Post-Tyranny-Tech-Infrastru.../ansible/roles/authentik/files/recovery-flow.yaml

version: 1
metadata:
  name: password-recovery-flow
  labels:
    blueprints.goauthentik.io/description: "Password recovery flow with email link"
    blueprints.goauthentik.io/instantiate: "true"

entries:
  # 1. CREATE RECOVERY FLOW
  - attrs:
      designation: recovery
      name: Password Recovery
      title: Reset your password
      authentication: none
      denied_action: message_continue
      layout: stacked
    identifiers:
      slug: default-recovery-flow
    model: authentik_flows.flow
    id: recovery-flow

  # 2. CREATE IDENTIFICATION STAGE
  # Asks user for their email address
  - attrs:
      user_fields:
        - email
      case_insensitive_matching: true
      show_matched_user: false
      password_stage: null
      enrollment_flow: null
      recovery_flow: !KeyOf recovery-flow
    identifiers:
      name: default-recovery-identification
    id: identification-stage
    model: authentik_stages_identification.identificationstage

  # 3. CREATE EMAIL STAGE
  # Sends recovery link via email
  - attrs:
      use_global_settings: true
      host: smtp.mailgun.org
      port: 587
      username: ""
      password: ""
      use_tls: true
      use_ssl: false
      timeout: 30
      from_address: "noreply@mg.vrije.cloud"
      token_expiry: 30
      subject: "Password Reset Request"
      template: |
        Hello,

        You have requested to reset your password. Click the link below to continue:

        {{ recovery_link }}

        This link will expire in 30 minutes.

        If you did not request this password reset, please ignore this email.

        Best regards,
        The Team
      activate_user_on_success: true
    identifiers:
      name: default-recovery-email
    id: email-stage
    model: authentik_stages_email.emailstage

  # 4. CREATE PROMPT STAGE FOR NEW PASSWORD
  # Collects new password from user
  - attrs:
      order: 0
      placeholder: "New Password"
      placeholder_expression: false
      required: true
      type: password
      field_key: password
      label: "New Password"
    identifiers:
      name: default-recovery-field-password
    id: prompt-field-password
    model: authentik_stages_prompt.prompt

  - attrs:
      order: 1
      placeholder: "Confirm New Password"
      placeholder_expression: false
      required: true
      type: password
      field_key: password_repeat
      label: "Confirm New Password"
    identifiers:
      name: default-recovery-field-password-repeat
    id: prompt-field-password-repeat
    model: authentik_stages_prompt.prompt

  - attrs:
      fields:
        - !KeyOf prompt-field-password
        - !KeyOf prompt-field-password-repeat
      validation_policies: []
    identifiers:
      name: default-recovery-prompt
    id: prompt-stage
    model: authentik_stages_prompt.promptstage

  # 5. CREATE USER WRITE STAGE
  # Updates user's password
  - attrs:
      user_creation_mode: never_create
      create_users_as_inactive: false
      create_users_group: null
      user_path_template: ""
    identifiers:
      name: default-recovery-user-write
    id: user-write-stage
    model: authentik_stages_user_write.userwritestage

  # 6. BIND IDENTIFICATION STAGE TO FLOW (order 10)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
      invalid_response_action: retry
    identifiers:
      order: 10
      stage: !KeyOf identification-stage
      target: !KeyOf recovery-flow
    model: authentik_flows.flowstagebinding

  # 7. BIND EMAIL STAGE TO FLOW (order 20)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 20
      stage: !KeyOf email-stage
      target: !KeyOf recovery-flow
    model: authentik_flows.flowstagebinding

  # 8. BIND PROMPT STAGE TO FLOW (order 30)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 30
      stage: !KeyOf prompt-stage
      target: !KeyOf recovery-flow
    model: authentik_flows.flowstagebinding

  # 9. BIND USER WRITE STAGE TO FLOW (order 40)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 40
      stage: !KeyOf user-write-stage
      target: !KeyOf recovery-flow
    model: authentik_flows.flowstagebinding

  # 10. SET AS DEFAULT RECOVERY FLOW IN BRAND
  - attrs:
      flow_recovery: !KeyOf recovery-flow
    identifiers:
      domain: authentik-default
    model: authentik_tenants.tenant
feat: Add password recovery flow with email notifications ACHIEVEMENT: Password recovery via email is now fully working! 🎉 Implemented a complete password recovery flow that: - Asks users for their email address - Sends a recovery link via Mailgun SMTP - Allows users to set a new password - Expires recovery links after 30 minutes Flow stages: 1. Identification stage - collects user email 2. Email stage - sends recovery link 3. Prompt stage - collects new password 4. User write stage - updates password Features: ✓ Email sent via Mailgun (noreply@mg.vrije.cloud) ✓ 30-minute token expiry for security ✓ Set as default recovery flow in brand ✓ Clean, user-friendly interface ✓ Password confirmation required Users can access recovery at: https://auth.dev.vrije.cloud/if/flow/default-recovery-flow/ Files added: - recovery-flow.yaml - Blueprint defining the complete flow - update-recovery-flow.yml - Deployment playbook 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-15 13:36:43 +01:00			`version: 1`
			`metadata:`
			`name: password-recovery-flow`
			`labels:`
			`blueprints.goauthentik.io/description: "Password recovery flow with email link"`
			`blueprints.goauthentik.io/instantiate: "true"`

			`entries:`
			`# 1. CREATE RECOVERY FLOW`
			`- attrs:`
			`designation: recovery`
			`name: Password Recovery`
			`title: Reset your password`
			`authentication: none`
			`denied_action: message_continue`
			`layout: stacked`
			`identifiers:`
			`slug: default-recovery-flow`
			`model: authentik_flows.flow`
			`id: recovery-flow`

			`# 2. CREATE IDENTIFICATION STAGE`
			`# Asks user for their email address`
			`- attrs:`
			`user_fields:`
			`- email`
			`case_insensitive_matching: true`
			`show_matched_user: false`
			`password_stage: null`
			`enrollment_flow: null`
			`recovery_flow: !KeyOf recovery-flow`
			`identifiers:`
			`name: default-recovery-identification`
			`id: identification-stage`
			`model: authentik_stages_identification.identificationstage`

			`# 3. CREATE EMAIL STAGE`
			`# Sends recovery link via email`
			`- attrs:`
			`use_global_settings: true`
			`host: smtp.mailgun.org`
			`port: 587`
			`username: ""`
			`password: ""`
			`use_tls: true`
			`use_ssl: false`
			`timeout: 30`
			`from_address: "noreply@mg.vrije.cloud"`
			`token_expiry: 30`
			`subject: "Password Reset Request"`
			`template: \|`
			`Hello,`

			`You have requested to reset your password. Click the link below to continue:`

			`{{ recovery_link }}`

			`This link will expire in 30 minutes.`

			`If you did not request this password reset, please ignore this email.`

			`Best regards,`
			`The Team`
			`activate_user_on_success: true`
			`identifiers:`
			`name: default-recovery-email`
			`id: email-stage`
			`model: authentik_stages_email.emailstage`

			`# 4. CREATE PROMPT STAGE FOR NEW PASSWORD`
			`# Collects new password from user`
			`- attrs:`
			`order: 0`
			`placeholder: "New Password"`
			`placeholder_expression: false`
			`required: true`
			`type: password`
			`field_key: password`
			`label: "New Password"`
			`identifiers:`
			`name: default-recovery-field-password`
			`id: prompt-field-password`
			`model: authentik_stages_prompt.prompt`

			`- attrs:`
			`order: 1`
			`placeholder: "Confirm New Password"`
			`placeholder_expression: false`
			`required: true`
			`type: password`
			`field_key: password_repeat`
			`label: "Confirm New Password"`
			`identifiers:`
			`name: default-recovery-field-password-repeat`
			`id: prompt-field-password-repeat`
			`model: authentik_stages_prompt.prompt`

			`- attrs:`
			`fields:`
			`- !KeyOf prompt-field-password`
			`- !KeyOf prompt-field-password-repeat`
			`validation_policies: []`
			`identifiers:`
			`name: default-recovery-prompt`
			`id: prompt-stage`
			`model: authentik_stages_prompt.promptstage`

			`# 5. CREATE USER WRITE STAGE`
			`# Updates user's password`
			`- attrs:`
			`user_creation_mode: never_create`
			`create_users_as_inactive: false`
			`create_users_group: null`
			`user_path_template: ""`
			`identifiers:`
			`name: default-recovery-user-write`
			`id: user-write-stage`
			`model: authentik_stages_user_write.userwritestage`

			`# 6. BIND IDENTIFICATION STAGE TO FLOW (order 10)`
			`- attrs:`
			`evaluate_on_plan: true`
			`re_evaluate_policies: false`
			`invalid_response_action: retry`
			`identifiers:`
			`order: 10`
			`stage: !KeyOf identification-stage`
			`target: !KeyOf recovery-flow`
			`model: authentik_flows.flowstagebinding`

			`# 7. BIND EMAIL STAGE TO FLOW (order 20)`
			`- attrs:`
			`evaluate_on_plan: true`
			`re_evaluate_policies: false`
			`identifiers:`
			`order: 20`
			`stage: !KeyOf email-stage`
			`target: !KeyOf recovery-flow`
			`model: authentik_flows.flowstagebinding`

			`# 8. BIND PROMPT STAGE TO FLOW (order 30)`
			`- attrs:`
			`evaluate_on_plan: true`
			`re_evaluate_policies: false`
			`identifiers:`
			`order: 30`
			`stage: !KeyOf prompt-stage`
			`target: !KeyOf recovery-flow`
			`model: authentik_flows.flowstagebinding`

			`# 9. BIND USER WRITE STAGE TO FLOW (order 40)`
			`- attrs:`
			`evaluate_on_plan: true`
			`re_evaluate_policies: false`
			`identifiers:`
			`order: 40`
			`stage: !KeyOf user-write-stage`
			`target: !KeyOf recovery-flow`
			`model: authentik_flows.flowstagebinding`

			`# 10. SET AS DEFAULT RECOVERY FLOW IN BRAND`
			`- attrs:`
			`flow_recovery: !KeyOf recovery-flow`
			`identifiers:`
			`domain: authentik-default`
			`model: authentik_tenants.tenant`