pk;
+                                            });
+                                            return html`<option
+                                                value=${source.pk}
+                                                ?selected=${selected}
+                                            >
+                                                ${source.name} (${source.slug})
+                                            </option>`;
+                                        });
+                                    }),
+                                html`<option>${t`Loading...`}</option>`,
+                            )}
+                        </select>
+                        <p class="pf-c-form__helper-text">
+                            ${t`JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.`}
+                        </p>
+                        <p class="pf-c-form__helper-text">
+                            ${t`Hold control/command to select multiple items.`}
+                        </p>
+                    </ak-form-element-horizontal>
                 </div>
             </ak-form-group>
         </form>`;
diff --git a/web/src/admin/providers/proxy/ProxyProviderViewPage.ts b/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
index fbbbf165a..eed6cfc3c 100644
--- a/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
@@ -10,10 +10,12 @@ import MDNginxStandalone from "@goauthentik/docs/providers/proxy/_nginx_standalo
 import MDTraefikCompose from "@goauthentik/docs/providers/proxy/_traefik_compose.md";
 import MDTraefikIngress from "@goauthentik/docs/providers/proxy/_traefik_ingress.md";
 import MDTraefikStandalone from "@goauthentik/docs/providers/proxy/_traefik_standalone.md";
+import MDHeaderAuthentication from "@goauthentik/docs/providers/proxy/header_authentication.md";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/CodeMirror";
 import { PFColor } from "@goauthentik/elements/Label";
 import "@goauthentik/elements/Markdown";
+import "@goauthentik/elements/Markdown";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
@@ -32,6 +34,7 @@ import PFContent from "@patternfly/patternfly/components/Content/content.css";
 import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
 import PFForm from "@patternfly/patternfly/components/Form/form.css";
 import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
+import PFList from "@patternfly/patternfly/components/List/list.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
@@ -90,6 +93,7 @@ export class ProxyProviderViewPage extends AKElement {
             PFPage,
             PFGrid,
             PFContent,
+            PFList,
             PFForm,
             PFFormControl,
             PFCard,
@@ -182,6 +186,9 @@ export class ProxyProviderViewPage extends AKElement {
             <section slot="page-overview" data-tab-title="${t`Overview`}">
                 ${this.renderTabOverview()}
             </section>
+            <section slot="page-authentication" data-tab-title="${t`Authentication`}">
+                ${this.renderTabAuthentication()}
+            </section>
             <section
                 slot="page-changelog"
                 data-tab-title="${t`Changelog`}"
@@ -200,6 +207,37 @@ export class ProxyProviderViewPage extends AKElement {
         </ak-tabs>`;
     }
 
+    renderTabAuthentication(): TemplateResult {
+        if (!this.provider) {
+            return html``;
+        }
+        return html`<div
+            class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter"
+        >
+            <div class="pf-c-card pf-l-grid__item pf-m-12-col">
+                <div class="pf-c-card__body">
+                    <dl class="pf-c-description-list pf-m-3-col-on-lg">
+                        <div class="pf-c-description-list__group">
+                            <dt class="pf-c-description-list__term">
+                                <span class="pf-c-description-list__text">${t`Client ID`}</span>
+                            </dt>
+                            <dd class="pf-c-description-list__description">
+                                <div class="pf-c-description-list__text">
+                                    <pre>${this.provider.clientId}</pre>
+                                </div>
+                            </dd>
+                        </div>
+                    </dl>
+                </div>
+            </div>
+            <div class="pf-c-card pf-l-grid__item pf-m-12-col">
+                <div class="pf-c-card__body">
+                    <ak-markdown .md=${MDHeaderAuthentication}></ak-markdown>
+                </div>
+            </div>
+        </div>`;
+    }
+
     renderTabOverview(): TemplateResult {
         if (!this.provider) {
             return html``;
@@ -316,21 +354,24 @@ export class ProxyProviderViewPage extends AKElement {
                 <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                     <div class="pf-c-card__title">${t`Protocol Settings`}</div>
                     <div class="pf-c-card__body">
-                        <form class="pf-c-form">
-                            <div class="pf-c-form__group">
-                                <label class="pf-c-form__label">
-                                    <span class="pf-c-form__label-text"
+                        <dl class="pf-c-description-list pf-m-3-col-on-lg">
+                            <div class="pf-c-description-list__group">
+                                <dt class="pf-c-description-list__term">
+                                    <span class="pf-c-description-list__text"
                                         >${t`Allowed Redirect URIs`}</span
                                     >
-                                </label>
-                                <input
-                                    class="pf-c-form-control"
-                                    readonly
-                                    type="text"
-                                    value=${this.provider.redirectUris}
-                                />
+                                </dt>
+                                <dd class="pf-c-description-list__description">
+                                    <div class="pf-c-description-list__text">
+                                        <ul class="pf-c-list">
+                                            ${this.provider.redirectUris.split("\n").map((url) => {
+                                                return html`<li><pre>${url}</pre></li>`;
+                                            })}
+                                        </ul>
+                                    </div>
+                                </dd>
                             </div>
-                        </form>
+                        </dl>
                     </div>
                 </div>
                 <div class="pf-c-card pf-l-grid__item pf-m-12-col">
diff --git a/web/src/elements/Alert.ts b/web/src/elements/Alert.ts
index bdcd80379..d5c3dcfbe 100644
--- a/web/src/elements/Alert.ts
+++ b/web/src/elements/Alert.ts
@@ -27,9 +27,7 @@ export class Alert extends AKElement {
     }
 
     render(): TemplateResult {
-        return html`<div
-            class="pf-c-alert ${this.inline ? html`pf-m-inline` : html``} ${this.level}"
-        >
+        return html`<div class="pf-c-alert ${this.inline ? "pf-m-inline" : ""} ${this.level}">
             <div class="pf-c-alert__icon">
                 <i class="fas fa-exclamation-circle"></i>
             </div>
diff --git a/web/src/elements/Markdown.ts b/web/src/elements/Markdown.ts
index a40a3f809..1076f433f 100644
--- a/web/src/elements/Markdown.ts
+++ b/web/src/elements/Markdown.ts
@@ -1,5 +1,6 @@
 import { docLink } from "@goauthentik/common/global";
 import "@goauthentik/elements/Alert";
+import { Level } from "@goauthentik/elements/Alert";
 import { AKElement } from "@goauthentik/elements/Base";
 
 import { CSSResult, TemplateResult, html } from "lit";
@@ -40,9 +41,13 @@ export class Markdown extends AKElement {
     replaceAdmonitions(input: string): string {
         const admonitionStart = /:::(\w+)<br\s\/>/gm;
         const admonitionEnd = /:::/gm;
-        return input
-            .replaceAll(admonitionStart, "<ak-alert level='$1'>")
-            .replaceAll(admonitionEnd, "</ak-alert>");
+        return (
+            input
+                .replaceAll(admonitionStart, "<ak-alert level='pf-m-$1'>")
+                .replaceAll(admonitionEnd, "</ak-alert>")
+                // Workaround for admonitions using caution instead of warning
+                .replaceAll("pf-m-caution", Level.Warning)
+        );
     }
 
     replaceList(input: string): string {
diff --git a/web/src/locales/de.po b/web/src/locales/de.po
index 18467e36c..f00233be6 100644
--- a/web/src/locales/de.po
+++ b/web/src/locales/de.po
@@ -352,6 +352,10 @@ msgstr "Zusätzlicher Gruppen-DN, dem Basis-DN vorangestellt."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Zusätzliche Bereichszuordnungen, die an den Proxy übergeben werden."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "Zusätzliche Anwendungsbereiche (Scopes), die an den OAuth-Provider übergeben werden, getrennt durch ein Leerzeichen."
@@ -687,6 +691,7 @@ msgstr "Authentifizierung mit Plex..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Authentifizierung"
 
@@ -709,6 +714,10 @@ msgstr "Authentifizierungsablauf"
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1218,6 +1227,7 @@ msgstr "Token kopieren"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "Client-ID"
@@ -2108,6 +2118,10 @@ msgstr "Duo-Authentifikator"
 msgid "Duo push-notifications"
 msgstr "Duo Push-Benachrichtigungen"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Dauer, nach der ein Ereignis aus der Datenbank gelöscht wird."
@@ -2909,6 +2923,7 @@ msgstr "Interne Konten ausblenden"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3261,6 +3276,7 @@ msgstr ""
 #~ msgstr "JWTs, welche mit den hier konfigurierten Zertifikaten signiert werden, können zur Authentifizierung beim Provider benutzt werden."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3451,6 +3467,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5160,7 +5177,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Gültigkeitsbereich, den der Client angeben kann, um auf diese Eigenschaften zuzugreifen."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5314,6 +5330,14 @@ msgstr "Auswahl der Backends, mit denen das Kennwort getestet werden soll."
 msgid "Send Email again."
 msgstr "E-Mail erneut senden."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5402,12 +5426,12 @@ msgid "Sessions"
 msgstr "Sitzungen"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "HTTP-Basisauthentifizierung einstellen"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "HTTP-Basisauthentifizierung einstellen"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Legen Sie einen benutzerdefinierten HTTP-Basic Authentication-Header fest, der auf den Werten von authentik basiert."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "Legen Sie einen benutzerdefinierten HTTP-Basic Authentication-Header fest, der auf den Werten von authentik basiert."
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6540,6 +6564,7 @@ msgid "Transports"
 msgstr "Zustellungsarten"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
 
@@ -7623,6 +7648,10 @@ msgstr "{0} - {1} von {2}"
 msgid "{0} is available!"
 msgstr "{0} ist verfügbar!"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} ungelesen"
diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index 90a38714d..8a9435617 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -334,6 +334,10 @@ msgstr "Additional group DN, prepended to the Base DN."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Additional scope mappings, which are passed to the proxy."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr "Additional scopes"
+
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "Additional scopes to be passed to the OAuth Provider, separated by space."
@@ -673,6 +677,7 @@ msgstr "Authenticating with Plex..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Authentication"
 
@@ -695,6 +700,10 @@ msgstr "Authentication flow"
 msgid "Authentication method"
 msgstr "Authentication method"
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr "Authentication settings"
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr "Authentication without user interaction, or machine-to-machine authentication."
@@ -1214,6 +1223,7 @@ msgstr "Click to copy token"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "Client ID"
@@ -2130,6 +2140,10 @@ msgstr "Duo authenticator"
 msgid "Duo push-notifications"
 msgstr "Duo push-notifications"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr "Duration"
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Duration after which events will be deleted from the database."
@@ -2951,6 +2965,7 @@ msgstr "Hide service-accounts"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3313,6 +3328,7 @@ msgstr "JWKS URL"
 #~ msgstr "JWTs signed by certificates configured here can be used to authenticate to the provider."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 
@@ -3506,6 +3522,7 @@ msgstr "Loading options..."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5264,7 +5281,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Scope which the client can specify to access these properties."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5421,6 +5437,14 @@ msgstr "Selection of backends to test the password against."
 msgid "Send Email again."
 msgstr "Send Email again."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr "Send HTTP-Basic Authentication"
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr "Send a custom HTTP-Basic Authentication header based on values from authentik."
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5515,12 +5539,12 @@ msgid "Sessions"
 msgstr "Sessions"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "Set HTTP-Basic Authentication"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6688,6 +6712,7 @@ msgid "Transports"
 msgstr "Transports"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr "Trusted OIDC Sources"
 
@@ -7786,6 +7811,10 @@ msgstr "{0} - {1} of {2}"
 msgid "{0} is available!"
 msgstr "{0} is available!"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr "{0} seconds"
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} unread"
diff --git a/web/src/locales/es.po b/web/src/locales/es.po
index fe7729271..d759ad061 100644
--- a/web/src/locales/es.po
+++ b/web/src/locales/es.po
@@ -330,6 +330,10 @@ msgstr "DN de grupo adicional, antepuesto al DN base."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Mapeos de ámbito adicional, que se pasan al proxy."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "Ámbitos adicionales que se pasarán al proveedor de OAuth, separados por espacios."
@@ -665,6 +669,7 @@ msgstr "Autenticando con Plex..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Autenticación"
 
@@ -687,6 +692,10 @@ msgstr "Flujo de autenticación"
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1194,6 +1203,7 @@ msgstr "Haga clic para copiar el token"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "ID de cliente"
@@ -2084,6 +2094,10 @@ msgstr "Autenticador Duo"
 msgid "Duo push-notifications"
 msgstr "Notificaciones push Duo"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Duración tras la cual los eventos se eliminarán de la base de datos."
@@ -2885,6 +2899,7 @@ msgstr "Ocultar cuentas de servicio"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3237,6 +3252,7 @@ msgstr ""
 #~ msgstr ""
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3427,6 +3443,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5136,7 +5153,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Ámbito que el cliente puede especificar para acceder a estas propiedades."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5290,6 +5306,14 @@ msgstr "Selección de backends para probar la contraseña."
 msgid "Send Email again."
 msgstr "Vuelve a enviar el correo electrónico."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5378,12 +5402,12 @@ msgid "Sessions"
 msgstr "Sesiones"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "Establecer la autenticación básica de HTTP"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "Establecer la autenticación básica de HTTP"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Establezca un encabezado de autenticación básica HTTP personalizado en función de los valores de authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "Establezca un encabezado de autenticación básica HTTP personalizado en función de los valores de authentik."
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6516,6 +6540,7 @@ msgid "Transports"
 msgstr "Transportes"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
 
@@ -7599,6 +7624,10 @@ msgstr "{0} - {1} de {2}"
 msgid "{0} is available!"
 msgstr "{0} está disponible."
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} sin leer"
diff --git a/web/src/locales/fr_FR.po b/web/src/locales/fr_FR.po
index 886e884c3..3d16ffa33 100644
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@@ -335,6 +335,10 @@ msgstr "DN à préfixer au DN de base pour les groupes"
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr ""
@@ -670,6 +674,7 @@ msgstr "Authentification avec Plex..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Authentification"
 
@@ -692,6 +697,10 @@ msgstr "Flux d'authentification"
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1199,6 +1208,7 @@ msgstr "Cliquer pour copier le jeton"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "ID client"
@@ -2087,6 +2097,10 @@ msgstr "Authentificateur Duo"
 msgid "Duo push-notifications"
 msgstr "Notification push Duo"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Expiration des évènements à l'issue de laquelle ils seront supprimés de la base de donnée."
@@ -2888,6 +2902,7 @@ msgstr "Cacher les comptes de service"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3238,6 +3253,7 @@ msgstr ""
 #~ msgstr ""
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3428,6 +3444,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5137,7 +5154,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Portée que le client peut spécifier pour accéder à ces propriétés."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5291,6 +5307,14 @@ msgstr "Sélection de backends pour tester le mot de passe."
 msgid "Send Email again."
 msgstr "Renvoyer l’email."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5379,12 +5403,12 @@ msgid "Sessions"
 msgstr "Sessions"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "Définir l'authentification HTTP-Basic"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "Définir l'authentification HTTP-Basic"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Définir un en-tête d'authentification HTTP-Basic personnalisé basé sur les valeurs de authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "Définir un en-tête d'authentification HTTP-Basic personnalisé basé sur les valeurs de authentik."
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6507,6 +6531,7 @@ msgid "Transports"
 msgstr "Transports"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
 
@@ -7588,6 +7613,10 @@ msgstr "{0} - {1} sur {2}"
 msgid "{0} is available!"
 msgstr "{0} est disponible !"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} non lu"
diff --git a/web/src/locales/pl.po b/web/src/locales/pl.po
index 3af0f3cde..23d90f2db 100644
--- a/web/src/locales/pl.po
+++ b/web/src/locales/pl.po
@@ -334,6 +334,10 @@ msgstr "Dodatkowa DN grupy, poprzedzona podstawową DN."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Dodatkowe mapowania zakresu, które są przekazywane do serwera proxy."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "Dodatkowe zakresy do przekazania do dostawcy OAuth, oddzielone spacją."
@@ -669,6 +673,7 @@ msgstr "Uwierzytelnianie z Plex..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Uwierzytelnianie"
 
@@ -691,6 +696,10 @@ msgstr "Przepływ uwierzytelniania"
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1200,6 +1209,7 @@ msgstr "Kliknij, aby skopiować token"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "Client ID"
@@ -2090,6 +2100,10 @@ msgstr "Uwierzytelniacz Duo"
 msgid "Duo push-notifications"
 msgstr "Powiadomienia push Duo"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Czas, po którym zdarzenia zostaną usunięte z bazy danych."
@@ -2891,6 +2905,7 @@ msgstr "Ukryj konta serwisowe"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3245,6 +3260,7 @@ msgstr ""
 #~ msgstr "JWTs podpisane przez certyfikaty skonfigurowane tutaj mogą służyć do uwierzytelniania u dostawcy."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3435,6 +3451,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5146,7 +5163,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Zakres, który klient może określić, aby uzyskać dostęp do tych właściwości."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5300,6 +5316,14 @@ msgstr "Wybór backendów do testowania hasła."
 msgid "Send Email again."
 msgstr "Wyślij e-mail ponownie."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5388,12 +5412,12 @@ msgid "Sessions"
 msgstr "Sesje"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "Ustaw HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "Ustaw HTTP-Basic Authentication"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Ustaw niestandardowy nagłówek HTTP-Basic Authentication na podstawie wartości z authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "Ustaw niestandardowy nagłówek HTTP-Basic Authentication na podstawie wartości z authentik."
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6526,6 +6550,7 @@ msgid "Transports"
 msgstr "Transporty"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr "Zaufane źródła OIDC"
 
@@ -7611,6 +7636,10 @@ msgstr "{0} - {1} z {2}"
 msgid "{0} is available!"
 msgstr "{0} jest dostępny!"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} nieprzeczytane"
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index d124d46b3..14f6dcf87 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -330,6 +330,10 @@ msgstr ""
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr ""
@@ -665,6 +669,7 @@ msgstr ""
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr ""
 
@@ -687,6 +692,10 @@ msgstr ""
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1202,6 +1211,7 @@ msgstr ""
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr ""
@@ -2116,6 +2126,10 @@ msgstr ""
 msgid "Duo push-notifications"
 msgstr ""
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr ""
@@ -2937,6 +2951,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3295,6 +3310,7 @@ msgstr ""
 #~ msgstr ""
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3488,6 +3504,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5244,7 +5261,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr ""
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5401,6 +5417,14 @@ msgstr ""
 msgid "Send Email again."
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5495,12 +5519,12 @@ msgid "Sessions"
 msgstr ""
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr ""
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr ""
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr ""
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr ""
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6658,6 +6682,7 @@ msgid "Transports"
 msgstr ""
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
 
@@ -7750,6 +7775,10 @@ msgstr ""
 msgid "{0} is available!"
 msgstr ""
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr ""
diff --git a/web/src/locales/tr.po b/web/src/locales/tr.po
index 3b0b3508f..441c94c1d 100644
--- a/web/src/locales/tr.po
+++ b/web/src/locales/tr.po
@@ -330,6 +330,10 @@ msgstr "Ek grup DN, Base DN için eklenmiş."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Proxy'ye iletilen ek kapsam eşlemeleri."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "OAuth Sağlayıcıya iletilecek ek kapsamlar, boşlukla ayrılmış."
@@ -665,6 +669,7 @@ msgstr "Plex ile kimlik doğrulaması..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Kimlik Doğrulama"
 
@@ -687,6 +692,10 @@ msgstr "Kimlik doğrulama akışı"
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1194,6 +1203,7 @@ msgstr "Belirteci kopyalamak için tıklayın"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "Müşteri Kimliği"
@@ -2084,6 +2094,10 @@ msgstr "Duo kimlik doğrulayıcı"
 msgid "Duo push-notifications"
 msgstr "Duo push-bildirimleri"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Olayların veritabanından silineceği süre."
@@ -2885,6 +2899,7 @@ msgstr "Hizmet hesaplarını gizle"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3237,6 +3252,7 @@ msgstr ""
 #~ msgstr ""
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3427,6 +3443,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5136,7 +5153,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "İstemcinin bu özelliklere erişmek için belirtebileceği kapsam."
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5290,6 +5306,14 @@ msgstr "Parolayı test etmek için arka uçların seçimi."
 msgid "Send Email again."
 msgstr "E-postayı tekrar gönder."
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5378,12 +5402,12 @@ msgid "Sessions"
 msgstr "Oturumlar"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "HTTP-Temel Kimlik Doğrulamasını Ayarla"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "HTTP-Temel Kimlik Doğrulamasını Ayarla"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "authentik değerlerine göre özel bir HTTP-Basic Kimlik Doğrulama başlığı ayarlayın."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "authentik değerlerine göre özel bir HTTP-Basic Kimlik Doğrulama başlığı ayarlayın."
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6516,6 +6540,7 @@ msgid "Transports"
 msgstr "Aktarıcılar"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
 
@@ -7599,6 +7624,10 @@ msgstr "{2} içinden {0} - {1}"
 msgid "{0} is available!"
 msgstr "{0} kullanılabilir!"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} okunmamış"
diff --git a/web/src/locales/zh-Hans.po b/web/src/locales/zh-Hans.po
index 997e797d8..b20b3998a 100644
--- a/web/src/locales/zh-Hans.po
+++ b/web/src/locales/zh-Hans.po
@@ -336,6 +336,10 @@ msgstr "额外的组 DN，添加到 Base DN 起始处。"
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "传递给代理的额外作用域映射。"
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "要传递给 OAuth 提供商的额外作用域，用空格分隔。"
@@ -671,6 +675,7 @@ msgstr "正在使用 Plex 进行身份验证..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "身份验证"
 
@@ -693,6 +698,10 @@ msgstr "身份验证流程"
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1202,6 +1211,7 @@ msgstr "点击复制令牌"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "客户端 ID"
@@ -2092,6 +2102,10 @@ msgstr "Duo 身份验证器"
 msgid "Duo push-notifications"
 msgstr "Duo 推送通知"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "事件从数据库中删除的时间，超过这个时间就会被删除。"
@@ -2893,6 +2907,7 @@ msgstr "隐藏服务账户"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3245,6 +3260,7 @@ msgstr ""
 #~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3435,6 +3451,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5144,7 +5161,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "客户端可以指定的访问这些属性的范围。"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5298,6 +5314,14 @@ msgstr "选择用于测试密码的后端。"
 msgid "Send Email again."
 msgstr "再次发送电子邮件。"
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5386,12 +5410,12 @@ msgid "Sessions"
 msgstr "会话"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "设置 HTTP-Basic 身份验证"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "设置 HTTP-Basic 身份验证"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6524,6 +6548,7 @@ msgid "Transports"
 msgstr "传输"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr "信任的 OIDC 来源"
 
@@ -7609,6 +7634,10 @@ msgstr "{0} - {1} / {2}"
 msgid "{0} is available!"
 msgstr "{0} 可用！"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} 未读"
diff --git a/web/src/locales/zh-Hant.po b/web/src/locales/zh-Hant.po
index c480e80a9..f6f087f77 100644
--- a/web/src/locales/zh-Hant.po
+++ b/web/src/locales/zh-Hant.po
@@ -336,6 +336,10 @@ msgstr "额外的Group DN，优先于Base DN。"
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "传递给代理的其他作用域映射。"
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "要传递给 OAuth 提供程序的其他作用域，用空格分隔。"
@@ -671,6 +675,7 @@ msgstr "正在使用 Plex 进行身份验证..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "身份验证"
 
@@ -693,6 +698,10 @@ msgstr "身份验证流程"
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1202,6 +1211,7 @@ msgstr "点击复制令牌"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "客户端 ID"
@@ -2092,6 +2102,10 @@ msgstr "Duo 身份验证器"
 msgid "Duo push-notifications"
 msgstr "二重奏推送通知"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "事件将从数据库中删除的持续时间。"
@@ -2893,6 +2907,7 @@ msgstr "隐藏服务账户"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3245,6 +3260,7 @@ msgstr ""
 #~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3435,6 +3451,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5144,7 +5161,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "客户端可以指定的访问这些属性的范围。"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5298,6 +5314,14 @@ msgstr "选择用于测试密码的后端。"
 msgid "Send Email again."
 msgstr "再次发送电子邮件。"
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5386,12 +5410,12 @@ msgid "Sessions"
 msgstr "会话"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "设置 HTTP 基本身份验证"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "设置 HTTP 基本身份验证"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6524,6 +6548,7 @@ msgid "Transports"
 msgstr "传输"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
 
@@ -7609,6 +7634,10 @@ msgstr "{0} - {1} of {2}"
 msgid "{0} is available!"
 msgstr "{0} 可用！"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} 未读"
diff --git a/web/src/locales/zh_TW.po b/web/src/locales/zh_TW.po
index 8be28b729..03192f4b3 100644
--- a/web/src/locales/zh_TW.po
+++ b/web/src/locales/zh_TW.po
@@ -336,6 +336,10 @@ msgstr "额外的Group DN，优先于Base DN。"
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "传递给代理的其他作用域映射。"
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Additional scopes"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "要传递给 OAuth 提供程序的其他作用域，用空格分隔。"
@@ -671,6 +675,7 @@ msgstr "正在使用 Plex 进行身份验证..."
 
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "身份验证"
 
@@ -693,6 +698,10 @@ msgstr "身份验证流程"
 msgid "Authentication method"
 msgstr ""
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication settings"
+msgstr ""
+
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@@ -1202,6 +1211,7 @@ msgstr "点击复制令牌"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+#: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "客户端 ID"
@@ -2092,6 +2102,10 @@ msgstr "Duo 身份验证器"
 msgid "Duo push-notifications"
 msgstr "二重奏推送通知"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "Duration"
+msgstr ""
+
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "事件将从数据库中删除的持续时间。"
@@ -2893,6 +2907,7 @@ msgstr "隐藏服务账户"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -3245,6 +3260,7 @@ msgstr ""
 #~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
 
@@ -3435,6 +3451,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@@ -5144,7 +5161,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "客户端可以指定的访问这些属性的范围。"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-#: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@@ -5298,6 +5314,14 @@ msgstr "选择用于测试密码的后端。"
 msgid "Send Email again."
 msgstr "再次发送电子邮件。"
 
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send HTTP-Basic Authentication"
+msgstr ""
+
+#: src/admin/providers/proxy/ProxyProviderForm.ts
+msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
+msgstr ""
+
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@@ -5386,12 +5410,12 @@ msgid "Sessions"
 msgstr "会话"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
-msgstr "设置 HTTP 基本身份验证"
+#~ msgid "Set HTTP-Basic Authentication"
+#~ msgstr "设置 HTTP 基本身份验证"
 
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
 
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@@ -6524,6 +6548,7 @@ msgid "Transports"
 msgstr "传输"
 
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+#: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
 
@@ -7609,6 +7634,10 @@ msgstr "{0} - {1} of {2}"
 msgid "{0} is available!"
 msgstr "{0} 可用！"
 
+#: src/admin/system-tasks/SystemTaskListPage.ts
+msgid "{0} seconds"
+msgstr ""
+
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} 未读"
diff --git a/website/developer-docs/api/making-schema-changes.md b/website/developer-docs/api/making-schema-changes.md
index bdd1611f0..e9b70edfe 100644
--- a/website/developer-docs/api/making-schema-changes.md
+++ b/website/developer-docs/api/making-schema-changes.md
@@ -18,6 +18,6 @@ The web client is used by the web-interface and web-FlowExecutor to communicate
 
 Since the client is normally distributed as an npm package, running `make gen-client-ts` will overwrite the locally installed client with the newly built one.
 
-:::warning
+:::caution
 Running `npm i` in the `/web` folder after using `make gen-client-ts` will overwrite the custom client and revert to the upstream client.
 :::
diff --git a/website/developer-docs/blueprints/v1/tags.md b/website/developer-docs/blueprints/v1/tags.md
index 4bb54cd84..91e2c47c7 100644
--- a/website/developer-docs/blueprints/v1/tags.md
+++ b/website/developer-docs/blueprints/v1/tags.md
@@ -199,7 +199,7 @@ example:
 
 Full example:
 
-:::warning
+:::caution
 Note that an `!Enumeration` tag's iterable can never be an `!Item` or `!Value` tag with a depth of `0`. Minimum depth allowed is `1`. This is because a depth of `0` refers to the `!Enumeration` tag the `!Item` or `!Value` tag is in, and an `!Enumeration` tag cannot iterate over itself.
 :::
 
diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md
index fd41adbd9..edaac9f3b 100644
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@@ -297,6 +297,6 @@ Defaults to 4.
 
 To modify additional settings further than the options above allow, you can create a custom python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py)
 
-:::warning
+:::caution
 Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution.
 :::
diff --git a/website/docs/policies/expression.mdx b/website/docs/policies/expression.mdx
index 968613fe6..729f6e637 100644
--- a/website/docs/policies/expression.mdx
+++ b/website/docs/policies/expression.mdx
@@ -64,7 +64,7 @@ import Objects from "../expressions/_objects.md";
 
     -   `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)
 
-        :::warning
+        :::caution
         When a policy is executed in the context of a flow, this will be set to the user initiaing request, and will only be changed by a `user_login` stage. For that reason, using this value in authentication flow policies may not return the expected user. Use `context['pending_user']` instead; User Identification and other stages update this value during flow execution.
 
         If the user is not authenticated, this will be set to a user called _AnonymousUser_, which is an instance of [authentik.core.models.User](https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#django.contrib.auth.models.User) (authentik uses django-guardian for per-object permissions, [see](https://django-guardian.readthedocs.io/en/stable/)).
diff --git a/website/docs/providers/proxy/header_authentication.md b/website/docs/providers/proxy/header_authentication.md
new file mode 100644
index 000000000..67321924a
--- /dev/null
+++ b/website/docs/providers/proxy/header_authentication.md
@@ -0,0 +1,50 @@
+---
+title: Header authentication
+---
+
+### Send HTTP Basic authentication
+
+Proxy providers have the option to _Send HTTP-Basic Authentication_ to the upstream authentication. When the option in the provider is enabled, two attributes must be specified. These attributes are the keys of values which can be saved on a user or group level that contain the credentials.
+
+For example, with _HTTP-Basic Username Key_ set to `app_username` and _HTTP-Basic Password Key_ set to `app_password`, these attributes would have to be set either on a user or a group the user is member of:
+
+```yaml
+app_username: admin
+app_password: admin-password
+```
+
+These credentials are only retrieved when the user authenticates to the proxy.
+
+If the user does not have a matching attribute, authentik falls back to using the user's email address as username, and the password will be empty if not found.
+
+### Receiving HTTP Basic authentication
+
+:::info
+Requires authentik 2023.1
+:::
+
+Proxy providers can receive HTTP basic authentication credentials. The password is expected to be an _App password_, as the credentials are used internally with the [OAuth2 machine-to-machine authentication flow](../oauth2/client_credentials.md).
+
+Access control is done with the policies bound to the application being accessed.
+
+If the received credentials are invalid, a normal authentication flow is initiated. If the credentials are correct, the Authorization header is removed to prevent sending the credentials to the proxied application.
+
+:::danger
+It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.
+:::
+
+### Receiving HTTP Bearer authentication
+
+:::info
+Requires authentik 2023.1
+:::
+
+Proxy providers can receive HTTP bearer authentication credentials. The token is expected to be a JWT token issued for the proxy provider. This is described [here](../oauth2/client_credentials.md), using the _client_id_ value shown in the admin interface. Both static and JWT authentication methods are supported.
+
+Access control is done with the policies bound to the application being accessed.
+
+If the received credentials are invalid, a normal authentication flow is initiated. If the credentials are correct, the Authorization header is removed to prevent sending the credentials to the proxied application.
+
+:::caution
+It is recommended that the client sending requests with HTTP-Bearer authentication persists the cookies returned by the outpost. For bearer authentication this has a smaller impact than for Basic authentication, but each request is still verified with the authentik server.
+:::
diff --git a/website/docs/providers/proxy/index.md b/website/docs/providers/proxy/index.md
index e295d4e74..023852843 100644
--- a/website/docs/providers/proxy/index.md
+++ b/website/docs/providers/proxy/index.md
@@ -24,9 +24,12 @@ The proxy outpost sets the following user-specific headers:
 
     The hashed identifier of the currently logged in user.
 
-Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
+Additionally, you can set `additionalHeaders` attribute on groups or users to set additional headers:
 
-If you enable _Set HTTP-Basic Authentication_ option, the HTTP Authorization header is being set.
+```yaml
+additionalHeaders:
+    X-test-header: test-value
+```
 
 Besides these user-specific headers, some application specific headers are also set:
 
diff --git a/website/integrations/services/home-assistant/index.md b/website/integrations/services/home-assistant/index.md
index 11760e4b3..f95183283 100644
--- a/website/integrations/services/home-assistant/index.md
+++ b/website/integrations/services/home-assistant/index.md
@@ -12,7 +12,7 @@ From https://www.home-assistant.io/
 Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
 :::
 
-:::warning
+:::caution
 You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477).
 :::
 
diff --git a/website/integrations/services/jellyfin/index.md b/website/integrations/services/jellyfin/index.md
index faa6e496a..267209620 100644
--- a/website/integrations/services/jellyfin/index.md
+++ b/website/integrations/services/jellyfin/index.md
@@ -20,7 +20,7 @@ Jellyfin does not have any native external authentication support as of the writ
 Currently there are two plugins for Jelyfin that provide external authenticaion, an OIDC plugin and an LDAP plugin. This guide focuses on the use of the LDAP plugin.
 :::
 
-:::warning
+:::caution
 An LDAP outpost must be deployed to use the Jellyfin LDAP plugin
 :::
 
diff --git a/website/integrations/services/nextcloud/index.md b/website/integrations/services/nextcloud/index.md
index 095afb4c5..d108bf243 100644
--- a/website/integrations/services/nextcloud/index.md
+++ b/website/integrations/services/nextcloud/index.md
@@ -12,11 +12,11 @@ From https://en.wikipedia.org/wiki/Nextcloud
 Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
 :::
 
-:::warning
+:::caution
 This setup only works, when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
 :::
 
-:::warning
+:::info
 In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
 :::
 
diff --git a/website/integrations/services/node-red/index.md b/website/integrations/services/node-red/index.md
index f4d494925..5312fa99c 100644
--- a/website/integrations/services/node-red/index.md
+++ b/website/integrations/services/node-red/index.md
@@ -14,7 +14,7 @@ Node-RED is a programming tool for wiring together hardware devices, APIs and on
 It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette that can be deployed to its runtime in a single-click.
 :::
 
-:::warning
+:::caution
 This requires modification of the Node-RED settings.js and installing additional Passport-js packages, see [Securing Node-RED](https://nodered.org/docs/user-guide/runtime/securing-node-red#oauthopenid-based-authentication) documentation for further details.
 :::
 
diff --git a/website/integrations/services/paperless-ng/index.md b/website/integrations/services/paperless-ng/index.md
index af2c81a1f..5d1fd366b 100644
--- a/website/integrations/services/paperless-ng/index.md
+++ b/website/integrations/services/paperless-ng/index.md
@@ -12,7 +12,7 @@ Modified from https://github.com/jonaswinkler/paperless-ng
 Paperless-ng is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from the original Paperless that is no longer maintained.
 :::
 
-:::warning
+:::caution
 This setup uses HTTP headers to log you in simply by providing your username as a header. Your authentik username and Paperless username MUST match. If you intend for this to be accessed externally, this requires careful setup of your reverse proxy server to not forward these headers from other sources.
 
 The author of Paperless-ng recommends you do not expose Paperless outside your network, as it was not designed for that. Instead, they "recommend that if you do want to use it, run it locally on a server in your own home."
diff --git a/website/integrations/services/pfsense/index.md b/website/integrations/services/pfsense/index.md
index d1719c4cf..6a0eb85dc 100644
--- a/website/integrations/services/pfsense/index.md
+++ b/website/integrations/services/pfsense/index.md
@@ -59,7 +59,7 @@ In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` t
 
 ## pfSense unsecure setup (without SSL)
 
-:::warning
+:::caution
 This setup should only be used for testing purpose, because passwords will be sent in clear text to authentik.
 :::
 
diff --git a/website/integrations/services/proxmox-ve/index.md b/website/integrations/services/proxmox-ve/index.md
index 10476ef8e..8a8ad22cb 100644
--- a/website/integrations/services/proxmox-ve/index.md
+++ b/website/integrations/services/proxmox-ve/index.md
@@ -12,7 +12,7 @@ From https://pve.proxmox.com/wiki/Main_Page
 Proxmox Virtual Environment is an open source server virtualization management solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, highly available clusters, storage and networks with an integrated, easy-to-use web interface or via CLI. Proxmox VE code is licensed under the GNU Affero General Public License, version 3. The project is developed and maintained by Proxmox Server Solutions GmbH.
 :::
 
-:::warning
+:::caution
 This requires Proxmox VE 7.0 or newer.
 :::
 
diff --git a/website/integrations/services/qnap-nas/index.md b/website/integrations/services/qnap-nas/index.md
index 7fc30aa7c..7580dab95 100644
--- a/website/integrations/services/qnap-nas/index.md
+++ b/website/integrations/services/qnap-nas/index.md
@@ -38,7 +38,7 @@ Create a new service account for all of your hosts to use to connect
 to LDAP and perform searches. Make sure this service account is added
 to `ldap.searchGroup`.
 
-:::warning
+:::caution
 It seems that QNAP LDAP client configuration has issues with too long password.
 Max password length <= 66 characters.
 :::
@@ -111,7 +111,7 @@ Attributes:
 Configure the following values and "Apply"
 ![qnap domain security](./qnap-ldap-configuration.png)
 
-:::warning
+:::caution
 With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
 :::
 
diff --git a/website/integrations/services/snipe-it/index.md b/website/integrations/services/snipe-it/index.md
index 360d329a4..efcd6653f 100644
--- a/website/integrations/services/snipe-it/index.md
+++ b/website/integrations/services/snipe-it/index.md
@@ -11,11 +11,11 @@ From https://snipeitapp.com
 A free open source IT asset/license management system.
 :::
 
-:::warning
+:::caution
 This setup assumes you will be using HTTPS as Snipe-It dynamically generates the ACS and other settings based on the complete URL.
 :::
 
-:::warning
+:::caution
 In case something goes wrong with the configuration, you can use the URL `http://inventory.company/login?nosaml` to log in using the
 built-in authentication.
 :::
diff --git a/website/integrations/services/truecommand/index.md b/website/integrations/services/truecommand/index.md
index d30d02a46..ddff63582 100644
--- a/website/integrations/services/truecommand/index.md
+++ b/website/integrations/services/truecommand/index.md
@@ -14,7 +14,7 @@ e uptime and future planning. TrueCommand also identifies and pinpoints errors o
 me when resolving issues.
 :::
 
-:::warning
+:::caution
 This setup assumes you will be using HTTPS as TrueCommand generates ACS and Redirect URLs based on the complete URL.
 :::
 
diff --git a/website/integrations/services/ubuntu-landscape/index.md b/website/integrations/services/ubuntu-landscape/index.md
index b9590de9c..325e5330f 100644
--- a/website/integrations/services/ubuntu-landscape/index.md
+++ b/website/integrations/services/ubuntu-landscape/index.md
@@ -12,7 +12,7 @@ From https://en.wikipedia.org/wiki/Landscape_(software)
 Landscape is a systems management tool developed by Canonical. It can be run on-premises or in the cloud depending on the needs of the user. It is primarily designed for use with Ubuntu derivatives such as Desktop, Server, and Core.
 :::
 
-:::warning
+:::caution
 This requires authentik 0.10.3 or newer.
 :::
 
diff --git a/website/integrations/services/vmware-vcenter/index.md b/website/integrations/services/vmware-vcenter/index.md
index 348944eb1..cf377c2b9 100644
--- a/website/integrations/services/vmware-vcenter/index.md
+++ b/website/integrations/services/vmware-vcenter/index.md
@@ -12,11 +12,11 @@ From https://en.wikipedia.org/wiki/VCenter
 vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.
 :::
 
-:::warning
+:::caution
 This requires authentik 0.10.3 or newer.
 :::
 
-:::warning
+:::caution
 This requires VMware vCenter 7.0.0 or newer.
 :::
 
@@ -68,7 +68,7 @@ Create an application which uses this provider. Optionally apply access restrict
 
 Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in.
 
-:::warning
+:::caution
 This Launch URL only works for vCenter < 7.0u2. If you're running 7.0u2 or later, set the launch URL to `https://vcenter.company/ui/login`
 :::
 
diff --git a/website/integrations/sources/apple/index.md b/website/integrations/sources/apple/index.md
index a573322dc..a2120f65e 100644
--- a/website/integrations/sources/apple/index.md
+++ b/website/integrations/sources/apple/index.md
@@ -8,11 +8,11 @@ Allows users to authenticate using their Apple ID.
 
 ## Preparation
 
-:::warning
+:::caution
 An Apple developer account is required.
 :::
 
-:::warning
+:::caution
 Apple mandates the use of a [registered TLD](https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains), as such this source will not work with .local and other non-public TLDs.
 :::
 
diff --git a/website/sidebars.js b/website/sidebars.js
index 75fda36b0..0cb085903 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -64,6 +64,7 @@ module.exports = {
                     },
                     items: [
                         "providers/proxy/custom_headers",
+                        "providers/proxy/header_authentication",
                         "providers/proxy/forward_auth",
                     ],
                 },