feat: add default user mapping in custom oauth2 provider (#2819 )

feat: fix user cannot logout issue about bug in GetSessionToken()
fix: add FaceIdSigninBegin() to verify user information before face login (#2815 )
2025-07-10 01:56:49 +08:00 · 2024-03-18 23:01:17 +08:00 · 2024-03-18 02:11:39 +08:00 · 2024-03-18 00:04:12 +08:00 · 2024-03-17 23:03:50 +08:00 · 2024-03-17 22:20:21 +08:00
169 changed files with 8522 additions and 2179 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -108,6 +108,7 @@ jobs:
        working-directory: ./web
      - uses: cypress-io/github-action@v5
        with:
+          browser: chrome
          start: yarn start
          wait-on: 'http://localhost:7001'
          wait-on-timeout: 210
@ -127,7 +128,7 @@ jobs:
  release-and-push:
    name: Release And Push
    runs-on: ubuntu-latest
-    if: github.repository == 'casbin/casdoor' && github.event_name == 'push'
+    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
    needs: [ frontend, backend, linter, e2e ]
    steps:
      - name: Checkout
@ -182,14 +183,14 @@ jobs:

      - name: Log in to Docker Hub
        uses: docker/login-action@v1
-        if: github.repository == 'casbin/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
+        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Push to Docker Hub
        uses: docker/build-push-action@v3
-        if: github.repository == 'casbin/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
+        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
        with:
          context: .
          target: STANDARD
@ -199,7 +200,7 @@ jobs:

      - name: Push All In One Version to Docker Hub
        uses: docker/build-push-action@v3
-        if: github.repository == 'casbin/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
+        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
        with:
          context: .
          target: ALLINONE
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@ -7,7 +7,7 @@ on:
 jobs:
  synchronize-with-crowdin:
    runs-on: ubuntu-latest
-    if: github.repository == 'casbin/casdoor' && github.event_name == 'push'
+    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
    steps:

    - name: Checkout
--- a/README.md
+++ b/README.md
@ -87,8 +87,7 @@ https://casdoor.org/docs/category/integrations
 ## How to contact?

 - Discord: https://discord.gg/5rPsrAzK7S
- Forum: https://forum.casbin.com
- Contact: https://tawk.to/chat/623352fea34c2456412b8c51/1fuc7od6e
+- Contact: https://casdoor.org/help

 ## Contribute

--- a/authz/authz.go
+++ b/authz/authz.go
@ -98,6 +98,7 @@ p, *, *, GET, /api/get-all-objects, *, *
 p, *, *, GET, /api/get-all-actions, *, *
 p, *, *, GET, /api/get-all-roles, *, *
 p, *, *, GET, /api/get-invitation-info, *, *
+p, *, *, GET, /api/faceid-signin-begin, *, *
 `

 		sa := stringadapter.NewAdapter(ruleText)
@ -161,6 +162,11 @@ func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath
 				return true
 			}
 			return false
+		} else if urlPath == "/api/upload-resource" {
+			if subOwner == "app" && subName == "app-casibase" {
+				return true
+			}
+			return false
 		} else {
 			return false
 		}
--- a/conf/conf.go
+++ b/conf/conf.go
@ -71,7 +71,10 @@ func GetConfigInt64(key string) (int64, error) {

 func GetConfigDataSourceName() string {
 	dataSourceName := GetConfigString("dataSourceName")
+	return ReplaceDataSourceNameByDocker(dataSourceName)
+}

+func ReplaceDataSourceNameByDocker(dataSourceName string) string {
 	runningInDocker := os.Getenv("RUNNING_IN_DOCKER")
 	if runningInDocker == "true" {
 		// https://stackoverflow.com/questions/48546124/what-is-linux-equivalent-of-host-docker-internal
@ -81,7 +84,6 @@ func GetConfigDataSourceName() string {
 			dataSourceName = strings.ReplaceAll(dataSourceName, "localhost", "host.docker.internal")
 		}
 	}
-
 	return dataSourceName
 }

@ -108,13 +110,3 @@ func GetConfigBatchSize() int {
 	}
 	return res
 }
-
-func GetConfigRealDataSourceName(driverName string) string {
-	var dataSourceName string
-	if driverName != "mysql" {
-		dataSourceName = GetConfigDataSourceName()
-	} else {
-		dataSourceName = GetConfigDataSourceName() + GetConfigString("dbName")
-	}
-	return dataSourceName
-}
--- a/controllers/account.go
+++ b/controllers/account.go
@ -94,7 +94,7 @@ func (c *ApiController) Signup() {
 		return
 	}
 	if application == nil {
-		c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist")), authForm.Application)
+		c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
 		return
 	}

@ -110,7 +110,7 @@ func (c *ApiController) Signup() {
 	}

 	if organization == nil {
-		c.ResponseError(fmt.Sprintf(c.T("auth:The organization: %s does not exist")), authForm.Organization)
+		c.ResponseError(fmt.Sprintf(c.T("auth:The organization: %s does not exist"), authForm.Organization))
 		return
 	}

@ -131,7 +131,12 @@ func (c *ApiController) Signup() {
 	}

 	if application.IsSignupItemVisible("Email") && application.GetSignupItemRule("Email") != "No verification" && authForm.Email != "" {
-		checkResult := object.CheckVerificationCode(authForm.Email, authForm.EmailCode, c.GetAcceptLanguage())
+		var checkResult *object.VerifyResult
+		checkResult, err = object.CheckVerificationCode(authForm.Email, authForm.EmailCode, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(c.T(err.Error()))
+			return
+		}
 		if checkResult.Code != object.VerificationSuccess {
 			c.ResponseError(checkResult.Msg)
 			return
@ -141,7 +146,13 @@ func (c *ApiController) Signup() {
 	var checkPhone string
 	if application.IsSignupItemVisible("Phone") && application.GetSignupItemRule("Phone") != "No verification" && authForm.Phone != "" {
 		checkPhone, _ = util.GetE164Number(authForm.Phone, authForm.CountryCode)
-		checkResult := object.CheckVerificationCode(checkPhone, authForm.PhoneCode, c.GetAcceptLanguage())
+
+		var checkResult *object.VerifyResult
+		checkResult, err = object.CheckVerificationCode(checkPhone, authForm.PhoneCode, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(c.T(err.Error()))
+			return
+		}
 		if checkResult.Code != object.VerificationSuccess {
 			c.ResponseError(checkResult.Msg)
 			return
@ -296,6 +307,7 @@ func (c *ApiController) Logout() {
 		}

 		c.ClearUserSession()
+		c.ClearTokenSession()
 		owner, username := util.GetOwnerAndNameFromId(user)
 		_, err := object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
 		if err != nil {
@ -342,6 +354,7 @@ func (c *ApiController) Logout() {
 		}

 		c.ClearUserSession()
+		c.ClearTokenSession()
 		// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
 		owner, username := util.GetOwnerAndNameFromId(user)

@ -422,6 +435,17 @@ func (c *ApiController) GetAccount() {
 		return
 	}

+	accessToken := c.GetSessionToken()
+	if accessToken == "" {
+		accessToken, err = object.GetAccessTokenByUser(user, c.Ctx.Request.Host)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		c.SetSessionToken(accessToken)
+	}
+	u.AccessToken = accessToken
+
 	resp := Response{
 		Status: "ok",
 		Sub:    user.Id,
@ -448,7 +472,12 @@ func (c *ApiController) GetUserinfo() {

 	scope, aud := c.GetSessionOidc()
 	host := c.Ctx.Request.Host
-	userInfo := object.GetUserInfo(user, scope, aud, host)
+
+	userInfo, err := object.GetUserInfo(user, scope, aud, host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	c.Data["json"] = userInfo
 	c.ServeJSON()
--- a/controllers/application.go
+++ b/controllers/application.go
@ -177,7 +177,7 @@ func (c *ApiController) GetOrganizationApplications() {
 			return
 		}

-		applications, err = object.GetAllowedApplications(applications, userId)
+		applications, err = object.GetAllowedApplications(applications, userId, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -194,13 +194,19 @@ func (c *ApiController) GetOrganizationApplications() {
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		application, err := object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		applications, err := object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		applications := object.GetMaskedApplications(application, userId)
+		applications, err = object.GetAllowedApplications(applications, userId, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		applications = object.GetMaskedApplications(applications, userId)
 		c.ResponseOk(applications, paginator.Nums())
 	}
 }
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -24,7 +24,6 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
-	"sync"

 	"github.com/casdoor/casdoor/captcha"
 	"github.com/casdoor/casdoor/conf"
@ -37,11 +36,6 @@ import (
 	"golang.org/x/oauth2"
 )

-var (
-	wechatCacheMap map[string]idp.WechatCacheMapValue
-	lock           sync.RWMutex
-)
-
 func codeToResponse(code *object.Code) *Response {
 	if code.Code == "" {
 		return &Response{Status: "error", Msg: code.Message, Data: code.Code}
@ -333,7 +327,38 @@ func (c *ApiController) Login() {
 		}

 		var user *object.User
-		if authForm.Password == "" {
+		if authForm.SigninMethod == "Face ID" {
+			if user, err = object.GetUserByFields(authForm.Organization, authForm.Username); err != nil {
+				c.ResponseError(err.Error(), nil)
+				return
+			} else if user == nil {
+				c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(authForm.Organization, authForm.Username)))
+				return
+			}
+
+			var application *object.Application
+			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+			if err != nil {
+				c.ResponseError(err.Error(), nil)
+				return
+			}
+
+			if application == nil {
+				c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
+				return
+			}
+
+			if !application.IsFaceIdEnabled() {
+				c.ResponseError(c.T("auth:The login method: login with face is not enabled for the application"))
+				return
+			}
+
+			if err := object.CheckFaceId(user, authForm.FaceId, c.GetAcceptLanguage()); err != nil {
+				c.ResponseError(err.Error(), nil)
+				return
+			}
+
+		} else if authForm.Password == "" {
 			if user, err = object.GetUserByFields(authForm.Organization, authForm.Username); err != nil {
 				c.ResponseError(err.Error(), nil)
 				return
@ -896,6 +921,7 @@ func (c *ApiController) GetSamlLogin() {
 	authURL, method, err := object.GenerateSamlRequest(providerId, relayState, c.Ctx.Request.Host, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
+		return
 	}
 	c.ResponseOk(authURL, method)
 }
@ -906,6 +932,7 @@ func (c *ApiController) HandleSamlLogin() {
 	decode, err := base64.StdEncoding.DecodeString(relayState)
 	if err != nil {
 		c.ResponseError(err.Error())
+		return
 	}
 	slice := strings.Split(string(decode), "&")
 	relayState = url.QueryEscape(relayState)
@ -972,15 +999,15 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 		return
 	}

-	lock.Lock()
-	if wechatCacheMap == nil {
-		wechatCacheMap = make(map[string]idp.WechatCacheMapValue)
+	idp.Lock.Lock()
+	if idp.WechatCacheMap == nil {
+		idp.WechatCacheMap = make(map[string]idp.WechatCacheMapValue)
 	}
-	wechatCacheMap[data.Ticket] = idp.WechatCacheMapValue{
-		IsScanned:    true,
-		WechatOpenId: data.FromUserName,
+	idp.WechatCacheMap[data.Ticket] = idp.WechatCacheMapValue{
+		IsScanned:     true,
+		WechatUnionId: data.FromUserName,
 	}
-	lock.Unlock()
+	idp.Lock.Unlock()

 	c.Ctx.WriteString("")
 }
@ -994,18 +1021,15 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 func (c *ApiController) GetWebhookEventType() {
 	ticket := c.Input().Get("ticket")

-	lock.RLock()
-	wechatMsg, ok := wechatCacheMap[ticket]
-	lock.RUnlock()
+	idp.Lock.RLock()
+	_, ok := idp.WechatCacheMap[ticket]
+	idp.Lock.RUnlock()
 	if !ok {
 		c.ResponseError("ticket not found")
 		return
 	}
-	lock.Lock()
-	delete(wechatCacheMap, ticket)
-	lock.Unlock()

-	c.ResponseOk("SCAN", wechatMsg.IsScanned)
+	c.ResponseOk("SCAN", ticket)
 }

 // GetQRCode
--- a/controllers/base.go
+++ b/controllers/base.go
@ -122,6 +122,15 @@ func (c *ApiController) GetSessionUsername() string {
 	return user.(string)
 }

+func (c *ApiController) GetSessionToken() string {
+	accessToken := c.GetSession("accessToken")
+	if accessToken == nil {
+		return ""
+	}
+
+	return accessToken.(string)
+}
+
 func (c *ApiController) GetSessionApplication() *object.Application {
 	clientId := c.GetSession("aud")
 	if clientId == nil {
@ -141,6 +150,10 @@ func (c *ApiController) ClearUserSession() {
 	c.SetSessionData(nil)
 }

+func (c *ApiController) ClearTokenSession() {
+	c.SetSessionToken("")
+}
+
 func (c *ApiController) GetSessionOidc() (string, string) {
 	sessionData := c.GetSessionData()
 	if sessionData != nil &&
@ -167,6 +180,10 @@ func (c *ApiController) SetSessionUsername(user string) {
 	c.SetSession("username", user)
 }

+func (c *ApiController) SetSessionToken(accessToken string) {
+	c.SetSession("accessToken", accessToken)
+}
+
 // GetSessionData ...
 func (c *ApiController) GetSessionData() *SessionData {
 	session := c.GetSession("SessionData")
--- a/controllers/casbin_api.go
+++ b/controllers/casbin_api.go
@ -85,7 +85,7 @@ func (c *ApiController) Enforce() {
 			return
 		}
 		if permission == nil {
-			c.ResponseError(fmt.Sprintf("permission: %s doesn't exist", permissionId))
+			c.ResponseError(fmt.Sprintf(c.T("permission:The permission: \"%s\" doesn't exist"), permissionId))
 			return
 		}

@ -209,7 +209,7 @@ func (c *ApiController) BatchEnforce() {
 			return
 		}
 		if permission == nil {
-			c.ResponseError(fmt.Sprintf("permission: %s doesn't exist", permissionId))
+			c.ResponseError(fmt.Sprintf(c.T("permission:The permission: \"%s\" doesn't exist"), permissionId))
 			return
 		}

--- a/controllers/face.go
+++ b/controllers/face.go
@ -0,0 +1,55 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Casdoor will expose its providers as services to SDK
+// We are going to implement those services as APIs here
+
+package controllers
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// FaceIDSigninBegin
+// @Title FaceIDSigninBegin
+// @Tag Login API
+// @Description FaceId Login Flow 1st stage
+// @Param   owner     query    string  true        "owner"
+// @Param   name     query    string  true        "name"
+// @Success 200 {object} controllers.Response The Response object
+// @router /faceid-signin-begin [get]
+func (c *ApiController) FaceIDSigninBegin() {
+	userOwner := c.Input().Get("owner")
+	userName := c.Input().Get("name")
+
+	user, err := object.GetUserByFields(userOwner, userName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	if user == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(userOwner, userName)))
+		return
+	}
+
+	if len(user.FaceIds) == 0 {
+		c.ResponseError(c.T("check:Face data does not exist, cannot log in"))
+		return
+	}
+
+	c.ResponseOk()
+}
--- a/controllers/mfa.go
+++ b/controllers/mfa.go
@ -110,7 +110,7 @@ func (c *ApiController) MfaSetupVerify() {
 			return
 		}
 		config.Secret = secret.(string)
-	} else if mfaType == object.EmailType || mfaType == object.SmsType {
+	} else if mfaType == object.SmsType {
 		dest := c.GetSession(MfaDestSession)
 		if dest == nil {
 			c.ResponseError("destination is missing")
@ -123,6 +123,13 @@ func (c *ApiController) MfaSetupVerify() {
 			return
 		}
 		config.CountryCode = countryCode.(string)
+	} else if mfaType == object.EmailType {
+		dest := c.GetSession(MfaDestSession)
+		if dest == nil {
+			c.ResponseError("destination is missing")
+			return
+		}
+		config.Secret = dest.(string)
 	}

 	mfaUtil := object.GetMfaUtil(mfaType, config)
@ -175,19 +182,30 @@ func (c *ApiController) MfaSetupEnable() {
 			return
 		}
 		config.Secret = secret.(string)
-	} else if mfaType == object.EmailType || mfaType == object.SmsType {
-		dest := c.GetSession(MfaDestSession)
-		if dest == nil {
-			c.ResponseError("destination is missing")
-			return
+	} else if mfaType == object.EmailType {
+		if user.Email == "" {
+			dest := c.GetSession(MfaDestSession)
+			if dest == nil {
+				c.ResponseError("destination is missing")
+				return
+			}
+			user.Email = dest.(string)
 		}
-		config.Secret = dest.(string)
-		countryCode := c.GetSession(MfaCountryCodeSession)
-		if countryCode == nil {
-			c.ResponseError("country code is missing")
-			return
+	} else if mfaType == object.SmsType {
+		if user.Phone == "" {
+			dest := c.GetSession(MfaDestSession)
+			if dest == nil {
+				c.ResponseError("destination is missing")
+				return
+			}
+			user.Phone = dest.(string)
+			countryCode := c.GetSession(MfaCountryCodeSession)
+			if countryCode == nil {
+				c.ResponseError("country code is missing")
+				return
+			}
+			user.CountryCode = countryCode.(string)
 		}
-		config.CountryCode = countryCode.(string)
 	}
 	recoveryCodes := c.GetSession(MfaRecoveryCodesSession)
 	if recoveryCodes == nil {
--- a/controllers/record.go
+++ b/controllers/record.go
@ -0,0 +1,128 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/casvisor/casvisor-go-sdk/casvisorsdk"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetRecords
+// @Title GetRecords
+// @Tag Record API
+// @Description get all records
+// @Param   pageSize     query    string  true        "The size of each page"
+// @Param   p     query    string  true        "The number of the page"
+// @Success 200 {object} object.Record The Response object
+// @router /get-records [get]
+func (c *ApiController) GetRecords() {
+	organization, ok := c.RequireAdmin()
+	if !ok {
+		return
+	}
+
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	organizationName := c.Input().Get("organizationName")
+
+	if limit == "" || page == "" {
+		records, err := object.GetRecords()
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(records)
+	} else {
+		limit := util.ParseInt(limit)
+		if c.IsGlobalAdmin() && organizationName != "" {
+			organization = organizationName
+		}
+		filterRecord := &casvisorsdk.Record{Organization: organization}
+		count, err := object.GetRecordCount(field, value, filterRecord)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		records, err := object.GetPaginationRecords(paginator.Offset(), limit, field, value, sortField, sortOrder, filterRecord)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(records, paginator.Nums())
+	}
+}
+
+// GetRecordsByFilter
+// @Tag Record API
+// @Title GetRecordsByFilter
+// @Description get records by filter
+// @Param   filter  body string     true  "filter Record message"
+// @Success 200 {object} object.Record The Response object
+// @router /get-records-filter [post]
+func (c *ApiController) GetRecordsByFilter() {
+	_, ok := c.RequireAdmin()
+	if !ok {
+		return
+	}
+
+	body := string(c.Ctx.Input.RequestBody)
+
+	record := &casvisorsdk.Record{}
+	err := util.JsonToStruct(body, record)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	records, err := object.GetRecordsByField(record)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(records)
+}
+
+// AddRecord
+// @Title AddRecord
+// @Tag Record API
+// @Description add a record
+// @Param   body    body   object.Record  true        "The details of the record"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-record [post]
+func (c *ApiController) AddRecord() {
+	var record casvisorsdk.Record
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &record)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddRecord(&record))
+	c.ServeJSON()
+}
--- a/controllers/resource.go
+++ b/controllers/resource.go
@ -52,6 +52,15 @@ func (c *ApiController) GetResources() {
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")

+	isOrgAdmin, ok := c.IsOrgAdmin()
+	if !ok {
+		return
+	}
+
+	if isOrgAdmin {
+		user = ""
+	}
+
 	if sortField == "Direct" {
 		provider, err := c.GetProviderFromContext("Storage")
 		if err != nil {
--- a/controllers/service.go
+++ b/controllers/service.go
@ -60,7 +60,6 @@ func (c *ApiController) SendEmail() {
 	}

 	var emailForm EmailForm
-
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &emailForm)
 	if err != nil {
 		c.ResponseError(err.Error())
@ -87,7 +86,7 @@ func (c *ApiController) SendEmail() {

 	// when receiver is the reserved keyword: "TestSmtpServer", it means to test the SMTP server instead of sending a real Email
 	if len(emailForm.Receivers) == 1 && emailForm.Receivers[0] == "TestSmtpServer" {
-		err := object.DailSmtpServer(provider)
+		err = object.DailSmtpServer(provider)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -112,20 +111,23 @@ func (c *ApiController) SendEmail() {
 		return
 	}

-	code := "123456"
+	content := emailForm.Content
+	if content == "" {
+		code := "123456"

-	// "You have requested a verification code at Casdoor. Here is your code: %s, please enter in 5 minutes."
-	content := strings.Replace(provider.Content, "%s", code, 1)
-	if !strings.HasPrefix(userId, "app/") {
-		var user *object.User
-		user, err = object.GetUser(userId)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
+		// "You have requested a verification code at Casdoor. Here is your code: %s, please enter in 5 minutes."
+		content = strings.Replace(provider.Content, "%s", code, 1)
+		if !strings.HasPrefix(userId, "app/") {
+			var user *object.User
+			user, err = object.GetUser(userId)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}

-		if user != nil {
-			content = strings.Replace(content, "%{user.friendlyName}", user.GetFriendlyName(), 1)
+			if user != nil {
+				content = strings.Replace(content, "%{user.friendlyName}", user.GetFriendlyName(), 1)
+			}
 		}
 	}

--- a/controllers/syncer.go
+++ b/controllers/syncer.go
@ -168,3 +168,20 @@ func (c *ApiController) RunSyncer() {

 	c.ResponseOk()
 }
+
+func (c *ApiController) TestSyncerDb() {
+	var syncer object.Syncer
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &syncer)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	err = object.TestSyncerDb(syncer)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk()
+}
--- a/controllers/token.go
+++ b/controllers/token.go
@ -317,7 +317,8 @@ func (c *ApiController) IntrospectToken() {
 		return
 	}

-	token, err := object.GetTokenByTokenValue(tokenValue)
+	tokenTypeHint := c.Input().Get("token_type_hint")
+	token, err := object.GetTokenByTokenValue(tokenValue, tokenTypeHint)
 	if err != nil {
 		c.ResponseTokenError(err.Error())
 		return
--- a/controllers/transaction.go
+++ b/controllers/transaction.go
@ -0,0 +1,167 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetTransactions
+// @Title GetTransactions
+// @Tag Transaction API
+// @Description get transactions
+// @Param   owner     query    string  true        "The owner of transactions"
+// @Success 200 {array} object.Transaction The Response object
+// @router /get-transactions [get]
+func (c *ApiController) GetTransactions() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+
+	if limit == "" || page == "" {
+		transactions, err := object.GetTransactions(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(transactions)
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetTransactionCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		transactions, err := object.GetPaginationTransactions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(transactions, paginator.Nums())
+	}
+}
+
+// GetUserTransactions
+// @Title GetUserTransaction
+// @Tag Transaction API
+// @Description get transactions for a user
+// @Param   owner     query    string  true        "The owner of transactions"
+// @Param   organization    query   string  true   "The organization of the user"
+// @Param   user    query   string  true           "The username of the user"
+// @Success 200 {array} object.Transaction The Response object
+// @router /get-user-transactions [get]
+func (c *ApiController) GetUserTransactions() {
+	owner := c.Input().Get("owner")
+	user := c.Input().Get("user")
+
+	transactions, err := object.GetUserTransactions(owner, user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(transactions)
+}
+
+// GetTransaction
+// @Title GetTransaction
+// @Tag Transaction API
+// @Description get transaction
+// @Param   id     query    string  true        "The id ( owner/name ) of the transaction"
+// @Success 200 {object} object.Transaction The Response object
+// @router /get-transaction [get]
+func (c *ApiController) GetTransaction() {
+	id := c.Input().Get("id")
+
+	transaction, err := object.GetTransaction(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(transaction)
+}
+
+// UpdateTransaction
+// @Title UpdateTransaction
+// @Tag Transaction API
+// @Description update transaction
+// @Param   id     query    string  true        "The id ( owner/name ) of the transaction"
+// @Param   body    body   object.Transaction  true        "The details of the transaction"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-transaction [post]
+func (c *ApiController) UpdateTransaction() {
+	id := c.Input().Get("id")
+
+	var transaction object.Transaction
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &transaction)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateTransaction(id, &transaction))
+	c.ServeJSON()
+}
+
+// AddTransaction
+// @Title AddTransaction
+// @Tag Transaction API
+// @Description add transaction
+// @Param   body    body   object.Transaction  true        "The details of the transaction"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-transaction [post]
+func (c *ApiController) AddTransaction() {
+	var transaction object.Transaction
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &transaction)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddTransaction(&transaction))
+	c.ServeJSON()
+}
+
+// DeleteTransaction
+// @Title DeleteTransaction
+// @Tag Transaction API
+// @Description delete transaction
+// @Param   body    body   object.Transaction  true        "The details of the transaction"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-transaction [post]
+func (c *ApiController) DeleteTransaction() {
+	var transaction object.Transaction
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &transaction)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteTransaction(&transaction))
+	c.ServeJSON()
+}
--- a/controllers/user.go
+++ b/controllers/user.go
@ -156,6 +156,10 @@ func (c *ApiController) GetUser() {
 			c.ResponseError(err.Error())
 			return
 		}
+		if userFromUserId == nil {
+			c.ResponseOk(nil)
+			return
+		}

 		id = util.GetId(userFromUserId.Owner, userFromUserId.Name)
 	}
@ -200,7 +204,7 @@ func (c *ApiController) GetUser() {
 			return
 		}
 		if organization == nil {
-			c.ResponseError(fmt.Sprintf("the organization: %s is not found", owner))
+			c.ResponseError(fmt.Sprintf(c.T("auth:The organization: %s does not exist"), owner))
 			return
 		}

--- a/controllers/util.go
+++ b/controllers/util.go
@ -108,12 +108,12 @@ func (c *ApiController) RequireSignedInUser() (*object.User, bool) {
 		c.ResponseError(err.Error())
 		return nil, false
 	}
-
 	if user == nil {
 		c.ClearUserSession()
 		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
 		return nil, false
 	}
+
 	return user, true
 }

@ -127,9 +127,39 @@ func (c *ApiController) RequireAdmin() (string, bool) {
 	if user.Owner == "built-in" {
 		return "", true
 	}
+
+	if !user.IsAdmin {
+		c.ResponseError(c.T("general:this operation requires administrator to perform"))
+		return "", false
+	}
+
 	return user.Owner, true
 }

+func (c *ApiController) IsOrgAdmin() (bool, bool) {
+	userId, ok := c.RequireSignedIn()
+	if !ok {
+		return false, true
+	}
+
+	if strings.HasPrefix(userId, "app/") {
+		return true, true
+	}
+
+	user, err := object.GetUser(userId)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return false, false
+	}
+	if user == nil {
+		c.ClearUserSession()
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
+		return false, false
+	}
+
+	return user.IsAdmin, true
+}
+
 // IsMaskedEnabled ...
 func (c *ApiController) IsMaskedEnabled() (bool, bool) {
 	isMaskEnabled := true
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -164,13 +164,13 @@ func (c *ApiController) SendVerificationCode() {
 			c.SetSession(MfaDestSession, vform.Dest)
 		}

-		provider, err := application.GetEmailProvider()
+		provider, err = application.GetEmailProvider(vform.Method)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 		if provider == nil {
-			c.ResponseError(fmt.Sprintf("please add an Email provider to the \"Providers\" list for the application: %s", application.Name))
+			c.ResponseError(fmt.Sprintf(c.T("verification:please add an Email provider to the \"Providers\" list for the application: %s"), application.Name))
 			return
 		}

@ -210,13 +210,13 @@ func (c *ApiController) SendVerificationCode() {
 			vform.CountryCode = mfaProps.CountryCode
 		}

-		provider, err := application.GetSmsProvider()
+		provider, err = application.GetSmsProvider(vform.Method)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 		if provider == nil {
-			c.ResponseError(fmt.Sprintf("please add a SMS provider to the \"Providers\" list for the application: %s", application.Name))
+			c.ResponseError(fmt.Sprintf(c.T("verification:please add a SMS provider to the \"Providers\" list for the application: %s"), application.Name))
 			return
 		}

@ -343,7 +343,12 @@ func (c *ApiController) ResetEmailOrPhone() {
 		}
 	}

-	if result := object.CheckVerificationCode(checkDest, code, c.GetAcceptLanguage()); result.Code != object.VerificationSuccess {
+	result, err := object.CheckVerificationCode(checkDest, code, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(c.T(err.Error()))
+		return
+	}
+	if result.Code != object.VerificationSuccess {
 		c.ResponseError(result.Msg)
 		return
 	}
@ -425,16 +430,22 @@ func (c *ApiController) VerifyCode() {
 		}
 	}

-	if result := object.CheckVerificationCode(checkDest, authForm.Code, c.GetAcceptLanguage()); result.Code != object.VerificationSuccess {
+	result, err := object.CheckVerificationCode(checkDest, authForm.Code, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(c.T(err.Error()))
+		return
+	}
+	if result.Code != object.VerificationSuccess {
 		c.ResponseError(result.Msg)
 		return
 	}
+
 	err = object.DisableVerificationCode(checkDest)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
-	c.SetSession("verifiedCode", authForm.Code)

+	c.SetSession("verifiedCode", authForm.Code)
 	c.ResponseOk()
 }
--- a/deployment/deploy.go
+++ b/deployment/deploy.go
@ -27,7 +27,10 @@ import (
 )

 func deployStaticFiles(provider *object.Provider) {
-	storageProvider := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, provider.Endpoint)
+	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, provider.Endpoint)
+	if err != nil {
+		panic(err)
+	}
 	if storageProvider == nil {
 		panic(fmt.Sprintf("the provider type: %s is not supported", provider.Type))
 	}
--- a/form/auth.go
+++ b/form/auth.go
@ -61,6 +61,8 @@ type AuthForm struct {

 	Plan    string `json:"plan"`
 	Pricing string `json:"pricing"`
+
+	FaceId []float64 `json:"faceId"`
 }

 func GetAuthFormFieldValue(form *AuthForm, fieldName string) (bool, string) {
--- a/go.mod
+++ b/go.mod
@ -9,12 +9,12 @@ require (
 	github.com/beego/beego v1.12.12
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin/v2 v2.77.2
-	github.com/casdoor/go-sms-sender v0.19.0
+	github.com/casdoor/go-sms-sender v0.20.0
 	github.com/casdoor/gomail/v2 v2.0.1
 	github.com/casdoor/notify v0.45.0
-	github.com/casdoor/oss v1.5.0
+	github.com/casdoor/oss v1.6.0
 	github.com/casdoor/xorm-adapter/v3 v3.1.0
-	github.com/casvisor/casvisor-go-sdk v1.0.3
+	github.com/casvisor/casvisor-go-sdk v1.3.0
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/denisenkom/go-mssqldb v0.9.0
 	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
@ -59,7 +59,7 @@ require (
 	github.com/xorm-io/core v0.7.4
 	github.com/xorm-io/xorm v1.1.6
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	golang.org/x/crypto v0.14.0
+	golang.org/x/crypto v0.19.0
 	golang.org/x/net v0.17.0
 	golang.org/x/oauth2 v0.13.0
 	google.golang.org/api v0.150.0
--- a/go.sum
+++ b/go.sum
@ -1083,18 +1083,18 @@ github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3
 github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
 github.com/casdoor/go-reddit/v2 v2.1.0 h1:kIbfdJ7AA7H0uTQ8s0q4GGZqSS5V9wVE74RrXyD9XPs=
 github.com/casdoor/go-reddit/v2 v2.1.0/go.mod h1:eagkvwlZ4Hcsuc/uQsLHYEulz5jN65SVSwV/AIE7zsc=
-github.com/casdoor/go-sms-sender v0.19.0 h1:qVz7RLXx8aGgfzLUGvhNe6pbhxDqP2/qNY+XPepfpyQ=
-github.com/casdoor/go-sms-sender v0.19.0/go.mod h1:cQs7qqohMJBgIVZebOCB8ko09naG1vzFJEH59VNIscs=
+github.com/casdoor/go-sms-sender v0.20.0 h1:yLbCakV04DzzehhgBklOrSeCFjMwpfKBeemz9b+Y8OM=
+github.com/casdoor/go-sms-sender v0.20.0/go.mod h1:cQs7qqohMJBgIVZebOCB8ko09naG1vzFJEH59VNIscs=
 github.com/casdoor/gomail/v2 v2.0.1 h1:J+FG6x80s9e5lBHUn8Sv0Y56mud34KiWih5YdmudR/w=
 github.com/casdoor/gomail/v2 v2.0.1/go.mod h1:VnGPslEAtpix5FjHisR/WKB1qvZDBaujbikxDe9d+2Q=
 github.com/casdoor/notify v0.45.0 h1:OlaFvcQFjGOgA4mRx07M8AH1gvb5xNo21mcqrVGlLgk=
 github.com/casdoor/notify v0.45.0/go.mod h1:wNHQu0tiDROMBIvz0j3Om3Lhd5yZ+AIfnFb8MYb8OLQ=
-github.com/casdoor/oss v1.5.0 h1:mi1htaXR5fynskDry1S3wk+Dd2nRY1z1pVcnGsqMqP4=
-github.com/casdoor/oss v1.5.0/go.mod h1:rJAWA0hLhtu94t6IRpotLUkXO1NWMASirywQYaGizJE=
+github.com/casdoor/oss v1.6.0 h1:IOWrGLJ+VO82qS796eaRnzFPPA1Sn3cotYTi7O/VIlQ=
+github.com/casdoor/oss v1.6.0/go.mod h1:rJAWA0hLhtu94t6IRpotLUkXO1NWMASirywQYaGizJE=
 github.com/casdoor/xorm-adapter/v3 v3.1.0 h1:NodWayRtSLVSeCvL9H3Hc61k0G17KhV9IymTCNfh3kk=
 github.com/casdoor/xorm-adapter/v3 v3.1.0/go.mod h1:4WTcUw+bTgBylGHeGHzTtBvuTXRS23dtwzFLl9tsgFM=
-github.com/casvisor/casvisor-go-sdk v1.0.3 h1:TKJQWKnhtznEBhzLPEdNsp7nJK2GgdD8JsB0lFPMW7U=
-github.com/casvisor/casvisor-go-sdk v1.0.3/go.mod h1:frnNtH5GA0wxzAQLyZxxfL0RSsSub9GQPi2Ybe86ocE=
+github.com/casvisor/casvisor-go-sdk v1.3.0 h1:HVgm2g3lWpNX2wBNidzR743QY4O5kAjLUJ9tS2juO8g=
+github.com/casvisor/casvisor-go-sdk v1.3.0/go.mod h1:frnNtH5GA0wxzAQLyZxxfL0RSsSub9GQPi2Ybe86ocE=
 github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4=
@ -2117,8 +2117,9 @@ golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45
 golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20181106170214-d68db9428509/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -2447,8 +2448,9 @@ golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@ -2465,8 +2467,9 @@ golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
 golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -2486,8 +2489,9 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/i18n/locales/ar/data.json
+++ b/i18n/locales/ar/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/de/data.json
+++ b/i18n/locales/de/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "Die Anmeldeart \"Anmeldung mit Passwort\" ist für die Anwendung nicht aktiviert",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "Der Anbieter: %s ist nicht für die Anwendung aktiviert",
    "Unauthorized operation": "Nicht autorisierte Operation",
    "Unknown authentication type (not password or provider), form = %s": "Unbekannter Authentifizierungstyp (nicht Passwort oder Anbieter), Formular = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "E-Mail darf nicht leer sein",
    "Email is invalid": "E-Mail ist ungültig",
    "Empty username.": "Leerer Benutzername.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "Vorname darf nicht leer sein",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "Dem Benutzer ist der Zugang verboten, bitte kontaktieren Sie den Administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Der Benutzername darf nur alphanumerische Zeichen, Unterstriche oder Bindestriche enthalten, keine aufeinanderfolgenden Bindestriche oder Unterstriche haben und darf nicht mit einem Bindestrich oder Unterstrich beginnen oder enden.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Benutzername existiert bereits",
    "Username cannot be an email address": "Benutzername kann keine E-Mail-Adresse sein",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Fehlender Parameter",
    "Please login first": "Bitte zuerst einloggen",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "Der Benutzer %s existiert nicht",
    "don't support captchaProvider: ": "Unterstütze captchaProvider nicht:",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "Das %s ist unveränderlich.",
    "Unknown modify rule %s.": "Unbekannte Änderungsregel %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Ungültige Anwendungs-ID",
    "the provider: %s does not exist": "Der Anbieter %s existiert nicht"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "Der Anbieter-Typ %s wird nicht unterstützt"
  },
  "token": {
-    "Empty clientId or clientSecret": "Leerer clientId oder clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s wird von dieser Anwendung nicht unterstützt",
    "Invalid application or wrong clientSecret": "Ungültige Anwendung oder falsches clientSecret",
    "Invalid client_id": "Ungültige client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unbekannter Typ",
    "Wrong verification code!": "Falscher Bestätigungscode!",
    "You should verify your code in %d min!": "Du solltest deinen Code in %d Minuten verifizieren!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "Der Benutzer existiert nicht, bitte zuerst anmelden"
  },
  "webauthn": {
--- a/i18n/locales/en/data.json
+++ b/i18n/locales/en/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/es/data.json
+++ b/i18n/locales/es/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "El método de inicio de sesión: inicio de sesión con contraseña no está habilitado para la aplicación",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "El proveedor: %s no está habilitado para la aplicación",
    "Unauthorized operation": "Operación no autorizada",
    "Unknown authentication type (not password or provider), form = %s": "Tipo de autenticación desconocido (no es contraseña o proveedor), formulario = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "El correo electrónico no puede estar vacío",
    "Email is invalid": "El correo electrónico no es válido",
    "Empty username.": "Nombre de usuario vacío.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "El nombre no puede estar en blanco",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "El usuario no está autorizado a iniciar sesión, por favor contacte al administrador",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "El nombre de usuario solo puede contener caracteres alfanuméricos, guiones bajos o guiones, no puede tener guiones o subrayados consecutivos, y no puede comenzar ni terminar con un guión o subrayado.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "El nombre de usuario ya existe",
    "Username cannot be an email address": "Nombre de usuario no puede ser una dirección de correo electrónico",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Parámetro faltante",
    "Please login first": "Por favor, inicia sesión primero",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "El usuario: %s no existe",
    "don't support captchaProvider: ": "No apoyo a captchaProvider",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "El %s es inmutable.",
    "Unknown modify rule %s.": "Regla de modificación desconocida %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Identificación de aplicación no válida",
    "the provider: %s does not exist": "El proveedor: %s no existe"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "El tipo de proveedor: %s no es compatible"
  },
  "token": {
-    "Empty clientId or clientSecret": "ClienteId o clienteSecret vacío",
    "Grant_type: %s is not supported in this application": "El tipo de subvención: %s no es compatible con esta aplicación",
    "Invalid application or wrong clientSecret": "Solicitud inválida o clientSecret incorrecto",
    "Invalid client_id": "Identificador de cliente no válido",
@ -146,6 +154,8 @@
    "Unknown type": "Tipo desconocido",
    "Wrong verification code!": "¡Código de verificación incorrecto!",
    "You should verify your code in %d min!": "¡Deberías verificar tu código en %d minutos!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "El usuario no existe, por favor regístrese primero"
  },
  "webauthn": {
--- a/i18n/locales/fa/data.json
+++ b/i18n/locales/fa/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/fi/data.json
+++ b/i18n/locales/fi/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/fr/data.json
+++ b/i18n/locales/fr/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "La méthode de connexion : connexion avec mot de passe n'est pas activée pour l'application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "Le fournisseur :%s n'est pas activé pour l'application",
    "Unauthorized operation": "Opération non autorisée",
    "Unknown authentication type (not password or provider), form = %s": "Type d'authentification inconnu (pas de mot de passe ou de fournisseur), formulaire = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "L'e-mail ne peut pas être vide",
    "Email is invalid": "L'adresse e-mail est invalide",
    "Empty username.": "Nom d'utilisateur vide.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "Le prénom ne peut pas être laissé vide",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "L'utilisateur est interdit de se connecter, veuillez contacter l'administrateur",
    "The user: %s doesn't exist in LDAP server": "L'utilisateur %s n'existe pas sur le serveur LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Le nom d'utilisateur ne peut contenir que des caractères alphanumériques, des traits soulignés ou des tirets, ne peut pas avoir de tirets ou de traits soulignés consécutifs et ne peut pas commencer ou se terminer par un tiret ou un trait souligné.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Nom d'utilisateur existe déjà",
    "Username cannot be an email address": "Nom d'utilisateur ne peut pas être une adresse e-mail",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Paramètre manquant",
    "Please login first": "Veuillez d'abord vous connecter",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "L'utilisateur : %s n'existe pas",
    "don't support captchaProvider: ": "ne prend pas en charge captchaProvider: ",
    "this operation is not allowed in demo mode": "cette opération n’est pas autorisée en mode démo"
@ -93,6 +99,9 @@
    "The %s is immutable.": "Le %s est immuable.",
    "Unknown modify rule %s.": "Règle de modification inconnue %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Identifiant d'application invalide",
    "the provider: %s does not exist": "Le fournisseur : %s n'existe pas"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "Le type de fournisseur : %s n'est pas pris en charge"
  },
  "token": {
-    "Empty clientId or clientSecret": "clientId ou clientSecret vide",
    "Grant_type: %s is not supported in this application": "Type_de_subvention : %s n'est pas pris en charge dans cette application",
    "Invalid application or wrong clientSecret": "Application invalide ou clientSecret incorrect",
    "Invalid client_id": "Identifiant de client invalide",
@ -146,6 +154,8 @@
    "Unknown type": "Type inconnu",
    "Wrong verification code!": "Mauvais code de vérification !",
    "You should verify your code in %d min!": "Vous devriez vérifier votre code en %d min !",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "L'utilisateur n'existe pas, veuillez vous inscrire d'abord"
  },
  "webauthn": {
--- a/i18n/locales/he/data.json
+++ b/i18n/locales/he/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/id/data.json
+++ b/i18n/locales/id/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "Metode login: login dengan kata sandi tidak diaktifkan untuk aplikasi tersebut",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "Penyedia: %s tidak diaktifkan untuk aplikasi ini",
    "Unauthorized operation": "Operasi tidak sah",
    "Unknown authentication type (not password or provider), form = %s": "Jenis otentikasi tidak diketahui (bukan kata sandi atau pemberi), formulir = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email tidak boleh kosong",
    "Email is invalid": "Email tidak valid",
    "Empty username.": "Nama pengguna kosong.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "Nama depan tidak boleh kosong",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "Pengguna dilarang masuk, silakan hubungi administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Nama pengguna hanya bisa menggunakan karakter alfanumerik, garis bawah atau tanda hubung, tidak boleh memiliki dua tanda hubung atau garis bawah berurutan, dan tidak boleh diawali atau diakhiri dengan tanda hubung atau garis bawah.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Nama pengguna sudah ada",
    "Username cannot be an email address": "Username tidak bisa menjadi alamat email",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Parameter hilang",
    "Please login first": "Silahkan login terlebih dahulu",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "Pengguna: %s tidak ada",
    "don't support captchaProvider: ": "Jangan mendukung captchaProvider:",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "%s tidak dapat diubah.",
    "Unknown modify rule %s.": "Aturan modifikasi tidak diketahui %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "ID aplikasi tidak valid",
    "the provider: %s does not exist": "provider: %s tidak ada"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "Jenis penyedia: %s tidak didukung"
  },
  "token": {
-    "Empty clientId or clientSecret": "Kosong clientId atau clientSecret",
    "Grant_type: %s is not supported in this application": "Jenis grant (grant_type) %s tidak didukung dalam aplikasi ini",
    "Invalid application or wrong clientSecret": "Aplikasi tidak valid atau clientSecret salah",
    "Invalid client_id": "Invalid client_id = ID klien tidak valid",
@ -146,6 +154,8 @@
    "Unknown type": "Tipe tidak diketahui",
    "Wrong verification code!": "Kode verifikasi salah!",
    "You should verify your code in %d min!": "Anda harus memverifikasi kode Anda dalam %d menit!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "Pengguna tidak ada, silakan daftar terlebih dahulu"
  },
  "webauthn": {
--- a/i18n/locales/it/data.json
+++ b/i18n/locales/it/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/ja/data.json
+++ b/i18n/locales/ja/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "ログイン方法：パスワードでのログインはアプリケーションで有効になっていません",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "プロバイダー：%sはアプリケーションでは有効化されていません",
    "Unauthorized operation": "不正操作",
    "Unknown authentication type (not password or provider), form = %s": "不明な認証タイプ（パスワードまたはプロバイダーではない）フォーム=%s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "メールが空白にできません",
    "Email is invalid": "電子メールは無効です",
    "Empty username.": "空のユーザー名。",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "ファーストネームは空白にできません",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "ユーザーはサインインできません。管理者に連絡してください",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "ユーザー名には英数字、アンダースコア、ハイフンしか含めることができません。連続したハイフンまたはアンダースコアは不可であり、ハイフンまたはアンダースコアで始まるまたは終わることもできません。",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "ユーザー名はすでに存在しています",
    "Username cannot be an email address": "ユーザー名には電子メールアドレスを使用できません",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "不足しているパラメーター",
    "Please login first": "最初にログインしてください",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "そのユーザー：%sは存在しません",
    "don't support captchaProvider: ": "captchaProviderをサポートしないでください",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "%sは不変です。",
    "Unknown modify rule %s.": "未知の変更ルール%s。"
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "アプリケーションIDが無効です",
    "the provider: %s does not exist": "プロバイダー%sは存在しません"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "プロバイダータイプ：%sはサポートされていません"
  },
  "token": {
-    "Empty clientId or clientSecret": "クライアントIDまたはクライアントシークレットが空です",
    "Grant_type: %s is not supported in this application": "grant_type：%sはこのアプリケーションでサポートされていません",
    "Invalid application or wrong clientSecret": "無効なアプリケーションまたは誤ったクライアントシークレットです",
    "Invalid client_id": "client_idが無効です",
@ -146,6 +154,8 @@
    "Unknown type": "不明なタイプ",
    "Wrong verification code!": "誤った検証コードです！",
    "You should verify your code in %d min!": "あなたは%d分であなたのコードを確認する必要があります！",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "ユーザーは存在しません。まず登録してください"
  },
  "webauthn": {
--- a/i18n/locales/kk/data.json
+++ b/i18n/locales/kk/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/ko/data.json
+++ b/i18n/locales/ko/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "어플리케이션에서는 암호를 사용한 로그인 방법이 활성화되어 있지 않습니다",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "제공자 %s은(는) 응용 프로그램에서 활성화되어 있지 않습니다",
    "Unauthorized operation": "무단 조작",
    "Unknown authentication type (not password or provider), form = %s": "알 수 없는 인증 유형(암호 또는 공급자가 아님), 폼 = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "이메일은 비어 있을 수 없습니다",
    "Email is invalid": "이메일이 유효하지 않습니다",
    "Empty username.": "빈 사용자 이름.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "이름은 공백일 수 없습니다",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "사용자는 로그인이 금지되어 있습니다. 관리자에게 문의하십시오",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "사용자 이름은 알파벳, 숫자, 밑줄 또는 하이픈만 포함할 수 있으며, 연속된 하이픈 또는 밑줄을 가질 수 없으며, 하이픈 또는 밑줄로 시작하거나 끝날 수 없습니다.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "사용자 이름이 이미 존재합니다",
    "Username cannot be an email address": "사용자 이름은 이메일 주소가 될 수 없습니다",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "누락된 매개변수",
    "Please login first": "먼저 로그인 하십시오",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "사용자 %s는 존재하지 않습니다",
    "don't support captchaProvider: ": "CaptchaProvider를 지원하지 마세요",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "%s 는 변경할 수 없습니다.",
    "Unknown modify rule %s.": "미확인 수정 규칙 %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "잘못된 애플리케이션 ID입니다",
    "the provider: %s does not exist": "제공자 %s가 존재하지 않습니다"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "제공자 유형: %s은/는 지원되지 않습니다"
  },
  "token": {
-    "Empty clientId or clientSecret": "클라이언트 ID 또는 클라이언트 비밀번호가 비어 있습니다",
    "Grant_type: %s is not supported in this application": "그랜트 유형: %s은(는) 이 어플리케이션에서 지원되지 않습니다",
    "Invalid application or wrong clientSecret": "잘못된 어플리케이션 또는 올바르지 않은 클라이언트 시크릿입니다",
    "Invalid client_id": "잘못된 클라이언트 ID입니다",
@ -146,6 +154,8 @@
    "Unknown type": "알 수 없는 유형",
    "Wrong verification code!": "잘못된 인증 코드입니다!",
    "You should verify your code in %d min!": "당신은 %d분 안에 코드를 검증해야 합니다!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "사용자가 존재하지 않습니다. 먼저 회원 가입 해주세요"
  },
  "webauthn": {
--- a/i18n/locales/ms/data.json
+++ b/i18n/locales/ms/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/nl/data.json
+++ b/i18n/locales/nl/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/pl/data.json
+++ b/i18n/locales/pl/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/pt/data.json
+++ b/i18n/locales/pt/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "O %s é imutável.",
    "Unknown modify rule %s.": "Regra de modificação %s desconhecida."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Id do aplicativo inválido",
    "the provider: %s does not exist": "o provedor: %s não existe"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "ClientId ou clientSecret vazio",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Aplicativo inválido ou clientSecret errado",
    "Invalid client_id": "client_id inválido",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "Метод входа: вход с паролем не включен для приложения",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
    "Unauthorized operation": "Несанкционированная операция",
    "Unknown authentication type (not password or provider), form = %s": "Неизвестный тип аутентификации (не пароль и не провайдер), форма = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Электронная почта не может быть пустой",
    "Email is invalid": "Адрес электронной почты недействительный",
    "Empty username.": "Пустое имя пользователя.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "Имя не может быть пустым",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "Пользователю запрещен вход, пожалуйста, обратитесь к администратору",
    "The user: %s doesn't exist in LDAP server": "Пользователь %s не существует на LDAP сервере",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Имя пользователя может состоять только из буквенно-цифровых символов, нижних подчеркиваний или дефисов, не может содержать последовательные дефисы или подчеркивания, а также не может начинаться или заканчиваться на дефис или подчеркивание.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Имя пользователя уже существует",
    "Username cannot be an email address": "Имя пользователя не может быть адресом электронной почты",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Отсутствующий параметр",
    "Please login first": "Пожалуйста, сначала войдите в систему",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "Пользователь %s не существует",
    "don't support captchaProvider: ": "неподдерживаемый captchaProvider: ",
    "this operation is not allowed in demo mode": "эта операция не разрешена в демо-режиме"
@ -93,6 +99,9 @@
    "The %s is immutable.": "%s неизменяемый.",
    "Unknown modify rule %s.": "Неизвестное изменение правила %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Неверный идентификатор приложения",
    "the provider: %s does not exist": "провайдер: %s не существует"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "Тип провайдера: %s не поддерживается"
  },
  "token": {
-    "Empty clientId or clientSecret": "Пустой идентификатор клиента или секрет клиента",
    "Grant_type: %s is not supported in this application": "Тип предоставления: %s не поддерживается в данном приложении",
    "Invalid application or wrong clientSecret": "Недействительное приложение или неправильный clientSecret",
    "Invalid client_id": "Недействительный идентификатор клиента",
@ -146,6 +154,8 @@
    "Unknown type": "Неизвестный тип",
    "Wrong verification code!": "Неправильный код подтверждения!",
    "You should verify your code in %d min!": "Вы должны проверить свой код через %d минут!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "Пользователь не существует, пожалуйста, сначала зарегистрируйтесь"
  },
  "webauthn": {
--- a/i18n/locales/sv/data.json
+++ b/i18n/locales/sv/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/tr/data.json
+++ b/i18n/locales/tr/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Kullanıcı adı zaten var",
    "Username cannot be an email address": "Kullanıcı adı bir e-mail adresi olamaz",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/uk/data.json
+++ b/i18n/locales/uk/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email cannot be empty",
    "Email is invalid": "Email is invalid",
    "Empty username.": "Empty username.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "FirstName cannot be blank",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Username already exists",
    "Username cannot be an email address": "Username cannot be an email address",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Missing parameter",
    "Please login first": "Please login first",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "The user: %s doesn't exist",
    "don't support captchaProvider: ": "don't support captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "The %s is immutable.",
    "Unknown modify rule %s.": "Unknown modify rule %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Invalid application id",
    "the provider: %s does not exist": "the provider: %s does not exist"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "The provider type: %s is not supported"
  },
  "token": {
-    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
    "Invalid client_id": "Invalid client_id",
@ -146,6 +154,8 @@
    "Unknown type": "Unknown type",
    "Wrong verification code!": "Wrong verification code!",
    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
  },
  "webauthn": {
--- a/i18n/locales/vi/data.json
+++ b/i18n/locales/vi/data.json
@ -18,7 +18,9 @@
    "The login method: login with LDAP is not enabled for the application": "The login method: login with LDAP is not enabled for the application",
    "The login method: login with SMS is not enabled for the application": "The login method: login with SMS is not enabled for the application",
    "The login method: login with email is not enabled for the application": "The login method: login with email is not enabled for the application",
+    "The login method: login with face is not enabled for the application": "The login method: login with face is not enabled for the application",
    "The login method: login with password is not enabled for the application": "Phương thức đăng nhập: đăng nhập bằng mật khẩu không được kích hoạt cho ứng dụng",
+    "The organization: %s does not exist": "The organization: %s does not exist",
    "The provider: %s is not enabled for the application": "Nhà cung cấp: %s không được kích hoạt cho ứng dụng",
    "Unauthorized operation": "Hoạt động không được ủy quyền",
    "Unknown authentication type (not password or provider), form = %s": "Loại xác thực không xác định (không phải mật khẩu hoặc nhà cung cấp), biểu mẫu = %s",
@ -37,6 +39,8 @@
    "Email cannot be empty": "Email không thể để trống",
    "Email is invalid": "Địa chỉ email không hợp lệ",
    "Empty username.": "Tên đăng nhập trống.",
+    "Face data does not exist, cannot log in": "Face data does not exist, cannot log in",
+    "Face data mismatch": "Face data mismatch",
    "FirstName cannot be blank": "Tên không được để trống",
    "Invitation code cannot be blank": "Invitation code cannot be blank",
    "Invitation code exhausted": "Invitation code exhausted",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "Người dùng bị cấm đăng nhập, vui lòng liên hệ với quản trị viên",
    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Tên người dùng chỉ có thể chứa các ký tự chữ và số, gạch dưới hoặc gạch ngang, không được có hai ký tự gạch dưới hoặc gạch ngang liền kề và không được bắt đầu hoặc kết thúc bằng dấu gạch dưới hoặc gạch ngang.",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"",
    "Username already exists": "Tên đăng nhập đã tồn tại",
    "Username cannot be an email address": "Tên người dùng không thể là địa chỉ email",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "Thiếu tham số",
    "Please login first": "Vui lòng đăng nhập trước",
+    "The organization: %s should have one application at least": "The organization: %s should have one application at least",
    "The user: %s doesn't exist": "Người dùng: %s không tồn tại",
    "don't support captchaProvider: ": "không hỗ trợ captchaProvider: ",
    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
@ -93,6 +99,9 @@
    "The %s is immutable.": "%s không thể thay đổi được.",
    "Unknown modify rule %s.": "Quy tắc thay đổi không xác định %s."
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "The permission: \\\"%s\\\" doesn't exist"
+  },
  "provider": {
    "Invalid application id": "Sai ID ứng dụng",
    "the provider: %s does not exist": "Nhà cung cấp: %s không tồn tại"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "Loại nhà cung cấp: %s không được hỗ trợ"
  },
  "token": {
-    "Empty clientId or clientSecret": "ClientId hoặc clientSecret trống",
    "Grant_type: %s is not supported in this application": "Loại cấp phép: %s không được hỗ trợ trong ứng dụng này",
    "Invalid application or wrong clientSecret": "Đơn đăng ký không hợp lệ hoặc sai clientSecret",
    "Invalid client_id": "Client_id không hợp lệ",
@ -146,6 +154,8 @@
    "Unknown type": "Loại không xác định",
    "Wrong verification code!": "Mã xác thực sai!",
    "You should verify your code in %d min!": "Bạn nên kiểm tra mã của mình trong %d phút!",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "please add a SMS provider to the \\\"Providers\\\" list for the application: %s",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "please add an Email provider to the \\\"Providers\\\" list for the application: %s",
    "the user does not exist, please sign up first": "Người dùng không tồn tại, vui lòng đăng ký trước"
  },
  "webauthn": {
--- a/i18n/locales/zh/data.json
+++ b/i18n/locales/zh/data.json
@ -18,12 +18,14 @@
    "The login method: login with LDAP is not enabled for the application": "该应用禁止采用LDAP登录方式",
    "The login method: login with SMS is not enabled for the application": "该应用禁止采用短信登录方式",
    "The login method: login with email is not enabled for the application": "该应用禁止采用邮箱登录方式",
+    "The login method: login with face is not enabled for the application": "该应用禁止采用人脸登录",
    "The login method: login with password is not enabled for the application": "该应用禁止采用密码登录方式",
+    "The organization: %s does not exist": "组织: %s 不存在",
    "The provider: %s is not enabled for the application": "该应用的提供商: %s未被启用",
    "Unauthorized operation": "未授权的操作",
    "Unknown authentication type (not password or provider), form = %s": "未知的认证类型（非密码或第三方提供商）：%s",
    "User's tag: %s is not listed in the application's tags": "用户的标签: %s不在该应用的标签列表中",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing"
+    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "paid-user %s 没有激活或正在等待订阅并且应用: %s 没有默认值"
  },
  "cas": {
    "Service %s and %s do not match": "服务%s与%s不匹配"
@ -37,10 +39,12 @@
    "Email cannot be empty": "邮箱不可为空",
    "Email is invalid": "无效邮箱",
    "Empty username.": "用户名不可为空",
+    "Face data does not exist, cannot log in": "未录入人脸数据，无法登录",
+    "Face data mismatch": "人脸不匹配",
    "FirstName cannot be blank": "名不可以为空",
-    "Invitation code cannot be blank": "Invitation code cannot be blank",
+    "Invitation code cannot be blank": "邀请码不能为空",
    "Invitation code exhausted": "邀请码使用次数已耗尽",
-    "Invitation code is invalid": "Invitation code is invalid",
+    "Invitation code is invalid": "邀请码无效",
    "Invitation code suspended": "邀请码已被禁止使用",
    "LDAP user name or password incorrect": "LDAP密码错误",
    "LastName cannot be blank": "姓不可以为空",
@ -57,6 +61,7 @@
    "The user is forbidden to sign in, please contact the administrator": "该用户被禁止登录，请联系管理员",
    "The user: %s doesn't exist in LDAP server": "用户: %s 在LDAP服务器中未找到",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "用户名只能包含字母数字字符、下划线或连字符，不能有连续的连字符或下划线，也不能以连字符或下划线开头或结尾",
+    "The value \\\"%s\\\" for account field \\\"%s\\\" doesn't match the account item regex": "值 \\\"%s\\\"在账户信息字段\\\"%s\\\" 中与应用的账户项正则表达式不匹配",
    "The value \\\"%s\\\" for signup field \\\"%s\\\" doesn't match the signup item regex of the application \\\"%s\\\"": "值\\\"%s\\\"在注册字段\\\"%s\\\"中与应用\\\"%s\\\"的注册项正则表达式不匹配",
    "Username already exists": "用户名已存在",
    "Username cannot be an email address": "用户名不可以是邮箱地址",
@ -73,6 +78,7 @@
  "general": {
    "Missing parameter": "缺少参数",
    "Please login first": "请先登录",
+    "The organization: %s should have one application at least": "组织: %s 应该拥有至少一个应用",
    "The user: %s doesn't exist": "用户: %s不存在",
    "don't support captchaProvider: ": "不支持验证码提供商: ",
    "this operation is not allowed in demo mode": "demo模式下不允许该操作"
@ -93,6 +99,9 @@
    "The %s is immutable.": "%s 是不可变的",
    "Unknown modify rule %s.": "未知的修改规则: %s"
  },
+  "permission": {
+    "The permission: \\\"%s\\\" doesn't exist": "权限: \\\"%s\\\" 不存在"
+  },
  "provider": {
    "Invalid application id": "无效的应用ID",
    "the provider: %s does not exist": "提供商: %s不存在"
@ -117,7 +126,6 @@
    "The provider type: %s is not supported": "不支持的提供商类型: %s"
  },
  "token": {
-    "Empty clientId or clientSecret": "clientId或clientSecret为空",
    "Grant_type: %s is not supported in this application": "该应用不支持Grant_type: %s",
    "Invalid application or wrong clientSecret": "无效应用或错误的clientSecret",
    "Invalid client_id": "无效的ClientId",
@ -146,6 +154,8 @@
    "Unknown type": "未知类型",
    "Wrong verification code!": "验证码错误!",
    "You should verify your code in %d min!": "请在 %d 分钟内输入正确验证码",
+    "please add a SMS provider to the \\\"Providers\\\" list for the application: %s": "请添加一个SMS提供商到应用： %s 的 \\\"提供商 \\\"列表",
+    "please add an Email provider to the \\\"Providers\\\" list for the application: %s": "请添加一个Email提供商到应用： %s 的 \\\"提供商 \\\"列表",
    "the user does not exist, please sign up first": "用户不存在，请先注册"
  },
  "webauthn": {
--- a/idp/adfs.go
+++ b/idp/adfs.go
@ -121,6 +121,9 @@ func (idp *AdfsIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 		return nil, err
 	}
 	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
 	var respKeys struct {
 		Keys []interface{} `json:"keys"`
 	}
--- a/idp/custom.go
+++ b/idp/custom.go
@ -98,11 +98,19 @@ func (idp *CustomIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 		return nil, err
 	}

+	requiredFields := []string{"id", "username", "displayName"}
+	for _, field := range requiredFields {
+		_, ok := idp.UserMapping[field]
+		if !ok {
+			return nil, fmt.Errorf("cannot find %s in userMapping, please check your configuration in custom provider", field)
+		}
+	}
+
 	// map user info
 	for k, v := range idp.UserMapping {
 		_, ok := dataMap[v]
 		if !ok {
-			return nil, fmt.Errorf("cannot find %s in user from castom provider", v)
+			return nil, fmt.Errorf("cannot find %s in user from custom provider", v)
 		}
 		dataMap[k] = dataMap[v]
 	}
--- a/idp/goth.go
+++ b/idp/goth.go
@ -75,6 +75,7 @@ import (
 	"github.com/markbates/goth/providers/twitterv2"
 	"github.com/markbates/goth/providers/typetalk"
 	"github.com/markbates/goth/providers/uber"
+	"github.com/markbates/goth/providers/vk"
 	"github.com/markbates/goth/providers/wepay"
 	"github.com/markbates/goth/providers/xero"
 	"github.com/markbates/goth/providers/yahoo"
@ -371,6 +372,11 @@ func NewGothIdProvider(providerType string, clientId string, clientSecret string
 			Provider: uber.New(clientId, clientSecret, redirectUrl),
 			Session:  &uber.Session{},
 		}
+	case "VK":
+		idp = GothIdProvider{
+			Provider: vk.New(clientId, clientSecret, redirectUrl),
+			Session:  &vk.Session{},
+		}
 	case "Wepay":
 		idp = GothIdProvider{
 			Provider: wepay.New(clientId, clientSecret, redirectUrl),
--- a/idp/wechat.go
+++ b/idp/wechat.go
@ -26,20 +26,26 @@ import (
 	"net/url"
 	"sort"
 	"strings"
+	"sync"
 	"time"

 	"github.com/skip2/go-qrcode"
 	"golang.org/x/oauth2"
 )

+var (
+	WechatCacheMap map[string]WechatCacheMapValue
+	Lock           sync.RWMutex
+)
+
 type WeChatIdProvider struct {
 	Client *http.Client
 	Config *oauth2.Config
 }

 type WechatCacheMapValue struct {
-	IsScanned    bool
-	WechatOpenId string
+	IsScanned     bool
+	WechatUnionId string
 }

 func NewWeChatIdProvider(clientId string, clientSecret string, redirectUrl string) *WeChatIdProvider {
@ -84,6 +90,15 @@ type WechatAccessToken struct {
 // GetToken use code get access_token (*operation of getting code ought to be done in front)
 // get more detail via: https://developers.weixin.qq.com/doc/oplatform/Website_App/WeChat_Login/Wechat_Login.html
 func (idp *WeChatIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	if strings.HasPrefix(code, "wechat_oa:") {
+		token := oauth2.Token{
+			AccessToken: code,
+			TokenType:   "WeChatAccessToken",
+			Expiry:      time.Time{},
+		}
+		return &token, nil
+	}
+
 	params := url.Values{}
 	params.Add("grant_type", "authorization_code")
 	params.Add("appid", idp.Config.ClientID)
@ -164,6 +179,29 @@ type WechatUserInfo struct {
 func (idp *WeChatIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	var wechatUserInfo WechatUserInfo
 	accessToken := token.AccessToken
+
+	if strings.HasPrefix(accessToken, "wechat_oa:") {
+		Lock.RLock()
+		mapValue, ok := WechatCacheMap[accessToken[10:]]
+		Lock.RUnlock()
+
+		if !ok || mapValue.WechatUnionId == "" {
+			return nil, fmt.Errorf("error ticket")
+		}
+
+		Lock.Lock()
+		delete(WechatCacheMap, accessToken[10:])
+		Lock.Unlock()
+
+		userInfo := UserInfo{
+			Id:          mapValue.WechatUnionId,
+			Username:    "wx_user_" + mapValue.WechatUnionId,
+			DisplayName: "wx_user_" + mapValue.WechatUnionId,
+			AvatarUrl:   "",
+		}
+		return &userInfo, nil
+	}
+
 	openid := token.Extra("Openid")

 	userInfoUrl := fmt.Sprintf("https://api.weixin.qq.com/sns/userinfo?access_token=%s&openid=%s", accessToken, openid)
@ -234,7 +272,7 @@ func GetWechatOfficialAccountAccessToken(clientId string, clientSecret string) (
 		ExpireIn    int    `json:"expires_in"`
 		AccessToken string `json:"access_token"`
 		ErrCode     int    `json:"errcode"`
-		Errmsg      string `json:errmsg`
+		Errmsg      string `json:"errmsg"`
 	}
 	err = json.Unmarshal(respBytes, &data)
 	if err != nil {
--- a/init_data.json.template
+++ b/init_data.json.template
@ -8,12 +8,62 @@
      "favicon": "",
      "passwordType": "plain",
      "passwordSalt": "",
-      "passwordOptions": ["AtLeast6"],
-      "countryCodes": ["US", "GB", "ES", "FR", "DE", "CN", "JP", "KR", "VN", "ID", "SG", "IN", "IT", "MY", "TR", "DZ", "IL", "PH", "NL", "PL", "FI", "SE", "UA", "KZ"],
+      "passwordOptions": [
+        "AtLeast6"
+      ],
+      "countryCodes": [
+        "US",
+        "GB",
+        "ES",
+        "FR",
+        "DE",
+        "CN",
+        "JP",
+        "KR",
+        "VN",
+        "ID",
+        "SG",
+        "IN",
+        "IT",
+        "MY",
+        "TR",
+        "DZ",
+        "IL",
+        "PH",
+        "NL",
+        "PL",
+        "FI",
+        "SE",
+        "UA",
+        "KZ"
+      ],
      "defaultAvatar": "",
      "defaultApplication": "",
      "tags": [],
-      "languages": ["en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi", "it", "ms", "tr","ar", "he", "nl", "pl", "fi", "sv", "uk", "kk", "fa"],
+      "languages": [
+        "en",
+        "zh",
+        "es",
+        "fr",
+        "de",
+        "id",
+        "ja",
+        "ko",
+        "ru",
+        "vi",
+        "it",
+        "ms",
+        "tr",
+        "ar",
+        "he",
+        "nl",
+        "pl",
+        "fi",
+        "sv",
+        "uk",
+        "kk",
+        "fa"
+      ],
      "masterPassword": "",
      "defaultPassword": "",
      "initScore": 2000,
@ -49,18 +99,23 @@
        {
          "name": "Password",
          "displayName": "Password",
-          "rule": "All",
+          "rule": "All"
        },
        {
          "name": "Verification code",
          "displayName": "Verification code",
-          "rule": "All",
+          "rule": "All"
        },
        {
          "name": "WebAuthn",
          "displayName": "WebAuthn",
-          "rule": "None",
+          "rule": "None"
        },
+        {
+          "name": "Face ID",
+          "displayName": "Face ID",
+          "rule": "None"
+        }
      ],
      "signupItems": [
        {
@ -72,55 +127,67 @@
        },
        {
          "name": "Username",
-            "visible": true,
-            "required": true,
-            "prompted": false,
-            "rule": "None"
+          "visible": true,
+          "required": true,
+          "prompted": false,
+          "rule": "None"
        },
        {
          "name": "Display name",
-            "visible": true,
-            "required": true,
-            "prompted": false,
-            "rule": "None"
+          "visible": true,
+          "required": true,
+          "prompted": false,
+          "rule": "None"
        },
        {
          "name": "Password",
-            "visible": true,
-            "required": true,
-            "prompted": false,
-            "rule": "None"
+          "visible": true,
+          "required": true,
+          "prompted": false,
+          "rule": "None"
        },
        {
          "name": "Confirm password",
-            "visible": true,
-            "required": true,
-            "prompted": false,
-            "rule": "None"
+          "visible": true,
+          "required": true,
+          "prompted": false,
+          "rule": "None"
        },
        {
          "name": "Email",
-            "visible": true,
-            "required": true,
-            "prompted": false,
-            "rule": "None"
+          "visible": true,
+          "required": true,
+          "prompted": false,
+          "rule": "None"
        },
        {
          "name": "Phone",
-            "visible": true,
-            "required": true,
-            "prompted": false,
-            "rule": "None"
+          "visible": true,
+          "required": true,
+          "prompted": false,
+          "rule": "None"
        },
        {
          "name": "Agreement",
-            "visible": true,
-            "required": true,
-            "prompted": false,
-            "rule": "None"
+          "visible": true,
+          "required": true,
+          "prompted": false,
+          "rule": "None"
        }
      ],
-      "redirectUris": [""],
+      "grantTypes": [
+        "authorization_code",
+        "password",
+        "client_credentials",
+        "token",
+        "id_token",
+        "refresh_token"
+      ],
+      "redirectUris": [
+        "http://localhost:9000/callback"
+      ],
+      "tokenFormat": "JWT",
+      "tokenFields": [],
      "expireInHours": 168,
      "failedSigninLimit": 5,
      "failedSigninFrozenTime": 15
@ -146,7 +213,8 @@
      "isForbidden": false,
      "isDeleted": false,
      "signupApplication": "",
-      "createdIp": ""
+      "createdIp": "",
+      "groups": []
    }
  ],
  "providers": [
@ -349,5 +417,74 @@
      "owner": "",
      "url": ""
    }
+  ],
+  "groups": [
+    {
+      "owner": "",
+      "name": "",
+      "displayName": "",
+      "manager": "",
+      "contactEmail": "",
+      "type": "",
+      "parent_id": "",
+      "isTopGroup": true,
+      "title": "",
+      "key": "",
+      "children": "",
+      "isEnabled": true
+    }
+  ],
+  "adapters": [
+    {
+      "owner": "",
+      "name": "",
+      "table": "",
+      "useSameDb": true,
+      "type": "",
+      "databaseType": "",
+      "database": "",
+      "host": "",
+      "port": 0,
+      "user": "",
+      "password": ""
+    }
+  ],
+  "enforcers": [
+    {
+      "owner": "",
+      "name": "",
+      "displayName": "",
+      "description": "",
+      "model": "",
+      "adapter": "",
+      "enforcer": ""
+    }
+  ],
+  "plans": [
+    {
+      "owner": "",
+      "name": "",
+      "displayName": "",
+      "description": "",
+      "price": 0,
+      "currency": "",
+      "period": "",
+      "product": "",
+      "paymentProviders": [],
+      "isEnabled": true,
+      "role": ""
+    }
+  ],
+  "pricings": [
+    {
+      "owner": "",
+      "name": "",
+      "displayName": "",
+      "description": "",
+      "plans": [],
+      "isEnabled": true,
+      "trialDuration": 0,
+      "application": ""
+    }
  ]
 }
--- a/main.go
+++ b/main.go
@ -36,12 +36,12 @@ func main() {
 	object.CreateTables()

 	object.InitDb()
-	object.InitFromFile()
 	object.InitDefaultStorageProvider()
 	object.InitLdapAutoSynchronizer()
 	proxy.InitHttpClient()
 	authz.InitApi()
 	object.InitUserManager()
+	object.InitFromFile()
 	object.InitCasvisorConfig()

 	util.SafeGoroutine(func() { object.RunSyncUsersJob() })
--- a/object/adapter.go
+++ b/object/adapter.go
@ -178,6 +178,7 @@ func (adapter *Adapter) InitAdapter() error {
 		dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
 	}

+	dataSourceName = conf.ReplaceDataSourceNameByDocker(dataSourceName)
 	engine, err := xorm.NewEngine(driverName, dataSourceName)
 	if err != nil {
 		return err
--- a/object/application.go
+++ b/object/application.go
@ -19,6 +19,7 @@ import (
 	"regexp"
 	"strings"

+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
 )
@ -40,6 +41,15 @@ type SignupItem struct {
 	Rule        string `json:"rule"`
 }

+type SigninItem struct {
+	Name        string `json:"name"`
+	Visible     bool   `json:"visible"`
+	Label       string `json:"label"`
+	Placeholder string `json:"placeholder"`
+	Rule        string `json:"rule"`
+	IsCustom    bool   `json:"isCustom"`
+}
+
 type SamlItem struct {
 	Name       string `json:"name"`
 	NameFormat string `json:"nameFormat"`
@ -57,6 +67,7 @@ type Application struct {
 	Description           string          `xorm:"varchar(100)" json:"description"`
 	Organization          string          `xorm:"varchar(100)" json:"organization"`
 	Cert                  string          `xorm:"varchar(100)" json:"cert"`
+	HeaderHtml            string          `xorm:"mediumtext" json:"headerHtml"`
 	EnablePassword        bool            `json:"enablePassword"`
 	EnableSignUp          bool            `json:"enableSignUp"`
 	EnableSigninSession   bool            `json:"enableSigninSession"`
@ -72,6 +83,7 @@ type Application struct {
 	Providers             []*ProviderItem `xorm:"mediumtext" json:"providers"`
 	SigninMethods         []*SigninMethod `xorm:"varchar(2000)" json:"signinMethods"`
 	SignupItems           []*SignupItem   `xorm:"varchar(2000)" json:"signupItems"`
+	SigninItems           []*SigninItem   `xorm:"mediumtext" json:"signinItems"`
 	GrantTypes            []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj       *Organization   `xorm:"-" json:"organizationObj"`
 	CertPublicKey         string          `xorm:"-" json:"certPublicKey"`
@ -93,6 +105,7 @@ type Application struct {
 	SignupHtml           string     `xorm:"mediumtext" json:"signupHtml"`
 	SigninHtml           string     `xorm:"mediumtext" json:"signinHtml"`
 	ThemeData            *ThemeData `xorm:"json" json:"themeData"`
+	FooterHtml           string     `xorm:"mediumtext" json:"footerHtml"`
 	FormCss              string     `xorm:"text" json:"formCss"`
 	FormCssMobile        string     `xorm:"text" json:"formCssMobile"`
 	FormOffset           int        `json:"formOffset"`
@ -190,6 +203,100 @@ func extendApplicationWithOrg(application *Application) (err error) {
 	return
 }

+func extendApplicationWithSigninItems(application *Application) (err error) {
+	if len(application.SigninItems) == 0 {
+		signinItem := &SigninItem{
+			Name:        "Back button",
+			Visible:     true,
+			Label:       "\n<style>\n  .back-button {\n      top: 65px;\n      left: 15px;\n      position: absolute;\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Languages",
+			Visible:     true,
+			Label:       "\n<style>\n  .login-languages {\n      top: 55px;\n      right: 5px;\n      position: absolute;\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Logo",
+			Visible:     true,
+			Label:       "\n<style>\n  .login-logo-box {\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Signin methods",
+			Visible:     true,
+			Label:       "\n<style>\n  .signin-methods {\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Username",
+			Visible:     true,
+			Label:       "\n<style>\n  .login-username {\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Password",
+			Visible:     true,
+			Label:       "\n<style>\n  .login-password {\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Agreement",
+			Visible:     true,
+			Label:       "\n<style>\n  .login-agreement {\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Forgot password?",
+			Visible:     true,
+			Label:       "\n<style>\n  .login-forget-password {\n    display: inline-flex;\n    justify-content: space-between;\n    width: 320px;\n    margin-bottom: 25px;\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Login button",
+			Visible:     true,
+			Label:       "\n<style>\n  .login-button-box {\n    margin-bottom: 5px;\n  }\n  .login-button {\n    width: 100%;\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Signup link",
+			Visible:     true,
+			Label:       "\n<style>\n  .login-signup-link {\n    margin-bottom: 24px;\n    display: flex;\n    justify-content: end;\n}\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Providers",
+			Visible:     true,
+			Label:       "\n<style>\n  .provider-img {\n      width: 30px;\n      margin: 5px;\n  }\n  .provider-big-img {\n      margin-bottom: 10px;\n  }\n</style>\n",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+	}
+	return
+}
+
 func extendApplicationWithSigninMethods(application *Application) (err error) {
 	if len(application.SigninMethods) == 0 {
 		if application.EnablePassword {
@ -204,6 +311,9 @@ func extendApplicationWithSigninMethods(application *Application) (err error) {
 			signinMethod := &SigninMethod{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"}
 			application.SigninMethods = append(application.SigninMethods, signinMethod)
 		}
+
+		signinMethod := &SigninMethod{Name: "Face ID", DisplayName: "Face ID", Rule: "None"}
+		application.SigninMethods = append(application.SigninMethods, signinMethod)
 	}

 	if len(application.SigninMethods) == 0 {
@ -240,6 +350,10 @@ func getApplication(owner string, name string) (*Application, error) {
 		if err != nil {
 			return nil, err
 		}
+		err = extendApplicationWithSigninItems(&application)
+		if err != nil {
+			return nil, err
+		}

 		return &application, nil
 	} else {
@ -270,6 +384,11 @@ func GetApplicationByOrganizationName(organization string) (*Application, error)
 			return nil, err
 		}

+		err = extendApplicationWithSigninItems(&application)
+		if err != nil {
+			return nil, err
+		}
+
 		return &application, nil
 	} else {
 		return nil, nil
@ -322,6 +441,11 @@ func GetApplicationByClientId(clientId string) (*Application, error) {
 			return nil, err
 		}

+		err = extendApplicationWithSigninItems(&application)
+		if err != nil {
+			return nil, err
+		}
+
 		return &application, nil
 	} else {
 		return nil, nil
@ -349,36 +473,71 @@ func GetMaskedApplication(application *Application, userId string) *Application
 		application.FailedSigninFrozenTime = DefaultFailedSigninFrozenTime
 	}

+	isOrgUser := false
 	if userId != "" {
 		if isUserIdGlobalAdmin(userId) {
 			return application
 		}

-		user, _ := GetUser(userId)
-		if user != nil && user.IsApplicationAdmin(application) {
-			return application
+		user, err := GetUser(userId)
+		if err != nil {
+			panic(err)
+		}
+		if user != nil {
+			if user.IsApplicationAdmin(application) {
+				return application
+			}
+
+			if user.Owner == application.Organization {
+				isOrgUser = true
+			}
 		}
 	}

-	if application.ClientSecret != "" {
-		application.ClientSecret = "***"
+	application.ClientSecret = "***"
+	application.Cert = "***"
+	application.EnablePassword = false
+	application.EnableSigninSession = false
+	application.EnableCodeSignin = false
+	application.EnableSamlCompress = false
+	application.EnableSamlC14n10 = false
+	application.EnableSamlPostBinding = false
+	application.EnableWebAuthn = false
+	application.EnableLinkWithEmail = false
+	application.SamlReplyUrl = "***"
+
+	providerItems := []*ProviderItem{}
+	for _, providerItem := range application.Providers {
+		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha") {
+			providerItems = append(providerItems, providerItem)
+		}
 	}
+	application.Providers = providerItems
+
+	application.GrantTypes = nil
+	application.Tags = nil
+	application.RedirectUris = nil
+	application.TokenFormat = "***"
+	application.TokenFields = nil
+	application.ExpireInHours = -1
+	application.RefreshExpireInHours = -1
+	application.FailedSigninLimit = -1
+	application.FailedSigninFrozenTime = -1

 	if application.OrganizationObj != nil {
-		if application.OrganizationObj.MasterPassword != "" {
-			application.OrganizationObj.MasterPassword = "***"
-		}
-		if application.OrganizationObj.DefaultPassword != "" {
-			application.OrganizationObj.DefaultPassword = "***"
-		}
-		if application.OrganizationObj.MasterVerificationCode != "" {
-			application.OrganizationObj.MasterVerificationCode = "***"
-		}
-		if application.OrganizationObj.PasswordType != "" {
-			application.OrganizationObj.PasswordType = "***"
-		}
-		if application.OrganizationObj.PasswordSalt != "" {
-			application.OrganizationObj.PasswordSalt = "***"
+		application.OrganizationObj.MasterPassword = "***"
+		application.OrganizationObj.DefaultPassword = "***"
+		application.OrganizationObj.MasterVerificationCode = "***"
+		application.OrganizationObj.PasswordType = "***"
+		application.OrganizationObj.PasswordSalt = "***"
+		application.OrganizationObj.InitScore = -1
+		application.OrganizationObj.EnableSoftDeletion = false
+
+		if !isOrgUser {
+			application.OrganizationObj.MfaItems = nil
+			if !application.OrganizationObj.IsProfilePublic {
+				application.OrganizationObj.AccountItems = nil
+			}
 		}
 	}

@ -396,8 +555,12 @@ func GetMaskedApplications(applications []*Application, userId string) []*Applic
 	return applications
 }

-func GetAllowedApplications(applications []*Application, userId string) ([]*Application, error) {
-	if userId == "" || isUserIdGlobalAdmin(userId) {
+func GetAllowedApplications(applications []*Application, userId string, lang string) ([]*Application, error) {
+	if userId == "" {
+		return nil, fmt.Errorf(i18n.Translate(lang, "auth:Unauthorized operation"))
+	}
+
+	if isUserIdGlobalAdmin(userId) {
 		return applications, nil
 	}

@ -405,7 +568,11 @@ func GetAllowedApplications(applications []*Application, userId string) ([]*Appl
 	if err != nil {
 		return nil, err
 	}
-	if user != nil && user.IsAdmin {
+	if user == nil {
+		return nil, fmt.Errorf(i18n.Translate(lang, "auth:Unauthorized operation"))
+	}
+
+	if user.IsAdmin {
 		return applications, nil
 	}

@ -520,7 +687,7 @@ func (application *Application) GetId() string {
 }

 func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	redirectUris := append([]string{"http://localhost:", "https://localhost:", "http://127.0.0.1:", "http://casdoor-app"}, application.RedirectUris...)
+	redirectUris := append([]string{"http://localhost:", "https://localhost:", "http://127.0.0.1:", "http://casdoor-app", ".chromiumapp.org"}, application.RedirectUris...)
 	for _, targetUri := range redirectUris {
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
@ -593,6 +760,17 @@ func (application *Application) IsLdapEnabled() bool {
 	return false
 }

+func (application *Application) IsFaceIdEnabled() bool {
+	if len(application.SigninMethods) > 0 {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Face ID" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func IsOriginAllowed(origin string) (bool, error) {
 	applications, err := GetApplications("")
 	if err != nil {
--- a/object/application_item.go
+++ b/object/application_item.go
@ -38,12 +38,38 @@ func (application *Application) GetProviderByCategory(category string) (*Provide
 	return nil, nil
 }

-func (application *Application) GetEmailProvider() (*Provider, error) {
-	return application.GetProviderByCategory("Email")
+func (application *Application) GetProviderByCategoryAndRule(category string, method string) (*Provider, error) {
+	providers, err := GetProviders(application.Organization)
+	if err != nil {
+		return nil, err
+	}
+
+	m := map[string]*Provider{}
+	for _, provider := range providers {
+		if provider.Category != category {
+			continue
+		}
+
+		m[provider.Name] = provider
+	}
+
+	for _, providerItem := range application.Providers {
+		if providerItem.Rule == method || (providerItem.Rule == "all" || providerItem.Rule == "" || providerItem.Rule == "None") {
+			if provider, ok := m[providerItem.Name]; ok {
+				return provider, nil
+			}
+		}
+	}
+
+	return nil, nil
 }

-func (application *Application) GetSmsProvider() (*Provider, error) {
-	return application.GetProviderByCategory("SMS")
+func (application *Application) GetEmailProvider(method string) (*Provider, error) {
+	return application.GetProviderByCategoryAndRule("Email", method)
+}
+
+func (application *Application) GetSmsProvider(method string) (*Provider, error) {
+	return application.GetProviderByCategoryAndRule("SMS", method)
 }

 func (application *Application) GetStorageProvider() (*Provider, error) {
--- a/object/cert.go
+++ b/object/cert.go
@ -205,16 +205,41 @@ func (p *Cert) GetId() string {
 }

 func (p *Cert) populateContent() error {
-	if p.Certificate == "" || p.PrivateKey == "" {
-		certificate, privateKey, err := generateRsaKeys(p.BitSize, p.ExpireInYears, p.Name, p.Owner)
-		if err != nil {
-			return err
-		}
-
-		p.Certificate = certificate
-		p.PrivateKey = privateKey
+	if p.Certificate != "" && p.PrivateKey != "" {
+		return nil
 	}

+	if len(p.CryptoAlgorithm) < 3 {
+		err := fmt.Errorf("populateContent() error, unsupported crypto algorithm: %s", p.CryptoAlgorithm)
+		return err
+	}
+
+	if p.CryptoAlgorithm == "RSA" {
+		p.CryptoAlgorithm = "RS256"
+	}
+
+	sigAlgorithm := p.CryptoAlgorithm[:2]
+	shaSize, err := util.ParseIntWithError(p.CryptoAlgorithm[2:])
+	if err != nil {
+		return err
+	}
+
+	var certificate, privateKey string
+	if sigAlgorithm == "RS" {
+		certificate, privateKey, err = generateRsaKeys(p.BitSize, shaSize, p.ExpireInYears, p.Name, p.Owner)
+	} else if sigAlgorithm == "ES" {
+		certificate, privateKey, err = generateEsKeys(shaSize, p.ExpireInYears, p.Name, p.Owner)
+	} else if sigAlgorithm == "PS" {
+		certificate, privateKey, err = generateRsaPssKeys(p.BitSize, shaSize, p.ExpireInYears, p.Name, p.Owner)
+	} else {
+		err = fmt.Errorf("populateContent() error, unsupported signature algorithm: %s", sigAlgorithm)
+	}
+	if err != nil {
+		return err
+	}
+
+	p.Certificate = certificate
+	p.PrivateKey = privateKey
 	return nil
 }

--- a/object/get-dashboard.go
+++ b/object/get-dashboard.go
@ -28,6 +28,10 @@ type Dashboard struct {
 }

 func GetDashboard(owner string) (*Dashboard, error) {
+	if owner == "All" {
+		owner = ""
+	}
+
 	dashboard := &Dashboard{
 		OrganizationCounts: make([]int, 31),
 		UserCounts:         make([]int, 31),
@ -36,14 +40,13 @@ func GetDashboard(owner string) (*Dashboard, error) {
 		SubscriptionCounts: make([]int, 31),
 	}

-	var wg sync.WaitGroup
-
 	organizations := []Organization{}
 	users := []User{}
 	providers := []Provider{}
 	applications := []Application{}
 	subscriptions := []Subscription{}

+	var wg sync.WaitGroup
 	wg.Add(5)
 	go func() {
 		defer wg.Done()
--- a/object/init.go
+++ b/object/init.go
@ -184,6 +184,7 @@ func initBuiltInApplication() {
 			{Name: "Password", DisplayName: "Password", Rule: "All"},
 			{Name: "Verification code", DisplayName: "Verification code", Rule: "All"},
 			{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"},
+			{Name: "Face ID", DisplayName: "Face ID", Rule: "None"},
 		},
 		SignupItems: []*SignupItem{
 			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},
@ -197,6 +198,7 @@ func initBuiltInApplication() {
 		},
 		Tags:          []string{},
 		RedirectUris:  []string{},
+		TokenFormat:   "JWT",
 		TokenFields:   []string{},
 		ExpireInHours: 168,
 		FormOffset:    2,
--- a/object/init_data.go
+++ b/object/init_data.go
@ -17,24 +17,35 @@ package object
 import (
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
+	"github.com/casvisor/casvisor-go-sdk/casvisorsdk"
 )

 type InitData struct {
-	Organizations []*Organization `json:"organizations"`
-	Applications  []*Application  `json:"applications"`
-	Users         []*User         `json:"users"`
-	Certs         []*Cert         `json:"certs"`
-	Providers     []*Provider     `json:"providers"`
-	Ldaps         []*Ldap         `json:"ldaps"`
-	Models        []*Model        `json:"models"`
-	Permissions   []*Permission   `json:"permissions"`
-	Payments      []*Payment      `json:"payments"`
-	Products      []*Product      `json:"products"`
-	Resources     []*Resource     `json:"resources"`
-	Roles         []*Role         `json:"roles"`
-	Syncers       []*Syncer       `json:"syncers"`
-	Tokens        []*Token        `json:"tokens"`
-	Webhooks      []*Webhook      `json:"webhooks"`
+	Organizations []*Organization       `json:"organizations"`
+	Applications  []*Application        `json:"applications"`
+	Users         []*User               `json:"users"`
+	Certs         []*Cert               `json:"certs"`
+	Providers     []*Provider           `json:"providers"`
+	Ldaps         []*Ldap               `json:"ldaps"`
+	Models        []*Model              `json:"models"`
+	Permissions   []*Permission         `json:"permissions"`
+	Payments      []*Payment            `json:"payments"`
+	Products      []*Product            `json:"products"`
+	Resources     []*Resource           `json:"resources"`
+	Roles         []*Role               `json:"roles"`
+	Syncers       []*Syncer             `json:"syncers"`
+	Tokens        []*Token              `json:"tokens"`
+	Webhooks      []*Webhook            `json:"webhooks"`
+	Groups        []*Group              `json:"groups"`
+	Adapters      []*Adapter            `json:"adapters"`
+	Enforcers     []*Enforcer           `json:"enforcers"`
+	Plans         []*Plan               `json:"plans"`
+	Pricings      []*Pricing            `json:"pricings"`
+	Invitations   []*Invitation         `json:"invitations"`
+	Records       []*casvisorsdk.Record `json:"records"`
+	Sessions      []*Session            `json:"sessions"`
+	Subscriptions []*Subscription       `json:"subscriptions"`
+	Transactions  []*Transaction        `json:"transactions"`
 }

 func InitFromFile() {
@ -94,6 +105,36 @@ func InitFromFile() {
 		for _, webhook := range initData.Webhooks {
 			initDefinedWebhook(webhook)
 		}
+		for _, group := range initData.Groups {
+			initDefinedGroup(group)
+		}
+		for _, adapter := range initData.Adapters {
+			initDefinedAdapter(adapter)
+		}
+		for _, enforcer := range initData.Enforcers {
+			initDefinedEnforcer(enforcer)
+		}
+		for _, plan := range initData.Plans {
+			initDefinedPlan(plan)
+		}
+		for _, pricing := range initData.Pricings {
+			initDefinedPricing(pricing)
+		}
+		for _, invitation := range initData.Invitations {
+			initDefinedInvitation(invitation)
+		}
+		for _, record := range initData.Records {
+			initDefinedRecord(record)
+		}
+		for _, session := range initData.Sessions {
+			initDefinedSession(session)
+		}
+		for _, subscription := range initData.Subscriptions {
+			initDefinedSubscription(subscription)
+		}
+		for _, transaction := range initData.Transactions {
+			initDefinedTransaction(transaction)
+		}
 	}
 }

@ -120,6 +161,16 @@ func readInitDataFromFile(filePath string) (*InitData, error) {
 		Syncers:       []*Syncer{},
 		Tokens:        []*Token{},
 		Webhooks:      []*Webhook{},
+		Groups:        []*Group{},
+		Adapters:      []*Adapter{},
+		Enforcers:     []*Enforcer{},
+		Plans:         []*Plan{},
+		Pricings:      []*Pricing{},
+		Invitations:   []*Invitation{},
+		Records:       []*casvisorsdk.Record{},
+		Sessions:      []*Session{},
+		Subscriptions: []*Subscription{},
+		Transactions:  []*Transaction{},
 	}
 	err := util.JsonToStruct(s, data)
 	if err != nil {
@ -190,7 +241,21 @@ func readInitDataFromFile(filePath string) (*InitData, error) {
 			webhook.Headers = []*Header{}
 		}
 	}
-
+	for _, plan := range data.Plans {
+		if plan.PaymentProviders == nil {
+			plan.PaymentProviders = []string{}
+		}
+	}
+	for _, pricing := range data.Pricings {
+		if pricing.Plans == nil {
+			pricing.Plans = []string{}
+		}
+	}
+	for _, session := range data.Sessions {
+		if session.SessionId == nil {
+			session.SessionId = []string{}
+		}
+	}
 	return data, nil
 }

@ -434,3 +499,136 @@ func initDefinedWebhook(webhook *Webhook) {
 		panic(err)
 	}
 }
+
+func initDefinedGroup(group *Group) {
+	existed, err := getGroup(group.Owner, group.Name)
+	if err != nil {
+		panic(err)
+	}
+	if existed != nil {
+		return
+	}
+	group.CreatedTime = util.GetCurrentTime()
+	_, err = AddGroup(group)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initDefinedAdapter(adapter *Adapter) {
+	existed, err := getAdapter(adapter.Owner, adapter.Name)
+	if err != nil {
+		panic(err)
+	}
+	if existed != nil {
+		return
+	}
+	adapter.CreatedTime = util.GetCurrentTime()
+	_, err = AddAdapter(adapter)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initDefinedEnforcer(enforcer *Enforcer) {
+	existed, err := getEnforcer(enforcer.Owner, enforcer.Name)
+	if err != nil {
+		panic(err)
+	}
+	if existed != nil {
+		return
+	}
+	enforcer.CreatedTime = util.GetCurrentTime()
+	_, err = AddEnforcer(enforcer)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initDefinedPlan(plan *Plan) {
+	existed, err := getPlan(plan.Owner, plan.Name)
+	if err != nil {
+		panic(err)
+	}
+	if existed != nil {
+		return
+	}
+	plan.CreatedTime = util.GetCurrentTime()
+	_, err = AddPlan(plan)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initDefinedPricing(pricing *Pricing) {
+	existed, err := getPlan(pricing.Owner, pricing.Name)
+	if err != nil {
+		panic(err)
+	}
+	if existed != nil {
+		return
+	}
+	pricing.CreatedTime = util.GetCurrentTime()
+	_, err = AddPricing(pricing)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initDefinedInvitation(invitation *Invitation) {
+	existed, err := getInvitation(invitation.Owner, invitation.Name)
+	if err != nil {
+		panic(err)
+	}
+	if existed != nil {
+		return
+	}
+	invitation.CreatedTime = util.GetCurrentTime()
+	_, err = AddInvitation(invitation, "en")
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initDefinedRecord(record *casvisorsdk.Record) {
+	record.CreatedTime = util.GetCurrentTime()
+	_ = AddRecord(record)
+}
+
+func initDefinedSession(session *Session) {
+	session.CreatedTime = util.GetCurrentTime()
+	_, err := AddSession(session)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initDefinedSubscription(subscription *Subscription) {
+	existed, err := getSubscription(subscription.Owner, subscription.Name)
+	if err != nil {
+		panic(err)
+	}
+	if existed != nil {
+		return
+	}
+	subscription.CreatedTime = util.GetCurrentTime()
+	_, err = AddSubscription(subscription)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initDefinedTransaction(transaction *Transaction) {
+	existed, err := getTransaction(transaction.Owner, transaction.Name)
+	if err != nil {
+		panic(err)
+	}
+	if existed != nil {
+		return
+	}
+	transaction.CreatedTime = util.GetCurrentTime()
+	_, err = AddTransaction(transaction)
+	if err != nil {
+		panic(err)
+	}
+}
--- a/object/init_data_dump.go
+++ b/object/init_data_dump.go
@ -96,6 +96,56 @@ func writeInitDataToFile(filePath string) error {
 		return err
 	}

+	groups, err := GetGroups("")
+	if err != nil {
+		return err
+	}
+
+	adapters, err := GetAdapters("")
+	if err != nil {
+		return err
+	}
+
+	enforcers, err := GetEnforcers("")
+	if err != nil {
+		return err
+	}
+
+	plans, err := GetPlans("")
+	if err != nil {
+		return err
+	}
+
+	pricings, err := GetPricings("")
+	if err != nil {
+		return err
+	}
+
+	invitations, err := GetInvitations("")
+	if err != nil {
+		return err
+	}
+
+	records, err := GetRecords()
+	if err != nil {
+		return err
+	}
+
+	sessions, err := GetSessions("")
+	if err != nil {
+		return err
+	}
+
+	subscriptions, err := GetSubscriptions("")
+	if err != nil {
+		return err
+	}
+
+	transactions, err := GetTransactions("")
+	if err != nil {
+		return err
+	}
+
 	data := &InitData{
 		Organizations: organizations,
 		Applications:  applications,
@ -112,6 +162,16 @@ func writeInitDataToFile(filePath string) error {
 		Syncers:       syncers,
 		Tokens:        tokens,
 		Webhooks:      webhooks,
+		Groups:        groups,
+		Adapters:      adapters,
+		Enforcers:     enforcers,
+		Plans:         plans,
+		Pricings:      pricings,
+		Invitations:   invitations,
+		Records:       records,
+		Sessions:      sessions,
+		Subscriptions: subscriptions,
+		Transactions:  transactions,
 	}

 	text := util.StructToJsonFormatted(data)
--- a/object/mfa_sms.go
+++ b/object/mfa_sms.go
@ -36,9 +36,14 @@ func (mfa *SmsMfa) SetupVerify(passCode string) error {
 		mfa.Secret, _ = util.GetE164Number(mfa.Secret, mfa.CountryCode)
 	}

-	if result := CheckVerificationCode(mfa.Secret, passCode, "en"); result.Code != VerificationSuccess {
+	result, err := CheckVerificationCode(mfa.Secret, passCode, "en")
+	if err != nil {
+		return err
+	}
+	if result.Code != VerificationSuccess {
 		return errors.New(result.Msg)
 	}
+
 	return nil
 }

@ -52,21 +57,10 @@ func (mfa *SmsMfa) Enable(user *User) error {

 	if mfa.MfaType == SmsType {
 		user.MfaPhoneEnabled = true
-		columns = append(columns, "mfa_phone_enabled")
-
-		if user.Phone == "" {
-			user.Phone = mfa.Secret
-			user.CountryCode = mfa.CountryCode
-			columns = append(columns, "phone", "country_code")
-		}
+		columns = append(columns, "mfa_phone_enabled", "phone", "country_code")
 	} else if mfa.MfaType == EmailType {
 		user.MfaEmailEnabled = true
-		columns = append(columns, "mfa_email_enabled")
-
-		if user.Email == "" {
-			user.Email = mfa.Secret
-			columns = append(columns, "email")
-		}
+		columns = append(columns, "mfa_email_enabled", "email")
 	}

 	_, err := UpdateUser(user.GetId(), user, columns, false)
@ -81,9 +75,15 @@ func (mfa *SmsMfa) Verify(passCode string) error {
 	if !util.IsEmailValid(mfa.Secret) {
 		mfa.Secret, _ = util.GetE164Number(mfa.Secret, mfa.CountryCode)
 	}
-	if result := CheckVerificationCode(mfa.Secret, passCode, "en"); result.Code != VerificationSuccess {
+
+	result, err := CheckVerificationCode(mfa.Secret, passCode, "en")
+	if err != nil {
+		return err
+	}
+	if result.Code != VerificationSuccess {
 		return errors.New(result.Msg)
 	}
+
 	return nil
 }

--- a/object/organization.go
+++ b/object/organization.go
@ -31,6 +31,7 @@ type AccountItem struct {
 	Visible    bool   `json:"visible"`
 	ViewRule   string `json:"viewRule"`
 	ModifyRule string `json:"modifyRule"`
+	Regex      string `json:"regex"`
 }

 type ThemeData struct {
@ -53,6 +54,8 @@ type Organization struct {

 	DisplayName            string     `xorm:"varchar(100)" json:"displayName"`
 	WebsiteUrl             string     `xorm:"varchar(100)" json:"websiteUrl"`
+	Logo                   string     `xorm:"varchar(200)" json:"logo"`
+	LogoDark               string     `xorm:"varchar(200)" json:"logoDark"`
 	Favicon                string     `xorm:"varchar(100)" json:"favicon"`
 	PasswordType           string     `xorm:"varchar(100)" json:"passwordType"`
 	PasswordSalt           string     `xorm:"varchar(100)" json:"passwordSalt"`
@ -342,6 +345,11 @@ func GetDefaultApplication(id string) (*Application, error) {
 		return nil, err
 	}

+	err = extendApplicationWithSigninItems(defaultApplication)
+	if err != nil {
+		return nil, err
+	}
+
 	return defaultApplication, nil
 }

@ -453,6 +461,16 @@ func organizationChangeTrigger(oldName string, newName string) error {
 		return err
 	}

+	record := new(Record)
+	record.Owner = newName
+	record.Organization = newName
+	_, err = session.Where("organization=?", oldName).Update(record)
+	if err != nil {
+		if err.Error() != "no columns found to be updated" {
+			return err
+		}
+	}
+
 	resource := new(Resource)
 	resource.Owner = newName
 	_, err = session.Where("owner=?", oldName).Update(resource)
--- a/object/ormer.go
+++ b/object/ormer.go
@ -23,6 +23,8 @@ import (
 	"runtime"
 	"strings"

+	"github.com/casvisor/casvisor-go-sdk/casvisorsdk"
+
 	"github.com/beego/beego"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
@ -30,8 +32,9 @@ import (
 	_ "github.com/denisenkom/go-mssqldb" // db = mssql
 	_ "github.com/go-sql-driver/mysql"   // db = mysql
 	_ "github.com/lib/pq"                // db = postgres
-	"github.com/xorm-io/core"
 	"github.com/xorm-io/xorm"
+	"github.com/xorm-io/xorm/core"
+	"github.com/xorm-io/xorm/names"
 	_ "modernc.org/sqlite" // db = sqlite
 )

@ -96,7 +99,7 @@ func InitAdapter() {
 	}

 	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
+	tbMapper := names.NewPrefixMapper(names.SnakeMapper{}, tableNamePrefix)
 	ormer.Engine.SetTableMapper(tbMapper)
 }

@ -116,6 +119,7 @@ type Ormer struct {
 	driverName     string
 	dataSourceName string
 	dbName         string
+	Db             *sql.DB
 	Engine         *xorm.Engine
 }

@ -125,6 +129,13 @@ func finalizer(a *Ormer) {
 	if err != nil {
 		panic(err)
 	}
+
+	if a.Db != nil {
+		err = a.Db.Close()
+		if err != nil {
+			panic(err)
+		}
+	}
 }

 // NewAdapter is the constructor for Ormer.
@ -146,6 +157,26 @@ func NewAdapter(driverName string, dataSourceName string, dbName string) (*Ormer
 	return a, nil
 }

+// NewAdapterFromdb is the constructor for Ormer.
+func NewAdapterFromDb(driverName string, dataSourceName string, dbName string, db *sql.DB) (*Ormer, error) {
+	a := &Ormer{}
+	a.driverName = driverName
+	a.dataSourceName = dataSourceName
+	a.dbName = dbName
+	a.Db = db
+
+	// Open the DB, create it if not existed.
+	err := a.openFromDb(a.Db)
+	if err != nil {
+		return nil, err
+	}
+
+	// Call the destructor when the object is released.
+	runtime.SetFinalizer(a, finalizer)
+
+	return a, nil
+}
+
 func refineDataSourceNameForPostgres(dataSourceName string) string {
 	reg := regexp.MustCompile(`dbname=[^ ]+\s*`)
 	return reg.ReplaceAllString(dataSourceName, "")
@ -224,6 +255,30 @@ func (a *Ormer) open() error {
 	return nil
 }

+func (a *Ormer) openFromDb(db *sql.DB) error {
+	dataSourceName := a.dataSourceName + a.dbName
+	if a.driverName != "mysql" {
+		dataSourceName = a.dataSourceName
+	}
+
+	xormDb := core.FromDB(db)
+
+	engine, err := xorm.NewEngineWithDB(a.driverName, dataSourceName, xormDb)
+	if err != nil {
+		return err
+	}
+
+	if a.driverName == "postgres" {
+		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+		if schema != "" {
+			engine.SetSchema(schema)
+		}
+	}
+
+	a.Engine = engine
+	return nil
+}
+
 func (a *Ormer) close() {
 	_ = a.Engine.Close()
 	a.Engine = nil
@ -333,11 +388,21 @@ func (a *Ormer) createTable() {
 		panic(err)
 	}

+	err = a.Engine.Sync2(new(Transaction))
+	if err != nil {
+		panic(err)
+	}
+
 	err = a.Engine.Sync2(new(Syncer))
 	if err != nil {
 		panic(err)
 	}

+	err = a.Engine.Sync2(new(casvisorsdk.Record))
+	if err != nil {
+		panic(err)
+	}
+
 	err = a.Engine.Sync2(new(Webhook))
 	if err != nil {
 		panic(err)
--- a/object/provider.go
+++ b/object/provider.go
@ -312,8 +312,6 @@ func GetPaymentProvider(p *Provider) (pp.PaymentProvider, error) {
 	} else {
 		return nil, fmt.Errorf("the payment provider type: %s is not supported", p.Type)
 	}
-
-	return nil, nil
 }

 func (p *Provider) GetId() string {
--- a/object/record.go
+++ b/object/record.go
@ -47,6 +47,12 @@ func NewRecord(ctx *context.Context) *casvisorsdk.Record {
 		object = string(ctx.Input.RequestBody)
 	}

+	language := ctx.Request.Header.Get("Accept-Language")
+	if len(language) > 2 {
+		language = language[0:2]
+	}
+	languageCode := conf.GetLanguage(language)
+
 	record := casvisorsdk.Record{
 		Name:        util.GenerateId(),
 		CreatedTime: util.GetCurrentTime(),
@ -55,7 +61,9 @@ func NewRecord(ctx *context.Context) *casvisorsdk.Record {
 		Method:      ctx.Request.Method,
 		RequestUri:  requestUri,
 		Action:      action,
+		Language:    languageCode,
 		Object:      object,
+		Response:    "",
 		IsTriggered: false,
 	}
 	return &record
@ -82,7 +90,12 @@ func AddRecord(record *casvisorsdk.Record) bool {
 	}

 	if casvisorsdk.GetClient() == nil {
-		return false
+		affected, err := ormer.Engine.Insert(record)
+		if err != nil {
+			panic(err)
+		}
+
+		return affected != 0
 	}

 	affected, err := casvisorsdk.AddRecord(record)
@ -93,13 +106,55 @@ func AddRecord(record *casvisorsdk.Record) bool {
 	return affected
 }

-func getFilteredWebhooks(webhooks []*Webhook, action string) []*Webhook {
+func GetRecordCount(field, value string, filterRecord *casvisorsdk.Record) (int64, error) {
+	session := GetSession("", -1, -1, field, value, "", "")
+	return session.Count(filterRecord)
+}
+
+func GetRecords() ([]*casvisorsdk.Record, error) {
+	records := []*casvisorsdk.Record{}
+	err := ormer.Engine.Desc("id").Find(&records)
+	if err != nil {
+		return records, err
+	}
+
+	return records, nil
+}
+
+func GetPaginationRecords(offset, limit int, field, value, sortField, sortOrder string, filterRecord *casvisorsdk.Record) ([]*casvisorsdk.Record, error) {
+	records := []*casvisorsdk.Record{}
+	session := GetSession("", offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&records, filterRecord)
+	if err != nil {
+		return records, err
+	}
+
+	return records, nil
+}
+
+func GetRecordsByField(record *casvisorsdk.Record) ([]*casvisorsdk.Record, error) {
+	records := []*casvisorsdk.Record{}
+	err := ormer.Engine.Find(&records, record)
+	if err != nil {
+		return records, err
+	}
+
+	return records, nil
+}
+
+func getFilteredWebhooks(webhooks []*Webhook, organization string, action string) []*Webhook {
 	res := []*Webhook{}
 	for _, webhook := range webhooks {
 		if !webhook.IsEnabled {
 			continue
 		}

+		if webhook.SingleOrgOnly {
+			if webhook.Organization != organization {
+				continue
+			}
+		}
+
 		matched := false
 		for _, event := range webhook.Events {
 			if action == event {
@ -116,13 +171,13 @@ func getFilteredWebhooks(webhooks []*Webhook, action string) []*Webhook {
 }

 func SendWebhooks(record *casvisorsdk.Record) error {
-	webhooks, err := getWebhooksByOrganization(record.Organization)
+	webhooks, err := getWebhooksByOrganization("")
 	if err != nil {
 		return err
 	}

 	errs := []error{}
-	webhooks = getFilteredWebhooks(webhooks, record.Action)
+	webhooks = getFilteredWebhooks(webhooks, record.Organization, record.Action)
 	for _, webhook := range webhooks {
 		var user *User
 		if webhook.IsUserExtended {
--- a/object/record_casvisor.go
+++ b/object/record_casvisor.go
@ -27,7 +27,7 @@ func getCasvisorApplication() *Application {
 	}

 	for _, application := range applications {
-		if strings.Contains(strings.ToLower(application.Name), "casvisor") {
+		if strings.Contains(strings.ToLower(application.Name), "casvisor-my") {
 			return application
 		}
 	}
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@ -179,8 +179,8 @@ type IdpSSODescriptor struct {
 }

 type NameIDFormat struct {
-	XMLName xml.Name
-	Value   string `xml:",innerxml"`
+	// XMLName xml.Name
+	Value string `xml:",innerxml"`
 }

 type SingleSignOnService struct {
@ -190,7 +190,7 @@ type SingleSignOnService struct {
 }

 type Attribute struct {
-	XMLName      xml.Name
+	// XMLName      xml.Name
 	Name         string   `xml:"Name,attr"`
 	NameFormat   string   `xml:"NameFormat,attr"`
 	FriendlyName string   `xml:"FriendlyName,attr"`
@ -273,7 +273,7 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 	// base64 decode
 	defated, err := base64.StdEncoding.DecodeString(samlRequest)
 	if err != nil {
-		return "", "", method, fmt.Errorf("err: Failed to decode SAML request , %s", err.Error())
+		return "", "", "", fmt.Errorf("err: Failed to decode SAML request, %s", err.Error())
 	}

 	// decompress
@ -281,7 +281,7 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 	rdr := flate.NewReader(bytes.NewReader(defated))

 	for {
-		_, err := io.CopyN(&buffer, rdr, 1024)
+		_, err = io.CopyN(&buffer, rdr, 1024)
 		if err != nil {
 			if err == io.EOF {
 				break
@ -293,12 +293,12 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 	var authnRequest saml.AuthNRequest
 	err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
 	if err != nil {
-		return "", "", method, fmt.Errorf("err: Failed to unmarshal AuthnRequest, please check the SAML request. %s", err.Error())
+		return "", "", "", fmt.Errorf("err: Failed to unmarshal AuthnRequest, please check the SAML request, %s", err.Error())
 	}

 	// verify samlRequest
 	if isValid := application.IsRedirectUriValid(authnRequest.Issuer); !isValid {
-		return "", "", method, fmt.Errorf("err: Issuer URI: %s doesn't exist in the allowed Redirect URI list", authnRequest.Issuer)
+		return "", "", "", fmt.Errorf("err: Issuer URI: %s doesn't exist in the allowed Redirect URI list", authnRequest.Issuer)
 	}

 	// get certificate string
@ -323,8 +323,13 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 	}

 	_, originBackend := getOriginFromHost(host)
+
 	// build signedResponse
-	samlResponse, _ := NewSamlResponse(application, user, originBackend, certificate, authnRequest.AssertionConsumerServiceURL, authnRequest.Issuer, authnRequest.ID, application.RedirectUris)
+	samlResponse, err := NewSamlResponse(application, user, originBackend, certificate, authnRequest.AssertionConsumerServiceURL, authnRequest.Issuer, authnRequest.ID, application.RedirectUris)
+	if err != nil {
+		return "", "", "", fmt.Errorf("err: NewSamlResponse() error, %s", err.Error())
+	}
+
 	randomKeyStore := &X509Key{
 		PrivateKey:      cert.PrivateKey,
 		X509Certificate: certificate,
@ -336,18 +341,23 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 		ctx.Canonicalizer = dsig.MakeC14N10ExclusiveCanonicalizerWithPrefixList("")
 	}

-	//signedXML, err := ctx.SignEnvelopedLimix(samlResponse)
-	//if err != nil {
+	// signedXML, err := ctx.SignEnvelopedLimix(samlResponse)
+	// if err != nil {
 	//	return "", "", fmt.Errorf("err: %s", err.Error())
-	//}
+	// }
+
 	sig, err := ctx.ConstructSignature(samlResponse, true)
+	if err != nil {
+		return "", "", "", fmt.Errorf("err: Failed to serializes the SAML request into bytes, %s", err.Error())
+	}
+
 	samlResponse.InsertChildAt(1, sig)

 	doc := etree.NewDocument()
 	doc.SetRoot(samlResponse)
 	xmlBytes, err := doc.WriteToBytes()
 	if err != nil {
-		return "", "", method, fmt.Errorf("err: Failed to serializes the SAML request into bytes, %s", err.Error())
+		return "", "", "", fmt.Errorf("err: Failed to serializes the SAML request into bytes, %s", err.Error())
 	}

 	// compress
@ -355,16 +365,19 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 		flated := bytes.NewBuffer(nil)
 		writer, err := flate.NewWriter(flated, flate.DefaultCompression)
 		if err != nil {
-			return "", "", method, err
+			return "", "", "", err
 		}
+
 		_, err = writer.Write(xmlBytes)
 		if err != nil {
 			return "", "", "", err
 		}
+
 		err = writer.Close()
 		if err != nil {
 			return "", "", "", err
 		}
+
 		xmlBytes = flated.Bytes()
 	}
 	// base64 encode
@ -373,12 +386,12 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 }

 // NewSamlResponse11 return a saml1.1 response(not 2.0)
-func NewSamlResponse11(user *User, requestID string, host string) *etree.Element {
+func NewSamlResponse11(user *User, requestID string, host string) (*etree.Element, error) {
 	samlResponse := &etree.Element{
 		Space: "samlp",
 		Tag:   "Response",
 	}
-	// create samlresponse
+
 	samlResponse.CreateAttr("xmlns:samlp", "urn:oasis:names:tc:SAML:1.0:protocol")
 	samlResponse.CreateAttr("MajorVersion", "1")
 	samlResponse.CreateAttr("MinorVersion", "1")
@ -431,11 +444,15 @@ func NewSamlResponse11(user *User, requestID string, host string) *etree.Element
 	subjectConfirmationInAttribute := subjectInAttribute.CreateElement("saml:SubjectConfirmation")
 	subjectConfirmationInAttribute.CreateElement("saml:ConfirmationMethod").SetText("urn:oasis:names:tc:SAML:1.0:cm:artifact")

-	data, _ := json.Marshal(user)
-	tmp := map[string]string{}
-	err := json.Unmarshal(data, &tmp)
+	data, err := json.Marshal(user)
 	if err != nil {
-		panic(err)
+		return nil, err
+	}
+
+	tmp := map[string]string{}
+	err = json.Unmarshal(data, &tmp)
+	if err != nil {
+		return nil, err
 	}

 	for k, v := range tmp {
@ -447,7 +464,7 @@ func NewSamlResponse11(user *User, requestID string, host string) *etree.Element
 		}
 	}

-	return samlResponse
+	return samlResponse, nil
 }

 func GetSamlRedirectAddress(owner string, application string, relayState string, samlRequest string, host string) string {
--- a/object/storage.go
+++ b/object/storage.go
@ -109,14 +109,17 @@ func GetUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool

 func getStorageProvider(provider *Provider, lang string) (oss.StorageInterface, error) {
 	endpoint := getProviderEndpoint(provider)
-	storageProvider := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint)
+	storageProvider, err := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint)
+	if err != nil {
+		return nil, err
+	}
 	if storageProvider == nil {
 		return nil, fmt.Errorf(i18n.Translate(lang, "storage:The provider type: %s is not supported"), provider.Type)
 	}

 	if provider.Domain == "" {
 		provider.Domain = storageProvider.GetEndpoint()
-		_, err := UpdateProvider(provider.GetId(), provider)
+		_, err = UpdateProvider(provider.GetId(), provider)
 		if err != nil {
 			return nil, err
 		}
--- a/object/syncer.go
+++ b/object/syncer.go
@ -39,11 +39,17 @@ type Syncer struct {
 	Type         string `xorm:"varchar(100)" json:"type"`
 	DatabaseType string `xorm:"varchar(100)" json:"databaseType"`
 	SslMode      string `xorm:"varchar(100)" json:"sslMode"`
+	SshType      string `xorm:"varchar(100)" json:"sshType"`

 	Host             string         `xorm:"varchar(100)" json:"host"`
 	Port             int            `json:"port"`
 	User             string         `xorm:"varchar(100)" json:"user"`
 	Password         string         `xorm:"varchar(150)" json:"password"`
+	SshHost          string         `xorm:"varchar(100)" json:"sshHost"`
+	SshPort          int            `json:"sshPort"`
+	SshUser          string         `xorm:"varchar(100)" json:"sshUser"`
+	SshPassword      string         `xorm:"varchar(150)" json:"sshPassword"`
+	Cert             string         `xorm:"varchar(100)" json:"cert"`
 	Database         string         `xorm:"varchar(100)" json:"database"`
 	Table            string         `xorm:"varchar(100)" json:"table"`
 	TableColumns     []*TableColumn `xorm:"mediumtext" json:"tableColumns"`
@ -279,3 +285,25 @@ func RunSyncer(syncer *Syncer) error {

 	return syncer.syncUsers()
 }
+
+func TestSyncerDb(syncer Syncer) error {
+	oldSyncer, err := getSyncer(syncer.Owner, syncer.Name)
+	if err != nil {
+		return err
+	}
+
+	if syncer.Password == "***" {
+		syncer.Password = oldSyncer.Password
+	}
+
+	err = syncer.initAdapter()
+	if err != nil {
+		return err
+	}
+
+	err = syncer.Ormer.Engine.Ping()
+	if err != nil {
+		return err
+	}
+	return nil
+}
--- a/object/syncer_user.go
+++ b/object/syncer_user.go
@ -15,12 +15,17 @@
 package object

 import (
+	"context"
 	"database/sql"
+	"database/sql/driver"
 	"fmt"
 	"strings"
 	"time"

+	"golang.org/x/crypto/ssh"
+
 	"github.com/casdoor/casdoor/util"
+	"github.com/go-sql-driver/mysql"
 )

 type OriginalUser = User
@ -124,6 +129,19 @@ func (syncer *Syncer) calculateHash(user *OriginalUser) string {
 	return util.GetMd5Hash(s)
 }

+type dsnConnector struct {
+	dsn    string
+	driver driver.Driver
+}
+
+func (t dsnConnector) Connect(ctx context.Context) (driver.Conn, error) {
+	return t.driver.Open(t.dsn)
+}
+
+func (t dsnConnector) Driver() driver.Driver {
+	return t.driver
+}
+
 func (syncer *Syncer) initAdapter() error {
 	if syncer.Ormer != nil {
 		return nil
@ -142,12 +160,38 @@ func (syncer *Syncer) initAdapter() error {
 		dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/", syncer.User, syncer.Password, syncer.Host, syncer.Port)
 	}

+	var db *sql.DB
+	var err error
+
+	if syncer.SshType != "" && (syncer.DatabaseType == "mysql" || syncer.DatabaseType == "postgres" || syncer.DatabaseType == "mssql") {
+		var dial *ssh.Client
+		if syncer.SshType == "password" {
+			dial, err = DialWithPassword(syncer.SshUser, syncer.SshPassword, syncer.SshHost, syncer.SshPort)
+		} else {
+			dial, err = DialWithCert(syncer.SshUser, syncer.Owner+"/"+syncer.Cert, syncer.SshHost, syncer.SshPort)
+		}
+		if err != nil {
+			return err
+		}
+
+		if syncer.DatabaseType == "mysql" {
+			dataSourceName = fmt.Sprintf("%s:%s@%s(%s:%d)/", syncer.User, syncer.Password, syncer.Owner+syncer.Name, syncer.Host, syncer.Port)
+			mysql.RegisterDialContext(syncer.Owner+syncer.Name, (&ViaSSHDialer{Client: dial, Context: nil}).MysqlDial)
+		} else if syncer.DatabaseType == "postgres" || syncer.DatabaseType == "mssql" {
+			db = sql.OpenDB(dsnConnector{dsn: dataSourceName, driver: &ViaSSHDialer{Client: dial, Context: nil, DatabaseType: syncer.DatabaseType}})
+		}
+	}
+
 	if !isCloudIntranet {
 		dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
 	}

-	var err error
-	syncer.Ormer, err = NewAdapter(syncer.DatabaseType, dataSourceName, syncer.Database)
+	if db != nil {
+		syncer.Ormer, err = NewAdapterFromDb(syncer.DatabaseType, dataSourceName, syncer.Database, db)
+	} else {
+		syncer.Ormer, err = NewAdapter(syncer.DatabaseType, dataSourceName, syncer.Database)
+	}
+
 	return err
 }

--- a/object/token.go
+++ b/object/token.go
@ -16,33 +16,13 @@ package object

 import (
 	"crypto/sha256"
-	"encoding/base64"
 	"encoding/hex"
 	"fmt"
-	"time"

-	"github.com/casdoor/casdoor/i18n"
-	"github.com/casdoor/casdoor/idp"
 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
 )

-const (
-	hourSeconds          = int(time.Hour / time.Second)
-	InvalidRequest       = "invalid_request"
-	InvalidClient        = "invalid_client"
-	InvalidGrant         = "invalid_grant"
-	UnauthorizedClient   = "unauthorized_client"
-	UnsupportedGrantType = "unsupported_grant_type"
-	InvalidScope         = "invalid_scope"
-	EndpointError        = "endpoint_error"
-)
-
-type Code struct {
-	Message string `xorm:"varchar(100)" json:"message"`
-	Code    string `xorm:"varchar(100)" json:"code"`
-}
-
 type Token struct {
 	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
@ -65,35 +45,6 @@ type Token struct {
 	CodeExpireIn     int64  `json:"codeExpireIn"`
 }

-type TokenWrapper struct {
-	AccessToken  string `json:"access_token"`
-	IdToken      string `json:"id_token"`
-	RefreshToken string `json:"refresh_token"`
-	TokenType    string `json:"token_type"`
-	ExpiresIn    int    `json:"expires_in"`
-	Scope        string `json:"scope"`
-}
-
-type TokenError struct {
-	Error            string `json:"error"`
-	ErrorDescription string `json:"error_description,omitempty"`
-}
-
-type IntrospectionResponse struct {
-	Active    bool     `json:"active"`
-	Scope     string   `json:"scope,omitempty"`
-	ClientId  string   `json:"client_id,omitempty"`
-	Username  string   `json:"username,omitempty"`
-	TokenType string   `json:"token_type,omitempty"`
-	Exp       int64    `json:"exp,omitempty"`
-	Iat       int64    `json:"iat,omitempty"`
-	Nbf       int64    `json:"nbf,omitempty"`
-	Sub       string   `json:"sub,omitempty"`
-	Aud       []string `json:"aud,omitempty"`
-	Iss       string   `json:"iss,omitempty"`
-	Jti       string   `json:"jti,omitempty"`
-}
-
 func GetTokenCount(owner, organization, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
 	return session.Count(&Token{Organization: organization})
@ -186,21 +137,24 @@ func GetTokenByRefreshToken(refreshToken string) (*Token, error) {
 	return &token, nil
 }

-func GetTokenByTokenValue(tokenValue string) (*Token, error) {
-	token, err := GetTokenByAccessToken(tokenValue)
-	if err != nil {
-		return nil, err
-	}
-	if token != nil {
-		return token, nil
-	}
-
-	token, err = GetTokenByRefreshToken(tokenValue)
-	if err != nil {
-		return nil, err
-	}
-	if token != nil {
-		return token, nil
+func GetTokenByTokenValue(tokenValue, tokenTypeHint string) (*Token, error) {
+	switch tokenTypeHint {
+	case "access_token":
+		token, err := GetTokenByAccessToken(tokenValue)
+		if err != nil {
+			return nil, err
+		}
+		if token != nil {
+			return token, nil
+		}
+	case "refresh_token":
+		token, err := GetTokenByRefreshToken(tokenValue)
+		if err != nil {
+			return nil, err
+		}
+		if token != nil {
+			return token, nil
+		}
 	}

 	return nil, nil
@ -279,659 +233,3 @@ func DeleteToken(token *Token) (bool, error) {

 	return affected != 0, nil
 }
-
-func ExpireTokenByAccessToken(accessToken string) (bool, *Application, *Token, error) {
-	token, err := GetTokenByAccessToken(accessToken)
-	if err != nil {
-		return false, nil, nil, err
-	}
-	if token == nil {
-		return false, nil, nil, nil
-	}
-
-	token.ExpiresIn = 0
-	affected, err := ormer.Engine.ID(core.PK{token.Owner, token.Name}).Cols("expires_in").Update(token)
-	if err != nil {
-		return false, nil, nil, err
-	}
-
-	application, err := getApplication(token.Owner, token.Application)
-	if err != nil {
-		return false, nil, nil, err
-	}
-
-	return affected != 0, application, token, nil
-}
-
-func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string, lang string) (string, *Application, error) {
-	if responseType != "code" && responseType != "token" && responseType != "id_token" {
-		return fmt.Sprintf(i18n.Translate(lang, "token:Grant_type: %s is not supported in this application"), responseType), nil, nil
-	}
-
-	application, err := GetApplicationByClientId(clientId)
-	if err != nil {
-		return "", nil, err
-	}
-
-	if application == nil {
-		return i18n.Translate(lang, "token:Invalid client_id"), nil, nil
-	}
-
-	if !application.IsRedirectUriValid(redirectUri) {
-		return fmt.Sprintf(i18n.Translate(lang, "token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), redirectUri), application, nil
-	}
-
-	// Mask application for /api/get-app-login
-	application.ClientSecret = ""
-	return "", application, nil
-}
-
-func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) (*Code, error) {
-	user, err := GetUser(userId)
-	if err != nil {
-		return nil, err
-	}
-
-	if user == nil {
-		return &Code{
-			Message: fmt.Sprintf("general:The user: %s doesn't exist", userId),
-			Code:    "",
-		}, nil
-	}
-	if user.IsForbidden {
-		return &Code{
-			Message: "error: the user is forbidden to sign in, please contact the administrator",
-			Code:    "",
-		}, nil
-	}
-
-	msg, application, err := CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, lang)
-	if err != nil {
-		return nil, err
-	}
-
-	if msg != "" {
-		return &Code{
-			Message: msg,
-			Code:    "",
-		}, nil
-	}
-
-	err = ExtendUserWithRolesAndPermissions(user)
-	if err != nil {
-		return nil, err
-	}
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
-	if err != nil {
-		return nil, err
-	}
-
-	if challenge == "null" {
-		challenge = ""
-	}
-
-	token := &Token{
-		Owner:         application.Owner,
-		Name:          tokenName,
-		CreatedTime:   util.GetCurrentTime(),
-		Application:   application.Name,
-		Organization:  user.Owner,
-		User:          user.Name,
-		Code:          util.GenerateClientId(),
-		AccessToken:   accessToken,
-		RefreshToken:  refreshToken,
-		ExpiresIn:     application.ExpireInHours * hourSeconds,
-		Scope:         scope,
-		TokenType:     "Bearer",
-		CodeChallenge: challenge,
-		CodeIsUsed:    false,
-		CodeExpireIn:  time.Now().Add(time.Minute * 5).Unix(),
-	}
-	_, err = AddToken(token)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Code{
-		Message: "",
-		Code:    token.Code,
-	}, nil
-}
-
-func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string) (interface{}, error) {
-	application, err := GetApplicationByClientId(clientId)
-	if err != nil {
-		return nil, err
-	}
-
-	if application == nil {
-		return &TokenError{
-			Error:            InvalidClient,
-			ErrorDescription: "client_id is invalid",
-		}, nil
-	}
-
-	// Check if grantType is allowed in the current application
-
-	if !IsGrantTypeValid(grantType, application.GrantTypes) && tag == "" {
-		return &TokenError{
-			Error:            UnsupportedGrantType,
-			ErrorDescription: fmt.Sprintf("grant_type: %s is not supported in this application", grantType),
-		}, nil
-	}
-
-	var token *Token
-	var tokenError *TokenError
-	switch grantType {
-	case "authorization_code": // Authorization Code Grant
-		token, tokenError, err = GetAuthorizationCodeToken(application, clientSecret, code, verifier)
-	case "password": //	Resource Owner Password Credentials Grant
-		token, tokenError, err = GetPasswordToken(application, username, password, scope, host)
-	case "client_credentials": // Client Credentials Grant
-		token, tokenError, err = GetClientCredentialsToken(application, clientSecret, scope, host)
-	case "refresh_token":
-		refreshToken2, err := RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
-		if err != nil {
-			return nil, err
-		}
-		return refreshToken2, nil
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	if tag == "wechat_miniprogram" {
-		// Wechat Mini Program
-		token, tokenError, err = GetWechatMiniProgramToken(application, code, host, username, avatar, lang)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if tokenError != nil {
-		return tokenError, nil
-	}
-
-	token.CodeIsUsed = true
-
-	go updateUsedByCode(token)
-
-	tokenWrapper := &TokenWrapper{
-		AccessToken:  token.AccessToken,
-		IdToken:      token.AccessToken,
-		RefreshToken: token.RefreshToken,
-		TokenType:    token.TokenType,
-		ExpiresIn:    token.ExpiresIn,
-		Scope:        token.Scope,
-	}
-
-	return tokenWrapper, nil
-}
-
-func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string, host string) (interface{}, error) {
-	// check parameters
-	if grantType != "refresh_token" {
-		return &TokenError{
-			Error:            UnsupportedGrantType,
-			ErrorDescription: "grant_type should be refresh_token",
-		}, nil
-	}
-	application, err := GetApplicationByClientId(clientId)
-	if err != nil {
-		return nil, err
-	}
-
-	if application == nil {
-		return &TokenError{
-			Error:            InvalidClient,
-			ErrorDescription: "client_id is invalid",
-		}, nil
-	}
-
-	if clientSecret != "" && application.ClientSecret != clientSecret {
-		return &TokenError{
-			Error:            InvalidClient,
-			ErrorDescription: "client_secret is invalid",
-		}, nil
-	}
-
-	// check whether the refresh token is valid, and has not expired.
-	token, err := GetTokenByRefreshToken(refreshToken)
-	if err != nil || token == nil {
-		return &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "refresh token is invalid, expired or revoked",
-		}, nil
-	}
-
-	cert, err := getCertByApplication(application)
-	if err != nil {
-		return nil, err
-	}
-	if cert == nil {
-		return &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: fmt.Sprintf("cert: %s cannot be found", application.Cert),
-		}, nil
-	}
-
-	_, err = ParseJwtToken(refreshToken, cert)
-	if err != nil {
-		return &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: fmt.Sprintf("parse refresh token error: %s", err.Error()),
-		}, nil
-	}
-
-	// generate a new token
-	user, err := getUser(application.Organization, token.User)
-	if err != nil {
-		return nil, err
-	}
-
-	if user.IsForbidden {
-		return &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
-		}, nil
-	}
-
-	err = ExtendUserWithRolesAndPermissions(user)
-	if err != nil {
-		return nil, err
-	}
-
-	newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
-	if err != nil {
-		return &TokenError{
-			Error:            EndpointError,
-			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
-		}, nil
-	}
-
-	newToken := &Token{
-		Owner:        application.Owner,
-		Name:         tokenName,
-		CreatedTime:  util.GetCurrentTime(),
-		Application:  application.Name,
-		Organization: user.Owner,
-		User:         user.Name,
-		Code:         util.GenerateClientId(),
-		AccessToken:  newAccessToken,
-		RefreshToken: newRefreshToken,
-		ExpiresIn:    application.ExpireInHours * hourSeconds,
-		Scope:        scope,
-		TokenType:    "Bearer",
-	}
-	_, err = AddToken(newToken)
-	if err != nil {
-		return nil, err
-	}
-
-	_, err = DeleteToken(token)
-	if err != nil {
-		return nil, err
-	}
-
-	tokenWrapper := &TokenWrapper{
-		AccessToken:  newToken.AccessToken,
-		IdToken:      newToken.AccessToken,
-		RefreshToken: newToken.RefreshToken,
-		TokenType:    newToken.TokenType,
-		ExpiresIn:    newToken.ExpiresIn,
-		Scope:        newToken.Scope,
-	}
-	return tokenWrapper, nil
-}
-
-// PkceChallenge: base64-URL-encoded SHA256 hash of verifier, per rfc 7636
-func pkceChallenge(verifier string) string {
-	sum := sha256.Sum256([]byte(verifier))
-	challenge := base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(sum[:])
-	return challenge
-}
-
-// IsGrantTypeValid
-// Check if grantType is allowed in the current application
-// authorization_code is allowed by default
-func IsGrantTypeValid(method string, grantTypes []string) bool {
-	if method == "authorization_code" {
-		return true
-	}
-	for _, m := range grantTypes {
-		if m == method {
-			return true
-		}
-	}
-	return false
-}
-
-// GetAuthorizationCodeToken
-// Authorization code flow
-func GetAuthorizationCodeToken(application *Application, clientSecret string, code string, verifier string) (*Token, *TokenError, error) {
-	if code == "" {
-		return nil, &TokenError{
-			Error:            InvalidRequest,
-			ErrorDescription: "authorization code should not be empty",
-		}, nil
-	}
-
-	token, err := getTokenByCode(code)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if token == nil {
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "authorization code is invalid",
-		}, nil
-	}
-	if token.CodeIsUsed {
-		// anti replay attacks
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "authorization code has been used",
-		}, nil
-	}
-
-	if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "verifier is invalid",
-		}, nil
-	}
-
-	if application.ClientSecret != clientSecret {
-		// when using PKCE, the Client Secret can be empty,
-		// but if it is provided, it must be accurate.
-		if token.CodeChallenge == "" {
-			return nil, &TokenError{
-				Error:            InvalidClient,
-				ErrorDescription: "client_secret is invalid",
-			}, nil
-		} else {
-			if clientSecret != "" {
-				return nil, &TokenError{
-					Error:            InvalidClient,
-					ErrorDescription: "client_secret is invalid",
-				}, nil
-			}
-		}
-	}
-
-	if application.Name != token.Application {
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "the token is for wrong application (client_id)",
-		}, nil
-	}
-
-	if time.Now().Unix() > token.CodeExpireIn {
-		// code must be used within 5 minutes
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "authorization code has expired",
-		}, nil
-	}
-	return token, nil, nil
-}
-
-// GetPasswordToken
-// Resource Owner Password Credentials flow
-func GetPasswordToken(application *Application, username string, password string, scope string, host string) (*Token, *TokenError, error) {
-	user, err := getUser(application.Organization, username)
-	if err != nil {
-		return nil, nil, err
-	}
-	if user == nil {
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "the user does not exist",
-		}, nil
-	}
-
-	if user.Ldap != "" {
-		err = checkLdapUserPassword(user, password, "en")
-	} else {
-		err = CheckPassword(user, password, "en")
-	}
-	if err != nil {
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: fmt.Sprintf("invalid username or password: %s", err.Error()),
-		}, nil
-	}
-
-	if user.IsForbidden {
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
-		}, nil
-	}
-
-	err = ExtendUserWithRolesAndPermissions(user)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
-	if err != nil {
-		return nil, &TokenError{
-			Error:            EndpointError,
-			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
-		}, nil
-	}
-	token := &Token{
-		Owner:        application.Owner,
-		Name:         tokenName,
-		CreatedTime:  util.GetCurrentTime(),
-		Application:  application.Name,
-		Organization: user.Owner,
-		User:         user.Name,
-		Code:         util.GenerateClientId(),
-		AccessToken:  accessToken,
-		RefreshToken: refreshToken,
-		ExpiresIn:    application.ExpireInHours * hourSeconds,
-		Scope:        scope,
-		TokenType:    "Bearer",
-		CodeIsUsed:   true,
-	}
-	_, err = AddToken(token)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return token, nil, nil
-}
-
-// GetClientCredentialsToken
-// Client Credentials flow
-func GetClientCredentialsToken(application *Application, clientSecret string, scope string, host string) (*Token, *TokenError, error) {
-	if application.ClientSecret != clientSecret {
-		return nil, &TokenError{
-			Error:            InvalidClient,
-			ErrorDescription: "client_secret is invalid",
-		}, nil
-	}
-	nullUser := &User{
-		Owner: application.Owner,
-		Id:    application.GetId(),
-		Name:  application.Name,
-		Type:  "application",
-	}
-
-	accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", scope, host)
-	if err != nil {
-		return nil, &TokenError{
-			Error:            EndpointError,
-			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
-		}, nil
-	}
-	token := &Token{
-		Owner:        application.Owner,
-		Name:         tokenName,
-		CreatedTime:  util.GetCurrentTime(),
-		Application:  application.Name,
-		Organization: application.Organization,
-		User:         nullUser.Name,
-		Code:         util.GenerateClientId(),
-		AccessToken:  accessToken,
-		ExpiresIn:    application.ExpireInHours * hourSeconds,
-		Scope:        scope,
-		TokenType:    "Bearer",
-		CodeIsUsed:   true,
-	}
-	_, err = AddToken(token)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return token, nil, nil
-}
-
-// GetTokenByUser
-// Implicit flow
-func GetTokenByUser(application *Application, user *User, scope string, nonce string, host string) (*Token, error) {
-	err := ExtendUserWithRolesAndPermissions(user)
-	if err != nil {
-		return nil, err
-	}
-
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
-	if err != nil {
-		return nil, err
-	}
-
-	token := &Token{
-		Owner:        application.Owner,
-		Name:         tokenName,
-		CreatedTime:  util.GetCurrentTime(),
-		Application:  application.Name,
-		Organization: user.Owner,
-		User:         user.Name,
-		Code:         util.GenerateClientId(),
-		AccessToken:  accessToken,
-		RefreshToken: refreshToken,
-		ExpiresIn:    application.ExpireInHours * hourSeconds,
-		Scope:        scope,
-		TokenType:    "Bearer",
-		CodeIsUsed:   true,
-	}
-	_, err = AddToken(token)
-	if err != nil {
-		return nil, err
-	}
-
-	return token, nil
-}
-
-// GetWechatMiniProgramToken
-// Wechat Mini Program flow
-func GetWechatMiniProgramToken(application *Application, code string, host string, username string, avatar string, lang string) (*Token, *TokenError, error) {
-	mpProvider := GetWechatMiniProgramProvider(application)
-	if mpProvider == nil {
-		return nil, &TokenError{
-			Error:            InvalidClient,
-			ErrorDescription: "the application does not support wechat mini program",
-		}, nil
-	}
-	provider, err := GetProvider(util.GetId("admin", mpProvider.Name))
-	if err != nil {
-		return nil, nil, err
-	}
-
-	mpIdp := idp.NewWeChatMiniProgramIdProvider(provider.ClientId, provider.ClientSecret)
-	session, err := mpIdp.GetSessionByCode(code)
-	if err != nil {
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: fmt.Sprintf("get wechat mini program session error: %s", err.Error()),
-		}, nil
-	}
-
-	openId, unionId := session.Openid, session.Unionid
-	if openId == "" && unionId == "" {
-		return nil, &TokenError{
-			Error:            InvalidRequest,
-			ErrorDescription: "the wechat mini program session is invalid",
-		}, nil
-	}
-	user, err := getUserByWechatId(application.Organization, openId, unionId)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if user == nil {
-		if !application.EnableSignUp {
-			return nil, &TokenError{
-				Error:            InvalidGrant,
-				ErrorDescription: "the application does not allow to sign up new account",
-			}, nil
-		}
-		// Add new user
-		var name string
-		if CheckUsername(username, lang) == "" {
-			name = username
-		} else {
-			name = fmt.Sprintf("wechat-%s", openId)
-		}
-
-		user = &User{
-			Owner:             application.Organization,
-			Id:                util.GenerateId(),
-			Name:              name,
-			Avatar:            avatar,
-			SignupApplication: application.Name,
-			WeChat:            openId,
-			Type:              "normal-user",
-			CreatedTime:       util.GetCurrentTime(),
-			IsAdmin:           false,
-			IsForbidden:       false,
-			IsDeleted:         false,
-			Properties: map[string]string{
-				UserPropertiesWechatOpenId:  openId,
-				UserPropertiesWechatUnionId: unionId,
-			},
-		}
-		_, err = AddUser(user)
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-
-	err = ExtendUserWithRolesAndPermissions(user)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", host)
-	if err != nil {
-		return nil, &TokenError{
-			Error:            EndpointError,
-			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
-		}, nil
-	}
-
-	token := &Token{
-		Owner:        application.Owner,
-		Name:         tokenName,
-		CreatedTime:  util.GetCurrentTime(),
-		Application:  application.Name,
-		Organization: user.Owner,
-		User:         user.Name,
-		Code:         session.SessionKey, // a trick, because miniprogram does not use the code, so use the code field to save the session_key
-		AccessToken:  accessToken,
-		RefreshToken: refreshToken,
-		ExpiresIn:    application.ExpireInHours * 60,
-		Scope:        "",
-		TokenType:    "Bearer",
-		CodeIsUsed:   true,
-	}
-	_, err = AddToken(token)
-	if err != nil {
-		return nil, nil, err
-	}
-	return token, nil, nil
-}
--- a/object/token_cas.go
+++ b/object/token_cas.go
@ -256,12 +256,12 @@ func GetValidationBySaml(samlRequest string, host string) (string, string, error

 	ticket := request.AssertionArtifact.InnerXML
 	if ticket == "" {
-		return "", "", fmt.Errorf("samlp:AssertionArtifact field not found")
+		return "", "", fmt.Errorf("request.AssertionArtifact.InnerXML error, AssertionArtifact field not found")
 	}

 	ok, _, service, userId := GetCasTokenByTicket(ticket)
 	if !ok {
-		return "", "", fmt.Errorf("ticket %s found", ticket)
+		return "", "", fmt.Errorf("the CAS token for ticket %s is not found", ticket)
 	}

 	user, err := GetUser(userId)
@ -270,7 +270,7 @@ func GetValidationBySaml(samlRequest string, host string) (string, string, error
 	}

 	if user == nil {
-		return "", "", fmt.Errorf("user %s found", userId)
+		return "", "", fmt.Errorf("the user %s is not found", userId)
 	}

 	application, err := GetApplicationByUser(user)
@ -279,10 +279,13 @@ func GetValidationBySaml(samlRequest string, host string) (string, string, error
 	}

 	if application == nil {
-		return "", "", fmt.Errorf("application for user %s found", userId)
+		return "", "", fmt.Errorf("the application for user %s is not found", userId)
 	}

-	samlResponse := NewSamlResponse11(user, request.RequestID, host)
+	samlResponse, err := NewSamlResponse11(user, request.RequestID, host)
+	if err != nil {
+		return "", "", err
+	}

 	cert, err := getCertByApplication(application)
 	if err != nil {
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@ -359,6 +359,10 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 	var token *jwt.Token
 	var refreshToken *jwt.Token

+	if application.TokenFormat == "" {
+		application.TokenFormat = "JWT"
+	}
+
 	// the JWT token length in "JWT-Empty" mode will be very short, as User object only has two properties: owner and name
 	if application.TokenFormat == "JWT" {
 		claimsWithoutThirdIdp := getClaimsWithoutThirdIdp(claims)
--- a/object/token_jwt_key.go
+++ b/object/token_jwt_key.go
@ -15,16 +15,19 @@
 package object

 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"fmt"
 	"math/big"
 	"time"
 )

-func generateRsaKeys(bitSize int, expireInYears int, commonName string, organization string) (string, string, error) {
+func generateRsaKeys(bitSize int, shaSize int, expireInYears int, commonName string, organization string) (string, string, error) {
 	// https://stackoverflow.com/questions/64104586/use-golang-to-get-rsa-key-the-same-way-openssl-genrsa
 	// https://stackoverflow.com/questions/43822945/golang-can-i-create-x509keypair-using-rsa-key

@ -55,6 +58,132 @@ func generateRsaKeys(bitSize int, expireInYears int, commonName string, organiza
 		BasicConstraintsValid: true,
 	}

+	switch shaSize {
+	case 256:
+		tml.SignatureAlgorithm = x509.SHA256WithRSA
+	case 384:
+		tml.SignatureAlgorithm = x509.SHA384WithRSA
+	case 512:
+		tml.SignatureAlgorithm = x509.SHA512WithRSA
+	default:
+		return "", "", fmt.Errorf("generateRsaKeys() error, unsupported SHA size: %d", shaSize)
+	}
+
+	cert, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, key)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Generate a pem block with the certificate
+	certPem := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert,
+	})
+
+	return string(certPem), string(privateKeyPem), nil
+}
+
+func generateEsKeys(shaSize int, expireInYears int, commonName string, organization string) (string, string, error) {
+	var curve elliptic.Curve
+	switch shaSize {
+	case 256:
+		curve = elliptic.P256()
+	case 384:
+		curve = elliptic.P384()
+	case 512:
+		curve = elliptic.P521() // ES512(P521,SHA512)
+	default:
+		return "", "", fmt.Errorf("generateEsKeys() error, unsupported SHA size: %d", shaSize)
+	}
+
+	// Generate ECDSA key pair.
+	privateKey, err := ecdsa.GenerateKey(curve, rand.Reader)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Encode private key to PEM format.
+	privateKeyBytes, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return "", "", err
+	}
+	privateKeyPem := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: privateKeyBytes,
+	})
+
+	// Generate certificate template.
+	template := x509.Certificate{
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(expireInYears, 0, 0),
+		SerialNumber: big.NewInt(time.Now().Unix()),
+		Subject: pkix.Name{
+			CommonName:   commonName,
+			Organization: []string{organization},
+		},
+		BasicConstraintsValid: true,
+	}
+
+	// Generate certificate.
+	certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Encode certificate to PEM format.
+	certPem := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+
+	return string(certPem), string(privateKeyPem), nil
+}
+
+func generateRsaPssKeys(bitSize int, shaSize int, expireInYears int, commonName string, organization string) (string, string, error) {
+	// Generate RSA key.
+	key, err := rsa.GenerateKey(rand.Reader, bitSize)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Encode private key to PKCS#8 ASN.1 PEM.
+	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return "", "", err
+	}
+
+	privateKeyPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "RSA PSS PRIVATE KEY",
+			Bytes: privateKeyBytes,
+		},
+	)
+
+	tml := x509.Certificate{
+		// you can add any attr that you need
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().AddDate(expireInYears, 0, 0),
+		// you have to generate a different serial number each execution
+		SerialNumber: big.NewInt(123456),
+		Subject: pkix.Name{
+			CommonName:   commonName,
+			Organization: []string{organization},
+		},
+		BasicConstraintsValid: true,
+	}
+
+	// Set the signature algorithm based on the hash function
+	switch shaSize {
+	case 256:
+		tml.SignatureAlgorithm = x509.SHA256WithRSAPSS
+	case 384:
+		tml.SignatureAlgorithm = x509.SHA384WithRSAPSS
+	case 512:
+		tml.SignatureAlgorithm = x509.SHA512WithRSAPSS
+	default:
+		return "", "", fmt.Errorf("generateRsaPssKeys() error, unsupported SHA size: %d", shaSize)
+	}
+
 	cert, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, key)
 	if err != nil {
 		return "", "", err
--- a/object/token_jwt_key_test.go
+++ b/object/token_jwt_key_test.go
@ -23,7 +23,35 @@ import (

 func TestGenerateRsaKeys(t *testing.T) {
 	fileId := "token_jwt_key"
-	certificate, privateKey, err := generateRsaKeys(4096, 20, "Casdoor Cert", "Casdoor Organization")
+	certificate, privateKey, err := generateRsaKeys(4096, 512, 20, "Casdoor Cert", "Casdoor Organization")
+	if err != nil {
+		panic(err)
+	}
+
+	// Write certificate (aka certificate) to file.
+	util.WriteStringToPath(certificate, fmt.Sprintf("%s.pem", fileId))
+
+	// Write private key to file.
+	util.WriteStringToPath(privateKey, fmt.Sprintf("%s.key", fileId))
+}
+
+func TestGenerateEsKeys(t *testing.T) {
+	fileId := "token_jwt_key"
+	certificate, privateKey, err := generateEsKeys(256, 20, "Casdoor Cert", "Casdoor Organization")
+	if err != nil {
+		panic(err)
+	}
+
+	// Write certificate (aka certificate) to file.
+	util.WriteStringToPath(certificate, fmt.Sprintf("%s.pem", fileId))
+
+	// Write private key to file.
+	util.WriteStringToPath(privateKey, fmt.Sprintf("%s.key", fileId))
+}
+
+func TestGenerateRsaPssKeys(t *testing.T) {
+	fileId := "token_jwt_key"
+	certificate, privateKey, err := generateRsaPssKeys(4096, 256, 20, "Casdoor Cert", "Casdoor Organization")
 	if err != nil {
 		panic(err)
 	}
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@ -0,0 +1,745 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/casdoor/casdoor/i18n"
+	"github.com/casdoor/casdoor/idp"
+	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/core"
+)
+
+const (
+	hourSeconds          = int(time.Hour / time.Second)
+	InvalidRequest       = "invalid_request"
+	InvalidClient        = "invalid_client"
+	InvalidGrant         = "invalid_grant"
+	UnauthorizedClient   = "unauthorized_client"
+	UnsupportedGrantType = "unsupported_grant_type"
+	InvalidScope         = "invalid_scope"
+	EndpointError        = "endpoint_error"
+)
+
+type Code struct {
+	Message string `xorm:"varchar(100)" json:"message"`
+	Code    string `xorm:"varchar(100)" json:"code"`
+}
+
+type TokenWrapper struct {
+	AccessToken  string `json:"access_token"`
+	IdToken      string `json:"id_token"`
+	RefreshToken string `json:"refresh_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+	Scope        string `json:"scope"`
+}
+
+type TokenError struct {
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description,omitempty"`
+}
+
+type IntrospectionResponse struct {
+	Active    bool     `json:"active"`
+	Scope     string   `json:"scope,omitempty"`
+	ClientId  string   `json:"client_id,omitempty"`
+	Username  string   `json:"username,omitempty"`
+	TokenType string   `json:"token_type,omitempty"`
+	Exp       int64    `json:"exp,omitempty"`
+	Iat       int64    `json:"iat,omitempty"`
+	Nbf       int64    `json:"nbf,omitempty"`
+	Sub       string   `json:"sub,omitempty"`
+	Aud       []string `json:"aud,omitempty"`
+	Iss       string   `json:"iss,omitempty"`
+	Jti       string   `json:"jti,omitempty"`
+}
+
+func ExpireTokenByAccessToken(accessToken string) (bool, *Application, *Token, error) {
+	token, err := GetTokenByAccessToken(accessToken)
+	if err != nil {
+		return false, nil, nil, err
+	}
+	if token == nil {
+		return false, nil, nil, nil
+	}
+
+	token.ExpiresIn = 0
+	affected, err := ormer.Engine.ID(core.PK{token.Owner, token.Name}).Cols("expires_in").Update(token)
+	if err != nil {
+		return false, nil, nil, err
+	}
+
+	application, err := getApplication(token.Owner, token.Application)
+	if err != nil {
+		return false, nil, nil, err
+	}
+
+	return affected != 0, application, token, nil
+}
+
+func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string, lang string) (string, *Application, error) {
+	if responseType != "code" && responseType != "token" && responseType != "id_token" {
+		return fmt.Sprintf(i18n.Translate(lang, "token:Grant_type: %s is not supported in this application"), responseType), nil, nil
+	}
+
+	application, err := GetApplicationByClientId(clientId)
+	if err != nil {
+		return "", nil, err
+	}
+
+	if application == nil {
+		return i18n.Translate(lang, "token:Invalid client_id"), nil, nil
+	}
+
+	if !application.IsRedirectUriValid(redirectUri) {
+		return fmt.Sprintf(i18n.Translate(lang, "token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), redirectUri), application, nil
+	}
+
+	// Mask application for /api/get-app-login
+	application.ClientSecret = ""
+	return "", application, nil
+}
+
+func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) (*Code, error) {
+	user, err := GetUser(userId)
+	if err != nil {
+		return nil, err
+	}
+
+	if user == nil {
+		return &Code{
+			Message: fmt.Sprintf("general:The user: %s doesn't exist", userId),
+			Code:    "",
+		}, nil
+	}
+	if user.IsForbidden {
+		return &Code{
+			Message: "error: the user is forbidden to sign in, please contact the administrator",
+			Code:    "",
+		}, nil
+	}
+
+	msg, application, err := CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, lang)
+	if err != nil {
+		return nil, err
+	}
+
+	if msg != "" {
+		return &Code{
+			Message: msg,
+			Code:    "",
+		}, nil
+	}
+
+	err = ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		return nil, err
+	}
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
+	if err != nil {
+		return nil, err
+	}
+
+	if challenge == "null" {
+		challenge = ""
+	}
+
+	token := &Token{
+		Owner:         application.Owner,
+		Name:          tokenName,
+		CreatedTime:   util.GetCurrentTime(),
+		Application:   application.Name,
+		Organization:  user.Owner,
+		User:          user.Name,
+		Code:          util.GenerateClientId(),
+		AccessToken:   accessToken,
+		RefreshToken:  refreshToken,
+		ExpiresIn:     application.ExpireInHours * hourSeconds,
+		Scope:         scope,
+		TokenType:     "Bearer",
+		CodeChallenge: challenge,
+		CodeIsUsed:    false,
+		CodeExpireIn:  time.Now().Add(time.Minute * 5).Unix(),
+	}
+	_, err = AddToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Code{
+		Message: "",
+		Code:    token.Code,
+	}, nil
+}
+
+func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string) (interface{}, error) {
+	application, err := GetApplicationByClientId(clientId)
+	if err != nil {
+		return nil, err
+	}
+
+	if application == nil {
+		return &TokenError{
+			Error:            InvalidClient,
+			ErrorDescription: "client_id is invalid",
+		}, nil
+	}
+
+	// Check if grantType is allowed in the current application
+
+	if !IsGrantTypeValid(grantType, application.GrantTypes) && tag == "" {
+		return &TokenError{
+			Error:            UnsupportedGrantType,
+			ErrorDescription: fmt.Sprintf("grant_type: %s is not supported in this application", grantType),
+		}, nil
+	}
+
+	var token *Token
+	var tokenError *TokenError
+	switch grantType {
+	case "authorization_code": // Authorization Code Grant
+		token, tokenError, err = GetAuthorizationCodeToken(application, clientSecret, code, verifier)
+	case "password": //	Resource Owner Password Credentials Grant
+		token, tokenError, err = GetPasswordToken(application, username, password, scope, host)
+	case "client_credentials": // Client Credentials Grant
+		token, tokenError, err = GetClientCredentialsToken(application, clientSecret, scope, host)
+	case "refresh_token":
+		refreshToken2, err := RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
+		if err != nil {
+			return nil, err
+		}
+		return refreshToken2, nil
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	if tag == "wechat_miniprogram" {
+		// Wechat Mini Program
+		token, tokenError, err = GetWechatMiniProgramToken(application, code, host, username, avatar, lang)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if tokenError != nil {
+		return tokenError, nil
+	}
+
+	token.CodeIsUsed = true
+
+	go updateUsedByCode(token)
+
+	tokenWrapper := &TokenWrapper{
+		AccessToken:  token.AccessToken,
+		IdToken:      token.AccessToken,
+		RefreshToken: token.RefreshToken,
+		TokenType:    token.TokenType,
+		ExpiresIn:    token.ExpiresIn,
+		Scope:        token.Scope,
+	}
+
+	return tokenWrapper, nil
+}
+
+func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string, host string) (interface{}, error) {
+	// check parameters
+	if grantType != "refresh_token" {
+		return &TokenError{
+			Error:            UnsupportedGrantType,
+			ErrorDescription: "grant_type should be refresh_token",
+		}, nil
+	}
+	application, err := GetApplicationByClientId(clientId)
+	if err != nil {
+		return nil, err
+	}
+
+	if application == nil {
+		return &TokenError{
+			Error:            InvalidClient,
+			ErrorDescription: "client_id is invalid",
+		}, nil
+	}
+
+	if clientSecret != "" && application.ClientSecret != clientSecret {
+		return &TokenError{
+			Error:            InvalidClient,
+			ErrorDescription: "client_secret is invalid",
+		}, nil
+	}
+
+	// check whether the refresh token is valid, and has not expired.
+	token, err := GetTokenByRefreshToken(refreshToken)
+	if err != nil || token == nil {
+		return &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "refresh token is invalid, expired or revoked",
+		}, nil
+	}
+
+	cert, err := getCertByApplication(application)
+	if err != nil {
+		return nil, err
+	}
+	if cert == nil {
+		return &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: fmt.Sprintf("cert: %s cannot be found", application.Cert),
+		}, nil
+	}
+
+	_, err = ParseJwtToken(refreshToken, cert)
+	if err != nil {
+		return &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: fmt.Sprintf("parse refresh token error: %s", err.Error()),
+		}, nil
+	}
+
+	// generate a new token
+	user, err := getUser(application.Organization, token.User)
+	if err != nil {
+		return nil, err
+	}
+
+	if user.IsForbidden {
+		return &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
+		}, nil
+	}
+
+	err = ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		return nil, err
+	}
+
+	newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
+	if err != nil {
+		return &TokenError{
+			Error:            EndpointError,
+			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
+		}, nil
+	}
+
+	newToken := &Token{
+		Owner:        application.Owner,
+		Name:         tokenName,
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: user.Owner,
+		User:         user.Name,
+		Code:         util.GenerateClientId(),
+		AccessToken:  newAccessToken,
+		RefreshToken: newRefreshToken,
+		ExpiresIn:    application.ExpireInHours * hourSeconds,
+		Scope:        scope,
+		TokenType:    "Bearer",
+	}
+	_, err = AddToken(newToken)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = DeleteToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	tokenWrapper := &TokenWrapper{
+		AccessToken:  newToken.AccessToken,
+		IdToken:      newToken.AccessToken,
+		RefreshToken: newToken.RefreshToken,
+		TokenType:    newToken.TokenType,
+		ExpiresIn:    newToken.ExpiresIn,
+		Scope:        newToken.Scope,
+	}
+	return tokenWrapper, nil
+}
+
+// PkceChallenge: base64-URL-encoded SHA256 hash of verifier, per rfc 7636
+func pkceChallenge(verifier string) string {
+	sum := sha256.Sum256([]byte(verifier))
+	challenge := base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(sum[:])
+	return challenge
+}
+
+// IsGrantTypeValid
+// Check if grantType is allowed in the current application
+// authorization_code is allowed by default
+func IsGrantTypeValid(method string, grantTypes []string) bool {
+	if method == "authorization_code" {
+		return true
+	}
+	for _, m := range grantTypes {
+		if m == method {
+			return true
+		}
+	}
+	return false
+}
+
+// GetAuthorizationCodeToken
+// Authorization code flow
+func GetAuthorizationCodeToken(application *Application, clientSecret string, code string, verifier string) (*Token, *TokenError, error) {
+	if code == "" {
+		return nil, &TokenError{
+			Error:            InvalidRequest,
+			ErrorDescription: "authorization code should not be empty",
+		}, nil
+	}
+
+	token, err := getTokenByCode(code)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if token == nil {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "authorization code is invalid",
+		}, nil
+	}
+	if token.CodeIsUsed {
+		// anti replay attacks
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "authorization code has been used",
+		}, nil
+	}
+
+	if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "verifier is invalid",
+		}, nil
+	}
+
+	if application.ClientSecret != clientSecret {
+		// when using PKCE, the Client Secret can be empty,
+		// but if it is provided, it must be accurate.
+		if token.CodeChallenge == "" {
+			return nil, &TokenError{
+				Error:            InvalidClient,
+				ErrorDescription: "client_secret is invalid",
+			}, nil
+		} else {
+			if clientSecret != "" {
+				return nil, &TokenError{
+					Error:            InvalidClient,
+					ErrorDescription: "client_secret is invalid",
+				}, nil
+			}
+		}
+	}
+
+	if application.Name != token.Application {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "the token is for wrong application (client_id)",
+		}, nil
+	}
+
+	if time.Now().Unix() > token.CodeExpireIn {
+		// code must be used within 5 minutes
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "authorization code has expired",
+		}, nil
+	}
+	return token, nil, nil
+}
+
+// GetPasswordToken
+// Resource Owner Password Credentials flow
+func GetPasswordToken(application *Application, username string, password string, scope string, host string) (*Token, *TokenError, error) {
+	user, err := GetUserByFields(application.Organization, username)
+	if err != nil {
+		return nil, nil, err
+	}
+	if user == nil {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "the user does not exist",
+		}, nil
+	}
+
+	if user.Ldap != "" {
+		err = checkLdapUserPassword(user, password, "en")
+	} else {
+		err = CheckPassword(user, password, "en")
+	}
+	if err != nil {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: fmt.Sprintf("invalid username or password: %s", err.Error()),
+		}, nil
+	}
+
+	if user.IsForbidden {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
+		}, nil
+	}
+
+	err = ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
+	if err != nil {
+		return nil, &TokenError{
+			Error:            EndpointError,
+			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
+		}, nil
+	}
+	token := &Token{
+		Owner:        application.Owner,
+		Name:         tokenName,
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: user.Owner,
+		User:         user.Name,
+		Code:         util.GenerateClientId(),
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+		ExpiresIn:    application.ExpireInHours * hourSeconds,
+		Scope:        scope,
+		TokenType:    "Bearer",
+		CodeIsUsed:   true,
+	}
+	_, err = AddToken(token)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return token, nil, nil
+}
+
+// GetClientCredentialsToken
+// Client Credentials flow
+func GetClientCredentialsToken(application *Application, clientSecret string, scope string, host string) (*Token, *TokenError, error) {
+	if application.ClientSecret != clientSecret {
+		return nil, &TokenError{
+			Error:            InvalidClient,
+			ErrorDescription: "client_secret is invalid",
+		}, nil
+	}
+	nullUser := &User{
+		Owner: application.Owner,
+		Id:    application.GetId(),
+		Name:  application.Name,
+		Type:  "application",
+	}
+
+	accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", scope, host)
+	if err != nil {
+		return nil, &TokenError{
+			Error:            EndpointError,
+			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
+		}, nil
+	}
+	token := &Token{
+		Owner:        application.Owner,
+		Name:         tokenName,
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: application.Organization,
+		User:         nullUser.Name,
+		Code:         util.GenerateClientId(),
+		AccessToken:  accessToken,
+		ExpiresIn:    application.ExpireInHours * hourSeconds,
+		Scope:        scope,
+		TokenType:    "Bearer",
+		CodeIsUsed:   true,
+	}
+	_, err = AddToken(token)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return token, nil, nil
+}
+
+// GetTokenByUser
+// Implicit flow
+func GetTokenByUser(application *Application, user *User, scope string, nonce string, host string) (*Token, error) {
+	err := ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		return nil, err
+	}
+
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
+	if err != nil {
+		return nil, err
+	}
+
+	token := &Token{
+		Owner:        application.Owner,
+		Name:         tokenName,
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: user.Owner,
+		User:         user.Name,
+		Code:         util.GenerateClientId(),
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+		ExpiresIn:    application.ExpireInHours * hourSeconds,
+		Scope:        scope,
+		TokenType:    "Bearer",
+		CodeIsUsed:   true,
+	}
+	_, err = AddToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	return token, nil
+}
+
+// GetWechatMiniProgramToken
+// Wechat Mini Program flow
+func GetWechatMiniProgramToken(application *Application, code string, host string, username string, avatar string, lang string) (*Token, *TokenError, error) {
+	mpProvider := GetWechatMiniProgramProvider(application)
+	if mpProvider == nil {
+		return nil, &TokenError{
+			Error:            InvalidClient,
+			ErrorDescription: "the application does not support wechat mini program",
+		}, nil
+	}
+	provider, err := GetProvider(util.GetId("admin", mpProvider.Name))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	mpIdp := idp.NewWeChatMiniProgramIdProvider(provider.ClientId, provider.ClientSecret)
+	session, err := mpIdp.GetSessionByCode(code)
+	if err != nil {
+		return nil, &TokenError{
+			Error:            InvalidGrant,
+			ErrorDescription: fmt.Sprintf("get wechat mini program session error: %s", err.Error()),
+		}, nil
+	}
+
+	openId, unionId := session.Openid, session.Unionid
+	if openId == "" && unionId == "" {
+		return nil, &TokenError{
+			Error:            InvalidRequest,
+			ErrorDescription: "the wechat mini program session is invalid",
+		}, nil
+	}
+	user, err := getUserByWechatId(application.Organization, openId, unionId)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if user == nil {
+		if !application.EnableSignUp {
+			return nil, &TokenError{
+				Error:            InvalidGrant,
+				ErrorDescription: "the application does not allow to sign up new account",
+			}, nil
+		}
+		// Add new user
+		var name string
+		if CheckUsername(username, lang) == "" {
+			name = username
+		} else {
+			name = fmt.Sprintf("wechat-%s", openId)
+		}
+
+		user = &User{
+			Owner:             application.Organization,
+			Id:                util.GenerateId(),
+			Name:              name,
+			Avatar:            avatar,
+			SignupApplication: application.Name,
+			WeChat:            openId,
+			Type:              "normal-user",
+			CreatedTime:       util.GetCurrentTime(),
+			IsAdmin:           false,
+			IsForbidden:       false,
+			IsDeleted:         false,
+			Properties: map[string]string{
+				UserPropertiesWechatOpenId:  openId,
+				UserPropertiesWechatUnionId: unionId,
+			},
+		}
+		_, err = AddUser(user)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	err = ExtendUserWithRolesAndPermissions(user)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", host)
+	if err != nil {
+		return nil, &TokenError{
+			Error:            EndpointError,
+			ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
+		}, nil
+	}
+
+	token := &Token{
+		Owner:        application.Owner,
+		Name:         tokenName,
+		CreatedTime:  util.GetCurrentTime(),
+		Application:  application.Name,
+		Organization: user.Owner,
+		User:         user.Name,
+		Code:         session.SessionKey, // a trick, because miniprogram does not use the code, so use the code field to save the session_key
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+		ExpiresIn:    application.ExpireInHours * hourSeconds,
+		Scope:        "",
+		TokenType:    "Bearer",
+		CodeIsUsed:   true,
+	}
+	_, err = AddToken(token)
+	if err != nil {
+		return nil, nil, err
+	}
+	return token, nil, nil
+}
+
+func GetAccessTokenByUser(user *User, host string) (string, error) {
+	application, err := GetApplicationByUser(user)
+	if err != nil {
+		return "", err
+	}
+	if application == nil {
+		return "", fmt.Errorf("the application for user %s is not found", user.Id)
+	}
+
+	token, err := GetTokenByUser(application, user, "profile", "", host)
+	if err != nil {
+		return "", err
+	}
+
+	return token.AccessToken, nil
+}
--- a/object/transaction.go
+++ b/object/transaction.go
@ -0,0 +1,144 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/core"
+)
+
+type Transaction struct {
+	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
+	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
+	DisplayName string `xorm:"varchar(100)" json:"displayName"`
+	// Transaction Provider Info
+	Provider string `xorm:"varchar(100)" json:"provider"`
+	Category string `xorm:"varchar(100)" json:"category"`
+	Type     string `xorm:"varchar(100)" json:"type"`
+	// Product Info
+	ProductName        string  `xorm:"varchar(100)" json:"productName"`
+	ProductDisplayName string  `xorm:"varchar(100)" json:"productDisplayName"`
+	Detail             string  `xorm:"varchar(255)" json:"detail"`
+	Tag                string  `xorm:"varchar(100)" json:"tag"`
+	Currency           string  `xorm:"varchar(100)" json:"currency"`
+	Amount             float64 `json:"amount"`
+	ReturnUrl          string  `xorm:"varchar(1000)" json:"returnUrl"`
+	// User Info
+	User        string `xorm:"varchar(100)" json:"user"`
+	Application string `xorm:"varchar(100)" json:"application"`
+	Payment     string `xorm:"varchar(100)" json:"payment"`
+
+	State string `xorm:"varchar(100)" json:"state"`
+}
+
+func GetTransactionCount(owner, field, value string) (int64, error) {
+	session := GetSession(owner, -1, -1, field, value, "", "")
+	return session.Count(&Transaction{Owner: owner})
+}
+
+func GetTransactions(owner string) ([]*Transaction, error) {
+	transactions := []*Transaction{}
+	err := ormer.Engine.Desc("created_time").Find(&transactions, &Transaction{Owner: owner})
+	if err != nil {
+		return nil, err
+	}
+
+	return transactions, nil
+}
+
+func GetUserTransactions(owner, user string) ([]*Transaction, error) {
+	transactions := []*Transaction{}
+	err := ormer.Engine.Desc("created_time").Find(&transactions, &Transaction{Owner: owner, User: user})
+	if err != nil {
+		return nil, err
+	}
+
+	return transactions, nil
+}
+
+func GetPaginationTransactions(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Transaction, error) {
+	transactions := []*Transaction{}
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&transactions, &Transaction{Owner: owner})
+	if err != nil {
+		return nil, err
+	}
+
+	return transactions, nil
+}
+
+func getTransaction(owner string, name string) (*Transaction, error) {
+	if owner == "" || name == "" {
+		return nil, nil
+	}
+
+	transaction := Transaction{Owner: owner, Name: name}
+	existed, err := ormer.Engine.Get(&transaction)
+	if err != nil {
+		return nil, err
+	}
+
+	if existed {
+		return &transaction, nil
+	} else {
+		return nil, nil
+	}
+}
+
+func GetTransaction(id string) (*Transaction, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	return getTransaction(owner, name)
+}
+
+func UpdateTransaction(id string, transaction *Transaction) (bool, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	if p, err := getTransaction(owner, name); err != nil {
+		return false, err
+	} else if p == nil {
+		return false, nil
+	}
+
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(transaction)
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func AddTransaction(transaction *Transaction) (bool, error) {
+	affected, err := ormer.Engine.Insert(transaction)
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func DeleteTransaction(transaction *Transaction) (bool, error) {
+	affected, err := ormer.Engine.ID(core.PK{transaction.Owner, transaction.Name}).Delete(&Transaction{})
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func (transaction *Transaction) GetId() string {
+	return fmt.Sprintf("%s/%s", transaction.Owner, transaction.Name)
+}
--- a/object/user.go
+++ b/object/user.go
@ -15,7 +15,9 @@
 package object

 import (
+	"encoding/json"
 	"fmt"
+	"reflect"
 	"strconv"
 	"strings"

@ -84,6 +86,8 @@ type User struct {
 	Score             int      `json:"score"`
 	Karma             int      `json:"karma"`
 	Ranking           int      `json:"ranking"`
+	Balance           float64  `json:"balance"`
+	Currency          string   `xorm:"varchar(100)" json:"currency"`
 	IsDefaultAvatar   bool     `json:"isDefaultAvatar"`
 	IsOnline          bool     `json:"isOnline"`
 	IsAdmin           bool     `json:"isAdmin"`
@ -94,6 +98,7 @@ type User struct {
 	PreHash           string   `xorm:"varchar(100)" json:"preHash"`
 	AccessKey         string   `xorm:"varchar(100)" json:"accessKey"`
 	AccessSecret      string   `xorm:"varchar(100)" json:"accessSecret"`
+	AccessToken       string   `xorm:"mediumtext" json:"accessToken"`

 	CreatedIp      string `xorm:"varchar(100)" json:"createdIp"`
 	LastSigninTime string `xorm:"varchar(100)" json:"lastSigninTime"`
@ -186,6 +191,7 @@ type User struct {
 	MultiFactorAuths    []*MfaProps           `xorm:"-" json:"multiFactorAuths,omitempty"`
 	Invitation          string                `xorm:"varchar(100) index" json:"invitation"`
 	InvitationCode      string                `xorm:"varchar(100) index" json:"invitationCode"`
+	FaceIds             []*FaceId             `json:"faceIds"`

 	Ldap       string            `xorm:"ldap varchar(100)" json:"ldap"`
 	Properties map[string]string `json:"properties"`
@ -212,6 +218,8 @@ type Userinfo struct {
 	Address       string   `json:"address,omitempty"`
 	Phone         string   `json:"phone,omitempty"`
 	Groups        []string `json:"groups,omitempty"`
+	Roles         []string `json:"roles,omitempty"`
+	Permissions   []string `json:"permissions,omitempty"`
 }

 type ManagedAccount struct {
@ -221,6 +229,31 @@ type ManagedAccount struct {
 	SigninUrl   string `xorm:"varchar(200)" json:"signinUrl"`
 }

+type FaceId struct {
+	Name       string    `xorm:"varchar(100) notnull pk" json:"name"`
+	FaceIdData []float64 `json:"faceIdData"`
+}
+
+func GetUserFieldStringValue(user *User, fieldName string) (bool, string, error) {
+	val := reflect.ValueOf(*user)
+	fieldValue := val.FieldByName(fieldName)
+
+	if !fieldValue.IsValid() {
+		return false, "", nil
+	}
+
+	if fieldValue.Kind() == reflect.String {
+		return true, fieldValue.String(), nil
+	}
+
+	marshalValue, err := json.Marshal(fieldValue.Interface())
+	if err != nil {
+		return false, "", err
+	}
+
+	return true, string(marshalValue), nil
+}
+
 func GetGlobalUserCount(field, value string) (int64, error) {
 	session := GetSession("", -1, -1, field, value, "", "")
 	return session.Count(&User{})
@ -641,7 +674,7 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 		columns = []string{
 			"owner", "display_name", "avatar", "first_name", "last_name",
 			"location", "address", "country_code", "region", "language", "affiliation", "title", "id_card_type", "id_card", "homepage", "bio", "tag", "language", "gender", "birthday", "education", "score", "karma", "ranking", "signup_application",
-			"is_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties", "webauthnCredentials", "managedAccounts",
+			"is_admin", "is_forbidden", "is_deleted", "hash", "is_default_avatar", "properties", "webauthnCredentials", "managedAccounts", "face_ids",
 			"signin_wrong_times", "last_signin_wrong_time", "groups", "access_key", "access_secret",
 			"github", "google", "qq", "wechat", "facebook", "dingtalk", "weibo", "gitee", "linkedin", "wecom", "lark", "gitlab", "adfs",
 			"baidu", "alipay", "casdoor", "infoflow", "apple", "azuread", "azureadb2c", "slack", "steam", "bilibili", "okta", "douyin", "line", "amazon",
@ -653,7 +686,7 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 		}
 	}
 	if isAdmin {
-		columns = append(columns, "name", "email", "phone", "country_code", "type")
+		columns = append(columns, "name", "id", "email", "phone", "country_code", "type")
 	}

 	columns = append(columns, "updated_time")
@ -793,6 +826,13 @@ func AddUser(user *User) (bool, error) {
 	}
 	user.Ranking = int(count + 1)

+	if user.Groups != nil && len(user.Groups) > 0 {
+		_, err = userEnforcer.UpdateGroupsForUser(user.GetId(), user.Groups)
+		if err != nil {
+			return false, err
+		}
+	}
+
 	affected, err := ormer.Engine.Insert(user)
 	if err != nil {
 		return false, err
@ -822,6 +862,13 @@ func AddUsers(users []*User) (bool, error) {
 		if err != nil {
 			return false, err
 		}
+
+		if user.Groups != nil && len(user.Groups) > 0 {
+			_, err = userEnforcer.UpdateGroupsForUser(user.GetId(), user.Groups)
+			if err != nil {
+				return false, err
+			}
+		}
 	}

 	affected, err := ormer.Engine.Insert(users)
@ -876,7 +923,7 @@ func DeleteUser(user *User) (bool, error) {
 	return affected != 0, nil
 }

-func GetUserInfo(user *User, scope string, aud string, host string) *Userinfo {
+func GetUserInfo(user *User, scope string, aud string, host string) (*Userinfo, error) {
 	_, originBackend := getOriginFromHost(host)

 	resp := Userinfo{
@ -884,24 +931,44 @@ func GetUserInfo(user *User, scope string, aud string, host string) *Userinfo {
 		Iss: originBackend,
 		Aud: aud,
 	}
+
 	if strings.Contains(scope, "profile") {
 		resp.Name = user.Name
 		resp.DisplayName = user.DisplayName
 		resp.Avatar = user.Avatar
 		resp.Groups = user.Groups
+
+		err := ExtendUserWithRolesAndPermissions(user)
+		if err != nil {
+			return nil, err
+		}
+
+		resp.Roles = []string{}
+		for _, role := range user.Roles {
+			resp.Roles = append(resp.Roles, role.Name)
+		}
+
+		resp.Permissions = []string{}
+		for _, permission := range user.Permissions {
+			resp.Permissions = append(resp.Permissions, permission.Name)
+		}
 	}
+
 	if strings.Contains(scope, "email") {
 		resp.Email = user.Email
 		// resp.EmailVerified = user.EmailVerified
 		resp.EmailVerified = true
 	}
+
 	if strings.Contains(scope, "address") {
 		resp.Address = user.Location
 	}
+
 	if strings.Contains(scope, "phone") {
 		resp.Phone = user.Phone
 	}
-	return &resp
+
+	return &resp, nil
 }

 func LinkUserAccount(user *User, field string, value string) (bool, error) {
@ -985,6 +1052,10 @@ func userChangeTrigger(oldName string, newName string) error {
 	}
 	for _, permission := range permissions {
 		for j, u := range permission.Users {
+			if u == "*" {
+				continue
+			}
+
 			// u = organization/username
 			owner, name := util.GetOwnerAndNameFromId(u)
 			if name == oldName {
--- a/object/user_enforcer.go
+++ b/object/user_enforcer.go
@ -1,10 +1,12 @@
 package object

 import (
+	errors2 "errors"
 	"fmt"

-	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/errors"
+
+	"github.com/casbin/casbin/v2"
 	"github.com/casdoor/casdoor/util"
 )

@ -87,7 +89,7 @@ func (e *UserGroupEnforcer) GetAllUsersByGroup(group string) ([]string, error) {

 	users, err := e.enforcer.GetUsersForRole(GetGroupWithPrefix(group))
 	if err != nil {
-		if err == errors.ErrNameNotFound {
+		if errors2.Is(err, errors.ErrNameNotFound) {
 			return []string{}, nil
 		}
 		return nil, err
--- a/object/user_util.go
+++ b/object/user_util.go
@ -18,8 +18,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
+	"regexp"
 	"strings"

+	"github.com/casdoor/casdoor/i18n"
+
 	jsoniter "github.com/json-iterator/go"

 	"github.com/casdoor/casdoor/idp"
@ -74,6 +77,12 @@ func GetUserByFields(organization string, field string) (*User, error) {
 		return user, err
 	}

+	// check user ID
+	user, err = GetUserByField(organization, "id", field)
+	if user != nil || err != nil {
+		return user, err
+	}
+
 	// check ID card
 	user, err = GetUserByField(organization, "id_card", field)
 	if user != nil || err != nil {
@ -328,6 +337,31 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 		itemsChanged = append(itemsChanged, item)
 	}

+	if oldUser.Gender != newUser.Gender {
+		item := GetAccountItemByName("Gender", organization)
+		itemsChanged = append(itemsChanged, item)
+	}
+
+	if oldUser.Birthday != newUser.Birthday {
+		item := GetAccountItemByName("Birthday", organization)
+		itemsChanged = append(itemsChanged, item)
+	}
+
+	if oldUser.Education != newUser.Education {
+		item := GetAccountItemByName("Education", organization)
+		itemsChanged = append(itemsChanged, item)
+	}
+
+	if oldUser.IdCard != newUser.IdCard {
+		item := GetAccountItemByName("ID card", organization)
+		itemsChanged = append(itemsChanged, item)
+	}
+
+	if oldUser.IdCardType != newUser.IdCardType {
+		item := GetAccountItemByName("ID card type", organization)
+		itemsChanged = append(itemsChanged, item)
+	}
+
 	oldUserPropertiesJson, _ := json.Marshal(oldUser.Properties)
 	newUserPropertiesJson, _ := json.Marshal(newUser.Properties)
 	if string(oldUserPropertiesJson) != string(newUserPropertiesJson) {
@ -353,6 +387,11 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 		itemsChanged = append(itemsChanged, item)
 	}

+	if newUser.FaceIds != nil {
+		item := GetAccountItemByName("Face ID", organization)
+		itemsChanged = append(itemsChanged, item)
+	}
+
 	if oldUser.IsAdmin != newUser.IsAdmin {
 		item := GetAccountItemByName("Is admin", organization)
 		itemsChanged = append(itemsChanged, item)
@ -372,10 +411,33 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 		itemsChanged = append(itemsChanged, item)
 	}

-	for i := range itemsChanged {
-		if pass, err := CheckAccountItemModifyRule(itemsChanged[i], isAdmin, lang); !pass {
+	for _, accountItem := range itemsChanged {
+
+		if pass, err := CheckAccountItemModifyRule(accountItem, isAdmin, lang); !pass {
 			return pass, err
 		}
+
+		exist, userValue, err := GetUserFieldStringValue(newUser, util.SpaceToCamel(accountItem.Name))
+		if err != nil {
+			return false, err.Error()
+		}
+
+		if !exist {
+			continue
+		}
+
+		if accountItem.Regex == "" {
+			continue
+		}
+		regexSignupItem, err := regexp.Compile(accountItem.Regex)
+		if err != nil {
+			return false, err.Error()
+		}
+
+		matched := regexSignupItem.MatchString(userValue)
+		if !matched {
+			return false, fmt.Sprintf(i18n.Translate(lang, "check:The value \"%s\" for account field \"%s\" doesn't match the account item regex"), userValue, accountItem.Name)
+		}
 	}
 	return true, ""
 }
--- a/object/verification.go
+++ b/object/verification.go
@ -17,6 +17,7 @@ package object
 import (
 	"errors"
 	"fmt"
+	"math"
 	"math/rand"
 	"strings"
 	"time"
@ -53,7 +54,7 @@ type VerificationRecord struct {
 	Type       string `xorm:"varchar(10)"`
 	User       string `xorm:"varchar(100) notnull"`
 	Provider   string `xorm:"varchar(100) notnull"`
-	Receiver   string `xorm:"varchar(100) notnull"`
+	Receiver   string `xorm:"varchar(100) index notnull"`
 	Code       string `xorm:"varchar(10) notnull"`
 	Time       int64  `xorm:"notnull"`
 	IsUsed     bool
@ -66,6 +67,7 @@ func IsAllowSend(user *User, remoteAddr, recordType string) error {
 	if user != nil {
 		record.User = user.GetId()
 	}
+
 	has, err := ormer.Engine.Desc("created_time").Get(&record)
 	if err != nil {
 		return err
@ -94,15 +96,18 @@ func SendVerificationCodeToEmail(organization *Organization, user *User, provide
 		content = strings.Replace(content, "%{user.friendlyName}", user.GetFriendlyName(), 1)
 	}

-	if err := IsAllowSend(user, remoteAddr, provider.Category); err != nil {
+	err := IsAllowSend(user, remoteAddr, provider.Category)
+	if err != nil {
 		return err
 	}

-	if err := SendEmail(provider, title, content, dest, sender); err != nil {
+	err = SendEmail(provider, title, content, dest, sender)
+	if err != nil {
 		return err
 	}

-	if err := AddToVerificationRecord(user, provider, remoteAddr, provider.Category, dest, code); err != nil {
+	err = AddToVerificationRecord(user, provider, remoteAddr, provider.Category, dest, code)
+	if err != nil {
 		return err
 	}

@ -110,7 +115,8 @@ func SendVerificationCodeToEmail(organization *Organization, user *User, provide
 }

 func SendVerificationCodeToPhone(organization *Organization, user *User, provider *Provider, remoteAddr string, dest string) error {
-	if err := IsAllowSend(user, remoteAddr, provider.Category); err != nil {
+	err := IsAllowSend(user, remoteAddr, provider.Category)
+	if err != nil {
 		return err
 	}

@ -119,11 +125,13 @@ func SendVerificationCodeToPhone(organization *Organization, user *User, provide
 		code = organization.MasterVerificationCode
 	}

-	if err := SendSms(provider, code, dest); err != nil {
+	err = SendSms(provider, code, dest)
+	if err != nil {
 		return err
 	}

-	if err := AddToVerificationRecord(user, provider, remoteAddr, provider.Category, dest, code); err != nil {
+	err = AddToVerificationRecord(user, provider, remoteAddr, provider.Category, dest, code)
+	if err != nil {
 		return err
 	}

@ -158,6 +166,7 @@ func AddToVerificationRecord(user *User, provider *Provider, remoteAddr, recordT
 func getVerificationRecord(dest string) (*VerificationRecord, error) {
 	var record VerificationRecord
 	record.Receiver = dest
+
 	has, err := ormer.Engine.Desc("time").Where("is_used = false").Get(&record)
 	if err != nil {
 		return nil, err
@ -165,34 +174,34 @@ func getVerificationRecord(dest string) (*VerificationRecord, error) {
 	if !has {
 		return nil, nil
 	}
+
 	return &record, nil
 }

-func CheckVerificationCode(dest string, code string, lang string) *VerifyResult {
+func CheckVerificationCode(dest string, code string, lang string) (*VerifyResult, error) {
 	record, err := getVerificationRecord(dest)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}
-
 	if record == nil {
-		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:Code has not been sent yet!")}
+		return &VerifyResult{noRecordError, i18n.Translate(lang, "verification:The verification code has not been sent yet, or has already been used!")}, nil
 	}

 	timeout, err := conf.GetConfigInt64("verificationCodeTimeout")
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	now := time.Now().Unix()
 	if now-record.Time > timeout*60 {
-		return &VerifyResult{timeoutError, fmt.Sprintf(i18n.Translate(lang, "verification:You should verify your code in %d min!"), timeout)}
+		return &VerifyResult{timeoutError, fmt.Sprintf(i18n.Translate(lang, "verification:You should verify your code in %d min!"), timeout)}, nil
 	}

 	if record.Code != code {
-		return &VerifyResult{wrongCodeError, i18n.Translate(lang, "verification:Wrong verification code!")}
+		return &VerifyResult{wrongCodeError, i18n.Translate(lang, "verification:Wrong verification code!")}, nil
 	}

-	return &VerifyResult{VerificationSuccess, ""}
+	return &VerifyResult{VerificationSuccess, ""}, nil
 }

 func DisableVerificationCode(dest string) error {
@ -213,7 +222,11 @@ func CheckSigninCode(user *User, dest, code, lang string) error {
 		return err
 	}

-	result := CheckVerificationCode(dest, code, lang)
+	result, err := CheckVerificationCode(dest, code, lang)
+	if err != nil {
+		return err
+	}
+
 	switch result.Code {
 	case VerificationSuccess:
 		return resetUserSigninErrorTimes(user)
@ -224,6 +237,28 @@ func CheckSigninCode(user *User, dest, code, lang string) error {
 	}
 }

+func CheckFaceId(user *User, faceId []float64, lang string) error {
+	if len(user.FaceIds) == 0 {
+		return fmt.Errorf(i18n.Translate(lang, "check:Face data does not exist, cannot log in"))
+	}
+
+	for _, userFaceId := range user.FaceIds {
+		if faceId == nil || len(userFaceId.FaceIdData) != len(faceId) {
+			continue
+		}
+		var sumOfSquares float64
+		for i := 0; i < len(userFaceId.FaceIdData); i++ {
+			diff := userFaceId.FaceIdData[i] - faceId[i]
+			sumOfSquares += diff * diff
+		}
+		if math.Sqrt(sumOfSquares) < 0.25 {
+			return nil
+		}
+	}
+
+	return fmt.Errorf(i18n.Translate(lang, "check:Face data mismatch"))
+}
+
 func GetVerifyType(username string) (verificationCodeType string) {
 	if strings.Contains(username, "@") {
 		return VerifyTypeEmail
--- a/object/viaSSHDialer.go
+++ b/object/viaSSHDialer.go
@ -0,0 +1,116 @@
+// Copyright 2024 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"context"
+	"database/sql/driver"
+	"fmt"
+	"net"
+	"time"
+
+	mssql "github.com/denisenkom/go-mssqldb"
+
+	"github.com/lib/pq"
+	"golang.org/x/crypto/ssh"
+)
+
+type ViaSSHDialer struct {
+	Client       *ssh.Client
+	Context      *context.Context
+	DatabaseType string
+}
+
+func (v *ViaSSHDialer) MysqlDial(ctx context.Context, addr string) (net.Conn, error) {
+	return v.Client.Dial("tcp", addr)
+}
+
+func (v *ViaSSHDialer) Open(s string) (_ driver.Conn, err error) {
+	if v.DatabaseType == "mssql" {
+		c, err := mssql.NewConnector(s)
+		if err != nil {
+			return nil, err
+		}
+		c.Dialer = v
+		return c.Connect(context.Background())
+	} else if v.DatabaseType == "postgres" {
+		return pq.DialOpen(v, s)
+	}
+	return nil, nil
+}
+
+func (v *ViaSSHDialer) Dial(network, address string) (net.Conn, error) {
+	return v.Client.Dial(network, address)
+}
+
+func (v *ViaSSHDialer) DialContext(ctx context.Context, network string, addr string) (net.Conn, error) {
+	return v.Client.DialContext(ctx, network, addr)
+}
+
+func (v *ViaSSHDialer) DialTimeout(network, address string, timeout time.Duration) (net.Conn, error) {
+	return v.Client.Dial(network, address)
+}
+
+func DialWithPassword(SshUser string, SshPassword string, SshHost string, SshPort int) (*ssh.Client, error) {
+	address := fmt.Sprintf("%s:%d", SshHost, SshPort)
+	config := &ssh.ClientConfig{
+		User: SshUser,
+		Auth: []ssh.AuthMethod{
+			ssh.Password(SshPassword),
+		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+
+	return ssh.Dial("tcp", address, config)
+}
+
+func DialWithCert(SshUser string, CertId string, SshHost string, SshPort int) (*ssh.Client, error) {
+	address := fmt.Sprintf("%s:%d", SshHost, SshPort)
+	config := &ssh.ClientConfig{
+		User:            SshUser,
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+
+	cert, err := GetCert(CertId)
+	if err != nil {
+		return nil, err
+	}
+
+	signer, err := ssh.ParsePrivateKey([]byte(cert.PrivateKey))
+	if err != nil {
+		return nil, err
+	}
+	config.Auth = []ssh.AuthMethod{
+		ssh.PublicKeys(signer),
+	}
+	return ssh.Dial("tcp", address, config)
+}
+
+func DialWithPrivateKey(SshUser string, PrivateKey []byte, SshHost string, SshPort int) (*ssh.Client, error) {
+	address := fmt.Sprintf("%s:%d", SshHost, SshPort)
+	config := &ssh.ClientConfig{
+		User:            SshUser,
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+
+	signer, err := ssh.ParsePrivateKey(PrivateKey)
+	if err != nil {
+		return nil, err
+	}
+	config.Auth = []ssh.AuthMethod{
+		ssh.PublicKeys(signer),
+	}
+	return ssh.Dial("tcp", address, config)
+}
--- a/object/webhook.go
+++ b/object/webhook.go
@ -33,12 +33,13 @@ type Webhook struct {

 	Organization string `xorm:"varchar(100) index" json:"organization"`

-	Url            string    `xorm:"varchar(100)" json:"url"`
+	Url            string    `xorm:"varchar(200)" json:"url"`
 	Method         string    `xorm:"varchar(100)" json:"method"`
 	ContentType    string    `xorm:"varchar(100)" json:"contentType"`
 	Headers        []*Header `xorm:"mediumtext" json:"headers"`
 	Events         []string  `xorm:"varchar(1000)" json:"events"`
 	IsUserExtended bool      `json:"isUserExtended"`
+	SingleOrgOnly  bool      `json:"singleOrgOnly"`
 	IsEnabled      bool      `json:"isEnabled"`
 }

--- a/routers/authz_filter.go
+++ b/routers/authz_filter.go
@ -66,17 +66,27 @@ func getObject(ctx *context.Context) (string, string) {
 	path := ctx.Request.URL.Path

 	if method == http.MethodGet {
-		if ctx.Request.URL.Path == "/api/get-policies" && ctx.Input.Query("id") == "/" {
-			adapterId := ctx.Input.Query("adapterId")
-			if adapterId != "" {
-				return util.GetOwnerAndNameFromIdNoCheck(adapterId)
+		if ctx.Request.URL.Path == "/api/get-policies" {
+			if ctx.Input.Query("id") == "/" {
+				adapterId := ctx.Input.Query("adapterId")
+				if adapterId != "" {
+					return util.GetOwnerAndNameFromIdNoCheck(adapterId)
+				}
+			} else {
+				// query == "?id=built-in/admin"
+				id := ctx.Input.Query("id")
+				if id != "" {
+					return util.GetOwnerAndNameFromIdNoCheck(id)
+				}
 			}
 		}

-		// query == "?id=built-in/admin"
-		id := ctx.Input.Query("id")
-		if id != "" {
-			return util.GetOwnerAndNameFromIdNoCheck(id)
+		if !(strings.HasPrefix(ctx.Request.URL.Path, "/api/get-") && strings.HasSuffix(ctx.Request.URL.Path, "s")) {
+			// query == "?id=built-in/admin"
+			id := ctx.Input.Query("id")
+			if id != "" {
+				return util.GetOwnerAndNameFromIdNoCheck(id)
+			}
 		}

 		owner := ctx.Input.Query("owner")
--- a/routers/base.go
+++ b/routers/base.go
@ -17,7 +17,6 @@ package routers
 import (
 	"fmt"
 	"net"
-	"net/http"
 	"net/url"
 	"strings"

@ -36,7 +35,7 @@ type Response struct {
 }

 func responseError(ctx *context.Context, error string, data ...interface{}) {
-	ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
+	// ctx.ResponseWriter.WriteHeader(http.StatusForbidden)

 	resp := Response{Status: "error", Msg: error}
 	switch len(data) {
--- a/routers/cors_filter.go
+++ b/routers/cors_filter.go
@ -48,7 +48,7 @@ func CorsFilter(ctx *context.Context) {
 	originHostname := getHostname(origin)
 	host := removePort(ctx.Request.Host)

-	if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "https://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") || strings.HasPrefix(origin, "http://casdoor-app") {
+	if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "https://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") || strings.HasPrefix(origin, "http://casdoor-app") || strings.Contains(origin, ".chromiumapp.org") {
 		setCorsHeaders(ctx, origin)
 		return
 	}
--- a/routers/router.go
+++ b/routers/router.go
@ -221,6 +221,12 @@ func initAPI() {
 	beego.Router("/api/add-subscription", &controllers.ApiController{}, "POST:AddSubscription")
 	beego.Router("/api/delete-subscription", &controllers.ApiController{}, "POST:DeleteSubscription")

+	beego.Router("/api/get-transactions", &controllers.ApiController{}, "GET:GetTransactions")
+	beego.Router("/api/get-transaction", &controllers.ApiController{}, "GET:GetTransaction")
+	beego.Router("/api/update-transaction", &controllers.ApiController{}, "POST:UpdateTransaction")
+	beego.Router("/api/add-transaction", &controllers.ApiController{}, "POST:AddTransaction")
+	beego.Router("/api/delete-transaction", &controllers.ApiController{}, "POST:DeleteTransaction")
+
 	beego.Router("/api/get-system-info", &controllers.ApiController{}, "GET:GetSystemInfo")
 	beego.Router("/api/get-version-info", &controllers.ApiController{}, "GET:GetVersionInfo")
 	beego.Router("/api/health", &controllers.ApiController{}, "GET:Health")
@ -233,6 +239,7 @@ func initAPI() {
 	beego.Router("/api/add-syncer", &controllers.ApiController{}, "POST:AddSyncer")
 	beego.Router("/api/delete-syncer", &controllers.ApiController{}, "POST:DeleteSyncer")
 	beego.Router("/api/run-syncer", &controllers.ApiController{}, "GET:RunSyncer")
+	beego.Router("/api/test-syncer-db", &controllers.ApiController{}, "POST:TestSyncerDb")

 	beego.Router("/api/get-webhooks", &controllers.ApiController{}, "GET:GetWebhooks")
 	beego.Router("/api/get-webhook", &controllers.ApiController{}, "GET:GetWebhook")
@ -261,6 +268,10 @@ func initAPI() {
 	beego.Router("/api/login/oauth/refresh_token", &controllers.ApiController{}, "POST:RefreshToken")
 	beego.Router("/api/login/oauth/introspect", &controllers.ApiController{}, "POST:IntrospectToken")

+	beego.Router("/api/get-records", &controllers.ApiController{}, "GET:GetRecords")
+	beego.Router("/api/get-records-filter", &controllers.ApiController{}, "POST:GetRecordsByFilter")
+	beego.Router("/api/add-record", &controllers.ApiController{}, "POST:AddRecord")
+
 	beego.Router("/api/send-email", &controllers.ApiController{}, "POST:SendEmail")
 	beego.Router("/api/send-sms", &controllers.ApiController{}, "POST:SendSms")
 	beego.Router("/api/send-notification", &controllers.ApiController{}, "POST:SendNotification")
@ -289,4 +300,6 @@ func initAPI() {
 	beego.Router("/cas/:organization/:application/samlValidate", &controllers.RootController{}, "POST:SamlValidate")

 	beego.Router("/scim/*", &controllers.RootController{}, "*:HandleScim")
+
+	beego.Router("/api/faceid-signin-begin", &controllers.ApiController{}, "GET:FaceIDSigninBegin")
 }
--- a/storage/qiniu_cloud.go
+++ b/storage/qiniu_cloud.go
@ -19,8 +19,8 @@ import (
 	"github.com/casdoor/oss/qiniu"
 )

-func NewQiniuCloudKodoStorageProvider(clientId string, clientSecret string, region string, bucket string, endpoint string) oss.StorageInterface {
-	sp := qiniu.New(&qiniu.Config{
+func NewQiniuCloudKodoStorageProvider(clientId string, clientSecret string, region string, bucket string, endpoint string) (oss.StorageInterface, error) {
+	sp, err := qiniu.New(&qiniu.Config{
 		AccessID:  clientId,
 		AccessKey: clientSecret,
 		Region:    region,
@ -28,5 +28,5 @@ func NewQiniuCloudKodoStorageProvider(clientId string, clientSecret string, regi
 		Endpoint:  endpoint,
 	})

-	return sp
+	return sp, err
 }
--- a/storage/storage.go
+++ b/storage/storage.go
@ -16,27 +16,27 @@ package storage

 import "github.com/casdoor/oss"

-func GetStorageProvider(providerType string, clientId string, clientSecret string, region string, bucket string, endpoint string) oss.StorageInterface {
+func GetStorageProvider(providerType string, clientId string, clientSecret string, region string, bucket string, endpoint string) (oss.StorageInterface, error) {
 	switch providerType {
 	case "Local File System":
-		return NewLocalFileSystemStorageProvider()
+		return NewLocalFileSystemStorageProvider(), nil
 	case "AWS S3":
-		return NewAwsS3StorageProvider(clientId, clientSecret, region, bucket, endpoint)
+		return NewAwsS3StorageProvider(clientId, clientSecret, region, bucket, endpoint), nil
 	case "MinIO":
-		return NewMinIOS3StorageProvider(clientId, clientSecret, "_", bucket, endpoint)
+		return NewMinIOS3StorageProvider(clientId, clientSecret, "_", bucket, endpoint), nil
 	case "Aliyun OSS":
-		return NewAliyunOssStorageProvider(clientId, clientSecret, region, bucket, endpoint)
+		return NewAliyunOssStorageProvider(clientId, clientSecret, region, bucket, endpoint), nil
 	case "Tencent Cloud COS":
-		return NewTencentCloudCosStorageProvider(clientId, clientSecret, region, bucket, endpoint)
+		return NewTencentCloudCosStorageProvider(clientId, clientSecret, region, bucket, endpoint), nil
 	case "Azure Blob":
-		return NewAzureBlobStorageProvider(clientId, clientSecret, region, bucket, endpoint)
+		return NewAzureBlobStorageProvider(clientId, clientSecret, region, bucket, endpoint), nil
 	case "Qiniu Cloud Kodo":
 		return NewQiniuCloudKodoStorageProvider(clientId, clientSecret, region, bucket, endpoint)
 	case "Google Cloud Storage":
-		return NewGoogleCloudStorageProvider(clientSecret, bucket, endpoint)
+		return NewGoogleCloudStorageProvider(clientSecret, bucket, endpoint), nil
 	case "Synology":
-		return NewSynologyNasStorageProvider(clientId, clientSecret, endpoint)
+		return NewSynologyNasStorageProvider(clientId, clientSecret, endpoint), nil
 	}

-	return nil
+	return nil, nil
 }
--- a/util/string.go
+++ b/util/string.go
@ -113,6 +113,15 @@ func SnakeToCamel(snake string) string {
 	return strings.Join(words, "")
 }

+func SpaceToCamel(name string) string {
+	words := strings.Split(name, " ")
+	for i := range words {
+		words[i] = strings.ToLower(words[i])
+		words[i] = strings.Title(words[i])
+	}
+	return strings.Join(words, "")
+}
+
 func GetOwnerAndNameFromId(id string) (string, string) {
 	tokens := strings.Split(id, "/")
 	if len(tokens) != 2 {
@ -255,6 +264,10 @@ func GetMaskedEmail(email string) string {
 		return ""
 	}

+	if !strings.Contains(email, "@") {
+		return maskString(email)
+	}
+
 	tokens := strings.Split(email, "@")
 	username := maskString(tokens[0])
 	domain := tokens[1]
--- a/util/validation.go
+++ b/util/validation.go
@ -34,7 +34,7 @@ func init() {
 	rePhone, _ = regexp.Compile(`(\d{3})\d*(\d{4})`)
 	ReWhiteSpace, _ = regexp.Compile(`\s`)
 	ReFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
-	ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+((?:-[a-zA-Z0-9]+)|(?:_[a-zA-Z0-9]+))*$")
+	ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*$")
 }

 func IsEmailValid(email string) bool {
--- a/web/craco.config.js
+++ b/web/craco.config.js
@ -93,6 +93,7 @@ module.exports = {
          "buffer": false,
          "crypto": false,
          "os": false,
+          "fs": false,
        },
      }
    },
--- a/web/package.json
+++ b/web/package.json
@ -29,6 +29,7 @@
    "craco-less": "^2.0.0",
    "echarts": "^5.4.3",
    "ethers": "5.6.9",
+    "face-api.js": "^0.22.2",
    "file-saver": "^2.0.5",
    "i18n-iso-countries": "^7.0.0",
    "i18next": "^19.8.9",
--- a/web/src/App.js
+++ b/web/src/App.js
@ -12,67 +12,14 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-import React, {Component} from "react";
+import React, {Component, Suspense, lazy} from "react";
 import "./App.less";
 import {Helmet} from "react-helmet";
 import * as Setting from "./Setting";
 import {StyleProvider, legacyLogicalPropertiesTransformer} from "@ant-design/cssinjs";
-import {AppstoreTwoTone, BarsOutlined, DeploymentUnitOutlined, DollarTwoTone, DownOutlined, GithubOutlined, HomeTwoTone, InfoCircleFilled, LockTwoTone, LogoutOutlined, SafetyCertificateTwoTone, SettingOutlined, SettingTwoTone, ShareAltOutlined, WalletTwoTone} from "@ant-design/icons";
-import {Alert, Avatar, Button, Card, ConfigProvider, Drawer, Dropdown, FloatButton, Layout, Menu, Result, Tooltip} from "antd";
-import {Link, Redirect, Route, Switch, withRouter} from "react-router-dom";
-import AccountPage from "./account/AccountPage";
-import Dashboard from "./basic/Dashboard";
-import ShortcutsPage from "./basic/ShortcutsPage";
-import AppListPage from "./basic/AppListPage";
-import OrganizationListPage from "./OrganizationListPage";
-import OrganizationEditPage from "./OrganizationEditPage";
-import GroupEditPage from "./GroupEdit";
-import GroupListPage from "./GroupList";
-import GroupTreePage from "./GroupTreePage";
-import UserListPage from "./UserListPage";
-import UserEditPage from "./UserEditPage";
-import InvitationListPage from "./InvitationListPage";
-import InvitationEditPage from "./InvitationEditPage";
-import ApplicationListPage from "./ApplicationListPage";
-import ApplicationEditPage from "./ApplicationEditPage";
-import ProviderListPage from "./ProviderListPage";
-import ProviderEditPage from "./ProviderEditPage";
-import ResourceListPage from "./ResourceListPage";
-import CertListPage from "./CertListPage";
-import CertEditPage from "./CertEditPage";
-import RoleListPage from "./RoleListPage";
-import RoleEditPage from "./RoleEditPage";
-import PermissionListPage from "./PermissionListPage";
-import PermissionEditPage from "./PermissionEditPage";
-import ModelListPage from "./ModelListPage";
-import ModelEditPage from "./ModelEditPage";
-import AdapterListPage from "./AdapterListPage";
-import AdapterEditPage from "./AdapterEditPage";
-import EnforcerEditPage from "./EnforcerEditPage";
-import EnforcerListPage from "./EnforcerListPage";
-import SessionListPage from "./SessionListPage";
-import TokenListPage from "./TokenListPage";
-import TokenEditPage from "./TokenEditPage";
-import ProductListPage from "./ProductListPage";
-import ProductEditPage from "./ProductEditPage";
-import ProductBuyPage from "./ProductBuyPage";
-import PaymentListPage from "./PaymentListPage";
-import PaymentEditPage from "./PaymentEditPage";
-import PaymentResultPage from "./PaymentResultPage";
-import PricingListPage from "./PricingListPage";
-import PricingEditPage from "./PricingEditPage";
-import PlanListPage from "./PlanListPage";
-import PlanEditPage from "./PlanEditPage";
-import SubscriptionListPage from "./SubscriptionListPage";
-import SubscriptionEditPage from "./SubscriptionEditPage";
-import SystemInfo from "./SystemInfo";
-import SyncerListPage from "./SyncerListPage";
-import SyncerEditPage from "./SyncerEditPage";
-import WebhookListPage from "./WebhookListPage";
-import WebhookEditPage from "./WebhookEditPage";
-import LdapEditPage from "./LdapEditPage";
-import LdapSyncPage from "./LdapSyncPage";
-import MfaSetupPage from "./auth/MfaSetupPage";
+import {GithubOutlined, InfoCircleFilled, ShareAltOutlined} from "@ant-design/icons";
+import {Alert, Button, ConfigProvider, Drawer, FloatButton, Layout, Result, Tooltip} from "antd";
+import {Route, Switch, withRouter} from "react-router-dom";
 import CustomGithubCorner from "./common/CustomGithubCorner";
 import * as Conf from "./Conf";

@ -80,40 +27,39 @@ import * as Auth from "./auth/Auth";
 import EntryPage from "./EntryPage";
 import * as AuthBackend from "./auth/AuthBackend";
 import AuthCallback from "./auth/AuthCallback";
-import OdicDiscoveryPage from "./auth/OidcDiscoveryPage";
 import SamlCallback from "./auth/SamlCallback";
 import i18next from "i18next";
 import {withTranslation} from "react-i18next";
-import EnableMfaNotification from "./common/notifaction/EnableMfaNotification";
-import LanguageSelect from "./common/select/LanguageSelect";
-import ThemeSelect from "./common/select/ThemeSelect";
-import OrganizationSelect from "./common/select/OrganizationSelect";
-import {clearWeb3AuthToken} from "./auth/Web3Auth";
-import AccountAvatar from "./account/AccountAvatar";
-import OpenTour from "./common/OpenTour";
-
-const {Header, Footer, Content} = Layout;
+const ManagementPage = lazy(() => import("./ManagementPage"));
+const {Footer, Content} = Layout;

 import {setTwoToneColor} from "@ant-design/icons";
+import * as ApplicationBackend from "./backend/ApplicationBackend";

 setTwoToneColor("rgb(87,52,211)");

 class App extends Component {
  constructor(props) {
    super(props);
+    let storageThemeAlgorithm = [];
+    try {
+      storageThemeAlgorithm = localStorage.getItem("themeAlgorithm") ? JSON.parse(localStorage.getItem("themeAlgorithm")) : ["default"];
+    } catch {
+      storageThemeAlgorithm = ["default"];
+    }
    this.state = {
      classes: props,
      selectedMenuKey: 0,
      account: undefined,
+      accessToken: undefined,
      uri: null,
-      menuVisible: false,
-      themeAlgorithm: ["default"],
+      themeAlgorithm: storageThemeAlgorithm,
      themeData: Conf.ThemeDefault,
-      logo: this.getLogo(Setting.getAlgorithmNames(Conf.ThemeDefault)),
+      logo: this.getLogo(storageThemeAlgorithm),
      requiredEnableMfa: false,
      isAiAssistantOpen: false,
+      application: undefined,
    };
-
    Setting.initServerUrl();
    Auth.initAuthWithConfig({
      serverUrl: Setting.ServerUrl,
@ -124,6 +70,7 @@ class App extends Component {
  UNSAFE_componentWillMount() {
    this.updateMenuKey();
    this.getAccount();
+    this.getApplication();
  }

  componentDidUpdate(prevProps, prevState, snapshot) {
@ -207,11 +154,7 @@ class App extends Component {
  }

  getLogo(themes) {
-    if (themes.includes("dark")) {
-      return `${Setting.StaticBaseUrl}/img/casdoor-logo_1185x256_dark.png`;
-    } else {
-      return `${Setting.StaticBaseUrl}/img/casdoor-logo_1185x256.png`;
-    }
+    return Setting.getLogo(themes);
  }

  setLanguage(account) {
@ -227,6 +170,19 @@ class App extends Component {
    });

    if (initThemeAlgorithm) {
+      if (localStorage.getItem("themeAlgorithm")) {
+        let storageThemeAlgorithm = [];
+        try {
+          storageThemeAlgorithm = JSON.parse(localStorage.getItem("themeAlgorithm"));
+        } catch {
+          storageThemeAlgorithm = ["default"];
+        }
+        this.setState({
+          logo: this.getLogo(storageThemeAlgorithm),
+          themeAlgorithm: storageThemeAlgorithm,
+        });
+        return;
+      }
      this.setState({
        logo: this.getLogo(Setting.getAlgorithmNames(theme)),
        themeAlgorithm: Setting.getAlgorithmNames(theme),
@ -234,6 +190,24 @@ class App extends Component {
    }
  };

+  getApplication() {
+    const applicationName = localStorage.getItem("applicationName");
+    if (!applicationName) {
+      return;
+    }
+    ApplicationBackend.getApplication("admin", applicationName)
+      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
+        this.setState({
+          application: res.data,
+        });
+      });
+  }
+
  getAccount() {
    const params = new URLSearchParams(this.props.location.search);

@ -255,9 +229,11 @@ class App extends Component {
    AuthBackend.getAccount(query)
      .then((res) => {
        let account = null;
+        let accessToken = null;
        if (res.status === "ok") {
          account = res.data;
          account.organization = res.data2;
+          accessToken = res.data.accessToken;

          this.setLanguage(account);
          this.setTheme(Setting.getThemeData(account.organization), Conf.InitThemeAlgorithm);
@ -269,404 +245,39 @@ class App extends Component {

        this.setState({
          account: account,
+          accessToken: accessToken,
        });
      });
  }

-  logout() {
-    this.setState({
-      expired: false,
-      submitted: false,
-    });
-
-    AuthBackend.logout()
-      .then((res) => {
-        if (res.status === "ok") {
-          const owner = this.state.account.owner;
-          this.setState({
-            account: null,
-            themeAlgorithm: ["default"],
-          });
-          clearWeb3AuthToken();
-          Setting.showMessage("success", i18next.t("application:Logged out successfully"));
-          const redirectUri = res.data2;
-          if (redirectUri !== null && redirectUri !== undefined && redirectUri !== "") {
-            Setting.goToLink(redirectUri);
-          } else if (owner !== "built-in") {
-            Setting.goToLink(`${window.location.origin}/login/${owner}`);
-          } else {
-            Setting.goToLinkSoft(this, "/");
-          }
-        } else {
-          Setting.showMessage("error", `Failed to log out: ${res.msg}`);
-        }
-      });
-  }
-
  onUpdateAccount(account) {
    this.setState({
      account: account,
    });
  }

-  renderAvatar() {
-    if (this.state.account.avatar === "") {
-      return (
-        <Avatar style={{backgroundColor: Setting.getAvatarColor(this.state.account.name), verticalAlign: "middle"}} size="large">
-          {Setting.getShortName(this.state.account.name)}
-        </Avatar>
-      );
-    } else {
-      return (
-        <Avatar src={this.state.account.avatar} style={{verticalAlign: "middle"}} size="large"
-          icon={<AccountAvatar src={this.state.account.avatar} style={{verticalAlign: "middle"}} size={40} />}
-        >
-          {Setting.getShortName(this.state.account.name)}
-        </Avatar>
-      );
-    }
-  }
-
-  renderRightDropdown() {
-    const items = [];
-    if (this.state.requiredEnableMfa === false) {
-      items.push(Setting.getItem(<><SettingOutlined />&nbsp;&nbsp;{i18next.t("account:My Account")}</>,
-        "/account"
-      ));
-    }
-    items.push(Setting.getItem(<><LogoutOutlined />&nbsp;&nbsp;{i18next.t("account:Logout")}</>,
-      "/logout"));
-
-    const onClick = (e) => {
-      if (e.key === "/account") {
-        this.props.history.push("/account");
-      } else if (e.key === "/subscription") {
-        this.props.history.push("/subscription");
-      } else if (e.key === "/logout") {
-        this.logout();
-      }
-    };
-
-    return (
-      <Dropdown key="/rightDropDown" menu={{items, onClick}} >
-        <div className="rightDropDown">
-          {
-            this.renderAvatar()
-          }
-          &nbsp;
-          &nbsp;
-          {Setting.isMobile() ? null : Setting.getShortText(Setting.getNameAtLeast(this.state.account.displayName), 30)} &nbsp; <DownOutlined />
-          &nbsp;
-          &nbsp;
-          &nbsp;
-        </div>
-      </Dropdown>
-    );
-  }
-
-  renderAccountMenu() {
-    if (this.state.account === undefined) {
-      return null;
-    } else if (this.state.account === null) {
-      return (
-        <React.Fragment>
-          <LanguageSelect />
-        </React.Fragment>
-      );
-    } else {
-      return (
-        <React.Fragment>
-          {this.renderRightDropdown()}
-          <ThemeSelect
-            themeAlgorithm={this.state.themeAlgorithm}
-            onChange={(nextThemeAlgorithm) => {
-              this.setState({
-                themeAlgorithm: nextThemeAlgorithm,
-                logo: this.getLogo(nextThemeAlgorithm),
-              });
-            }} />
-          <LanguageSelect languages={this.state.account.organization.languages} />
-          <Tooltip title="Click to open AI assitant">
-            <div className="select-box" onClick={() => {
-              this.setState({
-                isAiAssistantOpen: true,
-              });
-            }}>
-              <DeploymentUnitOutlined style={{fontSize: "24px", color: "rgb(77,77,77)"}} />
-            </div>
-          </Tooltip>
-          <OpenTour />
-          {Setting.isAdminUser(this.state.account) && !Setting.isMobile() && (this.state.uri.indexOf("/trees") === -1) &&
-            <OrganizationSelect
-              initValue={Setting.getOrganization()}
-              withAll={true}
-              style={{marginRight: "20px", width: "180px", display: "flex"}}
-              onChange={(value) => {
-                Setting.setOrganization(value);
-              }}
-              className="select-box"
-            />
-          }
-        </React.Fragment>
-      );
-    }
-  }
-
-  getMenuItems() {
-    const res = [];
-
-    if (this.state.account === null || this.state.account === undefined) {
-      return [];
-    }
-
-    res.push(Setting.getItem(<Link to="/">{i18next.t("general:Home")}</Link>, "/home", <HomeTwoTone />, [
-      Setting.getItem(<Link to="/">{i18next.t("general:Dashboard")}</Link>, "/"),
-      Setting.getItem(<Link to="/shortcuts">{i18next.t("general:Shortcuts")}</Link>, "/shortcuts"),
-      Setting.getItem(<Link to="/apps">{i18next.t("general:Apps")}</Link>, "/apps"),
-    ].filter(item => {
-      return Setting.isLocalAdminUser(this.state.account);
-    })));
-
-    if (Setting.isLocalAdminUser(this.state.account)) {
-      if (Conf.ShowGithubCorner) {
-        res.push(Setting.getItem(<a href={"https://casdoor.com"}>
-          <span style={{fontWeight: "bold", backgroundColor: "rgba(87,52,211,0.4)", marginTop: "12px", paddingLeft: "5px", paddingRight: "5px", display: "flex", alignItems: "center", height: "40px", borderRadius: "5px"}}>
-            🚀 SaaS Hosting 🔥
-          </span>
-        </a>, "#"));
-      }
-
-      res.push(Setting.getItem(<Link style={{color: "black"}} to="/organizations">{i18next.t("general:User Management")}</Link>, "/orgs", <AppstoreTwoTone />, [
-        Setting.getItem(<Link to="/organizations">{i18next.t("general:Organizations")}</Link>, "/organizations"),
-        Setting.getItem(<Link to="/groups">{i18next.t("general:Groups")}</Link>, "/groups"),
-        Setting.getItem(<Link to="/users">{i18next.t("general:Users")}</Link>, "/users"),
-        Setting.getItem(<Link to="/invitations">{i18next.t("general:Invitations")}</Link>, "/invitations"),
-      ]));
-
-      res.push(Setting.getItem(<Link style={{color: "black"}} to="/applications">{i18next.t("general:Identity")}</Link>, "/identity", <LockTwoTone />, [
-        Setting.getItem(<Link to="/applications">{i18next.t("general:Applications")}</Link>, "/applications"),
-        Setting.getItem(<Link to="/providers">{i18next.t("general:Providers")}</Link>, "/providers"),
-        Setting.getItem(<Link to="/resources">{i18next.t("general:Resources")}</Link>, "/resources"),
-        Setting.getItem(<Link to="/certs">{i18next.t("general:Certs")}</Link>, "/certs"),
-      ]));
-
-      res.push(Setting.getItem(<Link style={{color: "black"}} to="/roles">{i18next.t("general:Authorization")}</Link>, "/auth", <SafetyCertificateTwoTone />, [
-        Setting.getItem(<Link to="/roles">{i18next.t("general:Roles")}</Link>, "/roles"),
-        Setting.getItem(<Link to="/permissions">{i18next.t("general:Permissions")}</Link>, "/permissions"),
-        Setting.getItem(<Link to="/models">{i18next.t("general:Models")}</Link>, "/models"),
-        Setting.getItem(<Link to="/adapters">{i18next.t("general:Adapters")}</Link>, "/adapters"),
-        Setting.getItem(<Link to="/enforcers">{i18next.t("general:Enforcers")}</Link>, "/enforcers"),
-      ].filter(item => {
-        if (!Setting.isLocalAdminUser(this.state.account) && ["/models", "/adapters", "/enforcers"].includes(item.key)) {
-          return false;
-        } else {
-          return true;
-        }
-      })));
-
-      res.push(Setting.getItem(<Link style={{color: "black"}} to="/sessions">{i18next.t("general:Logging & Auditing")}</Link>, "/logs", <WalletTwoTone />, [
-        Setting.getItem(<Link to="/sessions">{i18next.t("general:Sessions")}</Link>, "/sessions"),
-        Setting.getItem(<a target="_blank" rel="noreferrer" href={Conf.CasvisorUrl}>{i18next.t("general:Records")}</a>, "/records"),
-        Setting.getItem(<Link to="/tokens">{i18next.t("general:Tokens")}</Link>, "/tokens"),
-      ]));
-
-      res.push(Setting.getItem(<Link style={{color: "black"}} to="/products">{i18next.t("general:Business & Payments")}</Link>, "/business", <DollarTwoTone />, [
-        Setting.getItem(<Link to="/products">{i18next.t("general:Products")}</Link>, "/products"),
-        Setting.getItem(<Link to="/payments">{i18next.t("general:Payments")}</Link>, "/payments"),
-        Setting.getItem(<Link to="/plans">{i18next.t("general:Plans")}</Link>, "/plans"),
-        Setting.getItem(<Link to="/pricings">{i18next.t("general:Pricings")}</Link>, "/pricings"),
-        Setting.getItem(<Link to="/subscriptions">{i18next.t("general:Subscriptions")}</Link>, "/subscriptions"),
-      ]));
-
-      if (Setting.isAdminUser(this.state.account)) {
-        res.push(Setting.getItem(<Link style={{color: "black"}} to="/sysinfo">{i18next.t("general:Admin")}</Link>, "/admin", <SettingTwoTone />, [
-          Setting.getItem(<Link to="/sysinfo">{i18next.t("general:System Info")}</Link>, "/sysinfo"),
-          Setting.getItem(<Link to="/syncers">{i18next.t("general:Syncers")}</Link>, "/syncers"),
-          Setting.getItem(<Link to="/webhooks">{i18next.t("general:Webhooks")}</Link>, "/webhooks"),
-          Setting.getItem(<a target="_blank" rel="noreferrer" href={Setting.isLocalhost() ? `${Setting.ServerUrl}/swagger` : "/swagger"}>{i18next.t("general:Swagger")}</a>, "/swagger")]));
-      } else {
-        res.push(Setting.getItem(<Link style={{color: "black"}} to="/syncers">{i18next.t("general:Admin")}</Link>, "/admin", <SettingTwoTone />, [
-          Setting.getItem(<Link to="/syncers">{i18next.t("general:Syncers")}</Link>, "/syncers"),
-          Setting.getItem(<Link to="/webhooks">{i18next.t("general:Webhooks")}</Link>, "/webhooks")]));
-      }
-    }
-
-    return res;
-  }
-
-  renderLoginIfNotLoggedIn(component) {
-    if (this.state.account === null) {
-      sessionStorage.setItem("from", window.location.pathname);
-      return <Redirect to="/login" />;
-    } else if (this.state.account === undefined) {
-      return null;
-    } else {
-      return component;
-    }
-  }
-
-  renderRouter() {
-    return (
-      <Switch>
-        <Route exact path="/" render={(props) => this.renderLoginIfNotLoggedIn(<Dashboard account={this.state.account} {...props} />)} />
-        <Route exact path="/apps" render={(props) => this.renderLoginIfNotLoggedIn(<AppListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/shortcuts" render={(props) => this.renderLoginIfNotLoggedIn(<ShortcutsPage account={this.state.account} {...props} />)} />
-        <Route exact path="/account" render={(props) => this.renderLoginIfNotLoggedIn(<AccountPage account={this.state.account} {...props} />)} />
-        <Route exact path="/organizations" render={(props) => this.renderLoginIfNotLoggedIn(<OrganizationListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/organizations/:organizationName" render={(props) => this.renderLoginIfNotLoggedIn(<OrganizationEditPage account={this.state.account} onChangeTheme={this.setTheme} {...props} />)} />
-        <Route exact path="/organizations/:organizationName/users" render={(props) => this.renderLoginIfNotLoggedIn(<UserListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/trees/:organizationName" render={(props) => this.renderLoginIfNotLoggedIn(<GroupTreePage account={this.state.account} {...props} />)} />
-        <Route exact path="/trees/:organizationName/:groupName" render={(props) => this.renderLoginIfNotLoggedIn(<GroupTreePage account={this.state.account} {...props} />)} />
-        <Route exact path="/groups" render={(props) => this.renderLoginIfNotLoggedIn(<GroupListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/groups/:organizationName/:groupName" render={(props) => this.renderLoginIfNotLoggedIn(<GroupEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/users" render={(props) => this.renderLoginIfNotLoggedIn(<UserListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/users/:organizationName/:userName" render={(props) => <UserEditPage account={this.state.account} {...props} />} />
-        <Route exact path="/invitations" render={(props) => this.renderLoginIfNotLoggedIn(<InvitationListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/invitations/:organizationName/:invitationName" render={(props) => this.renderLoginIfNotLoggedIn(<InvitationEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/applications" render={(props) => this.renderLoginIfNotLoggedIn(<ApplicationListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/applications/:organizationName/:applicationName" render={(props) => this.renderLoginIfNotLoggedIn(<ApplicationEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/providers" render={(props) => this.renderLoginIfNotLoggedIn(<ProviderListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/providers/:organizationName/:providerName" render={(props) => this.renderLoginIfNotLoggedIn(<ProviderEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/resources" render={(props) => this.renderLoginIfNotLoggedIn(<ResourceListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/certs" render={(props) => this.renderLoginIfNotLoggedIn(<CertListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/certs/:organizationName/:certName" render={(props) => this.renderLoginIfNotLoggedIn(<CertEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/roles" render={(props) => this.renderLoginIfNotLoggedIn(<RoleListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/roles/:organizationName/:roleName" render={(props) => this.renderLoginIfNotLoggedIn(<RoleEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/permissions" render={(props) => this.renderLoginIfNotLoggedIn(<PermissionListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/permissions/:organizationName/:permissionName" render={(props) => this.renderLoginIfNotLoggedIn(<PermissionEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/models" render={(props) => this.renderLoginIfNotLoggedIn(<ModelListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/models/:organizationName/:modelName" render={(props) => this.renderLoginIfNotLoggedIn(<ModelEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/adapters" render={(props) => this.renderLoginIfNotLoggedIn(<AdapterListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/adapters/:organizationName/:adapterName" render={(props) => this.renderLoginIfNotLoggedIn(<AdapterEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/enforcers" render={(props) => this.renderLoginIfNotLoggedIn(<EnforcerListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/enforcers/:organizationName/:enforcerName" render={(props) => this.renderLoginIfNotLoggedIn(<EnforcerEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/sessions" render={(props) => this.renderLoginIfNotLoggedIn(<SessionListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/tokens" render={(props) => this.renderLoginIfNotLoggedIn(<TokenListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/tokens/:tokenName" render={(props) => this.renderLoginIfNotLoggedIn(<TokenEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/products" render={(props) => this.renderLoginIfNotLoggedIn(<ProductListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/products/:organizationName/:productName" render={(props) => this.renderLoginIfNotLoggedIn(<ProductEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/products/:organizationName/:productName/buy" render={(props) => this.renderLoginIfNotLoggedIn(<ProductBuyPage account={this.state.account} {...props} />)} />
-        <Route exact path="/payments" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/payments/:organizationName/:paymentName" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/payments/:organizationName/:paymentName/result" render={(props) => this.renderLoginIfNotLoggedIn(<PaymentResultPage account={this.state.account} {...props} />)} />
-        <Route exact path="/plans" render={(props) => this.renderLoginIfNotLoggedIn(<PlanListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/plans/:organizationName/:planName" render={(props) => this.renderLoginIfNotLoggedIn(<PlanEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/pricings" render={(props) => this.renderLoginIfNotLoggedIn(<PricingListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/pricings/:organizationName/:pricingName" render={(props) => this.renderLoginIfNotLoggedIn(<PricingEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/subscriptions" render={(props) => this.renderLoginIfNotLoggedIn(<SubscriptionListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/subscriptions/:organizationName/:subscriptionName" render={(props) => this.renderLoginIfNotLoggedIn(<SubscriptionEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/sysinfo" render={(props) => this.renderLoginIfNotLoggedIn(<SystemInfo account={this.state.account} {...props} />)} />
-        <Route exact path="/syncers" render={(props) => this.renderLoginIfNotLoggedIn(<SyncerListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/syncers/:syncerName" render={(props) => this.renderLoginIfNotLoggedIn(<SyncerEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/webhooks" render={(props) => this.renderLoginIfNotLoggedIn(<WebhookListPage account={this.state.account} {...props} />)} />
-        <Route exact path="/webhooks/:webhookName" render={(props) => this.renderLoginIfNotLoggedIn(<WebhookEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/ldap/:organizationName/:ldapId" render={(props) => this.renderLoginIfNotLoggedIn(<LdapEditPage account={this.state.account} {...props} />)} />
-        <Route exact path="/ldap/sync/:organizationName/:ldapId" render={(props) => this.renderLoginIfNotLoggedIn(<LdapSyncPage account={this.state.account} {...props} />)} />
-        <Route exact path="/mfa/setup" render={(props) => this.renderLoginIfNotLoggedIn(<MfaSetupPage account={this.state.account} onfinish={() => this.setState({requiredEnableMfa: false})} {...props} />)} />
-        <Route exact path="/.well-known/openid-configuration" render={(props) => <OdicDiscoveryPage />} />
-        <Route path="" render={() => <Result status="404" title="404 NOT FOUND" subTitle={i18next.t("general:Sorry, the page you visited does not exist.")}
-          extra={<a href="/"><Button type="primary">{i18next.t("general:Back Home")}</Button></a>} />} />
-      </Switch>
-    );
-  }
-
-  onClose = () => {
-    this.setState({
-      menuVisible: false,
-    });
-  };
-
-  showMenu = () => {
-    this.setState({
-      menuVisible: true,
-    });
-  };
-
-  isWithoutCard() {
-    return Setting.isMobile() || window.location.pathname.startsWith("/trees");
-  }
-
-  renderContent() {
-    const onClick = ({key}) => {
-      if (key !== "/swagger" && key !== "/records") {
-        if (this.state.requiredEnableMfa) {
-          Setting.showMessage("info", "Please enable MFA first!");
-        } else {
-          this.props.history.push(key);
-        }
-      }
-    };
-    const menuStyleRight = Setting.isAdminUser(this.state.account) && !Setting.isMobile() ? "calc(180px + 280px)" : "280px";
-    return (
-      <Layout id="parent-area">
-        <EnableMfaNotification account={this.state.account} />
-        <Header style={{padding: "0", marginBottom: "3px", backgroundColor: this.state.themeAlgorithm.includes("dark") ? "black" : "white"}} >
-          {Setting.isMobile() ? null : (
-            <Link to={"/"}>
-              <div className="logo" style={{background: `url(${this.state.logo})`}} />
-            </Link>
-          )}
-          {this.state.requiredEnableMfa || (Setting.isMobile() ?
-            <React.Fragment>
-              <Drawer title={i18next.t("general:Close")} placement="left" visible={this.state.menuVisible} onClose={this.onClose}>
-                <Menu
-                  items={this.getMenuItems()}
-                  mode={"inline"}
-                  selectedKeys={[this.state.selectedMenuKey]}
-                  style={{lineHeight: "64px"}}
-                  onClick={this.onClose}
-                >
-                </Menu>
-              </Drawer>
-              <Button icon={<BarsOutlined />} onClick={this.showMenu} type="text">
-                {i18next.t("general:Menu")}
-              </Button>
-            </React.Fragment> :
-            <Menu
-              onClick={onClick}
-              items={this.getMenuItems()}
-              mode={"horizontal"}
-              selectedKeys={[this.state.selectedMenuKey]}
-              style={{position: "absolute", left: "145px", right: menuStyleRight}}
-            />
-          )}
-          {
-            this.renderAccountMenu()
-          }
-        </Header>
-        <Content style={{display: "flex", flexDirection: "column"}} >
-          {this.isWithoutCard() ?
-            this.renderRouter() :
-            <Card className="content-warp-card">
-              {this.renderRouter()}
-            </Card>
-          }
-        </Content>
-        {
-          this.renderFooter()
-        }
-        {
-          this.renderAiAssistant()
-        }
-      </Layout>
-    );
-  }
-
  renderFooter() {
    return (
      <React.Fragment>
        {!this.state.account ? null : <div style={{display: "none"}} id="CasdoorApplicationName" value={this.state.account.signupApplication} />}
+        {!this.state.account ? null : <div style={{display: "none"}} id="CasdoorAccessToken" value={this.state.accessToken} />}
        <Footer id="footer" style={
          {
            textAlign: "center",
          }
        }>
          {
-            Conf.CustomFooter !== null ? Conf.CustomFooter : (
+            this.state.application?.footerHtml && this.state.application.footerHtml !== "" ?
              <React.Fragment>
-                Powered by <a target="_blank" href="https://casdoor.org" rel="noreferrer"><img style={{paddingBottom: "3px"}} height={"20px"} alt={"Casdoor"} src={this.state.logo} /></a>
+                <div dangerouslySetInnerHTML={{__html: this.state.application.footerHtml}} />
              </React.Fragment>
-            )
+              : (
+                Conf.CustomFooter !== null ? Conf.CustomFooter : (
+                  <React.Fragment>
+                  Powered by <a target="_blank" href="https://casdoor.org" rel="noreferrer"><img style={{paddingBottom: "3px"}} height={"20px"} alt={"Casdoor"} src={this.state.logo} /></a>
+                  </React.Fragment>
+                )
+              )
          }
        </Footer>
      </React.Fragment>
@ -718,49 +329,68 @@ class App extends Component {
        window.location.pathname.startsWith("/prompt") ||
        window.location.pathname.startsWith("/result") ||
        window.location.pathname.startsWith("/cas") ||
-        window.location.pathname.startsWith("/auto-signup") ||
        window.location.pathname.startsWith("/select-plan") ||
        window.location.pathname.startsWith("/buy-plan") ||
        window.location.pathname.startsWith("/qrcode") ;
  }

+  onClick = ({key}) => {
+    if (key !== "/swagger" && key !== "/records") {
+      if (this.state.requiredEnableMfa) {
+        Setting.showMessage("info", "Please enable MFA first!");
+      } else {
+        this.props.history.push(key);
+      }
+    }
+  };
+
  renderPage() {
    if (this.isDoorPages()) {
      return (
-        <Layout id="parent-area">
-          <Content style={{display: "flex", justifyContent: "center"}}>
-            {
-              this.isEntryPages() ?
-                <EntryPage
-                  account={this.state.account}
-                  theme={this.state.themeData}
-                  onLoginSuccess={(redirectUrl) => {
-                    if (redirectUrl) {
-                      localStorage.setItem("mfaRedirectUrl", redirectUrl);
-                    }
-                    this.getAccount();
-                  }}
-                  onUpdateAccount={(account) => this.onUpdateAccount(account)}
-                  updataThemeData={this.setTheme}
-                /> :
-                <Switch>
-                  <Route exact path="/callback" component={AuthCallback} />
-                  <Route exact path="/callback/saml" component={SamlCallback} />
-                  <Route path="" render={() => <Result status="404" title="404 NOT FOUND" subTitle={i18next.t("general:Sorry, the page you visited does not exist.")}
-                    extra={<a href="/"><Button type="primary">{i18next.t("general:Back Home")}</Button></a>} />} />
-                </Switch>
-            }
-          </Content>
-          {
-            this.renderFooter()
-          }
-          {
-            this.renderAiAssistant()
-          }
-        </Layout>
+        <ConfigProvider theme={{
+          algorithm: Setting.getAlgorithm(["default"]),
+        }}>
+          <StyleProvider hashPriority="high" transformers={[legacyLogicalPropertiesTransformer]}>
+            <Layout id="parent-area">
+              <Content style={{display: "flex", justifyContent: "center"}}>
+                {
+                  this.isEntryPages() ?
+                    <EntryPage
+                      account={this.state.account}
+                      theme={this.state.themeData}
+                      updateApplication={(application) => {
+                        this.setState({
+                          application: application,
+                        });
+                      }}
+                      onLoginSuccess={(redirectUrl) => {
+                        if (redirectUrl) {
+                          localStorage.setItem("mfaRedirectUrl", redirectUrl);
+                        }
+                        this.getAccount();
+                      }}
+                      onUpdateAccount={(account) => this.onUpdateAccount(account)}
+                      updataThemeData={this.setTheme}
+                    /> :
+                    <Switch>
+                      <Route exact path="/callback" component={AuthCallback} />
+                      <Route exact path="/callback/saml" component={SamlCallback} />
+                      <Route path="" render={() => <Result status="404" title="404 NOT FOUND" subTitle={i18next.t("general:Sorry, the page you visited does not exist.")}
+                        extra={<a href="/"><Button type="primary">{i18next.t("general:Back Home")}</Button></a>} />} />
+                    </Switch>
+                }
+              </Content>
+              {
+                this.renderFooter()
+              }
+              {
+                this.renderAiAssistant()
+              }
+            </Layout>
+          </StyleProvider>
+        </ConfigProvider>
      );
    }
-
    return (
      <React.Fragment>
        {/* { */}
@ -769,7 +399,49 @@ class App extends Component {
        <FloatButton.BackTop />
        <CustomGithubCorner />
        {
-          this.renderContent()
+          <Suspense fallback={null}>
+            <Layout id="parent-area">
+              <ManagementPage
+                account={this.state.account}
+                uri={this.state.uri}
+                themeData={this.state.themeData}
+                themeAlgorithm={this.state.themeAlgorithm}
+                selectedMenuKey={this.state.selectedMenuKey}
+                requiredEnableMfa={this.state.requiredEnableMfa}
+                menuVisible={this.state.menuVisible}
+                logo={this.state.logo}
+                onChangeTheme={this.setTheme}
+                onClick = {this.onClick}
+                onfinish={() => {
+                  this.setState({requiredEnableMfa: false});
+                }}
+                openAiAssistant={() => {
+                  this.setState({
+                    isAiAssistantOpen: true,
+                  });
+                }}
+                setLogoAndThemeAlgorithm={(nextThemeAlgorithm) => {
+                  this.setState({
+                    themeAlgorithm: nextThemeAlgorithm,
+                    logo: this.getLogo(nextThemeAlgorithm),
+                  });
+                  localStorage.setItem("themeAlgorithm", JSON.stringify(nextThemeAlgorithm));
+                }}
+                setLogoutState={() => {
+                  this.setState({
+                    account: null,
+                    themeAlgorithm: ["default"],
+                  });
+                }}
+              />
+              {
+                this.renderFooter()
+              }
+              {
+                this.renderAiAssistant()
+              }
+            </Layout>
+          </Suspense>
        }
      </React.Fragment>
    );
--- a/web/src/App.less
+++ b/web/src/App.less
@ -54,7 +54,7 @@ img {
  cursor: pointer;

  &:hover {
-    background-color: #f5f5f5 !important;
+    background-color: #f5f5f5a5 !important;
  }
 }

@ -67,8 +67,7 @@ img {
  cursor: pointer;

  &:hover {
-    background-color: #f5f5f5;
-    color: black;
+    background-color: #f5f5f5a5;
  }
 }

--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@ -36,6 +36,7 @@ import ThemeEditor from "./common/theme/ThemeEditor";

 import {Controlled as CodeMirror} from "react-codemirror2";
 import "codemirror/lib/codemirror.css";
+import SigninTable from "./table/SigninTable";

 require("codemirror/theme/material-darker.css");
 require("codemirror/mode/htmlmixed/htmlmixed");
@ -759,7 +760,7 @@ class ApplicationEditPage extends React.Component {
        </Row>
        <Row>
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("application:Form CSS"), i18next.t("application:Form CSS - Tooltip"))} :
+            {Setting.getLabel(i18next.t("application:Custom CSS"), i18next.t("application:Custom CSS - Tooltip"))} :
          </Col>
          <Col span={22}>
            <Popover placement="right" content={
@ -771,7 +772,7 @@ class ApplicationEditPage extends React.Component {
                  }}
                />
              </div>
-            } title={i18next.t("application:Form CSS - Edit")} trigger="click">
+            } title={i18next.t("application:Custom CSS - Edit")} trigger="click">
              <Input value={this.state.application.formCss} style={{marginBottom: "10px"}} onChange={e => {
                this.updateApplicationField("formCss", e.target.value);
              }} />
@ -780,7 +781,7 @@ class ApplicationEditPage extends React.Component {
        </Row>
        <Row>
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("application:Form CSS Mobile"), i18next.t("application:Form CSS Mobile - Tooltip"))} :
+            {Setting.getLabel(i18next.t("application:Custom CSS Mobile"), i18next.t("application:Custom CSS Mobile - Tooltip"))} :
          </Col>
          <Col span={22}>
            <Popover placement="right" content={
@ -792,7 +793,7 @@ class ApplicationEditPage extends React.Component {
                  }}
                />
              </div>
-            } title={i18next.t("application:Form CSS Mobile - Edit")} trigger="click">
+            } title={i18next.t("application:Custom CSS Mobile - Edit")} trigger="click">
              <Input value={this.state.application.formCssMobile} style={{marginBottom: "10px"}} onChange={e => {
                this.updateApplicationField("formCssMobile", e.target.value);
              }} />
@ -864,6 +865,78 @@ class ApplicationEditPage extends React.Component {
            }
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("application:Header HTML"), i18next.t("application:Header HTML - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Popover placement="right" content={
+              <div style={{width: "900px", height: "300px"}} >
+                <CodeMirror
+                  value={this.state.application.headerHtml}
+                  options={{mode: "htmlmixed", theme: "material-darker"}}
+                  onBeforeChange={(editor, data, value) => {
+                    this.updateApplicationField("headerHtml", value);
+                  }}
+                />
+              </div>
+            } title={i18next.t("application:Header HTML - Edit")} trigger="click">
+              <Input value={this.state.application.headerHtml} style={{marginBottom: "10px"}} onChange={e => {
+                this.updateApplicationField("headerHtml", e.target.value);
+              }} />
+            </Popover>
+          </Col>
+        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("application:Footer HTML"), i18next.t("application:Footer HTML - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Popover placement="right" content={
+              <div style={{width: "900px", height: "300px"}} >
+                <CodeMirror
+                  value={this.state.application.footerHtml}
+                  options={{mode: "htmlmixed", theme: "material-darker"}}
+                  onBeforeChange={(editor, data, value) => {
+                    this.updateApplicationField("footerHtml", value);
+                  }}
+                />
+              </div>
+            } title={i18next.t("application:Footer HTML - Edit")} trigger="click">
+              <Input value={this.state.application.footerHtml} style={{marginBottom: "10px"}} onChange={e => {
+                this.updateApplicationField("footerHtml", e.target.value);
+              }} />
+            </Popover>
+          </Col>
+        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+          </Col>
+          <Button style={{marginLeft: "10px", marginBottom: "5px"}} onClick={() => this.updateApplicationField("footerHtml", Setting.getDefaultFooterContent())} >
+            {i18next.t("provider:Reset to Default HTML")}
+          </Button>
+          <Button style={{marginLeft: "10px", marginBottom: "5px"}} onClick={() => this.updateApplicationField("footerHtml", Setting.getEmptyFooterContent())} >
+            {i18next.t("application:Reset to Empty")}
+          </Button>
+        </Row>
+        {
+          <React.Fragment>
+            <Row style={{marginTop: "20px"}} >
+              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                {Setting.getLabel(i18next.t("application:Signin items"), i18next.t("application:Signin items - Tooltip"))} :
+              </Col>
+              <Col span={22} >
+                <SigninTable
+                  title={i18next.t("application:Signin items")}
+                  table={this.state.application.signinItems}
+                  onUpdateTable={(value) => {
+                    this.updateApplicationField("signinItems", value);
+                  }}
+                />
+              </Col>
+            </Row>
+          </React.Fragment>
+        }
        {
          !this.state.application.enableSignUp ? null : (
            <React.Fragment>
@ -1008,7 +1081,7 @@ class ApplicationEditPage extends React.Component {
  submitApplicationEdit(exitAfterSave) {
    const application = Setting.deepCopy(this.state.application);
    application.providers = application.providers?.filter(provider => this.state.providers.map(provider => provider.name).includes(provider.name));
-    application.signinMethods = application.signinMethods?.filter(signinMethod => ["Password", "Verification code", "WebAuthn", "LDAP"].includes(signinMethod.name));
+    application.signinMethods = application.signinMethods?.filter(signinMethod => ["Password", "Verification code", "WebAuthn", "LDAP", "Face ID"].includes(signinMethod.name));

    ApplicationBackend.updateApplication("admin", this.state.applicationName, application)
      .then((res) => {
--- a/web/src/ApplicationListPage.js
+++ b/web/src/ApplicationListPage.js
@ -50,6 +50,7 @@ class ApplicationListPage extends BaseListPage {
        {name: "Password", displayName: "Password", rule: "All"},
        {name: "Verification code", displayName: "Verification code", rule: "All"},
        {name: "WebAuthn", displayName: "WebAuthn", rule: "None"},
+        {name: "Face ID", displayName: "Face ID", rule: "None"},
      ],
      signupItems: [
        {name: "ID", visible: false, required: true, rule: "Random"},
@ -61,6 +62,7 @@ class ApplicationListPage extends BaseListPage {
        {name: "Phone", visible: true, required: true, rule: "None"},
        {name: "Agreement", visible: true, required: true, rule: "None"},
      ],
+      grantTypes: ["authorization_code", "password", "client_credentials", "token", "id_token", "refresh_token"],
      cert: "cert-built-in",
      redirectUris: ["http://localhost:9000/callback"],
      tokenFormat: "JWT",
--- a/web/src/CertEditPage.js
+++ b/web/src/CertEditPage.js
@ -171,48 +171,54 @@ class CertEditPage extends React.Component {
          <Col span={22} >
            <Select virtual={false} style={{width: "100%"}} value={this.state.cert.cryptoAlgorithm} onChange={(value => {
              this.updateCertField("cryptoAlgorithm", value);
-              if (value === "RS256") {
-                this.updateCertField("bitSize", 2048);
-              } else if (value === "HS256" || value === "ES256") {
-                this.updateCertField("bitSize", 256);
-              } else if (value === "ES384") {
-                this.updateCertField("bitSize", 384);
-              } else if (value === "ES521") {
-                this.updateCertField("bitSize", 521);
-              } else {
+
+              if (value.startsWith("ES")) {
                this.updateCertField("bitSize", 0);
+              } else {
+                if (this.state.cert.bitSize !== 1024 && this.state.cert.bitSize !== 2048 && this.state.cert.bitSize !== 4096) {
+                  this.updateCertField("bitSize", 2048);
+                }
              }
+
              this.updateCertField("certificate", "");
              this.updateCertField("privateKey", "");
            })}>
              {
                [
                  {id: "RS256", name: "RS256 (RSA + SHA256)"},
-                  {id: "HS256", name: "HS256 (HMAC + SHA256)"},
+                  {id: "RS384", name: "RS384 (RSA + SHA384)"},
+                  {id: "RS512", name: "RS512 (RSA + SHA512)"},
                  {id: "ES256", name: "ES256 (ECDSA using P-256 + SHA256)"},
-                  {id: "ES384", name: "ES384 (ECDSA using P-384 + SHA256)"},
-                  {id: "ES521", name: "ES521 (ECDSA using P-521 + SHA256)"},
+                  {id: "ES384", name: "ES384 (ECDSA using P-384 + SHA384)"},
+                  {id: "ES512", name: "ES512 (ECDSA using P-521 + SHA512)"},
+                  {id: "PS256", name: "PS256 (RSASSA-PSS using SHA256 and MGF1 with SHA256)"},
+                  {id: "PS384", name: "PS384 (RSASSA-PSS using SHA384 and MGF1 with SHA384)"},
+                  {id: "PS512", name: "PS512 (RSASSA-PSS using SHA512 and MGF1 with SHA512)"},
                ].map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
              }
            </Select>
          </Col>
        </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("cert:Bit size"), i18next.t("cert:Bit size - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Select virtual={false} style={{width: "100%"}} value={this.state.cert.bitSize} onChange={(value => {
-              this.updateCertField("bitSize", value);
-              this.updateCertField("certificate", "");
-              this.updateCertField("privateKey", "");
-            })}>
-              {
-                Setting.getCryptoAlgorithmOptions(this.state.cert.cryptoAlgorithm).map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
-              }
-            </Select>
-          </Col>
-        </Row>
+        {
+          this.state.cert.cryptoAlgorithm.startsWith("ES") ? null : (
+            <Row style={{marginTop: "20px"}} >
+              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                {Setting.getLabel(i18next.t("cert:Bit size"), i18next.t("cert:Bit size - Tooltip"))} :
+              </Col>
+              <Col span={22} >
+                <Select virtual={false} style={{width: "100%"}} value={this.state.cert.bitSize} onChange={(value => {
+                  this.updateCertField("bitSize", value);
+                  this.updateCertField("certificate", "");
+                  this.updateCertField("privateKey", "");
+                })}>
+                  {
+                    Setting.getCryptoAlgorithmOptions(this.state.cert.cryptoAlgorithm).map((item, index) => <Option key={index} value={item.id}>{item.name}</Option>)
+                  }
+                </Select>
+              </Col>
+            </Row>
+          )
+        }
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("cert:Expire in years"), i18next.t("cert:Expire in years - Tooltip"))} :
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Yaodong Yu	44ae76503e	feat: add default user mapping in custom oauth2 provider (#2819 )	2024-03-18 23:01:17 +08:00
Yang Luo	ae1634a4d5	feat: fix user cannot logout issue about bug in GetSessionToken()	2024-03-18 02:11:39 +08:00
HGZ-20	bdf9864f69	fix: add FaceIdSigninBegin() to verify user information before face login (#2815 ) * feat: add FaceIdSigninBegin() to verify user information before face login * Update face.go --------- Co-authored-by: Eric Luo <hsluoyz@qq.com>	2024-03-18 00:04:12 +08:00
Yang Luo	72839d6bf5	feat: fix TokenFormat error in get-account API	2024-03-17 23:03:50 +08:00
Will.Feng	2c4b1093ed	fix: Correct expiresIn calculation for WeChat Mini Program token. (#2814 )	2024-03-17 22:20:21 +08:00
Yang Luo	d1c55d5aa7	fix: improve error message in token_cas.go	2024-03-17 22:01:49 +08:00
SamYSF	c8aa35c9c6	feat: add token to the page for Chrome extension (#2804 ) * feat: add token to the page for Chrome extension * Update token_oauth.go --------- Co-authored-by: Eric Luo <hsluoyz@qq.com>	2024-03-17 22:01:28 +08:00
Yang Luo	6037f37b87	feat: add default token format for built-in app	2024-03-17 20:46:01 +08:00
Yang Luo	1b478903d8	feat: fix login page error cannot show bug	2024-03-17 11:39:12 +08:00
Yang Luo	4f5ac7a10b	Fix Face IDs label	2024-03-17 09:56:24 +08:00
Yang Luo	e81ba62234	Improve Face ID signin method UI	2024-03-17 09:56:23 +08:00
Ron	a19060c7cb	fix: missing parameter type_token_hint in IntrospectToken() (#2812 ) * fix: missing parameter type_token_hint in IntrospectToken(); fix key token type	2024-03-17 01:39:04 +08:00
HGZ-20	96812f676b	fix: "fs" module not found issue in face-api.js for browser usage (#2810 )	2024-03-17 01:35:43 +08:00
HGZ-20	04f0458b5c	feat: improve handleCameraError() and camera call logic (#2809 ) add i18n for face recognition	2024-03-16 22:52:57 +08:00
Yang Luo	fd0bcd9a17	Improve getObject() for "/api/get-policies"	2024-03-16 21:42:00 +08:00
Yang Luo	01a5958307	Improve error text in RequireAdmin()	2024-03-16 21:14:19 +08:00
Yang Luo	be88b00278	feat: improve RequireAdmin() logic	2024-03-16 20:49:17 +08:00
Yang Luo	1bd0245e7a	Improve CheckVerificationCode() error message, add receiver to index	2024-03-16 18:16:29 +08:00
Yang Luo	cc84bd37cf	Add object field in RecordListPage	2024-03-16 16:57:04 +08:00
Yang Luo	8302fcf805	Improve handleCameraError()	2024-03-16 09:55:55 +08:00
HGZ-20	391a533ce1	feat: add "Face ID" login method (#2782 ) Face Login via face-api.js	2024-03-16 09:04:00 +08:00
Will.Feng	57431a59ad	fix: Ensure /api/get-app-login Returns Captcha Provider for Applications Configured with Captcha (#2800 ) In LoginPage.js, the line 92:const captchaProviderItems = this.getCaptchaProviderItems(this.props.application); captchaProviderItems have no Captcha Provider.	2024-03-15 19:56:12 +08:00
Yang Luo	88a4736520	feat: fix GetDashboard() page	2024-03-15 19:52:19 +08:00
xiao-kong-long	2cb6ff69ae	fix: show selected organizations' statistics in dashboard page (#2805 ) * fix: show selected organizations' statistics in dashboard page * Update get-dashboard.go * Update saml_idp.go --------- Co-authored-by: Eric Luo <hsluoyz@qq.com>	2024-03-15 19:36:39 +08:00
leon.zhao	e1e5943a3e	fix: fix the issue of adding xmlns="" when generating XML (#2799 ) * fix:solve the problem of adding xmlns="" when generating XML * fix:remove fmt.Println * Update saml_idp.go --------- Co-authored-by: zhaoxianfei <zhaoxianfei@meiqia.cn> Co-authored-by: Eric Luo <hsluoyz@qq.com>	2024-03-13 23:59:05 +08:00
DacongDA	3875896c1e	feat: support custom header logo (#2801 ) * feat: support custom header logo * feat: add i18n * feat: preview default logo when field is empty * feat: improve logo setting and display logic * feat: change logoLight to logo	2024-03-13 23:33:43 +08:00
DacongDA	7e2f265420	feat: improve organization select UI (#2798 )	2024-03-12 19:39:53 +08:00
Yang Luo	53ef179e9b	Set Webhook.Url length to 200	2024-03-11 18:18:01 +08:00
Yang Luo	376ef0ed14	feat: support custom Email content in /send-email API	2024-03-11 11:48:00 +08:00
Yang Luo	ca183be336	Improve ManagedAccountTable UI	2024-03-11 00:13:34 +08:00
Yang Luo	e5da57a005	feat: fix cert's ES options	2024-03-10 19:30:05 +08:00
Yang Luo	e4e225db32	Use "ES512" value	2024-03-10 19:25:41 +08:00
Yang Luo	a1add992ee	Support legacy "RSA" value	2024-03-10 19:23:54 +08:00
Yang Luo	2aac265ed4	Improve populateContent()	2024-03-10 18:58:53 +08:00
xiao-kong-long	2dc755f529	fix: add more cert algorithms like ES256 and PS256 (#2793 )	2024-03-10 18:39:41 +08:00
Yang Luo	0dd474d5fc	feat: fix public profile page shows blank page bug	2024-03-10 14:12:24 +08:00
Yang Luo	6998451e97	fix: support roles and permissions in /userinfo API	2024-03-10 12:34:56 +08:00
Yang Luo	9175e5b664	Fix bug in GetMaskedEmail()	2024-03-10 11:49:55 +08:00
DacongDA	dbc6b0dc45	feat: fix issue that forget password page fails to redirect back to signin page (#2792 )	2024-03-10 09:55:44 +08:00
Yang Luo	31b7000f6a	fix: enable the only language for login page	2024-03-09 11:28:23 +08:00
DacongDA	d25eaa65cd	feat: support custom page footer (#2790 )	2024-03-08 23:11:03 +08:00
Yang Luo	f5bcd00652	Add language to records page	2024-03-08 23:03:30 +08:00
Yang Luo	0d5f49e40a	fix: fix GetResources() bug for app users	2024-03-08 16:15:31 +08:00
Yang Luo	3527e070a0	Fix my account page UI	2024-03-08 15:18:18 +08:00
Yang Luo	0108b58db4	Return status 200 for unauthorized operation, revert commit: `2fd2d88d20`	2024-03-08 15:11:25 +08:00
Yang Luo	976b5766a5	feat: refactor out token_oauth.go	2024-03-08 15:03:28 +08:00
Yang Luo	a92d20162a	feat: show all resources for org admin	2024-03-08 15:03:03 +08:00
Yang Luo	204b1c2b8c	Fix resource page link error	2024-03-08 14:44:39 +08:00
Yang Luo	49fb269170	Improve error handling for GetSamlResponse()	2024-03-08 02:17:50 +08:00
Yang Luo	c532a5d54d	Remove suspense fallback loading.	2024-03-07 23:21:25 +08:00
DacongDA	89df80baca	feat: remove loading fallback in Suspense and use spin to display (#2780 )	2024-03-06 20:30:54 +08:00
DacongDA	d988ac814c	fix: fix account items display error (#2781 )	2024-03-06 20:30:34 +08:00
Yang Luo	e4b25055d5	Improve isAllowedInDemoMode()	2024-03-06 02:17:28 +08:00
DacongDA	4123d47174	feat: callback will jump to blank page when from param start with "http" (#2778 )	2024-03-06 01:07:52 +08:00
Yang Luo	fbdd5a926d	Fix normal user my-account page blank bug	2024-03-06 01:07:28 +08:00
xiao-kong-long	92b6fda0f6	feat: support more objects in init_data JSON (#2776 )	2024-03-05 23:41:46 +08:00
DacongDA	6a7ac35e65	fix: fix wechat media account can not bind issue (#2774 ) * fix: fix wechat media account can not bind * fix: improve code format	2024-03-05 18:46:28 +08:00
DacongDA	fc137b9f76	feat: fix custom JS doesn't reload after refresh bug (#2773 )	2024-03-05 15:03:25 +08:00
DacongDA	11dbd5ba9a	fix: fix duplicated load bug of custom JS (#2771 )	2024-03-05 00:09:37 +08:00
Yang Luo	19942a8bd4	Add webhook.SingleOrgOnly	2024-03-04 21:14:52 +08:00
Yang Luo	f9ee8a68cb	Support Chrome extension redirecting	2024-03-04 18:31:56 +08:00
Ron	f241336ad7	feat: add OSON SMS provider (#2769 ) * implemented SMS provider 'OSON SMS' for frontend * feat: add 'OSON SMS' provider for frontend	2024-03-04 01:05:53 +08:00
Yang Luo	8b64d113fb	Upgrade go-sms-sender dependency to 0.20.0	2024-03-04 01:05:28 +08:00
DacongDA	a8800c4d5c	fix: add missing / for style tag in signin items (#2768 )	2024-03-03 23:46:57 +08:00
Yang Luo	75fc9ab9f7	Improve GetMaskedApplication()'s logic	2024-03-03 22:01:49 +08:00
Yang Luo	d06da76c3d	feat: fix bug in /get-organization-applications API	2024-03-03 21:08:36 +08:00
Yang Luo	bc399837cc	Rename label to "Custom CSS"	2024-03-03 20:45:14 +08:00
Yang Luo	265abfe102	fix: handle error in storage.GetStorageProvider()	2024-03-03 18:18:54 +08:00
DacongDA	12acb24dbc	feat: add transaction pages (#2761 )	2024-03-02 10:41:16 +08:00
Yang Luo	ba1ddc7e50	fix: admin can modify user ID now	2024-02-28 18:07:53 +08:00
Yang Luo	59e07a35aa	Add balance to user	2024-02-28 16:54:30 +08:00
DacongDA	cabe830f55	feat: use dynamic import to load web3Auth (#2757 ) * feat: use dynamic import to load web3Auth and success reduce the size of signin page to 720KB when web3 idp disabled * feat: avoid frequent import in OAuthWidget.js which may cause e2e test EPIPE error * feat: remove import may cause e2e error * feat: remove import may cause e2e error * feat: remove bug may cause e2e error * feat: try use chrome in ci/cd instead of electron to solve e2e error	2024-02-28 15:58:04 +08:00
DacongDA	78af5daec3	feat: use resourcesToBackend to load i18n files (#2755 )	2024-02-28 01:43:55 +08:00
Lénaïc Grolleau	6c76913f71	fix: Set default value for email and SMS rule to all instead of none (#2754 )	2024-02-28 01:28:59 +08:00
Yang Luo	5a0d1bcb6e	Support login by user ID	2024-02-28 01:28:24 +08:00
Yang Luo	37232faa07	feat: fix bug for missing SMS and Email provider in application	2024-02-27 22:54:35 +08:00
Yang Luo	4d9c81ef96	Fix broken error messages	2024-02-27 22:48:33 +08:00
DacongDA	b0d87f60ae	feat: use lazy load to load management pages (#2752 )	2024-02-27 22:31:02 +08:00
DacongDA	a5499219d1	fix: refactor out ManagementPage.js from App.js (#2750 ) * feat: basic separate * feat: nearly fully separate * feat: add License * feat: full load application in /login url, lazy load in /login/oauth... etc * fix: fix onChangeTheme error in organization edit page * fix: revert lazy load	2024-02-27 18:49:23 +08:00
DacongDA	6a813a1f8c	feat: fix headerHtml script not running bug (#2749 ) * fix: fix custom head not exec <script> tag * fix: fix create element bug	2024-02-26 20:21:07 +08:00
DacongDA	e4cf244cf8	fix: theme will fully restore after page reload (#2743 ) * fix: theme will set to default after flush * fix: use consume theme to ensure EntryPage will always use default themeAlgorithm * fix: fix logo render, add try catch to handle potential err cause by JSON.parse	2024-02-25 00:05:13 +08:00
DacongDA	f5a6415e57	feat: improve dark theme UI (#2742 )	2024-02-24 20:11:42 +08:00
DacongDA	13e871043c	fix: fix theme switch bug (#2741 )	2024-02-24 16:56:12 +08:00
DacongDA	a8699d0b87	feat: use React routing to remove spin between signup and signin pages (#2740 ) * fix: Regarding the color of loading * fix: use goToLinkSoft and use same code format with result and forget psw * fix: update signup url	2024-02-24 12:59:09 +08:00
hsluoyz	6621d693de	feat: revert "feat: use i18next-resources-to-backend to lazy load i18n" (#2739 ) This reverts commit `dc3131c683`.	2024-02-23 23:38:49 +08:00
DacongDA	dc3131c683	feat: use i18next-resources-to-backend to lazy load i18n (#2738 ) * feat: use i18next-resources-to-backend to lazy load i18n file * feat: change source in yarn.lock	2024-02-23 22:35:59 +08:00
zhuying1999	042a8d0ad6	feat: add rule for SMS and Email provider (#2733 ) * add phonecoderule * feat:add phone code rule * feat: add email rule * fix: merge	2024-02-23 00:09:37 +08:00
DacongDA	44abfb3430	feat: support custom header HTML in entry pages (#2731 )	2024-02-22 17:56:47 +08:00
Yang Luo	53b8424a1f	feat: fix JSON typo in init_data.json template	2024-02-21 17:33:08 +08:00
DacongDA	23c2ba3a2b	feat: support ssh key/pem file in DB syncer (#2727 ) * feat: support connect database with ssh tunnel in syncer * feat: improve i18n translate * feat: improve code format and i18n	2024-02-21 17:27:37 +08:00
许懿赫	3a9ffedce4	feat: support phone and Email in /api/login/oauth/access_token API (#2725 ) Phone Number supports for /api/login/oauth/access_token as username ✅ Closes: #2724	2024-02-21 17:27:24 +08:00
Yang Luo	03f005389f	feat: fix organizationChangeTrigger() and userChangeTrigger() bugs	2024-02-21 01:14:32 +08:00
Yang Luo	69a8346d05	Remove "/auto-signup/oauth/authorize" path introduced in PR: #896	2024-02-20 17:40:39 +08:00
Yang Luo	546512a0ea	Fix getCasvisorApplication()	2024-02-20 13:45:03 +08:00
DacongDA	c4a307b9ec	feat: add built-in "Records" pages back (#2720 )	2024-02-20 13:28:29 +08:00
DacongDA	d731c3c934	feat: add regex support for account item (#2714 ) * feat: add regex support for account item * feat: use reflect to process user field * fix: fix lint problem * feat: improve code format and fix reflect error	2024-02-17 15:24:36 +08:00
Yang Luo	4a68dd65cd	Fix typo in renderFormItem()	2024-02-16 10:13:50 +08:00
Yang Luo	d59148890e	Improve error handling for CheckVerificationCode()	2024-02-16 08:53:56 +08:00
Yang Luo	7f52755e32	feat: improve error messages	2024-02-16 01:13:34 +08:00
Yang Luo	eaa6f50085	Add initial value for grantTypes	2024-02-15 23:18:23 +08:00
Yaodong Yu	f35a5f9a47	feat: fix issue that admin cannot enable MFA for user (#2702 )	2024-02-14 23:29:04 +08:00
Yang Luo	7481b229a4	feat: show domain field for MinIO storage provider	2024-02-14 13:54:17 +08:00
Yang Luo	39e485ae82	Fix SigninTable issue	2024-02-14 12:20:03 +08:00
Yang Luo	764c64e67c	Fix SigninTable CSS	2024-02-14 12:10:30 +08:00
Yang Luo	e755a7331d	Fix renderLink()	2024-02-14 09:45:21 +08:00
hsluoyz	6d9d595f86	fix: Revert "fix: fix display bug in SigninTable" (#2700 ) This reverts commit `d52058d2ae`.	2024-02-14 09:44:42 +08:00
DacongDA	d52058d2ae	fix: fix display bug in SigninTable (#2698 ) * fix: fix display bug in SigninTable * fix: fix code bug * feat: improve code format * feat: improve code format	2024-02-14 09:26:51 +08:00
Yang Luo	bcfbfc6947	Support "signinUrl" in forget page	2024-02-14 02:36:52 +08:00
Yang Luo	75699c4a26	feat: improve code in getObject()	2024-02-13 23:50:21 +08:00
DacongDA	3e8bfb52a8	feat: add signin items table (#2695 ) * feat: add signin items table * fix:unable to login * feat: improve code format * fix: fix display err on signup link * feat: improve display of sign up link	2024-02-13 23:12:40 +08:00
Yaodong Yu	bbbd857a45	fix: fix bug that failed to run initApi adapter in docker (#2696 )	2024-02-13 23:12:25 +08:00
Andrey	498900df76	feat: allow dot in the username (like john.smith) (#2692 )	2024-02-12 20:52:17 +08:00
Dmitri Aleksandrov	7e3c1a6581	fix: improve goth code (#2693 ) Signed-off-by: Dmitrii Aleksandrov <goodmobiledevices@gmail.com>	2024-02-12 20:51:58 +08:00
github-actions[bot]	6e28043dba	refactor: New Crowdin translations (#2648 ) * refactor: New Crowdin translations by Github Action * refactor: New Crowdin Backend translations by Github Action --------- Co-authored-by: Crowdin Bot <support+bot@crowdin.com>	2024-02-12 18:54:31 +08:00
Yang Luo	cb200687dc	feat: fix GetUserByUserId() API crash issue	2024-02-12 18:51:55 +08:00
Lars Lehtonen	23bb0ee450	feat: fix error handling in AdfsIdProvider (#2687 )	2024-02-10 15:38:38 +08:00
Yang Luo	117259dfc5	ci: fix repo name in CI	2024-02-10 15:38:17 +08:00
DacongDA	e71d0476f0	feat: support data initialization for groups, adapters, enforcers, plans and pricings (#2685 )	2024-02-08 20:46:40 +08:00
Yang Luo	b5d26767b2	docs: improve README	2024-02-08 00:02:31 +08:00
DacongDA	5c4e22288e	feat: improve error handling and code format (#2682 ) * feat: improve error process and code format * feat: improve error process and code format	2024-02-07 20:55:33 +08:00
Satinder Singh	3ac4be64b8	fix: error msg for invalid org & app names in signup (#2679 )	2024-02-07 08:53:50 +08:00
DacongDA	97db54b6b9	feat: full support for wechat official account login (#2677 ) * feat: full support for wechat official account login * feat: improve provider edit page * fix: improve i18n format	2024-02-07 00:00:10 +08:00
Yang Luo	3a19d4c7c8	fix: do not filter webhooks by org	2024-02-06 20:33:11 +08:00