stages/redirect: create redirect stage (#12275)

* create redirect stage

* show "keep context" toggle in Flow mode only

* fix typos

* add docs

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

* simplify property pass

* simplify toggle

* remove `print` statements

whoops

* fix typo

* remove default from `RedirectStage.mode`

* remove migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* oops

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* adjust docs

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Simonyi Gergő
2024-12-12 18:00:09 +01:00
committed by GitHub
parent 587f2d74ac
commit ff504a3b80
35 changed files with 1314 additions and 40 deletions

View File

@ -12,6 +12,8 @@ For example, in the Identification Stage (part of the default login flow), you c
Any data can be stored in the flow context, however there are some reserved keys in the context dictionary that are used by authentik stages.
To manage flow context on a more granular level, see [Setting flow context keys](../../../../customize/policies/expression/managing_flow_context_keys.md).
## Context dictionary and reserved keys
This section describes the data (the context) that are used in authentik, and provides a list of keys, what they are used for and when they are set.
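Review bot: The added link on the line starting "To manage flow context on a more granular level" is labelled "Setting flow context keys", but the page it points to is titled "Managing flow context keys" in this same commit. Use the page title as the link text so readers find the same name in the sidebar and in search. While here, the context line below it reads "the data (the context) that are used"; "that is used" would be cleaner.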
@ -68,11 +70,15 @@ When a flow is executed by an Outpost (for example the [LDAP](../../../providers
#### `is_sso` (boolean)
Set to `True` when the flow is executed from an "SSO" context. For example, this is set when a flow is used during the authentication or enrollment via an external source, and if a flow is executed to authorize access to an application.
This key is set to `True` when the flow is executed from an "SSO" context. For example, this is set when a flow is used during the authentication or enrollment via an external source, and if a flow is executed to authorize access to an application.
#### `is_restored` (Token object)
Set when a flow execution is continued from a token. This happens for example when an [Email stage](../../stages/email/index.mdx) is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution.
This key is set when a flow execution is continued from a token. This happens for example when an [Email stage](../../stages/email/index.mdx) is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution.
#### `is_redirected` (Flow object)
This key is set when the current flow was reached through a [Redirect stage](../../stages/redirect/index.md) in Flow mode.
### Stage-specific keys
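Review bot: The new `is_redirected` entry gives the type as "Flow object" but never says which flow that object is, unlike `is_restored` just above, which states what its token contains. The flow documentation in this commit lets a flow require that it was started by a Redirect stage, and the Redirect stage page says this is the one key that survives when "Keep flow context" is off, so readers will treat it as a trust signal. Please state which flow is stored here, and whether policies are expected to set or clear it themselves.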
@ -189,3 +195,11 @@ Optionally override the email address that the email will be sent to. If not set
##### `pending_user_identifier` (string)
If _Show matched user_ is disabled, this key will be set to the user identifier entered by the user in the identification stage.
#### Redirect stage
##### `redirect_stage_target` (string)
[Set this key](../../../../customize/policies/expression/managing_flow_context_keys.md) in an Expression Policy to override [Redirect stage](../../stages/redirect/index.md) to force it to redirect to a certain URL or flow. This is useful when a flow requires that the redirection target be decided dynamically.
Use the format `ak-flow://{slug}` to use the Redirect stage in Flow mode. Any other format will result in the Redirect stage running in Static mode.
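Review bot: The last sentence of the `redirect_stage_target` entry says any value not in the form `ak-flow://{slug}` runs the stage in Static mode, so a mistyped prefix is not reported as an error but silently becomes a redirect to whatever string was set. Document that, say what happens when the slug does not match an existing flow, and add a sentence advising that the value be chosen from fixed targets inside the policy rather than copied from request or prompt data, since this key decides where the user is sent. The first sentence would also read better as "to override the target configured on the Redirect stage".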

View File

@ -44,7 +44,7 @@ To create a flow, follow these steps:
2. In the Admin interface, navigate to **Flows and Stages -> Flows**.
3. Click **Create**, define the flow using the [configuration settings](#flow-configuration-options) described below, and then click **Finish**.
After creating the flow, you can then [bind specific stages](../stages/index.md#bind-a-stage-to-a-flow) to the flow and [bind policies](../../../customize/policies/working_with_policies/working_with_policies.md) to the flow to further customize the user's log in and authentication process.
After creating the flow, you can then [bind specific stages](../stages/index.md#bind-a-stage-to-a-flow) to the flow and [bind policies](../../../customize/policies/working_with_policies.md) to the flow to further customize the user's log in and authentication process.
To determine which flow should be used, authentik will first check which default authentication flow is configured in the active [**Brand**](../../../customize/brands.md). If no default is configured there, the policies in all flows with the matching designation are checked, and the first flow with matching policies sorted by `slug` will be used.
@ -66,7 +66,7 @@ import Defaultflowlist from "../flow/flow_list/\_defaultflowlist.mdx";
<Defaultflowlist />
**Authentication**: Using this option, you can configure whether the the flow requires initial authentication or not, whether the user must be a superuser, or if the flow requires an outpost.
**Authentication**: Using this option, you can configure whether the the flow requires initial authentication or not, whether the user must be a superuser, if the flow can only be started after being redirected by a [Redirect stage](../stages/redirect/index.md), or if the flow requires an outpost.
**Behavior settings**:
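Review bot: The rewritten **Authentication** line still carries the doubled word in "whether the the flow"; fix it while the line is being changed. The sentence now chains "whether ... whether ... if ... or if", which is hard to scan; a bullet per option would help. For the new option, say that it applies to flows reached through a Redirect stage in Flow mode, which is how the `is_redirected` key is described in the context reference.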

View File

@ -43,7 +43,7 @@ To create a stage, follow these steps:
2. In the Admin interface, navigate to **Flows and Stages -> Stages**.
3. Click **Create**, define the flow using the configuration settings, and then click **Finish**.
After creating the stage, you can then [bind the stage to a flow](#bind-a-stage-to-a-flow) or [bind a policy to the stage](../../../customize/policies/working_with_policies/working_with_policies.md) (the policy determines whether or not the stage will be implemented in the flow).
After creating the stage, you can then [bind the stage to a flow](#bind-a-stage-to-a-flow) or [bind a policy to the stage](../../../customize/policies/working_with_policies.md) (the policy determines whether or not the stage will be implemented in the flow).
## Bind a stage to a flow
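Review bot: In the context just above the changed link, step 3 of creating a stage says "define the flow using the configuration settings"; on this page that should be "define the stage". It is outside the changed line but worth fixing in the same pass.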

View File

@ -0,0 +1,17 @@
---
title: Redirect stage
---
This stage's main purpose is to redirect the user to a new Flow while keeping flow context. For convenience, it can also redirect the user to a static URL.
## Redirect stage modes
### Static mode
When the user reaches this stage, they are redirected to a static URL.
### Flow mode
When the user reaches this stage, they are redirected to a specified flow, retaining all [flow context](../../flow/context).
Optionally, untoggle the "Keep flow context" switch. If this is untoggled, all flow context is cleared with the exception of the [is_redirected](../../flow/context#is_redirected-flow-object) key.
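Review bot: The new page does not mention the `redirect_stage_target` context key, which the context reference added in this commit says can override this stage's target and mode; add a cross-link under "Redirect stage modes". For Flow mode, spell out what "retaining all flow context" implies: everything earlier stages stored is handed to the target flow, so say when turning "Keep flow context" off is the better choice. "Untoggle" and "is untoggled" would be clearer as "turn off" and "is off", and "Flow" is capitalised in the first sentence while the rest of the page uses "flow".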

View File

@ -0,0 +1,17 @@
---
title: Managing flow context keys
---
[Flow context](../../../add-secure-apps/flows-stages/flow/context/index.md) can be managed in [Expression policies](../expression.mdx) via the `context['flow_plan'].context` variable.
Here's an example of setting a key in an Expression policy:
```python
context['flow_plan'].context['redirect_stage_target'] = 'ak-flow://redirected-authentication-flow'
```
And here's an example of removing that key:
```python
context['flow_plan'].context.pop('redirect_stage_target', None)
```
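Review bot: Both snippets are single statements, and the page does not say where the policy has to be bound so that the key is in place before the Redirect stage runs, or that removing the key returns the stage to its configured target. Add a sentence on binding order and show the snippet as a complete policy body, so it can be pasted into an Expression policy as written.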

View File

@ -8,7 +8,7 @@ In effect, policies determine whether or not a specific stage is applied to a fl
For example, you can create a policy that, for certain users, skips over a stage that prompts for MFA input. Or, you can define a policy that allows users to access a login flow only if the policy criteria are met. See below for other policies, including the reputation policy and an events-driven policy to manage notifications.
For instructions about creating and binding policies to flows and stages, refer to ["Working with policies](./working_with_policies/working_with_policies.md)".
For instructions about creating and binding policies to flows and stages, refer to ["Working with policies](./working_with_policies.md)".
## Standard policies
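Review bot: In the changed line the opening quotation mark sits inside the link text and the closing one outside it: `["Working with policies](./working_with_policies.md)".` Either move both quotes outside the brackets or drop them, since the line is being edited anyway.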

View File

@ -2,11 +2,11 @@
title: Working with policies
---
For an overview of policies, refer to our documentation on [Policies](../index.md).
For an overview of policies, refer to our documentation on [Policies](./index.md).
authentik provides several [standard policy types](../index.md#standard-policies), which can be configured for your specific needs.
authentik provides several [standard policy types](./index.md#standard-policies), which can be configured for your specific needs.
We also document how to use a policy to [whitelist email domains](./whitelist_email.md) and to [ensure unique email addresses](./unique_email.md).
We also document how to use a policy to [whitelist email domains](./expression/whitelist_email.md) and to [ensure unique email addresses](./expression/unique_email.md).
## Create a policy
@ -19,7 +19,7 @@ To create a new policy, follow these steps:
## Bind a policy to a flow or stage
After creating the policy, you can bind it to either a [flow](../../../add-secure-apps/flows-stages/flow/index.md) or to a [stage](../../../add-secure-apps/flows-stages/stages/index.md).
After creating the policy, you can bind it to either a [flow](../../add-secure-apps/flows-stages/flow/index.md) or to a [stage](../../add-secure-apps/flows-stages/stages/index.md).
:::info
Bindings are instantiated objects themselves, and conceptually can be considered as the "connector" between the policy and the stage or flow. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the policy. You can edit bindings on a flow's **Stage Bindings** tab.

View File

@ -4,7 +4,7 @@ title: Manage users
The following topics are for the basic management of users: how to create, modify, delete or deactivate users, and using a recovery email.
[Policies](../../customize/policies/index.md) can be used to further manage how users are authenticated. For example, by default authentik does not require email addresses be unique, but you can use a policy to [enforce unique email addresses](../../customize/policies/working_with_policies/unique_email.md).
[Policies](../../customize/policies/index.md) can be used to further manage how users are authenticated. For example, by default authentik does not require email addresses be unique, but you can use a policy to [enforce unique email addresses](../../customize/policies/expression/unique_email.md).
### Create a user

View File

@ -463,13 +463,25 @@
[[redirects]]
from = "/docs/policies/working_with_policies/unique_email"
to = "/docs/customize/policies/working_with_policies/unique_email"
to = "/docs/customize/policies/expression/unique_email"
status = 302
force = true
[[redirects]]
from = "/docs/customize/policies/working_with_policies/unique_email"
to = "/docs/customize/policies/expression/unique_email"
status = 302
force = true
[[redirects]]
from = "/docs/policies/working_with_policies/whitelist_email"
to = "/docs/customize/policies/working_with_policies/whitelist_email"
to = "/docs/customize/policies/expression/whitelist_email"
status = 302
force = true
[[redirects]]
from = "/docs/customize/policies/working_with_policies/whitelist_email"
to = "/docs/customize/policies/expression/whitelist_email"
status = 302
force = true

View File

@ -297,6 +297,7 @@ export default {
"add-secure-apps/flows-stages/stages/invitation/index",
"add-secure-apps/flows-stages/stages/password/index",
"add-secure-apps/flows-stages/stages/prompt/index",
"add-secure-apps/flows-stages/stages/redirect/index",
"add-secure-apps/flows-stages/stages/source/index",
"add-secure-apps/flows-stages/stages/user_delete",
"add-secure-apps/flows-stages/stages/user_login/index",
@ -352,19 +353,20 @@ export default {
id: "customize/policies/index",
},
items: [
"customize/policies/working_with_policies",
{
type: "category",
label: "Working with Policies",
label: "Expression Policies",
link: {
type: "doc",
id: "customize/policies/working_with_policies/working_with_policies",
id: "customize/policies/expression",
},
items: [
"customize/policies/working_with_policies/unique_email",
"customize/policies/working_with_policies/whitelist_email",
"customize/policies/expression/unique_email",
"customize/policies/expression/whitelist_email",
"customize/policies/expression/managing_flow_context_keys",
],
},
"customize/policies/expression",
],
},
{