# authentik blueprint: adds an invitation stage to the default enrollment flow
# and makes the default MFA validation stage force device configuration.
# Three entries: create the invitation stage, bind it first in the enrollment
# flow, then update the existing authenticator-validation stage in place.
version: 1
metadata:
  name: custom-flow-configuration
  labels:
    blueprints.goauthentik.io/description: "Configure invitation and 2FA enforcement"
    # Quoted on purpose: labels are strings, a bare true would parse as a boolean.
    blueprints.goauthentik.io/instantiate: "true"
entries:
  # 1. CREATE INVITATION STAGE
  # This stage allows enrollment flows to work with or without invitation tokens
  - model: authentik_stages_invitation.invitationstage
    identifiers:
      name: default-enrollment-invitation
    # Referenced below via !KeyOf; the id is blueprint-local, not a DB field.
    id: invitation-stage
    attrs:
      # true = enrollment proceeds even when no invitation token is presented,
      # i.e. the flow is effectively open self-registration. Set to false to
      # require a valid invitation for every enrollment.
      continue_flow_without_invitation: true
  # 2. BIND INVITATION STAGE TO ENROLLMENT FLOW
  # Adds the invitation stage as the first stage in the enrollment flow
  - model: authentik_flows.flowstagebinding
    identifiers:
      # Looks up an existing flow by slug; the flow is not created here.
      # NOTE(review): what happens if no flow matches is not shown in this
      # file — confirm the blueprint fails loudly rather than binding to null.
      target: !Find [authentik_flows.flow, [slug, default-enrollment-flow]]
      stage: !KeyOf invitation-stage
      # order 0 places the invitation check before every other enrollment stage
      order: 0
    attrs:
      # Policies on this binding are evaluated when the flow is planned and
      # presumably not again when the stage is reached (re_evaluate false) —
      # verify against the authentik flow-planner docs for this version.
      evaluate_on_plan: true
      re_evaluate_policies: false
  # 3. ENFORCE 2FA CONFIGURATION
  # Updates MFA validation stage to force users to configure TOTP
  - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
    identifiers:
      # Matches an existing stage by name and updates its attrs; nothing new
      # is created if the name already exists.
      name: default-authentication-mfa-validation
    attrs:
      # "configure": a user with no enrolled device is sent to the stages in
      # configuration_stages instead of being denied or skipped past MFA.
      not_configured_action: configure
      # Devices of these classes satisfy validation for users who already
      # have one enrolled.
      device_classes:
        - totp
        - webauthn
      # Only the TOTP setup stage is offered here, so users without any
      # device can enroll TOTP only, even though WebAuthn is accepted above.
      # Add a WebAuthn setup stage to this list if that should be offered too.
      configuration_stages:
        - !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]]