Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/authentik/files/enrollment-flow.yaml

156 lines
3.9 KiB
YAML
Raw Normal View History

feat: Add public enrollment flow with invitation support - Created enrollment-flow.yaml blueprint with: * Enrollment flow with authentication: none * Invitation stage (continues without invitation token) * Prompt fields for user registration * User write stage with user_creation_mode: always_create * User login stage for automatic login after registration - Fixed blueprint structure (attrs before identifiers) - Public enrollment available at /if/flow/default-enrollment-flow/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:22:53 +01:00
version: 1
metadata:
fix: Change enrollment flow to invitation-only (not public) - Set continue_flow_without_invitation: false - Enrollment now requires a valid invitation token - Users cannot self-register without an invitation - Renamed metadata to reflect invitation-only nature 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:27:43 +01:00
name: invitation-enrollment-flow
feat: Add public enrollment flow with invitation support - Created enrollment-flow.yaml blueprint with: * Enrollment flow with authentication: none * Invitation stage (continues without invitation token) * Prompt fields for user registration * User write stage with user_creation_mode: always_create * User login stage for automatic login after registration - Fixed blueprint structure (attrs before identifiers) - Public enrollment available at /if/flow/default-enrollment-flow/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:22:53 +01:00
labels:
fix: Change enrollment flow to invitation-only (not public) - Set continue_flow_without_invitation: false - Enrollment now requires a valid invitation token - Users cannot self-register without an invitation - Renamed metadata to reflect invitation-only nature 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:27:43 +01:00
blueprints.goauthentik.io/description: "Invitation-only enrollment flow"
feat: Add public enrollment flow with invitation support - Created enrollment-flow.yaml blueprint with: * Enrollment flow with authentication: none * Invitation stage (continues without invitation token) * Prompt fields for user registration * User write stage with user_creation_mode: always_create * User login stage for automatic login after registration - Fixed blueprint structure (attrs before identifiers) - Public enrollment available at /if/flow/default-enrollment-flow/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:22:53 +01:00
blueprints.goauthentik.io/instantiate: "true"
entries:
# 1. CREATE ENROLLMENT FLOW
- attrs:
designation: enrollment
name: Default enrollment Flow
title: Welcome to authentik!
authentication: none
fix: Remove auto-login from enrollment flow to avoid redirect issue - Removed user login stage from enrollment flow - Users now see completion page instead of being auto-logged in - Prevents redirect to /if/user/ which requires internal user permissions - Users can manually go to Nextcloud and log in with OIDC after registration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:24:14 +01:00
denied_action: message_continue
feat: Add public enrollment flow with invitation support - Created enrollment-flow.yaml blueprint with: * Enrollment flow with authentication: none * Invitation stage (continues without invitation token) * Prompt fields for user registration * User write stage with user_creation_mode: always_create * User login stage for automatic login after registration - Fixed blueprint structure (attrs before identifiers) - Public enrollment available at /if/flow/default-enrollment-flow/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:22:53 +01:00
identifiers:
slug: default-enrollment-flow
model: authentik_flows.flow
id: flow
# 2. CREATE INVITATION STAGE
- attrs:
fix: Change enrollment flow to invitation-only (not public) - Set continue_flow_without_invitation: false - Enrollment now requires a valid invitation token - Users cannot self-register without an invitation - Renamed metadata to reflect invitation-only nature 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:27:43 +01:00
continue_flow_without_invitation: false
feat: Add public enrollment flow with invitation support - Created enrollment-flow.yaml blueprint with: * Enrollment flow with authentication: none * Invitation stage (continues without invitation token) * Prompt fields for user registration * User write stage with user_creation_mode: always_create * User login stage for automatic login after registration - Fixed blueprint structure (attrs before identifiers) - Public enrollment available at /if/flow/default-enrollment-flow/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:22:53 +01:00
identifiers:
name: default-enrollment-invitation
id: invitation-stage
model: authentik_stages_invitation.invitationstage
# 3. CREATE PROMPT FIELDS
- attrs:
order: 0
placeholder: Username
placeholder_expression: false
required: true
type: username
field_key: username
label: Username
identifiers:
name: default-enrollment-field-username
id: prompt-field-username
model: authentik_stages_prompt.prompt
- attrs:
order: 1
placeholder: Name
placeholder_expression: false
required: true
type: text
field_key: name
label: Name
identifiers:
name: default-enrollment-field-name
id: prompt-field-name
model: authentik_stages_prompt.prompt
- attrs:
order: 2
placeholder: Email
placeholder_expression: false
required: true
type: email
field_key: email
label: Email
identifiers:
name: default-enrollment-field-email
id: prompt-field-email
model: authentik_stages_prompt.prompt
- attrs:
order: 3
placeholder: Password
placeholder_expression: false
required: true
type: password
field_key: password
label: Password
identifiers:
name: default-enrollment-field-password
id: prompt-field-password
model: authentik_stages_prompt.prompt
- attrs:
order: 4
placeholder: Password (repeat)
placeholder_expression: false
required: true
type: password
field_key: password_repeat
label: Password (repeat)
identifiers:
name: default-enrollment-field-password-repeat
id: prompt-field-password-repeat
model: authentik_stages_prompt.prompt
# 4. CREATE PROMPT STAGE
- attrs:
fields:
- !KeyOf prompt-field-username
- !KeyOf prompt-field-name
- !KeyOf prompt-field-email
- !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat
validation_policies: []
identifiers:
name: default-enrollment-prompt
id: prompt-stage
model: authentik_stages_prompt.promptstage
# 5. CREATE USER WRITE STAGE
- attrs:
user_creation_mode: always_create
create_users_as_inactive: false
create_users_group: null
user_path_template: ""
identifiers:
name: default-enrollment-user-write
id: user-write-stage
model: authentik_stages_user_write.userwritestage
fix: Remove auto-login from enrollment flow to avoid redirect issue - Removed user login stage from enrollment flow - Users now see completion page instead of being auto-logged in - Prevents redirect to /if/user/ which requires internal user permissions - Users can manually go to Nextcloud and log in with OIDC after registration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:24:14 +01:00
# 6. BIND INVITATION STAGE TO FLOW (order 0)
feat: Add public enrollment flow with invitation support - Created enrollment-flow.yaml blueprint with: * Enrollment flow with authentication: none * Invitation stage (continues without invitation token) * Prompt fields for user registration * User write stage with user_creation_mode: always_create * User login stage for automatic login after registration - Fixed blueprint structure (attrs before identifiers) - Public enrollment available at /if/flow/default-enrollment-flow/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 11:22:53 +01:00
- attrs:
evaluate_on_plan: true
re_evaluate_policies: false
identifiers:
order: 0
stage: !KeyOf invitation-stage
target: !KeyOf flow
model: authentik_flows.flowstagebinding
# 8. BIND PROMPT STAGE TO FLOW (order 10)
- attrs:
evaluate_on_plan: true
re_evaluate_policies: false
identifiers:
order: 10
stage: !KeyOf prompt-stage
target: !KeyOf flow
model: authentik_flows.flowstagebinding
# 9. BIND USER WRITE STAGE TO FLOW (order 20)
- attrs:
evaluate_on_plan: true
re_evaluate_policies: false
identifiers:
order: 20
stage: !KeyOf user-write-stage
target: !KeyOf flow
model: authentik_flows.flowstagebinding
fix: Set invitation-only enrollment flow as default in brand This ensures that when admins create invitations in the Authentik UI, they automatically use the correct default-enrollment-flow instead of the default-source-enrollment flow (which only works with external IdPs). Changes: - Added tenant configuration to set flow_enrollment - Invitation URLs will now correctly use /if/flow/default-enrollment-flow/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-15 13:08:27 +01:00
# 10. SET AS DEFAULT ENROLLMENT FLOW IN BRAND
- attrs:
flow_enrollment: !KeyOf flow
identifiers:
domain: authentik-default
model: authentik_tenants.tenant
Reference in a new issue Copy permalink