providers/proxy: add initial header token auth (#4421)

* initial implementation Signed-off-by: Jens Langhammer <jens@goauthentik.io> * check for openid/profile claims Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include jwks sources in proxy provider Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add web ui for jwks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only show sources with JWKS data configured Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix introspection tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start basic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add basic auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs, update admonitions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add client_id to api, add tab for auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-13 16:22:03 +01:00 · 2023-01-13 16:22:03 +01:00 · cd12e177ea
parent 31c6ea9fda
commit cd12e177ea
54 changed files with 830 additions and 162 deletions
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@ -8,6 +8,7 @@ from django.urls import reverse
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
 from authentik.providers.oauth2.models import IDToken, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -57,6 +58,8 @@ class TesOAuth2Introspection(OAuthTestCase):
        self.assertJSONEqual(
            res.content.decode(),
            {
                "acr": ACR_AUTHENTIK_DEFAULT,
                "auth_time": None,
                "aud": None,
                "sub": "bar",
                "exp": None,
@ -64,6 +67,7 @@ class TesOAuth2Introspection(OAuthTestCase):
                "iss": "foo",
                "active": True,
                "client_id": self.provider.client_id,
                "scope": " ".join(self.token.scope),
            },
        )
--- a/authentik/providers/oauth2/views/introspection.py
+++ b/authentik/providers/oauth2/views/introspection.py
@ -52,9 +52,8 @@ class TokenIntrospectionParams:
        if not provider:
            raise TokenIntrospectionError
-        try:
+        token: RefreshToken = RefreshToken.objects.filter(provider=provider, **token_filter).first()
-            token: RefreshToken = RefreshToken.objects.get(provider=provider, **token_filter)
+        if not token:
        except RefreshToken.DoesNotExist:
            LOGGER.debug("Token does not exist", token=raw_token)
            raise TokenIntrospectionError()
@ -74,15 +73,12 @@ class TokenIntrospectionView(View):
        """Introspection handler"""
        try:
            self.params = TokenIntrospectionParams.from_request(request)
-
+            response = {}
            response_dic = {}
            if self.params.id_token:
-                token_dict = self.params.id_token.to_dict()
+                response.update(self.params.id_token.to_dict())
-                for k in ("aud", "sub", "exp", "iat", "iss"):
+            response["active"] = True
-                    response_dic[k] = token_dict[k]
+            response["scope"] = " ".join(self.params.token.scope)
-            response_dic["active"] = True
+            response["client_id"] = self.params.token.provider.client_id
-            response_dic["client_id"] = self.params.token.provider.client_id
+            return TokenResponse(response)
            return TokenResponse(response_dic)
        except TokenIntrospectionError:
            return TokenResponse({"active": False})
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -37,6 +37,7 @@ class OpenIDConnectConfigurationSerializer(PassiveSerializer):
 class ProxyProviderSerializer(ProviderSerializer):
    """ProxyProvider Serializer"""
    client_id = CharField(read_only=True)
    redirect_uris = CharField(read_only=True)
    outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
@ -77,6 +78,7 @@ class ProxyProviderSerializer(ProviderSerializer):
        model = ProxyProvider
        fields = ProviderSerializer.Meta.fields + [
            "client_id",
            "internal_host",
            "external_host",
            "internal_host_ssl_validation",
@ -88,6 +90,7 @@ class ProxyProviderSerializer(ProviderSerializer):
            "mode",
            "redirect_uris",
            "cookie_domain",
            "jwks_sources",
            "token_validity",
            "outpost_set",
        ]
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -126,6 +126,7 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
        """Ensure all OAuth2-related settings are correct"""
        self.client_type = ClientTypes.CONFIDENTIAL
        self.signing_key = None
        self.include_claims_in_id_token = True
        scopes = ScopeMapping.objects.filter(
            managed__in=[
                "goauthentik.io/providers/oauth2/scope-openid",
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -1,5 +1,7 @@
 """OAuth Source Serializer"""
 from django.urls.base import reverse_lazy
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema, extend_schema_field
 from requests import RequestException
@ -111,13 +113,20 @@ class OAuthSourceSerializer(SourceSerializer):
        extra_kwargs = {"consumer_secret": {"write_only": True}}
-class OAuthSourceViewSet(UsedByMixin, ModelViewSet):
+class OAuthSourceFilter(FilterSet):
-    """Source Viewset"""
+    """OAuth Source filter set"""
-    queryset = OAuthSource.objects.all()
+    has_jwks = BooleanFilter(label="Only return sources with JWKS data", method="filter_has_jwks")
-    serializer_class = OAuthSourceSerializer
+
-    lookup_field = "slug"
+    # pylint: disable=unused-argument
-    filterset_fields = [
+    def filter_has_jwks(self, queryset, name, value):  # pragma: no cover
        """Only return sources with JWKS data"""
        return queryset.exclude(oidc_jwks__iexact="{}")
    class Meta:
        model = OAuthSource
        fields = [
            "name",
            "slug",
            "enabled",
@ -133,6 +142,15 @@ class OAuthSourceViewSet(UsedByMixin, ModelViewSet):
            "consumer_key",
            "additional_scopes",
        ]
 class OAuthSourceViewSet(UsedByMixin, ModelViewSet):
    """Source Viewset"""
    queryset = OAuthSource.objects.all()
    serializer_class = OAuthSourceSerializer
    lookup_field = "slug"
    filterset_class = OAuthSourceFilter
    search_fields = ["name", "slug"]
    ordering = ["name"]
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -120,7 +120,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 	}))
 	mux.Use(func(inner http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			c, _ := a.getClaims(r)
+			c, _ := a.checkAuth(rw, r)
 			user := ""
 			if c != nil {
 				user = c.PreferredUsername
--- a/internal/outpost/proxyv2/application/auth.go
+++ b/internal/outpost/proxyv2/application/auth.go
@ -0,0 +1,78 @@
 package application
 import (
 	"fmt"
 	"net/http"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 )
 const HeaderAuthorization = "Authorization"
 const AuthBearer = "Bearer "
 // checkAuth Get claims which are currently in session
 // Returns an error if the session can't be loaded or the claims can't be parsed/type-cast
 func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claims, error) {
 	s, _ := a.sessions.Get(r, constants.SessionName)
 	c := a.getClaimsFromSession(r)
 	if c != nil {
 		return c, nil
 	}
 	if rw == nil {
 		return nil, fmt.Errorf("no response writer")
 	}
 	// Check bearer token if set
 	bearer := a.checkAuthHeaderBearer(r)
 	if bearer != "" {
 		a.log.Trace("checking bearer token")
 		tc := a.attemptBearerAuth(r, bearer)
 		if tc != nil {
 			s.Values[constants.SessionClaims] = tc.Claims
 			err := s.Save(r, rw)
 			if err != nil {
 				return nil, err
 			}
 			r.Header.Del(HeaderAuthorization)
 			return &tc.Claims, nil
 		}
 		a.log.Trace("no/invalid bearer token")
 	}
 	// Check basic auth if set
 	username, password, basicSet := r.BasicAuth()
 	if basicSet {
 		a.log.Trace("checking basic auth")
 		tc := a.attemptBasicAuth(username, password)
 		if tc != nil {
 			s.Values[constants.SessionClaims] = *tc
 			err := s.Save(r, rw)
 			if err != nil {
 				return nil, err
 			}
 			r.Header.Del(HeaderAuthorization)
 			return tc, nil
 		}
 		a.log.Trace("no/invalid basic auth")
 	}
 	return nil, fmt.Errorf("failed to get claims from session")
 }
 func (a *Application) getClaimsFromSession(r *http.Request) *Claims {
 	s, err := a.sessions.Get(r, constants.SessionName)
 	if err != nil {
 		// err == user has no session/session is not valid, reject
 		return nil
 	}
 	claims, ok := s.Values[constants.SessionClaims]
 	if claims == nil || !ok {
 		// no claims saved, reject
 		return nil
 	}
 	c, ok := claims.(Claims)
 	if !ok {
 		return nil
 	}
 	return &c
 }
--- a/internal/outpost/proxyv2/application/auth_basic.go
+++ b/internal/outpost/proxyv2/application/auth_basic.go
@ -0,0 +1,59 @@
 package application
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/url"
 	"strings"
 )
 type TokenResponse struct {
 	AccessToken string `json:"access_token"`
 	IDToken     string `json:"id_token"`
 }
 func (a *Application) attemptBasicAuth(username, password string) *Claims {
 	values := url.Values{
 		"grant_type": []string{"client_credentials"},
 		"client_id":  []string{a.oauthConfig.ClientID},
 		"username":   []string{username},
 		"password":   []string{password},
 		"scope":      []string{strings.Join(a.oauthConfig.Scopes, " ")},
 	}
 	req, err := http.NewRequest("POST", a.endpoint.TokenURL, strings.NewReader(values.Encode()))
 	if err != nil {
 		a.log.WithError(err).Warning("failed to create token request")
 		return nil
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	res, err := a.httpClient.Do(req)
 	if err != nil || res.StatusCode > 200 {
 		a.log.WithError(err).Warning("failed to send token request")
 		return nil
 	}
 	var token TokenResponse
 	err = json.NewDecoder(res.Body).Decode(&token)
 	if err != nil {
 		a.log.WithError(err).Warning("failed to parse token response")
 		return nil
 	}
 	// Parse and verify ID Token payload.
 	idToken, err := a.tokenVerifier.Verify(context.Background(), token.IDToken)
 	if err != nil {
 		a.log.WithError(err).Warning("failed to verify token")
 		return nil
 	}
 	// Extract custom claims
 	var claims *Claims
 	if err := idToken.Claims(&claims); err != nil {
 		a.log.WithError(err).Warning("failed to convert token to claims")
 		return nil
 	}
 	if claims.Proxy == nil {
 		claims.Proxy = &ProxyClaims{}
 	}
 	claims.RawToken = token.IDToken
 	return claims
 }
--- a/internal/outpost/proxyv2/application/auth_bearer.go
+++ b/internal/outpost/proxyv2/application/auth_bearer.go
@ -0,0 +1,62 @@
 package application
 import (
 	"encoding/json"
 	"net/http"
 	"net/url"
 	"strings"
 )
 func (a *Application) checkAuthHeaderBearer(r *http.Request) string {
 	auth := r.Header.Get(HeaderAuthorization)
 	if auth == "" {
 		return ""
 	}
 	if len(auth) < len(AuthBearer) || !strings.EqualFold(auth[:len(AuthBearer)], AuthBearer) {
 		return ""
 	}
 	return auth[len(AuthBearer):]
 }
 type TokenIntrospectionResponse struct {
 	Claims
 	Scope    string `json:"scope"`
 	Active   bool   `json:"active"`
 	ClientID string `json:"client_id"`
 }
 func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse {
 	values := url.Values{
 		"client_id":     []string{a.oauthConfig.ClientID},
 		"client_secret": []string{a.oauthConfig.ClientSecret},
 		"token":         []string{token},
 	}
 	req, err := http.NewRequest("POST", a.endpoint.TokenIntrospection, strings.NewReader(values.Encode()))
 	if err != nil {
 		a.log.WithError(err).Warning("failed to create introspection request")
 		return nil
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	res, err := a.httpClient.Do(req)
 	if err != nil || res.StatusCode > 200 {
 		a.log.WithError(err).Warning("failed to send introspection request")
 		return nil
 	}
 	intro := TokenIntrospectionResponse{}
 	err = json.NewDecoder(res.Body).Decode(&intro)
 	if err != nil {
 		a.log.WithError(err).Warning("failed to parse introspection response")
 		return nil
 	}
 	if !intro.Active {
 		a.log.Warning("token is not active")
 		return nil
 	}
 	if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
 		a.log.Error("token missing openid or profile scope")
 		return nil
 	}
 	intro.RawToken = token
 	a.log.Trace("successfully introspected bearer token")
 	return &intro
 }
--- a/internal/outpost/proxyv2/application/endpoint.go
+++ b/internal/outpost/proxyv2/application/endpoint.go
@ -12,6 +12,7 @@ import (
 type OIDCEndpoint struct {
 	oauth2.Endpoint
 	TokenIntrospection string
 	EndSessionEndpoint string
 	JwksUri            string
 }
@ -67,5 +68,6 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 	ep.AuthURL = authU.String()
 	ep.EndSessionEndpoint = endU.String()
 	ep.JwksUri = jwksU.String()
 	ep.TokenIntrospection = p.OidcConfiguration.IntrospectionEndpoint
 	return ep
 }
--- a/internal/outpost/proxyv2/application/error.go
+++ b/internal/outpost/proxyv2/application/error.go
@ -14,7 +14,7 @@ type ErrorPageData struct {
 }
 func (a *Application) ErrorPage(rw http.ResponseWriter, r *http.Request, err string) {
-	claims, _ := a.getClaims(r)
+	claims, _ := a.checkAuth(rw, r)
 	data := ErrorPageData{
 		Title:       "Bad Gateway",
 		Message:     "Error proxying to upstream server",
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@ -15,7 +15,6 @@ import (
 func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	// https://goauthentik.io/docs/providers/proxy/proxy
 	headers.Set("X-authentik-username", c.PreferredUsername)
 	headers.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
 	headers.Set("X-authentik-email", c.Email)
--- a/internal/outpost/proxyv2/application/mode_forward.go
+++ b/internal/outpost/proxyv2/application/mode_forward.go
@ -49,7 +49,7 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 		return
 	}
 	// Check if we're authenticated, or the request path is on the allowlist
-	claims, err := a.getClaims(r)
+	claims, err := a.checkAuth(rw, r)
 	if claims != nil && err == nil {
 		a.addHeaders(rw.Header(), claims)
 		rw.Header().Set("User-Agent", r.Header.Get("User-Agent"))
@ -100,7 +100,7 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
 		return
 	}
 	// Check if we're authenticated, or the request path is on the allowlist
-	claims, err := a.getClaims(r)
+	claims, err := a.checkAuth(rw, r)
 	if claims != nil && err == nil {
 		a.addHeaders(rw.Header(), claims)
 		rw.Header().Set("User-Agent", r.Header.Get("User-Agent"))
@ -139,7 +139,7 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
 		return
 	}
-	claims, err := a.getClaims(r)
+	claims, err := a.checkAuth(rw, r)
 	if claims != nil && err == nil {
 		a.addHeaders(rw.Header(), claims)
 		rw.Header().Set("User-Agent", r.Header.Get("User-Agent"))
@ -175,7 +175,7 @@ func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request
 	r.URL.Host = r.Host
 	fwd := r.URL
 	// Check if we're authenticated, or the request path is on the allowlist
-	claims, err := a.getClaims(r)
+	claims, err := a.checkAuth(rw, r)
 	if claims != nil && err == nil {
 		a.addHeaders(rw.Header(), claims)
 		rw.Header().Set("User-Agent", r.Header.Get("User-Agent"))
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@ -33,10 +33,11 @@ func (a *Application) configureProxy() error {
 	rp.ErrorHandler = a.newProxyErrorHandler()
 	rp.ModifyResponse = a.proxyModifyResponse
 	a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		claims, err := a.getClaims(r)
+		claims, err := a.checkAuth(rw, r)
 		if claims == nil && a.IsAllowlisted(r.URL) {
 			a.log.Trace("path can be accessed without authentication")
 		} else if claims == nil && err != nil {
 			a.log.WithError(err).Trace("no claims")
 			a.redirectToStart(rw, r)
 			return
 		} else {
@ -67,7 +68,7 @@ func (a *Application) configureProxy() error {
 func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 	return func(r *http.Request) {
 		r.Header.Set("X-Forwarded-Host", r.Host)
-		claims, _ := a.getClaims(r)
+		claims, _ := a.checkAuth(nil, r)
 		r.URL.Scheme = ou.Scheme
 		r.URL.Host = ou.Host
 		if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@ -50,7 +50,7 @@ func (a *Application) handleAuthStart(rw http.ResponseWriter, r *http.Request) {
 	// and if we do we don't do anything here
 	currentState, ok := s.Values[constants.SessionOAuthState].(string)
 	if ok {
-		claims, err := a.getClaims(r)
+		claims, err := a.checkAuth(rw, r)
 		if err != nil && claims != nil {
 			a.log.Trace("auth start request with existing authenticated session")
 			a.redirect(rw, r)
--- a/internal/outpost/proxyv2/application/oauth_callback.go
+++ b/internal/outpost/proxyv2/application/oauth_callback.go
@ -50,6 +50,9 @@ func (a *Application) redeemCallback(savedState string, u *url.URL, c context.Co
 	if err := idToken.Claims(&claims); err != nil {
 		return nil, err
 	}
 	if claims.Proxy == nil {
 		claims.Proxy = &ProxyClaims{}
 	}
 	claims.RawToken = rawIDToken
 	return claims, nil
 }
--- a/internal/outpost/proxyv2/application/utils.go
+++ b/internal/outpost/proxyv2/application/utils.go
@ -1,7 +1,6 @@
 package application
 import (
 	"fmt"
 	"net/http"
 	"net/url"
 	"path"
@ -77,26 +76,6 @@ func (a *Application) redirect(rw http.ResponseWriter, r *http.Request) {
 	http.Redirect(rw, r, redirect, http.StatusFound)
 }
 // getClaims Get claims which are currently in session
 // Returns an error if the session can't be loaded or the claims can't be parsed/type-cast
 func (a *Application) getClaims(r *http.Request) (*Claims, error) {
 	s, err := a.sessions.Get(r, constants.SessionName)
 	if err != nil {
 		// err == user has no session/session is not valid, reject
 		return nil, fmt.Errorf("invalid session")
 	}
 	claims, ok := s.Values[constants.SessionClaims]
 	if claims == nil || !ok {
 		// no claims saved, reject
 		return nil, fmt.Errorf("invalid session")
 	}
 	c, ok := claims.(Claims)
 	if !ok {
 		return nil, fmt.Errorf("invalid session")
 	}
 	return &c, nil
 }
 // toString Generic to string function, currently supports actual strings and integers
 func toString(in interface{}) string {
 	switch v := in.(type) {
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-01-11 13:08+0000\n"
+"POT-Creation-Date: 2023-01-13 14:37+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -18,7 +18,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-#: authentik/admin/api/tasks.py:115
+#: authentik/admin/api/tasks.py:126
 #, python-format
 msgid "Successfully re-scheduled Task %(name)s!"
 msgstr ""
@ -952,11 +952,11 @@ msgstr ""
 msgid "authentik API Access on behalf of your user"
 msgstr ""
-#: authentik/providers/proxy/api.py:51
+#: authentik/providers/proxy/api.py:52
 msgid "User and password attributes must be set when basic auth is enabled."
 msgstr ""
-#: authentik/providers/proxy/api.py:61
+#: authentik/providers/proxy/api.py:62
 msgid "Internal host cannot be empty when forward auth is disabled."
 msgstr ""
@ -991,11 +991,11 @@ msgstr ""
 msgid "HTTP-Basic Password Key"
 msgstr ""
-#: authentik/providers/proxy/models.py:151
+#: authentik/providers/proxy/models.py:152
 msgid "Proxy Provider"
 msgstr ""
-#: authentik/providers/proxy/models.py:152
+#: authentik/providers/proxy/models.py:153
 msgid "Proxy Providers"
 msgstr ""
--- a/schema.yml
+++ b/schema.yml
@ -16202,6 +16202,11 @@ paths:
        schema:
          type: string
          format: uuid
      - in: query
        name: has_jwks
        schema:
          type: boolean
        description: Only return sources with JWKS data
      - in: query
        name: name
        schema:
@ -34360,6 +34365,14 @@ components:
            Exclusive with internal_host.
        cookie_domain:
          type: string
        jwks_sources:
          type: array
          items:
            type: string
            format: uuid
            title: Any JWT signed by the JWK of the selected source can be used to
              authenticate.
          title: Any JWT signed by the JWK of the selected source can be used to authenticate.
        token_validity:
          type: string
          minLength: 1
@ -35729,6 +35742,9 @@ components:
        meta_model_name:
          type: string
          readOnly: true
        client_id:
          type: string
          readOnly: true
        internal_host:
          type: string
          format: uri
@ -35771,6 +35787,14 @@ components:
          readOnly: true
        cookie_domain:
          type: string
        jwks_sources:
          type: array
          items:
            type: string
            format: uuid
            title: Any JWT signed by the JWK of the selected source can be used to
              authenticate.
          title: Any JWT signed by the JWK of the selected source can be used to authenticate.
        token_validity:
          type: string
          description: 'Tokens not valid on or after current time + this value (Format:
@ -35784,6 +35808,7 @@ components:
      - assigned_application_name
      - assigned_application_slug
      - authorization_flow
      - client_id
      - component
      - external_host
      - meta_model_name
@ -35849,6 +35874,14 @@ components:
            Exclusive with internal_host.
        cookie_domain:
          type: string
        jwks_sources:
          type: array
          items:
            type: string
            format: uuid
            title: Any JWT signed by the JWK of the selected source can be used to
              authenticate.
          title: Any JWT signed by the JWK of the selected source can be used to authenticate.
        token_validity:
          type: string
          minLength: 1
--- a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -400,6 +400,7 @@ ${this.instance?.redirectUris}</textarea
                                new SourcesApi(DEFAULT_CONFIG)
                                    .sourcesOauthList({
                                        ordering: "name",
                                        hasJwks: true,
                                    })
                                    .then((sources) => {
                                        return sources.results.map((source) => {
--- a/web/src/admin/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderForm.ts
@ -31,6 +31,7 @@ import {
    ProvidersApi,
    ProxyMode,
    ProxyProvider,
    SourcesApi,
 } from "@goauthentik/api";
@customElement("ak-provider-proxy-form")
@ -385,7 +386,10 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
                        >
                        </ak-search-select>
                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal label=${t`Scopes`} name="propertyMappings">
+                    <ak-form-element-horizontal
                        label=${t`Additional scopes`}
                        name="propertyMappings"
                    >
                        <select class="pf-c-form-control" multiple>
                            ${until(
                                new PropertymappingsApi(DEFAULT_CONFIG)
@ -440,7 +444,11 @@ ${this.instance?.skipPathRegex}</textarea
                            ${t`When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.`}
                        </p>
                    </ak-form-element-horizontal>
-
+                </div>
            </ak-form-group>
            <ak-form-group>
                <span slot="header">${t`Authentication settings`}</span>
                <div slot="body" class="pf-c-form">
                    <ak-form-element-horizontal name="basicAuthEnabled">
                        <label class="pf-c-switch">
                            <input
@ -458,14 +466,47 @@ ${this.instance?.skipPathRegex}</textarea
                                </span>
                            </span>
                            <span class="pf-c-switch__label"
-                                >${t`Set HTTP-Basic Authentication`}</span
+                                >${t`Send HTTP-Basic Authentication`}</span
                            >
                        </label>
                        <p class="pf-c-form__helper-text">
-                            ${t`Set a custom HTTP-Basic Authentication header based on values from authentik.`}
+                            ${t`Send a custom HTTP-Basic Authentication header based on values from authentik.`}
                        </p>
                    </ak-form-element-horizontal>
                    ${this.showHttpBasic ? this.renderHttpBasic() : html``}
                    <ak-form-element-horizontal label=${t`Trusted OIDC Sources`} name="jwksSources">
                        <select class="pf-c-form-control" multiple>
                            ${until(
                                new SourcesApi(DEFAULT_CONFIG)
                                    .sourcesOauthList({
                                        ordering: "name",
                                        hasJwks: true,
                                    })
                                    .then((sources) => {
                                        return sources.results.map((source) => {
                                            const selected = (
                                                this.instance?.jwksSources || []
                                            ).some((su) => {
                                                return su == source.pk;
                                            });
                                            return html`<option
                                                value=${source.pk}
                                                ?selected=${selected}
                                            >
                                                ${source.name} (${source.slug})
                                            </option>`;
                                        });
                                    }),
                                html`<option>${t`Loading...`}</option>`,
                            )}
                        </select>
                        <p class="pf-c-form__helper-text">
                            ${t`JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.`}
                        </p>
                        <p class="pf-c-form__helper-text">
                            ${t`Hold control/command to select multiple items.`}
                        </p>
                    </ak-form-element-horizontal>
                </div>
            </ak-form-group>
        </form>`;
--- a/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
@ -10,10 +10,12 @@ import MDNginxStandalone from "@goauthentik/docs/providers/proxy/_nginx_standalo
 import MDTraefikCompose from "@goauthentik/docs/providers/proxy/_traefik_compose.md";
 import MDTraefikIngress from "@goauthentik/docs/providers/proxy/_traefik_ingress.md";
 import MDTraefikStandalone from "@goauthentik/docs/providers/proxy/_traefik_standalone.md";
 import MDHeaderAuthentication from "@goauthentik/docs/providers/proxy/header_authentication.md";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/CodeMirror";
 import { PFColor } from "@goauthentik/elements/Label";
 import "@goauthentik/elements/Markdown";
 import "@goauthentik/elements/Markdown";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
@ -32,6 +34,7 @@ import PFContent from "@patternfly/patternfly/components/Content/content.css";
 import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
 import PFForm from "@patternfly/patternfly/components/Form/form.css";
 import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
 import PFList from "@patternfly/patternfly/components/List/list.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
@ -90,6 +93,7 @@ export class ProxyProviderViewPage extends AKElement {
            PFPage,
            PFGrid,
            PFContent,
            PFList,
            PFForm,
            PFFormControl,
            PFCard,
@ -182,6 +186,9 @@ export class ProxyProviderViewPage extends AKElement {
            <section slot="page-overview" data-tab-title="${t`Overview`}">
                ${this.renderTabOverview()}
            </section>
            <section slot="page-authentication" data-tab-title="${t`Authentication`}">
                ${this.renderTabAuthentication()}
            </section>
            <section
                slot="page-changelog"
                data-tab-title="${t`Changelog`}"
@ -200,6 +207,37 @@ export class ProxyProviderViewPage extends AKElement {
        </ak-tabs>`;
    }
    renderTabAuthentication(): TemplateResult {
        if (!this.provider) {
            return html``;
        }
        return html`<div
            class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter"
        >
            <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                <div class="pf-c-card__body">
                    <dl class="pf-c-description-list pf-m-3-col-on-lg">
                        <div class="pf-c-description-list__group">
                            <dt class="pf-c-description-list__term">
                                <span class="pf-c-description-list__text">${t`Client ID`}</span>
                            </dt>
                            <dd class="pf-c-description-list__description">
                                <div class="pf-c-description-list__text">
                                    <pre>${this.provider.clientId}</pre>
                                </div>
                            </dd>
                        </div>
                    </dl>
                </div>
            </div>
            <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                <div class="pf-c-card__body">
                    <ak-markdown .md=${MDHeaderAuthentication}></ak-markdown>
                </div>
            </div>
        </div>`;
    }
    renderTabOverview(): TemplateResult {
        if (!this.provider) {
            return html``;
@ -316,21 +354,24 @@ export class ProxyProviderViewPage extends AKElement {
                <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                    <div class="pf-c-card__title">${t`Protocol Settings`}</div>
                    <div class="pf-c-card__body">
-                        <form class="pf-c-form">
+                        <dl class="pf-c-description-list pf-m-3-col-on-lg">
-                            <div class="pf-c-form__group">
+                            <div class="pf-c-description-list__group">
-                                <label class="pf-c-form__label">
+                                <dt class="pf-c-description-list__term">
-                                    <span class="pf-c-form__label-text"
+                                    <span class="pf-c-description-list__text"
                                        >${t`Allowed Redirect URIs`}</span
                                    >
-                                </label>
+                                </dt>
-                                <input
+                                <dd class="pf-c-description-list__description">
-                                    class="pf-c-form-control"
+                                    <div class="pf-c-description-list__text">
-                                    readonly
+                                        <ul class="pf-c-list">
-                                    type="text"
+                                            ${this.provider.redirectUris.split("\n").map((url) => {
-                                    value=${this.provider.redirectUris}
+                                                return html`<li><pre>${url}</pre></li>`;
-                                />
+                                            })}
                                        </ul>
                                    </div>
-                        </form>
+                                </dd>
                            </div>
                        </dl>
                    </div>
                </div>
                <div class="pf-c-card pf-l-grid__item pf-m-12-col">
--- a/web/src/elements/Alert.ts
+++ b/web/src/elements/Alert.ts
@ -27,9 +27,7 @@ export class Alert extends AKElement {
    }
    render(): TemplateResult {
-        return html`<div
+        return html`<div class="pf-c-alert ${this.inline ? "pf-m-inline" : ""} ${this.level}">
            class="pf-c-alert ${this.inline ? html`pf-m-inline` : html``} ${this.level}"
        >
            <div class="pf-c-alert__icon">
                <i class="fas fa-exclamation-circle"></i>
            </div>
--- a/web/src/elements/Markdown.ts
+++ b/web/src/elements/Markdown.ts
@ -1,5 +1,6 @@
 import { docLink } from "@goauthentik/common/global";
 import "@goauthentik/elements/Alert";
 import { Level } from "@goauthentik/elements/Alert";
 import { AKElement } from "@goauthentik/elements/Base";
 import { CSSResult, TemplateResult, html } from "lit";
@ -40,9 +41,13 @@ export class Markdown extends AKElement {
    replaceAdmonitions(input: string): string {
        const admonitionStart = /:::(\w+)<br\s\/>/gm;
        const admonitionEnd = /:::/gm;
-        return input
+        return (
-            .replaceAll(admonitionStart, "<ak-alert level='$1'>")
+            input
-            .replaceAll(admonitionEnd, "</ak-alert>");
+                .replaceAll(admonitionStart, "<ak-alert level='pf-m-$1'>")
                .replaceAll(admonitionEnd, "</ak-alert>")
                // Workaround for admonitions using caution instead of warning
                .replaceAll("pf-m-caution", Level.Warning)
        );
    }
    replaceList(input: string): string {
--- a/web/src/locales/de.po
+++ b/web/src/locales/de.po
@ -352,6 +352,10 @@ msgstr "Zusätzlicher Gruppen-DN, dem Basis-DN vorangestellt."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Zusätzliche Bereichszuordnungen, die an den Proxy übergeben werden."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "Zusätzliche Anwendungsbereiche (Scopes), die an den OAuth-Provider übergeben werden, getrennt durch ein Leerzeichen."
@ -687,6 +691,7 @@ msgstr "Authentifizierung mit Plex..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Authentifizierung"
@ -709,6 +714,10 @@ msgstr "Authentifizierungsablauf"
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1218,6 +1227,7 @@ msgstr "Token kopieren"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "Client-ID"
@ -2108,6 +2118,10 @@ msgstr "Duo-Authentifikator"
 msgid "Duo push-notifications"
 msgstr "Duo Push-Benachrichtigungen"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Dauer, nach der ein Ereignis aus der Datenbank gelöscht wird."
@ -2909,6 +2923,7 @@ msgstr "Interne Konten ausblenden"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3261,6 +3276,7 @@ msgstr ""
 #~ msgstr "JWTs, welche mit den hier konfigurierten Zertifikaten signiert werden, können zur Authentifizierung beim Provider benutzt werden."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3451,6 +3467,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5160,7 +5177,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Gültigkeitsbereich, den der Client angeben kann, um auf diese Eigenschaften zuzugreifen."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5314,6 +5330,14 @@ msgstr "Auswahl der Backends, mit denen das Kennwort getestet werden soll."
 msgid "Send Email again."
 msgstr "E-Mail erneut senden."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5402,12 +5426,12 @@ msgid "Sessions"
 msgstr "Sitzungen"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "HTTP-Basisauthentifizierung einstellen"
+#~ msgstr "HTTP-Basisauthentifizierung einstellen"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Legen Sie einen benutzerdefinierten HTTP-Basic Authentication-Header fest, der auf den Werten von authentik basiert."
+#~ msgstr "Legen Sie einen benutzerdefinierten HTTP-Basic Authentication-Header fest, der auf den Werten von authentik basiert."
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6540,6 +6564,7 @@ msgid "Transports"
 msgstr "Zustellungsarten"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
@ -7623,6 +7648,10 @@ msgstr "{0} - {1} von {2}"
 msgid "{0} is available!"
 msgstr "{0} ist verfügbar!"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} ungelesen"
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@ -334,6 +334,10 @@ msgstr "Additional group DN, prepended to the Base DN."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Additional scope mappings, which are passed to the proxy."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr "Additional scopes"
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "Additional scopes to be passed to the OAuth Provider, separated by space."
@ -673,6 +677,7 @@ msgstr "Authenticating with Plex..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Authentication"
@ -695,6 +700,10 @@ msgstr "Authentication flow"
 msgid "Authentication method"
 msgstr "Authentication method"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr "Authentication settings"
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr "Authentication without user interaction, or machine-to-machine authentication."
@ -1214,6 +1223,7 @@ msgstr "Click to copy token"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "Client ID"
@ -2130,6 +2140,10 @@ msgstr "Duo authenticator"
 msgid "Duo push-notifications"
 msgstr "Duo push-notifications"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr "Duration"
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Duration after which events will be deleted from the database."
@ -2951,6 +2965,7 @@ msgstr "Hide service-accounts"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3313,6 +3328,7 @@ msgstr "JWKS URL"
 #~ msgstr "JWTs signed by certificates configured here can be used to authenticate to the provider."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
@ -3506,6 +3522,7 @@ msgstr "Loading options..."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5264,7 +5281,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Scope which the client can specify to access these properties."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5421,6 +5437,14 @@ msgstr "Selection of backends to test the password against."
 msgid "Send Email again."
 msgstr "Send Email again."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr "Send HTTP-Basic Authentication"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr "Send a custom HTTP-Basic Authentication header based on values from authentik."
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5515,12 +5539,12 @@ msgid "Sessions"
 msgstr "Sessions"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "Set HTTP-Basic Authentication"
+#~ msgstr "Set HTTP-Basic Authentication"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6688,6 +6712,7 @@ msgid "Transports"
 msgstr "Transports"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr "Trusted OIDC Sources"
@ -7786,6 +7811,10 @@ msgstr "{0} - {1} of {2}"
 msgid "{0} is available!"
 msgstr "{0} is available!"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr "{0} seconds"
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} unread"
--- a/web/src/locales/es.po
+++ b/web/src/locales/es.po
@ -330,6 +330,10 @@ msgstr "DN de grupo adicional, antepuesto al DN base."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Mapeos de ámbito adicional, que se pasan al proxy."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "Ámbitos adicionales que se pasarán al proveedor de OAuth, separados por espacios."
@ -665,6 +669,7 @@ msgstr "Autenticando con Plex..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Autenticación"
@ -687,6 +692,10 @@ msgstr "Flujo de autenticación"
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1194,6 +1203,7 @@ msgstr "Haga clic para copiar el token"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "ID de cliente"
@ -2084,6 +2094,10 @@ msgstr "Autenticador Duo"
 msgid "Duo push-notifications"
 msgstr "Notificaciones push Duo"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Duración tras la cual los eventos se eliminarán de la base de datos."
@ -2885,6 +2899,7 @@ msgstr "Ocultar cuentas de servicio"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3237,6 +3252,7 @@ msgstr ""
 #~ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3427,6 +3443,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5136,7 +5153,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Ámbito que el cliente puede especificar para acceder a estas propiedades."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5290,6 +5306,14 @@ msgstr "Selección de backends para probar la contraseña."
 msgid "Send Email again."
 msgstr "Vuelve a enviar el correo electrónico."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5378,12 +5402,12 @@ msgid "Sessions"
 msgstr "Sesiones"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "Establecer la autenticación básica de HTTP"
+#~ msgstr "Establecer la autenticación básica de HTTP"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Establezca un encabezado de autenticación básica HTTP personalizado en función de los valores de authentik."
+#~ msgstr "Establezca un encabezado de autenticación básica HTTP personalizado en función de los valores de authentik."
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6516,6 +6540,7 @@ msgid "Transports"
 msgstr "Transportes"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
@ -7599,6 +7624,10 @@ msgstr "{0} - {1} de {2}"
 msgid "{0} is available!"
 msgstr "{0} está disponible."
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} sin leer"
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@ -335,6 +335,10 @@ msgstr "DN à préfixer au DN de base pour les groupes"
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr ""
@ -670,6 +674,7 @@ msgstr "Authentification avec Plex..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Authentification"
@ -692,6 +697,10 @@ msgstr "Flux d'authentification"
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1199,6 +1208,7 @@ msgstr "Cliquer pour copier le jeton"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "ID client"
@ -2087,6 +2097,10 @@ msgstr "Authentificateur Duo"
 msgid "Duo push-notifications"
 msgstr "Notification push Duo"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Expiration des évènements à l'issue de laquelle ils seront supprimés de la base de donnée."
@ -2888,6 +2902,7 @@ msgstr "Cacher les comptes de service"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3238,6 +3253,7 @@ msgstr ""
 #~ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3428,6 +3444,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5137,7 +5154,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Portée que le client peut spécifier pour accéder à ces propriétés."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5291,6 +5307,14 @@ msgstr "Sélection de backends pour tester le mot de passe."
 msgid "Send Email again."
 msgstr "Renvoyer l’email."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5379,12 +5403,12 @@ msgid "Sessions"
 msgstr "Sessions"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "Définir l'authentification HTTP-Basic"
+#~ msgstr "Définir l'authentification HTTP-Basic"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Définir un en-tête d'authentification HTTP-Basic personnalisé basé sur les valeurs de authentik."
+#~ msgstr "Définir un en-tête d'authentification HTTP-Basic personnalisé basé sur les valeurs de authentik."
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6507,6 +6531,7 @@ msgid "Transports"
 msgstr "Transports"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
@ -7588,6 +7613,10 @@ msgstr "{0} - {1} sur {2}"
 msgid "{0} is available!"
 msgstr "{0} est disponible !"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} non lu"
--- a/web/src/locales/pl.po
+++ b/web/src/locales/pl.po
@ -334,6 +334,10 @@ msgstr "Dodatkowa DN grupy, poprzedzona podstawową DN."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Dodatkowe mapowania zakresu, które są przekazywane do serwera proxy."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "Dodatkowe zakresy do przekazania do dostawcy OAuth, oddzielone spacją."
@ -669,6 +673,7 @@ msgstr "Uwierzytelnianie z Plex..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Uwierzytelnianie"
@ -691,6 +696,10 @@ msgstr "Przepływ uwierzytelniania"
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1200,6 +1209,7 @@ msgstr "Kliknij, aby skopiować token"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "Client ID"
@ -2090,6 +2100,10 @@ msgstr "Uwierzytelniacz Duo"
 msgid "Duo push-notifications"
 msgstr "Powiadomienia push Duo"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Czas, po którym zdarzenia zostaną usunięte z bazy danych."
@ -2891,6 +2905,7 @@ msgstr "Ukryj konta serwisowe"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3245,6 +3260,7 @@ msgstr ""
 #~ msgstr "JWTs podpisane przez certyfikaty skonfigurowane tutaj mogą służyć do uwierzytelniania u dostawcy."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3435,6 +3451,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5146,7 +5163,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "Zakres, który klient może określić, aby uzyskać dostęp do tych właściwości."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5300,6 +5316,14 @@ msgstr "Wybór backendów do testowania hasła."
 msgid "Send Email again."
 msgstr "Wyślij e-mail ponownie."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5388,12 +5412,12 @@ msgid "Sessions"
 msgstr "Sesje"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "Ustaw HTTP-Basic Authentication"
+#~ msgstr "Ustaw HTTP-Basic Authentication"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "Ustaw niestandardowy nagłówek HTTP-Basic Authentication na podstawie wartości z authentik."
+#~ msgstr "Ustaw niestandardowy nagłówek HTTP-Basic Authentication na podstawie wartości z authentik."
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6526,6 +6550,7 @@ msgid "Transports"
 msgstr "Transporty"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr "Zaufane źródła OIDC"
@ -7611,6 +7636,10 @@ msgstr "{0} - {1} z {2}"
 msgid "{0} is available!"
 msgstr "{0} jest dostępny!"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} nieprzeczytane"
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@ -330,6 +330,10 @@ msgstr ""
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr ""
@ -665,6 +669,7 @@ msgstr ""
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr ""
@ -687,6 +692,10 @@ msgstr ""
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1202,6 +1211,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr ""
@ -2116,6 +2126,10 @@ msgstr ""
 msgid "Duo push-notifications"
 msgstr ""
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr ""
@ -2937,6 +2951,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3295,6 +3310,7 @@ msgstr ""
 #~ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3488,6 +3504,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5244,7 +5261,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5401,6 +5417,14 @@ msgstr ""
 msgid "Send Email again."
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5495,12 +5519,12 @@ msgid "Sessions"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr ""
+#~ msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr ""
+#~ msgstr ""
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6658,6 +6682,7 @@ msgid "Transports"
 msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
@ -7750,6 +7775,10 @@ msgstr ""
 msgid "{0} is available!"
 msgstr ""
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr ""
--- a/web/src/locales/tr.po
+++ b/web/src/locales/tr.po
@ -330,6 +330,10 @@ msgstr "Ek grup DN, Base DN için eklenmiş."
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "Proxy'ye iletilen ek kapsam eşlemeleri."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "OAuth Sağlayıcıya iletilecek ek kapsamlar, boşlukla ayrılmış."
@ -665,6 +669,7 @@ msgstr "Plex ile kimlik doğrulaması..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "Kimlik Doğrulama"
@ -687,6 +692,10 @@ msgstr "Kimlik doğrulama akışı"
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1194,6 +1203,7 @@ msgstr "Belirteci kopyalamak için tıklayın"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "Müşteri Kimliği"
@ -2084,6 +2094,10 @@ msgstr "Duo kimlik doğrulayıcı"
 msgid "Duo push-notifications"
 msgstr "Duo push-bildirimleri"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "Olayların veritabanından silineceği süre."
@ -2885,6 +2899,7 @@ msgstr "Hizmet hesaplarını gizle"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3237,6 +3252,7 @@ msgstr ""
 #~ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3427,6 +3443,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5136,7 +5153,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "İstemcinin bu özelliklere erişmek için belirtebileceği kapsam."
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5290,6 +5306,14 @@ msgstr "Parolayı test etmek için arka uçların seçimi."
 msgid "Send Email again."
 msgstr "E-postayı tekrar gönder."
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5378,12 +5402,12 @@ msgid "Sessions"
 msgstr "Oturumlar"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "HTTP-Temel Kimlik Doğrulamasını Ayarla"
+#~ msgstr "HTTP-Temel Kimlik Doğrulamasını Ayarla"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "authentik değerlerine göre özel bir HTTP-Basic Kimlik Doğrulama başlığı ayarlayın."
+#~ msgstr "authentik değerlerine göre özel bir HTTP-Basic Kimlik Doğrulama başlığı ayarlayın."
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6516,6 +6540,7 @@ msgid "Transports"
 msgstr "Aktarıcılar"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
@ -7599,6 +7624,10 @@ msgstr "{2} içinden {0} - {1}"
 msgid "{0} is available!"
 msgstr "{0} kullanılabilir!"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} okunmamış"
--- a/web/src/locales/zh-Hans.po
+++ b/web/src/locales/zh-Hans.po
@ -336,6 +336,10 @@ msgstr "额外的组 DN，添加到 Base DN 起始处。"
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "传递给代理的额外作用域映射。"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "要传递给 OAuth 提供商的额外作用域，用空格分隔。"
@ -671,6 +675,7 @@ msgstr "正在使用 Plex 进行身份验证..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "身份验证"
@ -693,6 +698,10 @@ msgstr "身份验证流程"
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1202,6 +1211,7 @@ msgstr "点击复制令牌"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "客户端 ID"
@ -2092,6 +2102,10 @@ msgstr "Duo 身份验证器"
 msgid "Duo push-notifications"
 msgstr "Duo 推送通知"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "事件从数据库中删除的时间，超过这个时间就会被删除。"
@ -2893,6 +2907,7 @@ msgstr "隐藏服务账户"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3245,6 +3260,7 @@ msgstr ""
 #~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3435,6 +3451,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5144,7 +5161,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "客户端可以指定的访问这些属性的范围。"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5298,6 +5314,14 @@ msgstr "选择用于测试密码的后端。"
 msgid "Send Email again."
 msgstr "再次发送电子邮件。"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5386,12 +5410,12 @@ msgid "Sessions"
 msgstr "会话"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "设置 HTTP-Basic 身份验证"
+#~ msgstr "设置 HTTP-Basic 身份验证"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
+#~ msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6524,6 +6548,7 @@ msgid "Transports"
 msgstr "传输"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr "信任的 OIDC 来源"
@ -7609,6 +7634,10 @@ msgstr "{0} - {1} / {2}"
 msgid "{0} is available!"
 msgstr "{0} 可用！"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} 未读"
--- a/web/src/locales/zh-Hant.po
+++ b/web/src/locales/zh-Hant.po
@ -336,6 +336,10 @@ msgstr "额外的Group DN，优先于Base DN。"
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "传递给代理的其他作用域映射。"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "要传递给 OAuth 提供程序的其他作用域，用空格分隔。"
@ -671,6 +675,7 @@ msgstr "正在使用 Plex 进行身份验证..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "身份验证"
@ -693,6 +698,10 @@ msgstr "身份验证流程"
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1202,6 +1211,7 @@ msgstr "点击复制令牌"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "客户端 ID"
@ -2092,6 +2102,10 @@ msgstr "Duo 身份验证器"
 msgid "Duo push-notifications"
 msgstr "二重奏推送通知"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "事件将从数据库中删除的持续时间。"
@ -2893,6 +2907,7 @@ msgstr "隐藏服务账户"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3245,6 +3260,7 @@ msgstr ""
 #~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3435,6 +3451,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5144,7 +5161,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "客户端可以指定的访问这些属性的范围。"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5298,6 +5314,14 @@ msgstr "选择用于测试密码的后端。"
 msgid "Send Email again."
 msgstr "再次发送电子邮件。"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5386,12 +5410,12 @@ msgid "Sessions"
 msgstr "会话"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "设置 HTTP 基本身份验证"
+#~ msgstr "设置 HTTP 基本身份验证"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
+#~ msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6524,6 +6548,7 @@ msgid "Transports"
 msgstr "传输"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
@ -7609,6 +7634,10 @@ msgstr "{0} - {1} of {2}"
 msgid "{0} is available!"
 msgstr "{0} 可用！"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} 未读"
--- a/web/src/locales/zh_TW.po
+++ b/web/src/locales/zh_TW.po
@ -336,6 +336,10 @@ msgstr "额外的Group DN，优先于Base DN。"
 msgid "Additional scope mappings, which are passed to the proxy."
 msgstr "传递给代理的其他作用域映射。"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Additional scopes"
 msgstr ""
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #~ msgid "Additional scopes to be passed to the OAuth Provider, separated by space."
 #~ msgstr "要传递给 OAuth 提供程序的其他作用域，用空格分隔。"
@ -671,6 +675,7 @@ msgstr "正在使用 Plex 进行身份验证..."
 #: src/admin/flows/FlowForm.ts
 #: src/admin/flows/utils.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 msgid "Authentication"
 msgstr "身份验证"
@ -693,6 +698,10 @@ msgstr "身份验证流程"
 msgid "Authentication method"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Authentication settings"
 msgstr ""
 #: src/admin/applications/wizard/oauth/TypeOAuthApplicationWizardPage.ts
 msgid "Authentication without user interaction, or machine-to-machine authentication."
 msgstr ""
@ -1202,6 +1211,7 @@ msgstr "点击复制令牌"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
 #: src/admin/providers/proxy/ProxyProviderViewPage.ts
 #: src/admin/sources/plex/PlexSourceForm.ts
 msgid "Client ID"
 msgstr "客户端 ID"
@ -2092,6 +2102,10 @@ msgstr "Duo 身份验证器"
 msgid "Duo push-notifications"
 msgstr "二重奏推送通知"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "Duration"
 msgstr ""
 #: src/admin/tenants/TenantForm.ts
 msgid "Duration after which events will be deleted from the database."
 msgstr "事件将从数据库中删除的持续时间。"
@ -2893,6 +2907,7 @@ msgstr "隐藏服务账户"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -3245,6 +3260,7 @@ msgstr ""
 #~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""
@ -3435,6 +3451,7 @@ msgstr ""
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/providers/saml/SAMLProviderForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
 #: src/admin/sources/ldap/LDAPSourceForm.ts
@ -5144,7 +5161,6 @@ msgid "Scope which the client can specify to access these properties."
 msgstr "客户端可以指定的访问这些属性的范围。"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 #: src/admin/sources/oauth/OAuthSourceForm.ts
 #: src/elements/oauth/UserRefreshList.ts
 msgid "Scopes"
@ -5298,6 +5314,14 @@ msgstr "选择用于测试密码的后端。"
 msgid "Send Email again."
 msgstr "再次发送电子邮件。"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send HTTP-Basic Authentication"
 msgstr ""
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Send a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""
 #: src/admin/users/RelatedUserList.ts
 #: src/admin/users/UserListPage.ts
 msgid "Send link"
@ -5386,12 +5410,12 @@ msgid "Sessions"
 msgstr "会话"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set HTTP-Basic Authentication"
+#~ msgid "Set HTTP-Basic Authentication"
-msgstr "设置 HTTP 基本身份验证"
+#~ msgstr "设置 HTTP 基本身份验证"
 #: src/admin/providers/proxy/ProxyProviderForm.ts
-msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
+#~ msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
-msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
+#~ msgstr "根据来自 authentik 的值设置自定义 HTTP-Basic 身份验证标头。"
 #: src/admin/groups/GroupForm.ts
 #: src/admin/outposts/OutpostForm.ts
@ -6524,6 +6548,7 @@ msgid "Transports"
 msgstr "传输"
 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 #: src/admin/providers/proxy/ProxyProviderForm.ts
 msgid "Trusted OIDC Sources"
 msgstr ""
@ -7609,6 +7634,10 @@ msgstr "{0} - {1} of {2}"
 msgid "{0} is available!"
 msgstr "{0} 可用！"
 #: src/admin/system-tasks/SystemTaskListPage.ts
 msgid "{0} seconds"
 msgstr ""
 #: src/elements/notifications/NotificationDrawer.ts
 msgid "{0} unread"
 msgstr "{0} 未读"
--- a/website/developer-docs/api/making-schema-changes.md
+++ b/website/developer-docs/api/making-schema-changes.md
@ -18,6 +18,6 @@ The web client is used by the web-interface and web-FlowExecutor to communicate
 Since the client is normally distributed as an npm package, running `make gen-client-ts` will overwrite the locally installed client with the newly built one.
-:::warning
+:::caution
 Running `npm i` in the `/web` folder after using `make gen-client-ts` will overwrite the custom client and revert to the upstream client.
 :::
--- a/website/developer-docs/blueprints/v1/tags.md
+++ b/website/developer-docs/blueprints/v1/tags.md
@ -199,7 +199,7 @@ example:
 Full example:
-:::warning
+:::caution
 Note that an `!Enumeration` tag's iterable can never be an `!Item` or `!Value` tag with a depth of `0`. Minimum depth allowed is `1`. This is because a depth of `0` refers to the `!Enumeration` tag the `!Item` or `!Value` tag is in, and an `!Enumeration` tag cannot iterate over itself.
 :::
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@ -297,6 +297,6 @@ Defaults to 4.
 To modify additional settings further than the options above allow, you can create a custom python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py)
-:::warning
+:::caution
 Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution.
 :::
--- a/website/docs/policies/expression.mdx
+++ b/website/docs/policies/expression.mdx
@ -64,7 +64,7 @@ import Objects from "../expressions/_objects.md";
    -   `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)
-        :::warning
+        :::caution
        When a policy is executed in the context of a flow, this will be set to the user initiaing request, and will only be changed by a `user_login` stage. For that reason, using this value in authentication flow policies may not return the expected user. Use `context['pending_user']` instead; User Identification and other stages update this value during flow execution.
        If the user is not authenticated, this will be set to a user called _AnonymousUser_, which is an instance of [authentik.core.models.User](https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#django.contrib.auth.models.User) (authentik uses django-guardian for per-object permissions, [see](https://django-guardian.readthedocs.io/en/stable/)).
--- a/website/docs/providers/proxy/header_authentication.md
+++ b/website/docs/providers/proxy/header_authentication.md
@ -0,0 +1,50 @@
 ---
 title: Header authentication
 ---
 ### Send HTTP Basic authentication
 Proxy providers have the option to _Send HTTP-Basic Authentication_ to the upstream authentication. When the option in the provider is enabled, two attributes must be specified. These attributes are the keys of values which can be saved on a user or group level that contain the credentials.
 For example, with _HTTP-Basic Username Key_ set to `app_username` and _HTTP-Basic Password Key_ set to `app_password`, these attributes would have to be set either on a user or a group the user is member of:
 ```yaml
 app_username: admin
 app_password: admin-password
 ```
 These credentials are only retrieved when the user authenticates to the proxy.
 If the user does not have a matching attribute, authentik falls back to using the user's email address as username, and the password will be empty if not found.
 ### Receiving HTTP Basic authentication
 :::info
 Requires authentik 2023.1
 :::
 Proxy providers can receive HTTP basic authentication credentials. The password is expected to be an _App password_, as the credentials are used internally with the [OAuth2 machine-to-machine authentication flow](../oauth2/client_credentials.md).
 Access control is done with the policies bound to the application being accessed.
 If the received credentials are invalid, a normal authentication flow is initiated. If the credentials are correct, the Authorization header is removed to prevent sending the credentials to the proxied application.
 :::danger
 It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.
 :::
 ### Receiving HTTP Bearer authentication
 :::info
 Requires authentik 2023.1
 :::
 Proxy providers can receive HTTP bearer authentication credentials. The token is expected to be a JWT token issued for the proxy provider. This is described [here](../oauth2/client_credentials.md), using the _client_id_ value shown in the admin interface. Both static and JWT authentication methods are supported.
 Access control is done with the policies bound to the application being accessed.
 If the received credentials are invalid, a normal authentication flow is initiated. If the credentials are correct, the Authorization header is removed to prevent sending the credentials to the proxied application.
 :::caution
 It is recommended that the client sending requests with HTTP-Bearer authentication persists the cookies returned by the outpost. For bearer authentication this has a smaller impact than for Basic authentication, but each request is still verified with the authentik server.
 :::
--- a/website/docs/providers/proxy/index.md
+++ b/website/docs/providers/proxy/index.md
@ -24,9 +24,12 @@ The proxy outpost sets the following user-specific headers:
    The hashed identifier of the currently logged in user.
-Additionally, you can set `additionalHeaders` on groups or users to set additional headers.
+Additionally, you can set `additionalHeaders` attribute on groups or users to set additional headers:
-If you enable _Set HTTP-Basic Authentication_ option, the HTTP Authorization header is being set.
+```yaml
 additionalHeaders:
    X-test-header: test-value
 ```
 Besides these user-specific headers, some application specific headers are also set:
--- a/website/integrations/services/home-assistant/index.md
+++ b/website/integrations/services/home-assistant/index.md
@ -12,7 +12,7 @@ From https://www.home-assistant.io/
 Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
 :::
-:::warning
+:::caution
 You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477).
 :::
--- a/website/integrations/services/jellyfin/index.md
+++ b/website/integrations/services/jellyfin/index.md
@ -20,7 +20,7 @@ Jellyfin does not have any native external authentication support as of the writ
 Currently there are two plugins for Jelyfin that provide external authenticaion, an OIDC plugin and an LDAP plugin. This guide focuses on the use of the LDAP plugin.
 :::
-:::warning
+:::caution
 An LDAP outpost must be deployed to use the Jellyfin LDAP plugin
 :::
--- a/website/integrations/services/nextcloud/index.md
+++ b/website/integrations/services/nextcloud/index.md
@ -12,11 +12,11 @@ From https://en.wikipedia.org/wiki/Nextcloud
 Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
 :::
-:::warning
+:::caution
 This setup only works, when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
 :::
-:::warning
+:::info
 In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
 :::
--- a/website/integrations/services/node-red/index.md
+++ b/website/integrations/services/node-red/index.md
@ -14,7 +14,7 @@ Node-RED is a programming tool for wiring together hardware devices, APIs and on
 It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette that can be deployed to its runtime in a single-click.
 :::
-:::warning
+:::caution
 This requires modification of the Node-RED settings.js and installing additional Passport-js packages, see [Securing Node-RED](https://nodered.org/docs/user-guide/runtime/securing-node-red#oauthopenid-based-authentication) documentation for further details.
 :::
--- a/website/integrations/services/paperless-ng/index.md
+++ b/website/integrations/services/paperless-ng/index.md
@ -12,7 +12,7 @@ Modified from https://github.com/jonaswinkler/paperless-ng
 Paperless-ng is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from the original Paperless that is no longer maintained.
 :::
-:::warning
+:::caution
 This setup uses HTTP headers to log you in simply by providing your username as a header. Your authentik username and Paperless username MUST match. If you intend for this to be accessed externally, this requires careful setup of your reverse proxy server to not forward these headers from other sources.
 The author of Paperless-ng recommends you do not expose Paperless outside your network, as it was not designed for that. Instead, they "recommend that if you do want to use it, run it locally on a server in your own home."
--- a/website/integrations/services/pfsense/index.md
+++ b/website/integrations/services/pfsense/index.md
@ -59,7 +59,7 @@ In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` t
 ## pfSense unsecure setup (without SSL)
-:::warning
+:::caution
 This setup should only be used for testing purpose, because passwords will be sent in clear text to authentik.
 :::
--- a/website/integrations/services/proxmox-ve/index.md
+++ b/website/integrations/services/proxmox-ve/index.md
@ -12,7 +12,7 @@ From https://pve.proxmox.com/wiki/Main_Page
 Proxmox Virtual Environment is an open source server virtualization management solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, highly available clusters, storage and networks with an integrated, easy-to-use web interface or via CLI. Proxmox VE code is licensed under the GNU Affero General Public License, version 3. The project is developed and maintained by Proxmox Server Solutions GmbH.
 :::
-:::warning
+:::caution
 This requires Proxmox VE 7.0 or newer.
 :::
--- a/website/integrations/services/qnap-nas/index.md
+++ b/website/integrations/services/qnap-nas/index.md
@ -38,7 +38,7 @@ Create a new service account for all of your hosts to use to connect
 to LDAP and perform searches. Make sure this service account is added
 to `ldap.searchGroup`.
-:::warning
+:::caution
 It seems that QNAP LDAP client configuration has issues with too long password.
 Max password length <= 66 characters.
 :::
@ -111,7 +111,7 @@ Attributes:
 Configure the following values and "Apply"
 ![qnap domain security](./qnap-ldap-configuration.png)
-:::warning
+:::caution
 With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
 :::
--- a/website/integrations/services/snipe-it/index.md
+++ b/website/integrations/services/snipe-it/index.md
@ -11,11 +11,11 @@ From https://snipeitapp.com
 A free open source IT asset/license management system.
 :::
-:::warning
+:::caution
 This setup assumes you will be using HTTPS as Snipe-It dynamically generates the ACS and other settings based on the complete URL.
 :::
-:::warning
+:::caution
 In case something goes wrong with the configuration, you can use the URL `http://inventory.company/login?nosaml` to log in using the
 built-in authentication.
 :::
--- a/website/integrations/services/truecommand/index.md
+++ b/website/integrations/services/truecommand/index.md
@ -14,7 +14,7 @@ e uptime and future planning. TrueCommand also identifies and pinpoints errors o
 me when resolving issues.
 :::
-:::warning
+:::caution
 This setup assumes you will be using HTTPS as TrueCommand generates ACS and Redirect URLs based on the complete URL.
 :::
--- a/website/integrations/services/ubuntu-landscape/index.md
+++ b/website/integrations/services/ubuntu-landscape/index.md
@ -12,7 +12,7 @@ From https://en.wikipedia.org/wiki/Landscape_(software)
 Landscape is a systems management tool developed by Canonical. It can be run on-premises or in the cloud depending on the needs of the user. It is primarily designed for use with Ubuntu derivatives such as Desktop, Server, and Core.
 :::
-:::warning
+:::caution
 This requires authentik 0.10.3 or newer.
 :::
--- a/website/integrations/services/vmware-vcenter/index.md
+++ b/website/integrations/services/vmware-vcenter/index.md
@ -12,11 +12,11 @@ From https://en.wikipedia.org/wiki/VCenter
 vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.
 :::
-:::warning
+:::caution
 This requires authentik 0.10.3 or newer.
 :::
-:::warning
+:::caution
 This requires VMware vCenter 7.0.0 or newer.
 :::
@ -68,7 +68,7 @@ Create an application which uses this provider. Optionally apply access restrict
 Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in.
-:::warning
+:::caution
 This Launch URL only works for vCenter < 7.0u2. If you're running 7.0u2 or later, set the launch URL to `https://vcenter.company/ui/login`
 :::
--- a/website/integrations/sources/apple/index.md
+++ b/website/integrations/sources/apple/index.md
@ -8,11 +8,11 @@ Allows users to authenticate using their Apple ID.
 ## Preparation
-:::warning
+:::caution
 An Apple developer account is required.
 :::
-:::warning
+:::caution
 Apple mandates the use of a [registered TLD](https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains), as such this source will not work with .local and other non-public TLDs.
 :::
--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -64,6 +64,7 @@ module.exports = {
                    },
                    items: [
                        "providers/proxy/custom_headers",
                        "providers/proxy/header_authentication",
                        "providers/proxy/forward_auth",
                    ],
                },