1ffb7efed6
* blueprints: fix policy exception causing password stage to be skipped after upgrade * make policy more fault tolerant Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
85 lines
2.7 KiB
YAML
85 lines
2.7 KiB
YAML
version: 1
|
|
metadata:
|
|
name: Default - Authentication flow
|
|
entries:
|
|
- model: authentik_blueprints.metaapplyblueprint
|
|
attrs:
|
|
identifiers:
|
|
name: Default - Password change flow
|
|
required: false
|
|
- attrs:
|
|
designation: authentication
|
|
name: Welcome to authentik!
|
|
title: Welcome to authentik!
|
|
authentication: none
|
|
identifiers:
|
|
slug: default-authentication-flow
|
|
model: authentik_flows.flow
|
|
id: flow
|
|
- attrs:
|
|
backends:
|
|
- authentik.core.auth.InbuiltBackend
|
|
- authentik.sources.ldap.auth.LDAPBackend
|
|
- authentik.core.auth.TokenBackend
|
|
configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
|
|
identifiers:
|
|
name: default-authentication-password
|
|
id: default-authentication-password
|
|
model: authentik_stages_password.passwordstage
|
|
- identifiers:
|
|
name: default-authentication-mfa-validation
|
|
id: default-authentication-mfa-validation
|
|
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
|
|
- attrs:
|
|
user_fields:
|
|
- email
|
|
- username
|
|
identifiers:
|
|
name: default-authentication-identification
|
|
id: default-authentication-identification
|
|
model: authentik_stages_identification.identificationstage
|
|
- identifiers:
|
|
name: default-authentication-login
|
|
id: default-authentication-login
|
|
model: authentik_stages_user_login.userloginstage
|
|
- identifiers:
|
|
order: 10
|
|
stage: !KeyOf default-authentication-identification
|
|
target: !KeyOf flow
|
|
model: authentik_flows.flowstagebinding
|
|
- identifiers:
|
|
order: 20
|
|
stage: !KeyOf default-authentication-password
|
|
target: !KeyOf flow
|
|
attrs:
|
|
re_evaluate_policies: true
|
|
id: default-authentication-flow-password-binding
|
|
model: authentik_flows.flowstagebinding
|
|
- identifiers:
|
|
order: 30
|
|
stage: !KeyOf default-authentication-mfa-validation
|
|
target: !KeyOf flow
|
|
model: authentik_flows.flowstagebinding
|
|
- identifiers:
|
|
order: 100
|
|
stage: !KeyOf default-authentication-login
|
|
target: !KeyOf flow
|
|
model: authentik_flows.flowstagebinding
|
|
- model: authentik_policies_expression.expressionpolicy
|
|
id: default-authentication-flow-password-optional
|
|
identifiers:
|
|
name: default-authentication-flow-password-stage
|
|
attrs:
|
|
expression: |
|
|
flow_plan = request.context.get("flow_plan")
|
|
if not flow_plan:
|
|
return True
|
|
# If the user does not have a backend attached to it, they haven't
|
|
# been authenticated yet and we need the password stage
|
|
return not hasattr(flow_plan.context.get("pending_user"), "backend")
|
|
- model: authentik_policies.policybinding
|
|
identifiers:
|
|
order: 10
|
|
target: !KeyOf default-authentication-flow-password-binding
|
|
policy: !KeyOf default-authentication-flow-password-optional
|