polices/hibp: remove deprecated (#4363)

* remove hibp Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * don't save event matcher apps in migrations Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * cleanup migrations Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update docs, update some phrasing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2023-01-05 13:19:26 +01:00 · 2023-01-05 13:19:26 +01:00 · e6b5810e03
parent 89b73a4d89
commit e6b5810e03
37 changed files with 230 additions and 1065 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -59,19 +59,18 @@ These are the current packages:
 authentik
 ├── admin - Administrative tasks and APIs, no models (Version updates, Metrics, system tasks)
 ├── api - General API Configuration (Routes, Schema and general API utilities)
+├── blueprints - Handle managed models and their state.
 ├── core - Core authentik functionality, central routes, core Models
 ├── crypto - Cryptography, currently used to generate and hold Certificates and Private Keys
 ├── events - Event Log, middleware and signals to generate signals
 ├── flows - Flows, the FlowPlanner and the FlowExecutor, used for all flows for authentication, authorization, etc
 ├── lib - Generic library of functions, few dependencies on other packages.
-├── managed - Handle managed models and their state.
 ├── outposts - Configure and deploy outposts on kubernetes and docker.
 ├── policies - General PolicyEngine
 │   ├── dummy - A Dummy policy used for testing
 │   ├── event_matcher - Match events based on different criteria
 │   ├── expiry - Check when a user's password was last set
 │   ├── expression - Execute any arbitrary python code
-│   ├── hibp - Check a password against HaveIBeenPwned
 │   ├── password - Check a password against several rules
 │   └── reputation - Check the user's/client's reputation
 ├── providers
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -45,7 +45,6 @@ from authentik.policies.dummy.api import DummyPolicyViewSet
 from authentik.policies.event_matcher.api import EventMatcherPolicyViewSet
 from authentik.policies.expiry.api import PasswordExpiryPolicyViewSet
 from authentik.policies.expression.api import ExpressionPolicyViewSet
-from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
 from authentik.policies.password.api import PasswordPolicyViewSet
 from authentik.policies.reputation.api import ReputationPolicyViewSet, ReputationViewSet
 from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet
@ -150,7 +149,6 @@ router.register("policies/all", PolicyViewSet)
 router.register("policies/bindings", PolicyBindingViewSet)
 router.register("policies/expression", ExpressionPolicyViewSet)
 router.register("policies/event_matcher", EventMatcherPolicyViewSet)
-router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
 router.register("policies/password_expiry", PasswordExpiryPolicyViewSet)
 router.register("policies/password", PasswordPolicyViewSet)
 router.register("policies/reputation/scores", ReputationViewSet)
--- a/authentik/policies/event_matcher/api.py
+++ b/authentik/policies/event_matcher/api.py
@ -1,14 +1,25 @@
 """Event Matcher Policy API"""
+from django.utils.translation import gettext as _
+from rest_framework.fields import ChoiceField
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
 from authentik.policies.api.policies import PolicySerializer
-from authentik.policies.event_matcher.models import EventMatcherPolicy
+from authentik.policies.event_matcher.models import EventMatcherPolicy, app_choices


 class EventMatcherPolicySerializer(PolicySerializer):
    """Event Matcher Policy Serializer"""

+    app = ChoiceField(
+        choices=app_choices(),
+        required=False,
+        help_text=_(
+            "Match events created by selected application. When left empty, "
+            "all applications are matched."
+        ),
+    )
+
    class Meta:
        model = EventMatcherPolicy
        fields = PolicySerializer.Meta.fields + [
--- a/authentik/policies/event_matcher/migrations/0021_alter_eventmatcherpolicy_app.py
+++ b/authentik/policies/event_matcher/migrations/0021_alter_eventmatcherpolicy_app.py
@ -0,0 +1,25 @@
+# Generated by Django 4.1.5 on 2023-01-05 09:24
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_policies_event_matcher",
+            "0020_eventmatcherpolicy_authentik_p_policy__e605cf_idx",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="eventmatcherpolicy",
+            name="app",
+            field=models.TextField(
+                blank=True,
+                default="",
+                help_text="Match events created by selected application. When left empty, all applications are matched.",
+            ),
+        ),
+    ]
--- a/authentik/policies/event_matcher/models.py
+++ b/authentik/policies/event_matcher/models.py
@ -33,7 +33,6 @@ class EventMatcherPolicy(Policy):
        ),
    )
    app = models.TextField(
-        choices=app_choices(),
        blank=True,
        default="",
        help_text=_(
--- a/authentik/policies/hibp/init.py
+++ b/authentik/policies/hibp/init.py
--- a/authentik/policies/hibp/api.py
+++ b/authentik/policies/hibp/api.py
@ -1,24 +0,0 @@
-"""Source API Views"""
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.policies.api.policies import PolicySerializer
-from authentik.policies.hibp.models import HaveIBeenPwendPolicy
-
-
-class HaveIBeenPwendPolicySerializer(PolicySerializer):
-    """Have I Been Pwned Policy Serializer"""
-
-    class Meta:
-        model = HaveIBeenPwendPolicy
-        fields = PolicySerializer.Meta.fields + ["password_field", "allowed_count"]
-
-
-class HaveIBeenPwendPolicyViewSet(UsedByMixin, ModelViewSet):
-    """Source Viewset"""
-
-    queryset = HaveIBeenPwendPolicy.objects.all()
-    serializer_class = HaveIBeenPwendPolicySerializer
-    filterset_fields = "__all__"
-    search_fields = ["name", "password_field"]
-    ordering = ["name"]
--- a/authentik/policies/hibp/apps.py
+++ b/authentik/policies/hibp/apps.py
@ -1,11 +0,0 @@
-"""Authentik hibp app config"""
-
-from django.apps import AppConfig
-
-
-class AuthentikPolicyHIBPConfig(AppConfig):
-    """Authentik hibp app config"""
-
-    name = "authentik.policies.hibp"
-    label = "authentik_policies_hibp"
-    verbose_name = "authentik Policies.HaveIBeenPwned"
--- a/authentik/policies/hibp/migrations/0001_initial.py
+++ b/authentik/policies/hibp/migrations/0001_initial.py
@ -1,38 +0,0 @@
-# Generated by Django 3.0.6 on 2020-05-19 22:08
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_policies", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="HaveIBeenPwendPolicy",
-            fields=[
-                (
-                    "policy_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_policies.Policy",
-                    ),
-                ),
-                ("allowed_count", models.IntegerField(default=0)),
-            ],
-            options={
-                "verbose_name": "Have I Been Pwned Policy",
-                "verbose_name_plural": "Have I Been Pwned Policies",
-            },
-            bases=("authentik_policies.policy",),
-        ),
-    ]
--- a/authentik/policies/hibp/migrations/0002_haveibeenpwendpolicy_password_field.py
+++ b/authentik/policies/hibp/migrations/0002_haveibeenpwendpolicy_password_field.py
@ -1,21 +0,0 @@
-# Generated by Django 3.0.8 on 2020-07-10 18:45
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_policies_hibp", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="haveibeenpwendpolicy",
-            name="password_field",
-            field=models.TextField(
-                default="password",
-                help_text="Field key to check, field keys defined in Prompt stages are available.",
-            ),
-        ),
-    ]
--- a/authentik/policies/hibp/migrations/0003_haveibeenpwendpolicy_authentik_p_policy__6957d7_idx.py
+++ b/authentik/policies/hibp/migrations/0003_haveibeenpwendpolicy_authentik_p_policy__6957d7_idx.py
@ -1,17 +0,0 @@
-# Generated by Django 4.1.2 on 2022-10-19 19:24
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_policies_hibp", "0002_haveibeenpwendpolicy_password_field"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="haveibeenpwendpolicy",
-            index=models.Index(fields=["policy_ptr_id"], name="authentik_p_policy__6957d7_idx"),
-        ),
-    ]
--- a/authentik/policies/hibp/migrations/init.py
+++ b/authentik/policies/hibp/migrations/init.py
--- a/authentik/policies/hibp/models.py
+++ b/authentik/policies/hibp/models.py
@ -1,71 +0,0 @@
-"""authentik HIBP Models"""
-from hashlib import sha1
-
-from django.db import models
-from django.utils.translation import gettext as _
-from rest_framework.serializers import BaseSerializer
-from structlog.stdlib import get_logger
-
-from authentik.lib.utils.http import get_http_session
-from authentik.policies.models import Policy, PolicyResult
-from authentik.policies.types import PolicyRequest
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-LOGGER = get_logger()
-
-
-class HaveIBeenPwendPolicy(Policy):
-    """DEPRECATED. Check if password is on HaveIBeenPwned's list by uploading the first
-    5 characters of the SHA1 Hash."""
-
-    password_field = models.TextField(
-        default="password",
-        help_text=_("Field key to check, field keys defined in Prompt stages are available."),
-    )
-
-    allowed_count = models.IntegerField(default=0)
-
-    @property
-    def serializer(self) -> type[BaseSerializer]:
-        from authentik.policies.hibp.api import HaveIBeenPwendPolicySerializer
-
-        return HaveIBeenPwendPolicySerializer
-
-    @property
-    def component(self) -> str:
-        return "ak-policy-hibp-form"
-
-    def passes(self, request: PolicyRequest) -> PolicyResult:
-        """Check if password is in HIBP DB. Hashes given Password with SHA1, uses the first 5
-        characters of Password in request and checks if full hash is in response. Returns 0
-        if Password is not in result otherwise the count of how many times it was used."""
-        password = request.context.get(PLAN_CONTEXT_PROMPT, {}).get(
-            self.password_field, request.context.get(self.password_field)
-        )
-        if not password:
-            LOGGER.warning(
-                "Password field not set in Policy Request",
-                field=self.password_field,
-                fields=request.context.keys(),
-            )
-            return PolicyResult(False, _("Password not set in context"))
-        password = str(password)
-
-        pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
-        url = f"https://api.pwnedpasswords.com/range/{pw_hash[:5]}"
-        result = get_http_session().get(url).text
-        final_count = 0
-        for line in result.split("\r\n"):
-            full_hash, count = line.split(":")
-            if pw_hash[5:] == full_hash.lower():
-                final_count = int(count)
-        LOGGER.debug("got hibp result", count=final_count, hash=pw_hash[:5])
-        if final_count > self.allowed_count:
-            message = _("Password exists on %(count)d online lists." % {"count": final_count})
-            return PolicyResult(False, message)
-        return PolicyResult(True)
-
-    class Meta(Policy.PolicyMeta):
-
-        verbose_name = _("Have I Been Pwned Policy")
-        verbose_name_plural = _("Have I Been Pwned Policies")
--- a/authentik/policies/hibp/tests.py
+++ b/authentik/policies/hibp/tests.py
@ -1,44 +0,0 @@
-"""HIBP Policy tests"""
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-
-from authentik.lib.generators import generate_key
-from authentik.policies.hibp.models import HaveIBeenPwendPolicy
-from authentik.policies.types import PolicyRequest, PolicyResult
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-
-class TestHIBPPolicy(TestCase):
-    """Test HIBP Policy"""
-
-    def test_invalid(self):
-        """Test without password"""
-        policy = HaveIBeenPwendPolicy.objects.create(
-            name="test_invalid",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing)
-        self.assertEqual(result.messages[0], "Password not set in context")
-
-    def test_false(self):
-        """Failing password case"""
-        policy = HaveIBeenPwendPolicy.objects.create(
-            name="test_false",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        request.context[PLAN_CONTEXT_PROMPT] = {"password": "password"}  # nosec
-        result: PolicyResult = policy.passes(request)
-        self.assertFalse(result.passing)
-        self.assertTrue(result.messages[0].startswith("Password exists on "))
-
-    def test_true(self):
-        """Positive password case"""
-        policy = HaveIBeenPwendPolicy.objects.create(
-            name="test_true",
-        )
-        request = PolicyRequest(get_anonymous_user())
-        request.context[PLAN_CONTEXT_PROMPT] = {"password": generate_key()}
-        result: PolicyResult = policy.passes(request)
-        self.assertTrue(result.passing)
-        self.assertEqual(result.messages, tuple())
--- a/authentik/policies/password/migrations/0005_passwordpolicy_check_have_i_been_pwned_and_more.py
+++ b/authentik/policies/password/migrations/0005_passwordpolicy_check_have_i_been_pwned_and_more.py
@ -1,34 +1,10 @@
 # Generated by Django 4.1.3 on 2022-11-14 09:23
-from django.apps.registry import Apps
 from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_hibp_policy(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
-
-    HaveIBeenPwendPolicy = apps.get_model("authentik_policies_hibp", "HaveIBeenPwendPolicy")
-    PasswordPolicy = apps.get_model("authentik_policies_password", "PasswordPolicy")
-
-    PolicyBinding = apps.get_model("authentik_policies", "PolicyBinding")
-
-    for old_policy in HaveIBeenPwendPolicy.objects.using(db_alias).all():
-        new_policy = PasswordPolicy.objects.using(db_alias).create(
-            name=old_policy.name,
-            hibp_allowed_count=old_policy.allowed_count,
-            password_field=old_policy.password_field,
-            execution_logging=old_policy.execution_logging,
-            check_static_rules=False,
-            check_have_i_been_pwned=True,
-        )
-        PolicyBinding.objects.using(db_alias).filter(policy=old_policy).update(policy=new_policy)
-        old_policy.delete()


 class Migration(migrations.Migration):

    dependencies = [
-        ("authentik_policies_hibp", "0003_haveibeenpwendpolicy_authentik_p_policy__6957d7_idx"),
        ("authentik_policies_password", "0004_passwordpolicy_authentik_p_policy__855e80_idx"),
    ]

@ -69,5 +45,4 @@ class Migration(migrations.Migration):
            name="error_message",
            field=models.TextField(blank=True),
        ),
-        migrations.RunPython(migrate_hibp_policy),
    ]
--- a/authentik/providers/oauth2/migrations/0009_oauth2provider_verification_keys_and_more.py
+++ b/authentik/providers/oauth2/migrations/0009_oauth2provider_verification_keys_and_more.py
@ -16,7 +16,7 @@ class Migration(migrations.Migration):
            model_name="oauth2provider",
            name="verification_keys",
            field=models.ManyToManyField(
-                help_text="DEPRECATED. JWTs created with the configured certificates can authenticate with this provider.",
+                help_text="JWTs created with the configured certificates can authenticate with this provider.",
                related_name="+",
                to="authentik_crypto.certificatekeypair",
                verbose_name="Allowed certificates for JWT-based client_credentials",
--- a/authentik/providers/oauth2/migrations/0011_oauth2provider_jwks_sources_and_more.py
+++ b/authentik/providers/oauth2/migrations/0011_oauth2provider_jwks_sources_and_more.py
@ -32,7 +32,7 @@ class Migration(migrations.Migration):
            field=models.ManyToManyField(
                blank=True,
                default=None,
-                help_text="DEPRECATED. JWTs created with the configured certificates can authenticate with this provider.",
+                help_text="JWTs created with the configured certificates can authenticate with this provider.",
                related_name="oauth2_providers",
                to="authentik_crypto.certificatekeypair",
                verbose_name="Allowed certificates for JWT-based client_credentials",
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -73,7 +73,6 @@ INSTALLED_APPS = [
    "authentik.policies.event_matcher",
    "authentik.policies.expiry",
    "authentik.policies.expression",
-    "authentik.policies.hibp",
    "authentik.policies.password",
    "authentik.policies.reputation",
    "authentik.policies",
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -69,7 +69,6 @@
                            "authentik_policies_event_matcher.eventmatcherpolicy",
                            "authentik_policies_expiry.passwordexpirypolicy",
                            "authentik_policies_expression.expressionpolicy",
-                            "authentik_policies_hibp.haveibeenpwendpolicy",
                            "authentik_policies_password.passwordpolicy",
                            "authentik_policies_reputation.reputation",
                            "authentik_policies_reputation.reputationpolicy",
--- a/lifecycle/system_migrations/to_2023_1_hibp_remove.py
+++ b/lifecycle/system_migrations/to_2023_1_hibp_remove.py
@ -0,0 +1,19 @@
+# flake8: noqa
+from lifecycle.migrate import BaseMigration
+
+SQL_STATEMENT = """BEGIN TRANSACTION;
+DROP TABLE "authentik_policies_hibp_haveibeenpwendpolicy";
+DELETE FROM django_migrations WHERE app = 'authentik_policies_hibp';
+END TRANSACTION;"""
+
+
+class Migration(BaseMigration):
+    def needs_migration(self) -> bool:
+        self.cur.execute(
+            "SELECT * FROM information_schema.tables WHERE table_name = 'authentik_policies_hibp_haveibeenpwendpolicy';"
+        )
+        return bool(self.cur.rowcount)
+
+    def run(self):
+        self.cur.execute(SQL_STATEMENT)
+        self.con.commit()
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-01-04 17:12+0000\n"
+"POT-Creation-Date: 2023-01-05 12:01+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -537,11 +537,17 @@ msgstr ""
 msgid "Dummy Policies"
 msgstr ""

-#: authentik/policies/event_matcher/models.py:80
+#: authentik/policies/event_matcher/api.py:18
+msgid ""
+"Match events created by selected application. When left empty, all "
+"applications are matched."
+msgstr ""
+
+#: authentik/policies/event_matcher/models.py:79
 msgid "Event Matcher Policy"
 msgstr ""

-#: authentik/policies/event_matcher/models.py:81
+#: authentik/policies/event_matcher/models.py:80
 msgid "Event Matcher Policies"
 msgstr ""

@ -569,30 +575,6 @@ msgstr ""
 msgid "Expression Policies"
 msgstr ""

-#: authentik/policies/hibp/models.py:23
-#: authentik/policies/password/models.py:27
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-
-#: authentik/policies/hibp/models.py:51
-#: authentik/policies/password/models.py:72
-msgid "Password not set in context"
-msgstr ""
-
-#: authentik/policies/hibp/models.py:64
-#: authentik/policies/password/models.py:134
-#, python-format
-msgid "Password exists on %(count)d online lists."
-msgstr ""
-
-#: authentik/policies/hibp/models.py:70
-msgid "Have I Been Pwned Policy"
-msgstr ""
-
-#: authentik/policies/hibp/models.py:71
-msgid "Have I Been Pwned Policies"
-msgstr ""
-
 #: authentik/policies/models.py:23
 msgid "ALL, all policies must pass"
 msgstr ""
@ -633,6 +615,10 @@ msgstr ""
 msgid "Policies"
 msgstr ""

+#: authentik/policies/password/models.py:27
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+
 #: authentik/policies/password/models.py:44
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -642,6 +628,15 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr ""

+#: authentik/policies/password/models.py:72
+msgid "Password not set in context"
+msgstr ""
+
+#: authentik/policies/password/models.py:134
+#, python-format
+msgid "Password exists on %(count)d online lists."
+msgstr ""
+
 #: authentik/policies/password/models.py:154
 msgid "Password is too weak."
 msgstr ""
@ -949,6 +944,14 @@ msgstr ""
 msgid "authentik API Access on behalf of your user"
 msgstr ""

+#: authentik/providers/proxy/api.py:51
+msgid "User and password attributes must be set when basic auth is enabled."
+msgstr ""
+
+#: authentik/providers/proxy/api.py:61
+msgid "Internal host cannot be empty when forward auth is disabled."
+msgstr ""
+
 #: authentik/providers/proxy/models.py:54
 msgid "Validate SSL Certificates of upstream servers"
 msgstr ""
--- a/schema.yml
+++ b/schema.yml
@ -10597,55 +10597,6 @@ paths:
        name: app
        schema:
          type: string
-          enum:
-          - authentik.admin
-          - authentik.api
-          - authentik.blueprints
-          - authentik.core
-          - authentik.crypto
-          - authentik.events
-          - authentik.flows
-          - authentik.lib
-          - authentik.outposts
-          - authentik.policies
-          - authentik.policies.dummy
-          - authentik.policies.event_matcher
-          - authentik.policies.expiry
-          - authentik.policies.expression
-          - authentik.policies.hibp
-          - authentik.policies.password
-          - authentik.policies.reputation
-          - authentik.providers.ldap
-          - authentik.providers.oauth2
-          - authentik.providers.proxy
-          - authentik.providers.saml
-          - authentik.recovery
-          - authentik.sources.ldap
-          - authentik.sources.oauth
-          - authentik.sources.plex
-          - authentik.sources.saml
-          - authentik.stages.authenticator_duo
-          - authentik.stages.authenticator_sms
-          - authentik.stages.authenticator_static
-          - authentik.stages.authenticator_totp
-          - authentik.stages.authenticator_validate
-          - authentik.stages.authenticator_webauthn
-          - authentik.stages.captcha
-          - authentik.stages.consent
-          - authentik.stages.deny
-          - authentik.stages.dummy
-          - authentik.stages.email
-          - authentik.stages.identification
-          - authentik.stages.invitation
-          - authentik.stages.password
-          - authentik.stages.prompt
-          - authentik.stages.user_delete
-          - authentik.stages.user_login
-          - authentik.stages.user_logout
-          - authentik.stages.user_write
-          - authentik.tenants
-        description: Match events created by selected application. When left empty,
-          all applications are matched.
      - in: query
        name: client_ip
        schema:
@ -11225,302 +11176,6 @@ paths:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
-  /policies/haveibeenpwned/:
-    get:
-      operationId: policies_haveibeenpwned_list
-      description: Source Viewset
-      parameters:
-      - in: query
-        name: allowed_count
-        schema:
-          type: integer
-      - in: query
-        name: created
-        schema:
-          type: string
-          format: date-time
-      - in: query
-        name: execution_logging
-        schema:
-          type: boolean
-      - in: query
-        name: last_updated
-        schema:
-          type: string
-          format: date-time
-      - in: query
-        name: name
-        schema:
-          type: string
-      - name: ordering
-        required: false
-        in: query
-        description: Which field to use when ordering the results.
-        schema:
-          type: string
-      - name: page
-        required: false
-        in: query
-        description: A page number within the paginated result set.
-        schema:
-          type: integer
-      - name: page_size
-        required: false
-        in: query
-        description: Number of results to return per page.
-        schema:
-          type: integer
-      - in: query
-        name: password_field
-        schema:
-          type: string
-      - in: query
-        name: policy_uuid
-        schema:
-          type: string
-          format: uuid
-      - name: search
-        required: false
-        in: query
-        description: A search term.
-        schema:
-          type: string
-      tags:
-      - policies
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/PaginatedHaveIBeenPwendPolicyList'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
-    post:
-      operationId: policies_haveibeenpwned_create
-      description: Source Viewset
-      tags:
-      - policies
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/HaveIBeenPwendPolicyRequest'
-        required: true
-      security:
-      - authentik: []
-      responses:
-        '201':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/HaveIBeenPwendPolicy'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
-  /policies/haveibeenpwned/{policy_uuid}/:
-    get:
-      operationId: policies_haveibeenpwned_retrieve
-      description: Source Viewset
-      parameters:
-      - in: path
-        name: policy_uuid
-        schema:
-          type: string
-          format: uuid
-        description: A UUID string identifying this Have I Been Pwned Policy.
-        required: true
-      tags:
-      - policies
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/HaveIBeenPwendPolicy'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
-    put:
-      operationId: policies_haveibeenpwned_update
-      description: Source Viewset
-      parameters:
-      - in: path
-        name: policy_uuid
-        schema:
-          type: string
-          format: uuid
-        description: A UUID string identifying this Have I Been Pwned Policy.
-        required: true
-      tags:
-      - policies
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/HaveIBeenPwendPolicyRequest'
-        required: true
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/HaveIBeenPwendPolicy'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
-    patch:
-      operationId: policies_haveibeenpwned_partial_update
-      description: Source Viewset
-      parameters:
-      - in: path
-        name: policy_uuid
-        schema:
-          type: string
-          format: uuid
-        description: A UUID string identifying this Have I Been Pwned Policy.
-        required: true
-      tags:
-      - policies
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/PatchedHaveIBeenPwendPolicyRequest'
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/HaveIBeenPwendPolicy'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
-    delete:
-      operationId: policies_haveibeenpwned_destroy
-      description: Source Viewset
-      parameters:
-      - in: path
-        name: policy_uuid
-        schema:
-          type: string
-          format: uuid
-        description: A UUID string identifying this Have I Been Pwned Policy.
-        required: true
-      tags:
-      - policies
-      security:
-      - authentik: []
-      responses:
-        '204':
-          description: No response body
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
-  /policies/haveibeenpwned/{policy_uuid}/used_by/:
-    get:
-      operationId: policies_haveibeenpwned_used_by_list
-      description: Get a list of all objects that use this object
-      parameters:
-      - in: path
-        name: policy_uuid
-        schema:
-          type: string
-          format: uuid
-        description: A UUID string identifying this Have I Been Pwned Policy.
-        required: true
-      tags:
-      - policies
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                type: array
-                items:
-                  $ref: '#/components/schemas/UsedBy'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
  /policies/password/:
    get:
      operationId: policies_password_list
@ -25093,7 +24748,6 @@ components:
      - authentik.policies.event_matcher
      - authentik.policies.expiry
      - authentik.policies.expression
-      - authentik.policies.hibp
      - authentik.policies.password
      - authentik.policies.reputation
      - authentik.policies
@ -28347,74 +28001,6 @@ components:
          additionalProperties: {}
      required:
      - name
-    HaveIBeenPwendPolicy:
-      type: object
-      description: Have I Been Pwned Policy Serializer
-      properties:
-        pk:
-          type: string
-          format: uuid
-          readOnly: true
-          title: Policy uuid
-        name:
-          type: string
-        execution_logging:
-          type: boolean
-          description: When this option is enabled, all executions of this policy
-            will be logged. By default, only execution errors are logged.
-        component:
-          type: string
-          readOnly: true
-        verbose_name:
-          type: string
-          readOnly: true
-        verbose_name_plural:
-          type: string
-          readOnly: true
-        meta_model_name:
-          type: string
-          readOnly: true
-        bound_to:
-          type: integer
-          readOnly: true
-        password_field:
-          type: string
-          description: Field key to check, field keys defined in Prompt stages are
-            available.
-        allowed_count:
-          type: integer
-          maximum: 2147483647
-          minimum: -2147483648
-      required:
-      - bound_to
-      - component
-      - meta_model_name
-      - name
-      - pk
-      - verbose_name
-      - verbose_name_plural
-    HaveIBeenPwendPolicyRequest:
-      type: object
-      description: Have I Been Pwned Policy Serializer
-      properties:
-        name:
-          type: string
-          minLength: 1
-        execution_logging:
-          type: boolean
-          description: When this option is enabled, all executions of this policy
-            will be logged. By default, only execution errors are logged.
-        password_field:
-          type: string
-          minLength: 1
-          description: Field key to check, field keys defined in Prompt stages are
-            available.
-        allowed_count:
-          type: integer
-          maximum: 2147483647
-          minimum: -2147483648
-      required:
-      - name
    IdentificationChallenge:
      type: object
      description: Identification challenges with all UI elements
@ -31154,41 +30740,6 @@ components:
      required:
      - pagination
      - results
-    PaginatedHaveIBeenPwendPolicyList:
-      type: object
-      properties:
-        pagination:
-          type: object
-          properties:
-            next:
-              type: number
-            previous:
-              type: number
-            count:
-              type: number
-            current:
-              type: number
-            total_pages:
-              type: number
-            start_index:
-              type: number
-            end_index:
-              type: number
-          required:
-          - next
-          - previous
-          - count
-          - current
-          - total_pages
-          - start_index
-          - end_index
-        results:
-          type: array
-          items:
-            $ref: '#/components/schemas/HaveIBeenPwendPolicy'
-      required:
-      - pagination
-      - results
    PaginatedIdentificationStageList:
      type: object
      properties:
@ -33961,26 +33512,6 @@ components:
        attributes:
          type: object
          additionalProperties: {}
-    PatchedHaveIBeenPwendPolicyRequest:
-      type: object
-      description: Have I Been Pwned Policy Serializer
-      properties:
-        name:
-          type: string
-          minLength: 1
-        execution_logging:
-          type: boolean
-          description: When this option is enabled, all executions of this policy
-            will be logged. By default, only execution errors are logged.
-        password_field:
-          type: string
-          minLength: 1
-          description: Field key to check, field keys defined in Prompt stages are
-            available.
-        allowed_count:
-          type: integer
-          maximum: 2147483647
-          minimum: -2147483648
    PatchedIdentificationStageRequest:
      type: object
      description: IdentificationStage Serializer
--- a/web/src/admin/policies/PolicyListPage.ts
+++ b/web/src/admin/policies/PolicyListPage.ts
@ -4,7 +4,6 @@ import "@goauthentik/admin/policies/dummy/DummyPolicyForm";
 import "@goauthentik/admin/policies/event_matcher/EventMatcherPolicyForm";
 import "@goauthentik/admin/policies/expiry/ExpiryPolicyForm";
 import "@goauthentik/admin/policies/expression/ExpressionPolicyForm";
-import "@goauthentik/admin/policies/hibp/HaveIBeenPwnedPolicyForm";
 import "@goauthentik/admin/policies/password/PasswordPolicyForm";
 import "@goauthentik/admin/policies/reputation/ReputationPolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
--- a/web/src/admin/policies/PolicyWizard.ts
+++ b/web/src/admin/policies/PolicyWizard.ts
@ -3,7 +3,6 @@ import "@goauthentik/admin/policies/dummy/DummyPolicyForm";
 import "@goauthentik/admin/policies/event_matcher/EventMatcherPolicyForm";
 import "@goauthentik/admin/policies/expiry/ExpiryPolicyForm";
 import "@goauthentik/admin/policies/expression/ExpressionPolicyForm";
-import "@goauthentik/admin/policies/hibp/HaveIBeenPwnedPolicyForm";
 import "@goauthentik/admin/policies/password/PasswordPolicyForm";
 import "@goauthentik/admin/policies/reputation/ReputationPolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
--- a/web/src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
+++ b/web/src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
@ -1,108 +0,0 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
-
-import { t } from "@lingui/macro";
-
-import { TemplateResult, html } from "lit";
-import { customElement } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import { HaveIBeenPwendPolicy, PoliciesApi } from "@goauthentik/api";
-
-@customElement("ak-policy-hibp-form")
-export class HaveIBeenPwnedPolicyForm extends ModelForm<HaveIBeenPwendPolicy, string> {
-    loadInstance(pk: string): Promise<HaveIBeenPwendPolicy> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesHaveibeenpwnedRetrieve({
-            policyUuid: pk,
-        });
-    }
-
-    getSuccessMessage(): string {
-        if (this.instance) {
-            return t`Successfully updated policy.`;
-        } else {
-            return t`Successfully created policy.`;
-        }
-    }
-
-    send = (data: HaveIBeenPwendPolicy): Promise<HaveIBeenPwendPolicy> => {
-        if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesHaveibeenpwnedUpdate({
-                policyUuid: this.instance.pk || "",
-                haveIBeenPwendPolicyRequest: data,
-            });
-        } else {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesHaveibeenpwnedCreate({
-                haveIBeenPwendPolicyRequest: data,
-            });
-        }
-    };
-
-    renderForm(): TemplateResult {
-        return html`<form class="pf-c-form pf-m-horizontal">
-            <div class="form-help-text">
-                ${t`Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.
-                Note that only a part of the hash of the password is sent, the full comparison is done clientside.`}
-            </div>
-            <ak-form-element-horizontal label=${t`Name`} ?required=${true} name="name">
-                <input
-                    type="text"
-                    value="${ifDefined(this.instance?.name || "")}"
-                    class="pf-c-form-control"
-                    required
-                />
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal name="executionLogging">
-                <div class="pf-c-check">
-                    <input
-                        type="checkbox"
-                        class="pf-c-check__input"
-                        ?checked=${first(this.instance?.executionLogging, false)}
-                    />
-                    <label class="pf-c-check__label"> ${t`Execution logging`} </label>
-                </div>
-                <p class="pf-c-form__helper-text">
-                    ${t`When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged.`}
-                </p>
-            </ak-form-element-horizontal>
-            <ak-form-group .expanded=${true}>
-                <span slot="header"> ${t`Policy-specific settings`} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${t`Password field`}
-                        ?required=${true}
-                        name="passwordField"
-                    >
-                        <input
-                            type="text"
-                            value="${ifDefined(this.instance?.passwordField || "password")}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${t`Field key to check, field keys defined in Prompt stages are available.`}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${t`Allowed count`}
-                        ?required=${true}
-                        name="allowedCount"
-                    >
-                        <input
-                            type="number"
-                            value="${first(this.instance?.allowedCount, 0)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${t`Allow up to N occurrences in the HIBP database.`}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-        </form>`;
-    }
-}
--- a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -417,10 +417,7 @@ ${this.instance?.redirectUris}</textarea
                            )}
                        </select>
                        <p class="pf-c-form__helper-text">
-                            ${t`Deprecated. Instead of using this field, configure the JWKS data/URL in Sources.`}
-                        </p>
-                        <p class="pf-c-form__helper-text">
-                            ${t`JWTs signed by certificates configured here can be used to authenticate to the provider.`}
+                            ${t`JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.`}
                        </p>
                        <p class="pf-c-form__helper-text">
                            ${t`Hold control/command to select multiple items.`}
--- a/web/src/locales/de.po
+++ b/web/src/locales/de.po
@ -406,7 +406,6 @@ msgstr "IDP-initiierte Anmeldungen zulassen"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "Freunden erlauben sich via Plex zu authentifizieren, auch wenn keine Server geteilt werden."

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "Erlaube bis zu N Einträge in der HIBP Datenbank."
@ -419,7 +418,6 @@ msgstr "Erlauben Sie Benutzern die Verwendung von Anwendungen auf der Grundlage
 msgid "Allowed Redirect URIs"
 msgstr "Erlaubte Weiterleitungs-URIs"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "Erlaubte Anzahl"
@ -1128,12 +1126,12 @@ msgid "Checkbox"
 msgstr "Checkbox"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"Prüft einen Wert aus der Richtlinienanfrage gegen die Have I been Pwned API und lehnt die Anfrage basierend darauf ab.\n"
-"Beachten Sie, dass nur ein Teil des Hashs des Passworts gesendet wird, der vollständige Vergleich erfolgt clientseitig."
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "Prüft einen Wert aus der Richtlinienanfrage gegen die Have I been Pwned API und lehnt die Anfrage basierend darauf ab.\n"
+#~ "Beachten Sie, dass nur ein Teil des Hashs des Passworts gesendet wird, der vollständige Vergleich erfolgt clientseitig."

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1859,8 +1857,8 @@ msgid "Deny the user access"
 msgstr "Dem Benutzer den Zugang verweigern"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr "Veraltet. Anstatt dieses Feld zu verwenden, konfigurieren Sie die JWKS-Daten/URL in Sources."
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr "Veraltet. Anstatt dieses Feld zu verwenden, konfigurieren Sie die JWKS-Daten/URL in Sources."

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2341,7 +2339,6 @@ msgstr "Führt das Python-Snippet aus, um zu bestimmen, ob eine Anfrage zugelass
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2508,7 +2505,6 @@ msgstr "Feld"
 msgid "Field Key"
 msgstr "Schlüsselfeld"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "Zu prüfender Feldschlüssel, die in den Aufforderungsphasen definierten Feldschlüssel sind verfügbar."
@ -3221,8 +3217,12 @@ msgstr ""
 #~ msgstr "JWT Algorithmus"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
-msgstr "JWTs, welche mit den hier konfigurierten Zertifikaten signiert werden, können zur Authentifizierung beim Provider benutzt werden."
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr "JWTs, welche mit den hier konfigurierten Zertifikaten signiert werden, können zur Authentifizierung beim Provider benutzt werden."
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
+msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Key used to sign the tokens."
@ -3701,7 +3701,6 @@ msgstr "Meine Anwendungen"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4331,7 +4330,6 @@ msgstr "Passwort"
 #~ msgid "Password expiry policy"
 #~ msgstr "Richtlinie für Passwortablauf"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "Passwortfeld "
@ -4488,7 +4486,6 @@ msgstr "Richtlinie {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "Richtlinienspezifische Einstellungen"
@ -5749,7 +5746,6 @@ msgstr "Outpost erfolgreich erstellt."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -5931,7 +5927,6 @@ msgstr "Passwort erfolgreich aktualisiert."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7355,7 +7350,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@ -389,7 +389,6 @@ msgstr "Allow IDP-initiated logins"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "Allow friends to authenticate via Plex, even if you don't share any servers"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "Allow up to N occurrences in the HIBP database."
@ -402,7 +401,6 @@ msgstr "Allow users to use Applications based on properties, enforce Password Cr
 msgid "Allowed Redirect URIs"
 msgstr "Allowed Redirect URIs"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "Allowed count"
@ -1124,12 +1122,12 @@ msgid "Checkbox"
 msgstr "Checkbox"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1871,8 +1869,8 @@ msgid "Deny the user access"
 msgstr "Deny the user access"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2376,7 +2374,6 @@ msgstr "Executes the python snippet to determine whether to allow or deny a requ
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2544,7 +2541,6 @@ msgstr "Field"
 msgid "Field Key"
 msgstr "Field Key"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "Field key to check, field keys defined in Prompt stages are available."
@ -3273,8 +3269,12 @@ msgstr "JWKS URL"
 #~ msgstr "JWT Algorithm"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
-msgstr "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr "JWTs signed by certificates configured here can be used to authenticate to the provider."
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
+msgstr "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Key used to sign the tokens."
@ -3758,7 +3758,6 @@ msgstr "My applications"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4405,7 +4404,6 @@ msgstr "Password"
 #~ msgid "Password expiry policy"
 #~ msgstr "Password expiry policy"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "Password field"
@ -4573,7 +4571,6 @@ msgstr "Policy {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "Policy-specific settings"
@ -5878,7 +5875,6 @@ msgstr "Successfully created outpost."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -6063,7 +6059,6 @@ msgstr "Successfully updated password."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7514,7 +7509,6 @@ msgstr "When selected, the invite will only be usable with the flow. By default
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/es.po
+++ b/web/src/locales/es.po
@ -384,7 +384,6 @@ msgstr "Permitir inicios de sesión iniciados por el proveedor IDP"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "Permite que tus amigos se autentiquen a través de Plex, incluso si no compartes ningún servidor"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "Permite hasta N ocurrencias en la base de datos HIBP."
@ -397,7 +396,6 @@ msgstr "Permitir a los usuarios utilizar aplicaciones en función de las propied
 msgid "Allowed Redirect URIs"
 msgstr "URIs de redireccionamiento permitidas"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "Recuento permitido"
@ -1104,12 +1102,12 @@ msgid "Checkbox"
 msgstr "Casilla de verificación"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"Comprueba un valor de la solicitud de política contra la API 'Have I been Pwned' y rechaza la solicitud en función de eso.\n"
-"Tenga en cuenta que solo se envía una parte del hash de la contraseña, la comparación completa se realiza en el lado del cliente."
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "Comprueba un valor de la solicitud de política contra la API 'Have I been Pwned' y rechaza la solicitud en función de eso.\n"
+#~ "Tenga en cuenta que solo se envía una parte del hash de la contraseña, la comparación completa se realiza en el lado del cliente."

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1835,8 +1833,8 @@ msgid "Deny the user access"
 msgstr "Denegar el acceso al usuario"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr ""
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr ""

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2317,7 +2315,6 @@ msgstr "Ejecutar el fragmento Python para determinar si se permite o deniega una
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2484,7 +2481,6 @@ msgstr "Campo"
 msgid "Field Key"
 msgstr "Clave de campo"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "Clave de campo para comprobar, están disponibles las claves de campo definidas en las etapas de solicitud."
@ -3197,7 +3193,11 @@ msgstr ""
 #~ msgstr "Algoritmo JWT"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr ""
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -3677,7 +3677,6 @@ msgstr "Mis aplicaciones"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4307,7 +4306,6 @@ msgstr "Contraseña"
 #~ msgid "Password expiry policy"
 #~ msgstr ""

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "Campo de contraseña"
@ -4464,7 +4462,6 @@ msgstr "Política {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "Configuración específica de políticas"
@ -5725,7 +5722,6 @@ msgstr "Puesto avanzado creado correctamente."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -5907,7 +5903,6 @@ msgstr "La contraseña se actualizó correctamente."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7331,7 +7326,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@ -389,7 +389,6 @@ msgstr "Autoriser les logins initiés par l'IDP"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "Autoriser les amis à s'authentifier via Plex, même si vous ne partagez aucun serveur"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "Autoriser jusqu'à N occurrences dans la base de données HIBP"
@ -402,7 +401,6 @@ msgstr "Permettre aux usagers l'utilisation d'applications sur la base de leurs
 msgid "Allowed Redirect URIs"
 msgstr "URL de redirection autorisées"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "Total autoris"
@ -1109,12 +1107,12 @@ msgid "Checkbox"
 msgstr "Case à cocher"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"Vérifie une valeur de la requête via l'API de Have I Been Pwned et refuse l'accès selon la réponse.\n"
-"À noter que seul une partie de l'hash du mot de passe est envoyée, la comparaison complète est faite en local."
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "Vérifie une valeur de la requête via l'API de Have I Been Pwned et refuse l'accès selon la réponse.\n"
+#~ "À noter que seul une partie de l'hash du mot de passe est envoyée, la comparaison complète est faite en local."

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1838,8 +1836,8 @@ msgid "Deny the user access"
 msgstr "Refuser l'accès à l'utilisateu"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr ""
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr ""

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2320,7 +2318,6 @@ msgstr "Exécute le fragment de code python pour décider d'autoriser ou non la
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2487,7 +2484,6 @@ msgstr "Champ"
 msgid "Field Key"
 msgstr "Clé du champ"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "Clé de champ à vérifier ; les clés de champ définies dans les étapes de d'invite sont disponibles."
@ -3198,7 +3194,11 @@ msgstr ""
 #~ msgstr "Algorithme JWT"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr ""
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -3678,7 +3678,6 @@ msgstr "Mes applications"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4308,7 +4307,6 @@ msgstr "Mot de passe"
 #~ msgid "Password expiry policy"
 #~ msgstr "Politique d'expiration du mot de passe"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "Champ mot de passe"
@ -4465,7 +4463,6 @@ msgstr "Poliitique {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "Paramètres spécifiques à la politique"
@ -5726,7 +5723,6 @@ msgstr "Avant-poste créé avec succès"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -5908,7 +5904,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7322,7 +7317,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/pl.po
+++ b/web/src/locales/pl.po
@ -388,7 +388,6 @@ msgstr "Zezwalaj na logowanie inicjowane przez IDP"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "Zezwalaj znajomym na uwierzytelnianie przez Plex, nawet jeśli nie udostępniasz żadnych serwerów"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "Dopuść do N wystąpień w bazie danych HIBP."
@ -401,7 +400,6 @@ msgstr "Zezwalaj użytkownikom na korzystanie z aplikacji na podstawie właściw
 msgid "Allowed Redirect URIs"
 msgstr "Dozwolone URI przekierowania"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "Dozwolona liczba"
@ -1110,12 +1108,12 @@ msgid "Checkbox"
 msgstr "Pole wyboru"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"Sprawdza wartość z żądania zasad względem interfejsu API Have I been Pwned i na tej podstawie odrzuca żądanie.\n"
-"Zwróć uwagę, że wysyłana jest tylko część skrótu hasła, pełne porównanie odbywa się po stronie klienta."
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "Sprawdza wartość z żądania zasad względem interfejsu API Have I been Pwned i na tej podstawie odrzuca żądanie.\n"
+#~ "Zwróć uwagę, że wysyłana jest tylko część skrótu hasła, pełne porównanie odbywa się po stronie klienta."

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1841,8 +1839,8 @@ msgid "Deny the user access"
 msgstr "Odmów użytkownikowi dostępu"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr "Przestarzałe. Zamiast używać tego pola, skonfiguruj dane/adres URL JWKS w Źródłach."
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr "Przestarzałe. Zamiast używać tego pola, skonfiguruj dane/adres URL JWKS w Źródłach."

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2323,7 +2321,6 @@ msgstr "Wykonuje fragment kodu Pythona, aby określić, czy zezwolić, czy odrzu
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2490,7 +2487,6 @@ msgstr "Pole"
 msgid "Field Key"
 msgstr "Klucz pola"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "Klucz pola do sprawdzenia, dostępne są klucze pola zdefiniowane w etapach monitu."
@ -3205,8 +3201,12 @@ msgstr ""
 #~ msgstr "Algorytm JWT"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
-msgstr "JWTs podpisane przez certyfikaty skonfigurowane tutaj mogą służyć do uwierzytelniania u dostawcy."
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr "JWTs podpisane przez certyfikaty skonfigurowane tutaj mogą służyć do uwierzytelniania u dostawcy."
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
+msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Key used to sign the tokens."
@ -3685,7 +3685,6 @@ msgstr "Moje aplikacje"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4315,7 +4314,6 @@ msgstr "Hasło"
 #~ msgid "Password expiry policy"
 #~ msgstr "Zasada wygaśnięcia hasła"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "Pole hasła"
@ -4474,7 +4472,6 @@ msgstr "Zasada {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "Ustawienia specyficzne zasady"
@ -5735,7 +5732,6 @@ msgstr "Pomyślnie utworzono placówkę."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -5917,7 +5913,6 @@ msgstr "Pomyślnie zaktualizowano hasło."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7343,7 +7338,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@ -385,7 +385,6 @@ msgstr ""
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr ""

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr ""
@ -398,7 +397,6 @@ msgstr ""
 msgid "Allowed Redirect URIs"
 msgstr ""

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr ""
@ -1114,10 +1112,10 @@ msgid "Checkbox"
 msgstr ""

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1857,8 +1855,8 @@ msgid "Deny the user access"
 msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr ""
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr ""

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2362,7 +2360,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2530,7 +2527,6 @@ msgstr ""
 msgid "Field Key"
 msgstr ""

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr ""
@ -3255,7 +3251,11 @@ msgstr ""
 #~ msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr ""
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -3740,7 +3740,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4387,7 +4386,6 @@ msgstr ""
 #~ msgid "Password expiry policy"
 #~ msgstr ""

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr ""
@ -4553,7 +4551,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr ""
@ -5858,7 +5855,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -6043,7 +6039,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7482,7 +7477,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/tr.po
+++ b/web/src/locales/tr.po
@ -384,7 +384,6 @@ msgstr "IDP tarafından başlatılan oturumlara izin ver"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "Herhangi bir sunucu paylaşmasan bile arkadaşlarının Plex aracılığıyla kimlik doğrulamasına izin ver"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "HIBP veritabanında N oluşumuna kadar izin ver."
@ -397,7 +396,6 @@ msgstr "Kullanıcıların özelliklere göre Uygulamaları kullanmasına, Parola
 msgid "Allowed Redirect URIs"
 msgstr "İzin Verilen Yeniden Yönlendirme URI'leri"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "İzin verilen sayısı"
@ -1104,12 +1102,12 @@ msgid "Checkbox"
 msgstr "Onay Kutusu"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"İlke isteğindeki bir değeri Pwned Oldum API'sine karşı denetler ve isteği buna dayanarak reddeder.\n"
-"Parolanın karma yalnızca bir kısmının gönderildiğini unutmayın, tam karşılaştırma istemci tarafında yapılır."
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "İlke isteğindeki bir değeri Pwned Oldum API'sine karşı denetler ve isteği buna dayanarak reddeder.\n"
+#~ "Parolanın karma yalnızca bir kısmının gönderildiğini unutmayın, tam karşılaştırma istemci tarafında yapılır."

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1835,8 +1833,8 @@ msgid "Deny the user access"
 msgstr "Kullanıcı erişimini engelle"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr ""
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr ""

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2317,7 +2315,6 @@ msgstr "Bir isteğe izin verip reddedilmeyeceğini belirlemek için python parç
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2484,7 +2481,6 @@ msgstr "Alan"
 msgid "Field Key"
 msgstr "Alan Anahtarı"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "Alan tuşu kontrol etmek için, İstem aşamalarında tanımlanan alan tuşları mevcuttur."
@ -3197,7 +3193,11 @@ msgstr ""
 #~ msgstr "JWT Algoritması"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr ""
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
 msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -3677,7 +3677,6 @@ msgstr "Uygulamalarım"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4307,7 +4306,6 @@ msgstr "Parola"
 #~ msgid "Password expiry policy"
 #~ msgstr ""

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "Parola alanı"
@ -4464,7 +4462,6 @@ msgstr "İlke {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "İlke özel ayarlar"
@ -5725,7 +5722,6 @@ msgstr "Üs başarıyla oluşturdu."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -5907,7 +5903,6 @@ msgstr "Parola başarıyla güncellendi."
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7331,7 +7326,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/zh-Hans.po
+++ b/web/src/locales/zh-Hans.po
@ -390,7 +390,6 @@ msgstr "允许 IDP 发起的登录"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "允许好友通过 Plex 进行身份验证，即使您不共享任何服务器。"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "HIBP 数据库中最多允许 N 次出现。"
@ -403,7 +402,6 @@ msgstr "允许用户根据属性使用应用程序、强制使用密码标准以
 msgid "Allowed Redirect URIs"
 msgstr "允许的重定向 URI"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "允许的计数"
@ -1112,12 +1110,12 @@ msgid "Checkbox"
 msgstr "复选框"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"根据 Have I been Pwned API 检查策略请求中的值，以此拒绝请求。\n"
-"请注意，只有一部分密码哈希值被发送，完整的比较是在客户端完成的。"
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "根据 Have I been Pwned API 检查策略请求中的值，以此拒绝请求。\n"
+#~ "请注意，只有一部分密码哈希值被发送，完整的比较是在客户端完成的。"

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1843,8 +1841,8 @@ msgid "Deny the user access"
 msgstr "拒绝用户访问"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr "已弃用。请在身份来源中配置 JWKS 数据 / URL 代替此字段。"
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr "已弃用。请在身份来源中配置 JWKS 数据 / URL 代替此字段。"

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2325,7 +2323,6 @@ msgstr "执行 Python 代码段以确定是允许还是拒绝请求。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2492,7 +2489,6 @@ msgstr "字段"
 msgid "Field Key"
 msgstr "字段键"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
@ -3205,8 +3201,12 @@ msgstr ""
 #~ msgstr "JWT 算法"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
-msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
+msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Key used to sign the tokens."
@ -3685,7 +3685,6 @@ msgstr "我的应用"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4315,7 +4314,6 @@ msgstr "密码"
 #~ msgid "Password expiry policy"
 #~ msgstr "密码过期策略"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "密码字段"
@ -4472,7 +4470,6 @@ msgstr "策略 {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "特定策略设置"
@ -5733,7 +5730,6 @@ msgstr "已成功创建前哨。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -5915,7 +5911,6 @@ msgstr "已成功更新密码。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7341,7 +7336,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/zh-Hant.po
+++ b/web/src/locales/zh-Hant.po
@ -390,7 +390,6 @@ msgstr "允许 IDP 发起的登入"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "允许好友通过Plex进行身份验证，即使您不共享任何服务器"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "HIBP 数据库中最多允许 N 次出现。"
@ -403,7 +402,6 @@ msgstr "允许用户根据属性使用应用程序、强制使用密码标准以
 msgid "Allowed Redirect URIs"
 msgstr "允许的重定向 URI"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "允许计数"
@ -1112,12 +1110,12 @@ msgid "Checkbox"
 msgstr "复选框"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"根据我是否拥有 API 检查策略请求中的值，然后根据该值拒绝请求。\n"
-"请注意，只有一部分密码哈希值被发送，完整的比较是在客户端完成的。"
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "根据我是否拥有 API 检查策略请求中的值，然后根据该值拒绝请求。\n"
+#~ "请注意，只有一部分密码哈希值被发送，完整的比较是在客户端完成的。"

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1843,8 +1841,8 @@ msgid "Deny the user access"
 msgstr "拒绝用户访问"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr ""
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr ""

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2325,7 +2323,6 @@ msgstr "执行 python 代码段以确定是允许还是拒绝请求。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2492,7 +2489,6 @@ msgstr "字段"
 msgid "Field Key"
 msgstr "字段键"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要检查的字段键，提示阶段中定义的字段键可用。"
@ -3205,8 +3201,12 @@ msgstr ""
 #~ msgstr "JWT 算法"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
-msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
+msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Key used to sign the tokens."
@ -3685,7 +3685,6 @@ msgstr "我的应用"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4315,7 +4314,6 @@ msgstr "密码"
 #~ msgid "Password expiry policy"
 #~ msgstr "密码过期策略"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "“密码” 字段"
@ -4472,7 +4470,6 @@ msgstr "策略 {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "特定于策略的设置"
@ -5733,7 +5730,6 @@ msgstr "已成功创建 Outpost。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -5915,7 +5911,6 @@ msgstr "已成功更新密码。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7341,7 +7336,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/web/src/locales/zh_TW.po
+++ b/web/src/locales/zh_TW.po
@ -390,7 +390,6 @@ msgstr "允许 IDP 发起的登入"
 msgid "Allow friends to authenticate via Plex, even if you don't share any servers"
 msgstr "允许好友通过Plex进行身份验证，即使您不共享任何服务器"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allow up to N occurrences in the HIBP database."
 msgstr "HIBP 数据库中最多允许 N 次出现。"
@ -403,7 +402,6 @@ msgstr "允许用户根据属性使用应用程序、强制使用密码标准以
 msgid "Allowed Redirect URIs"
 msgstr "允许的重定向 URI"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Allowed count"
 msgstr "允许计数"
@ -1112,12 +1110,12 @@ msgid "Checkbox"
 msgstr "复选框"

 #: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
-msgid ""
-"Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
-"Note that only a part of the hash of the password is sent, the full comparison is done clientside."
-msgstr ""
-"根据我是否拥有 API 检查策略请求中的值，然后根据该值拒绝请求。\n"
-"请注意，只有一部分密码哈希值被发送，完整的比较是在客户端完成的。"
+#~ msgid ""
+#~ "Checks a value from the policy request against the Have I been Pwned API, and denys the request based upon that.\n"
+#~ "Note that only a part of the hash of the password is sent, the full comparison is done clientside."
+#~ msgstr ""
+#~ "根据我是否拥有 API 检查策略请求中的值，然后根据该值拒绝请求。\n"
+#~ "请注意，只有一部分密码哈希值被发送，完整的比较是在客户端完成的。"

 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 msgid "Checks if the request's user's password has been changed in the last x days, and denys based on settings."
@ -1843,8 +1841,8 @@ msgid "Deny the user access"
 msgstr "拒绝用户访问"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
-msgstr ""
+#~ msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
+#~ msgstr ""

 #: src/admin/applications/ApplicationForm.ts
 #: src/admin/applications/wizard/InitialApplicationWizardPage.ts
@ -2325,7 +2323,6 @@ msgstr "执行 python 代码段以确定是允许还是拒绝请求。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Execution logging"
@ -2492,7 +2489,6 @@ msgstr "字段"
 msgid "Field Key"
 msgstr "字段键"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Field key to check, field keys defined in Prompt stages are available."
 msgstr "要检查的字段键，提示阶段中定义的字段键可用。"
@ -3205,8 +3201,12 @@ msgstr ""
 #~ msgstr "JWT 算法"

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
-msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
-msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
+#~ msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
+#~ msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
+
+#: src/admin/providers/oauth2/OAuth2ProviderForm.ts
+msgid "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider."
+msgstr ""

 #: src/admin/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Key used to sign the tokens."
@ -3685,7 +3685,6 @@ msgstr "我的应用"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 #: src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -4315,7 +4314,6 @@ msgstr "密码"
 #~ msgid "Password expiry policy"
 #~ msgstr "密码过期策略"

-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 msgid "Password field"
 msgstr "“密码” 字段"
@ -4472,7 +4470,6 @@ msgstr "策略 {0}"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Policy-specific settings"
 msgstr "特定于策略的设置"
@ -5733,7 +5730,6 @@ msgstr "已成功创建 Outpost。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully created policy."
@ -5915,7 +5911,6 @@ msgstr "已成功更新密码。"
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "Successfully updated policy."
@ -7341,7 +7336,6 @@ msgstr ""
 #: src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
 #: src/admin/policies/expiry/ExpiryPolicyForm.ts
 #: src/admin/policies/expression/ExpressionPolicyForm.ts
-#: src/admin/policies/hibp/HaveIBeenPwnedPolicyForm.ts
 #: src/admin/policies/password/PasswordPolicyForm.ts
 #: src/admin/policies/reputation/ReputationPolicyForm.ts
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
--- a/website/docs/releases/2023/v2023.1.md
+++ b/website/docs/releases/2023/v2023.1.md
@ -3,6 +3,12 @@ title: Release 2023.1
 slug: "/releases/2023.1"
 ---

+## Breaking changes
+
+-   Deprecated HaveIBeenPwned policy has been removed
+
+    This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.
+
 ## New features

 -   SLO Support for SAML provider