This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/blueprints/example/flows-recovery-email-verification.yaml
Jens Langhammer e1a6dede54 *: backport CVE-2022-46145 fix
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-01 10:41:26 +02:00

160 lines
4.4 KiB
YAML

version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "false"
name: Example - Recovery with email verification
entries:
- identifiers:
slug: default-recovery-flow
id: flow
model: authentik_flows.flow
attrs:
name: Default recovery flow
title: Reset your password
designation: recovery
authentication: require_unauthenticated
- identifiers:
field_key: password
label: Password
id: prompt-field-password
model: authentik_stages_prompt.prompt
attrs:
type: password
required: true
placeholder: Password
order: 0
placeholder_expression: false
- identifiers:
field_key: password_repeat
label: Password (repeat)
id: prompt-field-password-repeat
model: authentik_stages_prompt.prompt
attrs:
type: password
required: true
placeholder: Password (repeat)
order: 1
placeholder_expression: false
- identifiers:
name: default-recovery-skip-if-restored
id: default-recovery-skip-if-restored
model: authentik_policies_expression.expressionpolicy
attrs:
expression: |
return request.context.get('is_restored', False)
- identifiers:
name: default-recovery-email
id: default-recovery-email
model: authentik_stages_email.emailstage
attrs:
use_global_settings: true
host: localhost
port: 25
username: ""
use_tls: false
use_ssl: false
timeout: 10
from_address: system@authentik.local
token_expiry: 30
subject: authentik
template: email/password_reset.html
activate_user_on_success: true
- identifiers:
name: default-recovery-user-write
id: default-recovery-user-write
model: authentik_stages_user_write.userwritestage
- identifiers:
name: default-recovery-identification
id: default-recovery-identification
model: authentik_stages_identification.identificationstage
attrs:
user_fields:
- email
- username
- identifiers:
name: default-recovery-user-login
id: default-recovery-user-login
model: authentik_stages_user_login.userloginstage
attrs:
session_duration: seconds=0
- identifiers:
name: Change your password
id: stages-prompt-password
model: authentik_stages_prompt.promptstage
attrs:
fields:
- !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat
validation_policies: []
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-recovery-identification
order: 10
model: authentik_flows.flowstagebinding
id: flow-binding-identification
attrs:
evaluate_on_plan: true
re_evaluate_policies: true
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-recovery-email
order: 20
model: authentik_flows.flowstagebinding
id: flow-binding-email
attrs:
evaluate_on_plan: true
re_evaluate_policies: true
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
pk: 1219d06e-2c06-4c5b-a162-78e3959c6cf0
target: !KeyOf flow
stage: !KeyOf stages-prompt-password
order: 30
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-recovery-user-write
order: 40
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
target: !KeyOf flow
stage: !KeyOf default-recovery-user-login
order: 100
model: authentik_flows.flowstagebinding
attrs:
evaluate_on_plan: true
re_evaluate_policies: false
policy_engine_mode: any
invalid_response_action: retry
- identifiers:
policy: !KeyOf default-recovery-skip-if-restored
target: !KeyOf flow-binding-identification
order: 0
model: authentik_policies.policybinding
attrs:
negate: false
enabled: true
timeout: 30
- identifiers:
policy: !KeyOf default-recovery-skip-if-restored
target: !KeyOf flow-binding-email
order: 0
model: authentik_policies.policybinding
attrs:
negate: false
enabled: true
timeout: 30