website/docs: add docs for different flow executors

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/docs/flow/executors/headless.md

@@ -0,0 +1,11 @@
+---
+title: Headless
+---
+
+The headless flow executor is used by clients which don't have access to the web interface. It is currently used by the LDAP outpost to authenticate users.
+
+The following stages are supported:
+
+- [**identification**](../stages/identification/)
+- [**password**](../stages/password/)
+- [**authenticator_validate**](../stages/authenticator_validate/) (currently only DUO devices are supported)

website/docs/flow/executors/if-flow.md

@@ -0,0 +1,5 @@
+---
+title: Default (Web)
+---
+
+This is the default, web-based environment flows are executed in. All stages are compatible with this environment and no limitations are imposed.

website/docs/flow/executors/user-settings.md

@@ -0,0 +1,14 @@
+---
+title: User settings
+---
+
+:::info
+Requires authentik 2022.3.1
+:::
+
+The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts.
+
+This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
+Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface *if* a non-supported stage is returned.
+
+To configure which flow is used for this, configure it in the tenant settings.

website/docs/flow/index.md

@@ -18,6 +18,8 @@ To determine which flow is linked, authentik searches all flows with the require
 
 Flows can have policies assigned to them. These policies determine if the current user is allowed to see and use this flow.
 
+Keep in mind that in certain circumstances, policies cannot match against users and groups as there is no authenticated user yet.
+
 ## Designation
 
 Flows are designated for a single purpose. This designation changes when a flow is used. The following designations are available:
@@ -47,6 +49,6 @@ This designates a flow for unenrollment. This flow can contain any amount of ver
 This designates a flow for recovery. This flow normally contains an [**identification**](stages/identification/) stage to find the user. It can also contain any amount of verification stages, such as [**email**](stages/email/) or [**captcha**](stages/captcha/).
 Afterwards, use the [**prompt**](stages/prompt/) stage to ask the user for a new password and the [**user_write**](stages/user_write.md) stage to update the password.
 
-### Setup
+### Stage configuration
 
 This designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure Factors, like change a password and setup TOTP.

website/sidebars.js

@@ -75,7 +75,20 @@ module.exports = {
         {
             type: "category",
             label: "Flows",
-            items: ["flow/index", "flow/inspector", "flow/examples"],
+            items: [
+                "flow/index",
+                "flow/inspector",
+                "flow/examples",
+                {
+                    type: "category",
+                    label: "Executors",
+                    items: [
+                        "flow/executors/if-flow",
+                        "flow/executors/user-settings",
+                        "flow/executors/headless",
+                    ],
+                },
+            ],
         },
         {
             type: "category",