diff --git a/pkgs/by-name/ka/kanidm/patches/oauth2-basic-secret-modify.patch b/pkgs/by-name/ka/kanidm/patches/oauth2-basic-secret-modify.patch index afff94ca51e9..80bd4c16bd9b 100644 --- a/pkgs/by-name/ka/kanidm/patches/oauth2-basic-secret-modify.patch +++ b/pkgs/by-name/ka/kanidm/patches/oauth2-basic-secret-modify.patch @@ -1,6 +1,6 @@ -From 44dfbc2b9dccce86c7d7e7b54db4c989344b8c56 Mon Sep 17 00:00:00 2001 +From e9dfca73e6fb80faf6fc106e7aee6b93c0908525 Mon Sep 17 00:00:00 2001 From: oddlama -Date: Mon, 12 Aug 2024 23:17:25 +0200 +Date: Fri, 1 Nov 2024 12:26:17 +0100 Subject: [PATCH 1/2] oauth2 basic secret modify --- @@ -11,10 +11,10 @@ Subject: [PATCH 1/2] oauth2 basic secret modify 4 files changed, 82 insertions(+), 1 deletion(-) diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs -index e00a969fb..1cacc67b8 100644 +index 732e826c8..0fe66503f 100644 --- a/server/core/src/actors/v1_write.rs +++ b/server/core/src/actors/v1_write.rs -@@ -315,20 +315,62 @@ impl QueryServerWriteV1 { +@@ -317,20 +317,62 @@ impl QueryServerWriteV1 { }; trace!(?del, "Begin delete event"); @@ -39,7 +39,7 @@ index e00a969fb..1cacc67b8 100644 + ) -> Result<(), OperationError> { + // Given a protoEntry, turn this into a modification set. + let ct = duration_from_epoch_now(); -+ let mut idms_prox_write = self.idms.proxy_write(ct).await; ++ let mut idms_prox_write = self.idms.proxy_write(ct).await?; + let ident = idms_prox_write + .validate_client_auth_info_to_ident(client_auth_info, ct) + .map_err(|e| { @@ -78,7 +78,7 @@ index e00a969fb..1cacc67b8 100644 filter: Filter, eventid: Uuid, diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs -index 8aba83bb2..f1f815026 100644 +index c410a4b5d..cc67cac6c 100644 --- a/server/core/src/https/v1.rs +++ b/server/core/src/https/v1.rs @@ -1,17 +1,17 @@ 
@@ -100,7 +100,7 @@ index 8aba83bb2..f1f815026 100644 use kanidm_proto::internal::{ ApiToken, AppLink, CUIntentToken, CURequest, CUSessionToken, CUStatus, CreateRequest, CredentialStatus, DeleteRequest, IdentifyUserRequest, IdentifyUserResponse, ModifyRequest, -@@ -3119,20 +3119,24 @@ pub(crate) fn route_setup(state: ServerState) -> Router { +@@ -3120,20 +3120,24 @@ pub(crate) fn route_setup(state: ServerState) -> Router { ) .route( "/v1/oauth2/:rs_name/_image", @@ -126,7 +126,7 @@ index 8aba83bb2..f1f815026 100644 .delete(super::v1_oauth2::oauth2_id_sup_scopemap_delete), ) diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs -index 5e481afab..a771aed04 100644 +index d3966a7ad..f89c02c69 100644 --- a/server/core/src/https/v1_oauth2.rs +++ b/server/core/src/https/v1_oauth2.rs @@ -144,20 +144,49 @@ pub(crate) async fn oauth2_id_get_basic_secret( @@ -180,47 +180,10 @@ index 5e481afab..a771aed04 100644 tag = "v1/oauth2", operation_id = "oauth2_id_patch" diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs -index f3409649d..42e407b7d 100644 +index be1836345..ebf4445be 100644 --- a/server/lib/src/constants/acp.rs 
+++ b/server/lib/src/constants/acp.rs -@@ -645,34 +645,36 @@ lazy_static! { - Attribute::Image, - ], - modify_present_attrs: vec![ - Attribute::Description, - Attribute::DisplayName, - Attribute::OAuth2RsName, - Attribute::OAuth2RsOrigin, - Attribute::OAuth2RsOriginLanding, - Attribute::OAuth2RsSupScopeMap, - Attribute::OAuth2RsScopeMap, -+ Attribute::OAuth2RsBasicSecret, - Attribute::OAuth2AllowInsecureClientDisablePkce, - Attribute::OAuth2JwtLegacyCryptoEnable, - Attribute::OAuth2PreferShortUsername, - Attribute::Image, - ], - create_attrs: vec![ - Attribute::Class, - Attribute::Description, - Attribute::DisplayName, - Attribute::OAuth2RsName, - Attribute::OAuth2RsOrigin, - Attribute::OAuth2RsOriginLanding, - Attribute::OAuth2RsSupScopeMap, - Attribute::OAuth2RsScopeMap, -+ Attribute::OAuth2RsBasicSecret, - Attribute::OAuth2AllowInsecureClientDisablePkce, - Attribute::OAuth2JwtLegacyCryptoEnable, - Attribute::OAuth2PreferShortUsername, - Attribute::Image, - ], - create_classes: vec![ - EntryClass::Object, - EntryClass::OAuth2ResourceServer, - EntryClass::OAuth2ResourceServerBasic, - EntryClass::OAuth2ResourceServerPublic, -@@ -739,36 +741,38 @@ lazy_static! { +@@ -658,36 +658,38 @@ lazy_static! { Attribute::Image, ], modify_present_attrs: vec![ @@ -259,7 +222,7 @@ index f3409649d..42e407b7d 100644 create_classes: vec![ EntryClass::Object, EntryClass::OAuth2ResourceServer, -@@ -840,36 +844,38 @@ lazy_static! { +@@ -759,37 +761,39 @@ lazy_static! { Attribute::Image, ], modify_present_attrs: vec![ @@ -282,6 +245,7 @@ index f3409649d..42e407b7d 100644 Attribute::Class, Attribute::Description, Attribute::Name, + Attribute::DisplayName, Attribute::OAuth2RsName, Attribute::OAuth2RsOrigin, Attribute::OAuth2RsOriginLanding, 
@@ -298,6 +262,47 @@ index f3409649d..42e407b7d 100644 create_classes: vec![ EntryClass::Object, EntryClass::Account, +@@ -864,38 +868,40 @@ lazy_static! { + Attribute::OAuth2StrictRedirectUri, + ], + modify_present_attrs: vec![ + Attribute::Description, + Attribute::DisplayName, + Attribute::Name, + Attribute::OAuth2RsOrigin, + Attribute::OAuth2RsOriginLanding, + Attribute::OAuth2RsSupScopeMap, + Attribute::OAuth2RsScopeMap, ++ Attribute::OAuth2RsBasicSecret, + Attribute::OAuth2AllowInsecureClientDisablePkce, + Attribute::OAuth2JwtLegacyCryptoEnable, + Attribute::OAuth2PreferShortUsername, + Attribute::OAuth2AllowLocalhostRedirect, + Attribute::OAuth2RsClaimMap, + Attribute::Image, + Attribute::OAuth2StrictRedirectUri, + ], + create_attrs: vec![ + Attribute::Class, + Attribute::Description, + Attribute::Name, + Attribute::DisplayName, + Attribute::OAuth2RsName, + Attribute::OAuth2RsOrigin, + Attribute::OAuth2RsOriginLanding, + Attribute::OAuth2RsSupScopeMap, + Attribute::OAuth2RsScopeMap, ++ Attribute::OAuth2RsBasicSecret, + Attribute::OAuth2AllowInsecureClientDisablePkce, + Attribute::OAuth2JwtLegacyCryptoEnable, + Attribute::OAuth2PreferShortUsername, + Attribute::OAuth2AllowLocalhostRedirect, + Attribute::OAuth2RsClaimMap, + Attribute::Image, + Attribute::OAuth2StrictRedirectUri, + ], + create_classes: vec![ + EntryClass::Object, -- -2.45.2 +2.46.1 diff --git a/pkgs/by-name/ka/kanidm/patches/recover-account.patch b/pkgs/by-name/ka/kanidm/patches/recover-account.patch index a344f5a2086f..1ec61301f036 100644 --- a/pkgs/by-name/ka/kanidm/patches/recover-account.patch +++ b/pkgs/by-name/ka/kanidm/patches/recover-account.patch @@ -1,6 +1,6 @@ -From cc8269489b56755714f07eee4671f8aa2659c014 Mon Sep 17 00:00:00 2001 +From c8ed69efe3f702b19834c2659be1dd3ec2d41c17 Mon Sep 17 00:00:00 2001 From: oddlama -Date: Mon, 12 Aug 2024 23:17:42 +0200 +Date: Fri, 1 Nov 2024 12:27:43 +0100 Subject: [PATCH 2/2] recover account --- 
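Review bot: The rebased patch now inserts `Attribute::OAuth2RsBasicSecret` into the `modify_present_attrs` and `create_attrs` lists of a `lazy_static!` ACP block at upstream line 864 that the previous revision of this patch did not touch, while the inner hunk at old line 645 is dropped in the `@@ -180,47 +180,10 @@` hunk above; neither the outer commit nor the embedded patch subject (`oauth2 basic secret modify`) says which access-control profile that block defines or why the set of patched profiles changed. It may simply be the earlier block shifted by upstream edits, but the diff alone does not show that, and this attribute grant is what allows a principal to write an OAuth2 client secret, so a reviewer cannot tell from here which group gains that ability. Please extend the embedded patch description with one sentence per touched ACP, e.g. `Grants modify/create of OAuth2RsBasicSecret under <ACP name placeholder> (receiver: <group placeholder>) so that the secret can be set declaratively.` The `lazy_static!` block containing these vectors starts and ends outside the hunk.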
@@ -11,10 +11,10 @@ Subject: [PATCH 2/2] recover account 4 files changed, 22 insertions(+), 5 deletions(-) diff --git a/server/core/src/actors/internal.rs b/server/core/src/actors/internal.rs -index 40c18777f..40d553b40 100644 +index 420e72c6c..5c4353116 100644 --- a/server/core/src/actors/internal.rs +++ b/server/core/src/actors/internal.rs -@@ -153,25 +153,26 @@ impl QueryServerWriteV1 { +@@ -171,25 +171,26 @@ impl QueryServerWriteV1 { } #[instrument( @@ -29,7 +29,7 @@ index 40c18777f..40d553b40 100644 eventid: Uuid, ) -> Result { let ct = duration_from_epoch_now(); - let mut idms_prox_write = self.idms.proxy_write(ct).await; + let mut idms_prox_write = self.idms.proxy_write(ct).await?; - let pw = idms_prox_write.recover_account(name.as_str(), None)?; + let pw = idms_prox_write.recover_account(name.as_str(), password.as_deref())?; @@ -95,10 +95,10 @@ index 90ccb1927..85e31ddef 100644 Some(ctrl_tx) => show_replication_certificate(ctrl_tx).await, None => { diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs -index 577995615..a967928c9 100644 +index 7486d34a8..784106352 100644 --- a/server/daemon/src/main.rs +++ b/server/daemon/src/main.rs -@@ -894,27 +894,39 @@ async fn kanidm_main( +@@ -903,27 +903,39 @@ async fn kanidm_main( } else { let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); submit_admin_req( @@ -169,5 +169,5 @@ index f1b45a5b3..9c013e32e 100644 /// Renew this server's replication certificate RenewReplicationCertificate { -- -2.45.2 +2.46.1