habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website: format docs with prettier (#2833)

Browse Source 
* run prettier

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add scim to comparison

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L
2022-05-09 21:22:41 +02:00
committed by GitHub
parent 26d92d9259
commit f9469e3f99
148 changed files with 3447 additions and 3107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
website/docs/flow/executors/headless.md
View File

@ -6,6 +6,6 @@ The headless flow executor is used by clients which don't have access to the web
The following stages are supported:
- [**identification**](../stages/identification/)
- [**password**](../stages/password/)
- [**authenticator_validate**](../stages/authenticator_validate/) (currently only DUO devices are supported)
- [**identification**](../stages/identification/)
- [**password**](../stages/password/)
- [**authenticator_validate**](../stages/authenticator_validate/) (currently only DUO devices are supported)

2
website/docs/flow/executors/user-settings.md
View File

@ -9,6 +9,6 @@ Requires authentik 2022.3.1
The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts.
This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface *if* a non-supported stage is returned.
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned.
To configure which flow is used for this, configure it in the tenant settings.

6
website/docs/flow/index.md
View File

@ -6,9 +6,9 @@ Flows are a method of describing a sequence of stages. A stage represents a sing
For example, a standard login flow would consist of the following stages:
- Identification, user identifies themselves via a username or email address
- Password, the user's password is checked against the hash in the database
- Log the user in
- Identification, user identifies themselves via a username or email address
- Password, the user's password is checked against the hash in the database
- Log the user in
Upon flow execution, a plan containing all stages is generated. This means that all attached policies are evaluated upon execution. This behaviour can be altered by enabling the **Re-evaluate Policies** option on the binding.

4
website/docs/flow/stages/authenticator_duo/index.md
View File

@ -22,7 +22,7 @@ This API requires version 2021.9.1 or later
You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:
- `duo_user_id`: The Duo User's ID. This can be found in the Duo Admin Portal, navigating to the user list and clicking on a single user. Their ID is shown in th URL.
- `username`: The authentik user's username to assign the device to.
- `duo_user_id`: The Duo User's ID. This can be found in the Duo Admin Portal, navigating to the user list and clicking on a single user. Their ID is shown in th URL.
- `username`: The authentik user's username to assign the device to.
Additionally, you need to pass `stage_uuid` which is the `authenticator_duo` stage, in which you entered your API credentials.

14
website/docs/flow/stages/authenticator_sms/index.md
View File

@ -8,23 +8,23 @@ This stage configures an SMS-based authenticator using either Twilio, or a gener
Navigate to https://console.twilio.com/, and log in to your existing account, or create a new one.
In the sidebar, navigate to *Explore Products*, then *Messaging*, and *Services* below that.
In the sidebar, navigate to _Explore Products_, then _Messaging_, and _Services_ below that.
Click on *Create Messaging Service* to create a new set of API credentials.
Click on _Create Messaging Service_ to create a new set of API credentials.
Give the service a Name, and select *Verify users* as a use-case.
Give the service a Name, and select _Verify users_ as a use-case.
In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs).
The other two steps can be skipped using the *Skip setup* button.
The other two steps can be skipped using the _Skip setup_ button.
Afterwards, copy the value of **Messaging Service SID**. This is the value for the *Twilio Account SID* field in authentik.
Afterwards, copy the value of **Messaging Service SID**. This is the value for the _Twilio Account SID_ field in authentik.
Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the *Twilio Auth Token* field in authentik.
Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the _Twilio Auth Token_ field in authentik.
## Generic
For the generic provider, a POST request will be sent to the URL you have specified in the *External API URL* field. The request payload looks like this
For the generic provider, a POST request will be sent to the URL you have specified in the _External API URL_ field. The request payload looks like this
```json
{

24
website/docs/flow/stages/authenticator_validate/index.md
View File

@ -4,19 +4,19 @@ title: Authenticator Validation Stage
This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages:
- [Duo authenticator stage](../authenticator_duo/)
- [SMS authenticator stage](../authenticator_sms/).
- [Static authenticator stage](../authenticator_static/).
- [TOTP authenticator stage](../authenticator_totp/)
- [WebAuth authenticator stage](../authenticator_webauthn/).
- [Duo authenticator stage](../authenticator_duo/)
- [SMS authenticator stage](../authenticator_sms/).
- [Static authenticator stage](../authenticator_static/).
- [TOTP authenticator stage](../authenticator_totp/)
- [WebAuth authenticator stage](../authenticator_webauthn/).
You can select which type of device classes are allowed.
Using the `Not configured action`, you can choose what happens when a user does not have any matching devices.
- Skip: Validation is skipped and the flow continues
- Deny: Access is denied, the flow execution ends
- Configure: This option requires a *Configuration stage* to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.
- Skip: Validation is skipped and the flow continues
- Deny: Access is denied, the flow execution ends
- Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.
## Passwordless authentication
@ -26,17 +26,17 @@ Requires authentik 2021.12.4
Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics.
To configure passwordless authentication, create a new Flow with the delegation set to *Authentication*.
To configure passwordless authentication, create a new Flow with the delegation set to _Authentication_.
As first stage, add an *Authentication validation* stage, with the WebAuthn device class allowed.
As first stage, add an _Authentication validation_ stage, with the WebAuthn device class allowed.
After this stage you can bind any additional verification stages.
As final stage, bind a *User login* stage.
As final stage, bind a _User login_ stage.
Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow.
#### Logging
Logins which used Passwordless authentication have the *auth_method* context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
```json
{

2
website/docs/flow/stages/deny.md
View File

@ -6,5 +6,5 @@ This stage stops the execution of a flow. This can be used to conditionally deny
even if they are not signed in (and permissions can't be checked via groups).
:::caution
To effectively use this stage, make sure to **disable** *Evaluate on plan* on the Stage binding.
To effectively use this stage, make sure to **disable** _Evaluate on plan_ on the Stage binding.
:::

84
website/docs/flow/stages/email/index.md
View File

@ -41,27 +41,21 @@ If you've add the line and created a file, and can't see if, check the logs usin
Templates are rendered using Django's templating engine. The following variables can be used:
- `url`: The full URL for the user to click on
- `user`: The pending user object.
- `expires`: The timestamp when the token expires.
- `url`: The full URL for the user to click on
- `user`: The pending user object.
- `expires`: The timestamp when the token expires.
```html
{# This is how you can write comments which aren't rendered. #}
{# Extend this template from the base email template, which includes base layout and CSS. #}
{% extends "email/base.html" %}
{# Load the internationalization module to translate strings, and humanize to show date-time #}
{% load i18n %}
{% load humanize %}
{# The email/base.html template uses a single "content" block #}
{% block content %}
{# This is how you can write comments which aren't rendered. #} {# Extend this
template from the base email template, which includes base layout and CSS. #} {%
extends "email/base.html" %} {# Load the internationalization module to
translate strings, and humanize to show date-time #} {% load i18n %} {% load
humanize %} {# The email/base.html template uses a single "content" block #} {%
block content %}
<tr>
<td class="alert alert-success">
{% blocktrans with username=user.username %}
Hi {{ username }},
{% endblocktrans %}
{% blocktrans with username=user.username %} Hi {{ username }}, {%
endblocktrans %}
</td>
</tr>
<tr>
@ -69,35 +63,55 @@ Templates are rendered using Django's templating engine. The following variables
<table width="100%" cellpadding="0" cellspacing="0">
<tr>
<td class="content-block">
{% blocktrans %}
You recently requested to change your password for you authentik account. Use the button below to set a new password.
{% endblocktrans %}
{% blocktrans %} You recently requested to change your
password for you authentik account. Use the button below to
set a new password. {% endblocktrans %}
</td>
</tr>
<tr>
<td class="content-block">
<table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
<table
role="presentation"
border="0"
cellpadding="0"
cellspacing="0"
class="btn btn-primary"
>
<tbody>
<tr>
<td align="center">
<table role="presentation" border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td> <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">{% trans 'Reset Password' %}</a> </td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td align="center">
<table
role="presentation"
border="0"
cellpadding="0"
cellspacing="0"
>
<tbody>
<tr>
<td>
<a
id="confirm"
href="{{ url }}"
rel="noopener noreferrer"
target="_blank"
>{% trans 'Reset
Password' %}</a
>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td class="content-block">
{% blocktrans with expires=expires|naturaltime %}
If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}.
{% endblocktrans %}
{% blocktrans with expires=expires|naturaltime %} If you did
not request a password change, please ignore this Email. The
link above is valid for {{ expires }}. {% endblocktrans %}
</td>
</tr>
</table>

4
website/docs/flow/stages/identification/index.md
View File

@ -11,8 +11,8 @@ This stage provides a ready-to-go form for users to identify themselves.
Select which fields the user can use to identify themselves. Multiple fields can be specified and separated with a comma.
Valid choices:
- email
- username
- email
- username
### Template

2
website/docs/flow/stages/invitation/index.md
View File

@ -10,4 +10,4 @@ To check if a user has used an invitation within a policy, you can check `reques
To use an invitation, use the URL `https://authentik.tld/if/flow/your-enrollment-flow/?itoken=invitation-token`.
You can also prompt the user for an invite by using the [*Prompt stage*](../prompt/) by using a field with a field key of `token`.
You can also prompt the user for an invite by using the [_Prompt stage_](../prompt/) by using a field with a field key of `token`.

4
website/docs/flow/stages/password/index.md
View File

@ -6,7 +6,7 @@ This is a generic password prompt which authenticates the current `pending_user`
## Passwordless login
To achieve a "passwordless" experience; authenticating users based only on TOTP/WebAuthn/Duo, create an expression policy and optionally skip the password stage.
To achieve a "passwordless" experience; authenticating users based only on TOTP/WebAuthn/Duo, create an expression policy and optionally skip the password stage.
Depending on what kind of device you want to require the user to have:
@ -26,4 +26,4 @@ return DuoDevice.objects.filter(user=request.user, confirmed=True).exists()
Afterwards, bind the policy you've created to the stage binding of the password stage.
Make sure to uncheck *Evaluate on plan* and check *Re-evaluate policies*, otherwise an invalid result will be cached.
Make sure to uncheck _Evaluate on plan_ and check _Re-evaluate policies_, otherwise an invalid result will be cached.

38
website/docs/flow/stages/prompt/index.md
View File

@ -8,27 +8,27 @@ This stage is used to show the user arbitrary prompts.
The prompt can be any of the following types:
| Type | Description |
| -------- | ----------------------------------------------------------------- |
| Text | Arbitrary text. No client-side validation is done. |
| Text (Read only) | Same as above, but cannot be edited. |
| Username | Same as text, except the username is validated to be unique. |
| Email | Text input, ensures the value is an email address (validation is only done client-side). |
| Password | Same as text, shown as a password field client-side, and custom validation (see below). |
| Number | Numerical textbox. |
| Checkbox | Simple checkbox. |
| Date | Same as text, except the client renders a date-picker |
| Date-time | Same as text, except the client renders a date-time-picker |
| Separator | Passive element to group surrounding elements |
| Hidden | Hidden input field. Allows for the pre-setting of default values. |
| Static | Display arbitrary value as is |
| authentik: Locale | Display a list of all locales authentik supports. |
| Type | Description |
| ----------------- | ---------------------------------------------------------------------------------------- |
| Text | Arbitrary text. No client-side validation is done. |
| Text (Read only) | Same as above, but cannot be edited. |
| Username | Same as text, except the username is validated to be unique. |
| Email | Text input, ensures the value is an email address (validation is only done client-side). |
| Password | Same as text, shown as a password field client-side, and custom validation (see below). |
| Number | Numerical textbox. |
| Checkbox | Simple checkbox. |
| Date | Same as text, except the client renders a date-picker |
| Date-time | Same as text, except the client renders a date-time-picker |
| Separator | Passive element to group surrounding elements |
| Hidden | Hidden input field. Allows for the pre-setting of default values. |
| Static | Display arbitrary value as is |
| authentik: Locale | Display a list of all locales authentik supports. |
Some types have special behaviors:
- *Username*: Input is validated against other usernames to ensure a unique value is provided.
- *Password*: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown
- *Hidden* and *Static*: Their placeholder values are defaults and are not user-changeable.
- _Username_: Input is validated against other usernames to ensure a unique value is provided.
- _Password_: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown
- _Hidden_ and _Static_: Their placeholder values are defaults and are not user-changeable.
A prompt has the following attributes:
@ -52,7 +52,7 @@ A flag which decides whether or not this field is required.
A field placeholder, shown within the input field. This field is also used by the `hidden` type as the actual value.
By default, the placeholder is interpreted as-is. If you enable *Interpret placeholder as expression*, the placeholder
By default, the placeholder is interpreted as-is. If you enable _Interpret placeholder as expression_, the placeholder
will be evaluated as a python expression. This happens in the same environment as [_Property mappings_](../../../property-mappings/expression).
You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data.

16
website/docs/flow/stages/user_login.md
View File

@ -8,16 +8,16 @@ It can be used after `user_write` during an enrollment flow, or after a `passwor
## Session duration
By default, the authentik session expires when you close your browser (*seconds=0*).
By default, the authentik session expires when you close your browser (_seconds=0_).
You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed:
- Microseconds
- Milliseconds
- Seconds
- Minutes
- Hours
- Days
- Weeks
- Microseconds
- Milliseconds
- Seconds
- Minutes
- Hours
- Days
- Weeks
All values accept floating-point values.