version: 1
metadata:
name: Default - Authentication flow
entries:
- model: authentik_blueprints.metaapplyblueprint
attrs:
identifiers:
name: Default - Password change flow
required: false
- attrs:
designation: authentication
name: Welcome to authentik!
title: Welcome to authentik!
authentication: none
slug: default-authentication-flow
model: authentik_flows.flow
id: flow
backends:
- authentik.core.auth.InbuiltBackend
- authentik.sources.ldap.auth.LDAPBackend
- authentik.core.auth.TokenBackend
configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
name: default-authentication-password
id: default-authentication-password
model: authentik_stages_password.passwordstage
- identifiers:
name: default-authentication-mfa-validation
id: default-authentication-mfa-validation
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
user_fields:
- email
- username
name: default-authentication-identification
id: default-authentication-identification
model: authentik_stages_identification.identificationstage
name: default-authentication-login
id: default-authentication-login
model: authentik_stages_user_login.userloginstage
order: 10
stage: !KeyOf default-authentication-identification
target: !KeyOf flow
model: authentik_flows.flowstagebinding
order: 20
stage: !KeyOf default-authentication-password
re_evaluate_policies: true
id: default-authentication-flow-password-binding
order: 30
stage: !KeyOf default-authentication-mfa-validation
order: 100
stage: !KeyOf default-authentication-login
- model: authentik_policies_expression.expressionpolicy
id: default-authentication-flow-password-optional
name: default-authentication-flow-password-stage
expression: |
flow_plan = request.context.get("flow_plan")
if not flow_plan:
return True
# If the user does not have a backend attached to it, they haven't
# been authenticated yet and we need the password stage
return not hasattr(flow_plan.context.get("pending_user"), "backend")
- model: authentik_policies.policybinding
target: !KeyOf default-authentication-flow-password-binding
policy: !KeyOf default-authentication-flow-password-optional