# authentik blueprint: self-service password recovery via an emailed link.
# Entries are ordered so that every `!KeyOf` reference points at an entry whose
# `id` is declared earlier in this file; keep that order when editing.
version: 1
metadata:
  name: password-recovery-flow
  labels:
    blueprints.goauthentik.io/description: "Password recovery flow with email link"
    # Quoted on purpose: the label value is a string, not a YAML boolean.
    blueprints.goauthentik.io/instantiate: "true"
entries:
  # 1. CREATE RECOVERY FLOW
  # `authentication: none` — the flow must be reachable by users who cannot log
  # in, which is the point of recovery.
  # `denied_action: message_continue` — a policy denial shows a message and the
  # flow continues rather than aborting. NOTE(review): no policies are bound
  # anywhere in this file, so confirm this is the intended denial behaviour.
  - attrs:
      designation: recovery
      name: Password Recovery
      title: Reset your password
      authentication: none
      denied_action: message_continue
      layout: stacked
    identifiers:
      slug: default-recovery-flow
    model: authentik_flows.flow
    id: recovery-flow
  # 2. CREATE IDENTIFICATION STAGE
  # Asks user for their email address
  # `show_matched_user: false` keeps the response the same whether or not the
  # address belongs to an account, so the stage does not reveal which emails
  # are registered — keep it false.
  # `password_stage: null` — no password is requested here; the emailed token
  # is the proof of identity.
  # NOTE(review): `recovery_flow` points back at this same flow. The stage is
  # already part of the recovery flow, so the self-reference is presumably
  # harmless but may be unnecessary — confirm against the deployed version.
  - attrs:
      user_fields:
        - email
      case_insensitive_matching: true
      show_matched_user: false
      password_stage: null
      enrollment_flow: null
      recovery_flow: !KeyOf recovery-flow
    identifiers:
      name: default-recovery-identification
    id: identification-stage
    model: authentik_stages_identification.identificationstage
  # 3. CREATE EMAIL STAGE
  # Sends recovery link via email
  # NOTE(review): with `use_global_settings: true` the per-stage SMTP values
  # below (host, port, username, password, use_tls, use_ssl, timeout,
  # from_address) are expected to be ignored in favour of the instance-wide
  # email settings — confirm, then either drop them or set
  # `use_global_settings: false` if the Mailgun settings are really meant to
  # apply. Keep SMTP credentials out of this file either way; `username` and
  # `password` are empty here and should stay that way.
  # `token_expiry: 30` must agree with the "30 minutes" wording in the template
  # body. NOTE(review): newer authentik releases express this field as a
  # duration string rather than an integer — confirm the type for the
  # deployed version.
  # NOTE(review): `template` is expected to name a template file known to
  # authentik (a built-in such as email/password_reset.html, or a file in the
  # custom templates directory), not inline body text; the inline content below
  # is likely to be rejected at import — confirm, and move the text into a
  # template file if so.
  # NOTE(review): `activate_user_on_success: true` means completing recovery
  # (re)activates the account, so a user deactivated by an administrator could
  # regain access through this flow — confirm this is intended, otherwise set
  # it to false.
  - attrs:
      use_global_settings: true
      host: smtp.mailgun.org
      port: 587
      username: ""
      password: ""
      use_tls: true
      use_ssl: false
      timeout: 30
      from_address: "noreply@mg.vrije.cloud"
      token_expiry: 30
      subject: "Password Reset Request"
      template: |
        Hello,

        You have requested to reset your password. Click the link below to continue:

        {{ recovery_link }}

        This link will expire in 30 minutes.

        If you did not request this password reset, please ignore this email.

        Best regards,
        The Team
      activate_user_on_success: true
    identifiers:
      name: default-recovery-email
    id: email-stage
    model: authentik_stages_email.emailstage
  # 4. CREATE PROMPT STAGE FOR NEW PASSWORD
  # Collects new password from user
  # Two `password`-type prompts (`password` and `password_repeat`) that the
  # prompt stage entry further down groups together.
  - attrs:
      order: 0
      placeholder: "New Password"
      placeholder_expression: false
      required: true
      type: password
      field_key: password
      label: "New Password"
    identifiers:
      name: default-recovery-field-password
    id: prompt-field-password
    model: authentik_stages_prompt.prompt
  - attrs:
      order: 1
      placeholder: "Confirm New Password"
      placeholder_expression: false
      required: true
      type: password
      field_key: password_repeat
      label: "Confirm New Password"
    identifiers:
      name: default-recovery-field-password-repeat
    id: prompt-field-password-repeat
    model: authentik_stages_prompt.prompt
  # NOTE(review): `validation_policies: []` binds no password policy, so the
  # new password gets no length/complexity/breach check here beyond whatever
  # the prompt stage enforces on its own. Bind a password policy before
  # relying on this flow in production.
  - attrs:
      fields:
        - !KeyOf prompt-field-password
        - !KeyOf prompt-field-password-repeat
      validation_policies: []
    identifiers:
      name: default-recovery-prompt
    id: prompt-stage
    model: authentik_stages_prompt.promptstage
  # 5. CREATE USER WRITE STAGE
  # Updates user's password
  # `user_creation_mode: never_create` — the stage only updates the user
  # matched by the identification stage; a recovery flow must never create
  # accounts, so keep this value.
  - attrs:
      user_creation_mode: never_create
      create_users_as_inactive: false
      create_users_group: null
      user_path_template: ""
    identifiers:
      name: default-recovery-user-write
    id: user-write-stage
    model: authentik_stages_user_write.userwritestage
  # 6. BIND IDENTIFICATION STAGE TO FLOW (order 10)
  # Binding `order` (10, 20, 30, 40) is the execution order:
  # identify -> email -> prompt -> user write. `evaluate_on_plan` and
  # `re_evaluate_policies` only take effect once policies are bound to these
  # bindings; none are defined in this file.
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
      invalid_response_action: retry
    identifiers:
      order: 10
      stage: !KeyOf identification-stage
      target: !KeyOf recovery-flow
    model: authentik_flows.flowstagebinding
  # 7. BIND EMAIL STAGE TO FLOW (order 20)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 20
      stage: !KeyOf email-stage
      target: !KeyOf recovery-flow
    model: authentik_flows.flowstagebinding
  # 8. BIND PROMPT STAGE TO FLOW (order 30)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 30
      stage: !KeyOf prompt-stage
      target: !KeyOf recovery-flow
    model: authentik_flows.flowstagebinding
  # 9. BIND USER WRITE STAGE TO FLOW (order 40)
  - attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
    identifiers:
      order: 40
      stage: !KeyOf user-write-stage
      target: !KeyOf recovery-flow
    model: authentik_flows.flowstagebinding
  # 10. SET AS DEFAULT RECOVERY FLOW IN BRAND
  # NOTE(review): the heading says "brand" but the model is
  # `authentik_tenants.tenant`. authentik releases that renamed tenants to
  # brands expect `authentik_brands.brand` here — confirm which model the
  # deployed version uses, or the import will fail on this entry.
  - attrs:
      flow_recovery: !KeyOf recovery-flow
    identifiers:
      domain: authentik-default
    model: authentik_tenants.tenant