stages/authenticator_webauthn: Add WebAuthn client hints support

[melizeche]

Details

Adds WebAuthn client hints support (W3C WebAuthn Level 3) to both registration and authentication stages.
Admins can configure hints (security-key, client-device, hybrid) to guide browsers in prioritizing the preferred authenticator type in their UI.
For backward compatibility with older browsers that don't understand hints, authenticatorAttachment is auto-inferred from the selected hints when not explicitly set.

closes #6473

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	d1f8933
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/69a7aa063b140f0008a7377c
😎 Deploy Preview	https://deploy-preview-20700--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	d1f8933
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69a7aa040dae940008ccd670
😎 Deploy Preview	https://deploy-preview-20700--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.42%. Comparing base (0581c6a) to head (795297d).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #20700      +/-   ##
==========================================
+ Coverage   93.40%   93.42%   +0.02%     
==========================================
  Files         983      983              
  Lines       55473    55615     +142     
==========================================
+ Hits        51814    51958     +144     
+ Misses       3659     3657       -2     

Flag	Coverage Δ
conformance	37.55% <6.16%> (-0.09%)	⬇️
e2e	43.20% <11.64%> (-0.07%)	⬇️
integration	22.40% <5.47%> (-0.05%)	⬇️
unit	91.57% <100.00%> (+0.02%)	⬆️
unit-migrate	91.66% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-795297dfeda4787c698bf9fd06d66e9d6136f789
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-795297dfeda4787c698bf9fd06d66e9d6136f789

Afterwards, run the upgrade commands from the latest release notes.

[BeryJu]

LGTM for the backend, frontend imo should dualselect and if possible dual select without search (only 3 items, search doesn't make sense)

[melizeche]

@BeryJu necessary changes in <ak-dual-select> for this to work -> #20749