From a9f095d1d9dcbdef1affcb06ea44bf87049067d7 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 9 Mar 2022 23:36:09 +0100
Subject: [PATCH] website/docs: add docs for different flow executors

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 website/docs/flow/executors/headless.md      | 11 +++++++++++
 website/docs/flow/executors/if-flow.md       |  5 +++++
 website/docs/flow/executors/user-settings.md | 14 ++++++++++++++
 website/docs/flow/index.md                   |  4 +++-
 website/sidebars.js                          | 15 ++++++++++++++-
 5 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 website/docs/flow/executors/headless.md
 create mode 100644 website/docs/flow/executors/if-flow.md
 create mode 100644 website/docs/flow/executors/user-settings.md

diff --git a/website/docs/flow/executors/headless.md b/website/docs/flow/executors/headless.md
new file mode 100644
index 000000000..d4cdeda3e
--- /dev/null
+++ b/website/docs/flow/executors/headless.md
@@ -0,0 +1,11 @@
+---
+title: Headless
+---
+
+The headless flow executor is used by clients which don't have access to the web interface. It is currently used by the LDAP outpost to authenticate users.
+
+The following stages are supported:
+
+- [**identification**](../stages/identification/)
+- [**password**](../stages/password/)
+- [**authenticator_validate**](../stages/authenticator_validate/) (currently only DUO devices are supported)
diff --git a/website/docs/flow/executors/if-flow.md b/website/docs/flow/executors/if-flow.md
new file mode 100644
index 000000000..e7587be4c
--- /dev/null
+++ b/website/docs/flow/executors/if-flow.md
@@ -0,0 +1,5 @@
+---
+title: Default (Web)
+---
+
+This is the default, web-based environment flows are executed in. All stages are compatible with this environment and no limitations are imposed.
diff --git a/website/docs/flow/executors/user-settings.md b/website/docs/flow/executors/user-settings.md
new file mode 100644
index 000000000..65817bb4a
--- /dev/null
+++ b/website/docs/flow/executors/user-settings.md
@@ -0,0 +1,14 @@
+---
+title: User settings
+---
+
+:::info
+Requires authentik 2022.3.1
+:::
+
+The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts.
+
+This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
+Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface *if* a non-supported stage is returned.
+
+To configure which flow is used for this, configure it in the tenant settings.
diff --git a/website/docs/flow/index.md b/website/docs/flow/index.md
index 83a6c4b40..7839ebb25 100644
--- a/website/docs/flow/index.md
+++ b/website/docs/flow/index.md
@@ -18,6 +18,8 @@ To determine which flow is linked, authentik searches all flows with the require
 
 Flows can have policies assigned to them. These policies determine if the current user is allowed to see and use this flow.
 
+Keep in mind that in certain circumstances, policies cannot match against users and groups as there is no authenticated user yet.
+
 ## Designation
 
 Flows are designated for a single purpose. This designation changes when a flow is used. The following designations are available:
@@ -47,6 +49,6 @@ This designates a flow for unenrollment. This flow can contain any amount of ver
 This designates a flow for recovery. This flow normally contains an [**identification**](stages/identification/) stage to find the user. It can also contain any amount of verification stages, such as [**email**](stages/email/) or [**captcha**](stages/captcha/).
 Afterwards, use the [**prompt**](stages/prompt/) stage to ask the user for a new password and the [**user_write**](stages/user_write.md) stage to update the password.
 
-### Setup
+### Stage configuration
 
 This designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure Factors, like change a password and setup TOTP.
diff --git a/website/sidebars.js b/website/sidebars.js
index 3237a4ecb..94be4bd8d 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -75,7 +75,20 @@ module.exports = {
         {
             type: "category",
             label: "Flows",
-            items: ["flow/index", "flow/inspector", "flow/examples"],
+            items: [
+                "flow/index",
+                "flow/inspector",
+                "flow/examples",
+                {
+                    type: "category",
+                    label: "Executors",
+                    items: [
+                        "flow/executors/if-flow",
+                        "flow/executors/user-settings",
+                        "flow/executors/headless",
+                    ],
+                },
+            ],
         },
         {
             type: "category",