From 5139656e95c1043e90a8f20c553b7b03ae5c009c Mon Sep 17 00:00:00 2001
From: Jens L
Date: Mon, 31 Jul 2023 13:42:35 +0200
Subject: [PATCH] blueprints: prevent duplicate password stage in default flow when using combined identification stage (#6432)

Signed-off-by: Jens Langhammer
---
 .../flow-default-authentication-flow.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/blueprints/default/flow-default-authentication-flow.yaml b/blueprints/default/flow-default-authentication-flow.yaml
index bb5f6089c..47cf27863 100644
--- a/blueprints/default/flow-default-authentication-flow.yaml
+++ b/blueprints/default/flow-default-authentication-flow.yaml
@@ -51,6 +51,7 @@ entries:
 order: 20
 stage: !KeyOf default-authentication-password
 target: !KeyOf flow
+ id: default-authentication-flow-password-binding
 model: authentik_flows.flowstagebinding
 - identifiers:
 order: 30
@@ -62,3 +63,18 @@ entries:
 stage: !KeyOf default-authentication-login
 target: !KeyOf flow
 model: authentik_flows.flowstagebinding
+- model: authentik_policies_expression.expressionpolicy
+ id: default-authentication-flow-password-optional
+ identifiers:
+ name: default-authentication-flow-password-stage
+ attrs:
+ expression: |
+ flow_plan = request.context["flow_plan"]
+ # If the user does not have a backend attached to it, they haven't
+ # been authenticated yet and we need the password stage
+ return not hasattr(flow_plan.context["pending_user"], "backend")
+- model: authentik_policies.policybinding
+ identifiers:
+ order: 10
+ target: !KeyOf default-authentication-flow-password-binding
+ policy: !KeyOf default-authentication-flow-password-optional
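Review bot: The expression added in the second hunk indexes `flow_plan.context["pending_user"]` directly, so it raises if the policy is evaluated before any stage has set a pending user. Whether the password stage is then kept or dropped depends on how the policy engine treats a failed expression, which is not visible in this patch. Because this policy decides whether a password is required at all, the missing-user case should be explicit and fail towards requiring it: `pending_user = flow_plan.context.get("pending_user")` followed by `return pending_user is None or not hasattr(pending_user, "backend")`. The binding in the first hunk shows no `attrs`, so evaluation timing is left to the default; if the decision is meant to be taken after identification, consider setting `re_evaluate_policies: true` on `default-authentication-flow-password-binding`. A short comment naming which stage is expected to set `backend` would also help reviewers see when the password stage can legitimately be skipped.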