From 508825ca5ae71252983c7f00100ae9086f21eb49 Mon Sep 17 00:00:00 2001
From: Pieter <pieter@kolabnow.com>
Date: Thu, 15 Jan 2026 11:24:14 +0100
Subject: [PATCH] fix: Remove auto-login from enrollment flow to avoid redirect
 issue
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Removed user login stage from enrollment flow
- Users now see completion page instead of being auto-logged in
- Prevents redirect to /if/user/ which requires internal user permissions
- Users can manually go to Nextcloud and log in with OIDC after registration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .../authentik/files/enrollment-flow.yaml      | 21 ++-----------------
 1 file changed, 2 insertions(+), 19 deletions(-)

diff --git a/ansible/roles/authentik/files/enrollment-flow.yaml b/ansible/roles/authentik/files/enrollment-flow.yaml
index dd0298e..6e6e2c8 100644
--- a/ansible/roles/authentik/files/enrollment-flow.yaml
+++ b/ansible/roles/authentik/files/enrollment-flow.yaml
@@ -12,6 +12,7 @@ entries:
       name: Default enrollment Flow
       title: Welcome to authentik!
       authentication: none
+      denied_action: message_continue
     identifiers:
       slug: default-enrollment-flow
     model: authentik_flows.flow
@@ -116,15 +117,7 @@ entries:
     id: user-write-stage
     model: authentik_stages_user_write.userwritestage
 
-  # 6. CREATE USER LOGIN STAGE
-  - attrs:
-      session_duration: seconds=0
-    identifiers:
-      name: default-enrollment-user-login
-    id: user-login-stage
-    model: authentik_stages_user_login.userloginstage
-
-  # 7. BIND INVITATION STAGE TO FLOW (order 0)
+  # 6. BIND INVITATION STAGE TO FLOW (order 0)
   - attrs:
       evaluate_on_plan: true
       re_evaluate_policies: false
@@ -153,13 +146,3 @@ entries:
       stage: !KeyOf user-write-stage
       target: !KeyOf flow
     model: authentik_flows.flowstagebinding
-
-  # 10. BIND USER LOGIN STAGE TO FLOW (order 30)
-  - attrs:
-      evaluate_on_plan: true
-      re_evaluate_policies: false
-    identifiers:
-      order: 30
-      stage: !KeyOf user-login-stage
-      target: !KeyOf flow
-    model: authentik_flows.flowstagebinding