stages/redirect: create redirect stage (#12275)

* create redirect stage

* show "keep context" toggle in Flow mode only

* fix typos

* add docs

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

* simplify property pass

* simplify toggle

* remove `print` statements

whoops

* fix typo

* remove default from `RedirectStage.mode`

* remove migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* oops

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* adjust docs

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>

website/docs/customize/policies/expression/managing_flow_context_keys.md

@@ -0,0 +1,17 @@
+---
+title: Managing flow context keys
+---
+
+[Flow context](../../../add-secure-apps/flows-stages/flow/context/index.md) can be managed in [Expression policies](../expression.mdx) via the `context['flow_plan'].context` variable.
+
+Here's an example of setting a key in an Expression policy:
+
+```python
+context['flow_plan'].context['redirect_stage_target'] = 'ak-flow://redirected-authentication-flow'
+```
+
+And here's an example of removing that key:
+
+```python
+context['flow_plan'].context.pop('redirect_stage_target', None)
+```

website/docs/customize/policies/expression/unique_email.md

@@ -0,0 +1,19 @@
+---
+title: Ensure unique email addresses
+---
+
+Due to the database design of authentik, email addresses are by default not required to be unique. This behavior can however be changed by policies.
+
+The snippet below can be used as the expression in policies both with enrollment flows, where the policy should be bound to any stage before the [User write](../../../add-secure-apps/flows-stages/stages/user_write.md) stage, or with the [Prompt stage](../../../add-secure-apps/flows-stages/stages/prompt/index.md).
+
+```python
+from authentik.core.models import User
+
+# Ensure this matches the *Field Key* value of the prompt
+field_name = "email"
+email = request.context["prompt_data"][field_name]
+if User.objects.filter(email=email).exists():
+  ak_message("Email address in use")
+  return False
+return True
+```

website/docs/customize/policies/expression/whitelist_email.md

@@ -0,0 +1,21 @@
+---
+title: Whitelist email domains
+---
+
+To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, follow these steps:
+
+1. In the Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`.
+
+2. Add the following code snippet in the policy-specific settings under **Expression** and then click **Update**.
+
+```python
+allowed_domains = ["example.net", "example.com"]
+
+current_domain = request.context["prompt_data"]["email"].split("@")[1]
+if current_domain not in allowed_domains:
+  ak_message("Access denied for this email domain")
+  return False
+return ak_is_sso_flow
+```
+
+This configuration specifies the `allowed_domains` list of domains for logging in through SSO, such as Google OAuth2. If your email is not in the available domains, you will receive a 'Permission Denied' message on the login screen.