version: 1
metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Custom - Flows
context:
  welcome_message: {{ if eq (env "WELCOME_MESSAGE") "" }} "Welcome to authentik!" {{ else }} {{ env "WELCOME_MESSAGE" }} {{ end }}
####### Translations ########
  transl_recovery: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort Zurücksetzen" {{ else }} "Reset your password" {{ end }}
  transl_password: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort" {{ else }} "Password" {{ end }}
  transl_password_repeat: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Passwort (wiederholen)" {{ else }} "Password (repeat)" {{ end }}
  transl_username: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Benutzername" {{ else }} "Username" {{ end }}
  transl_name: {{ if eq (env "DEFAULT_LANGUAGE") "de" }} "Vor- und Nachname" {{ else }} "Full name" {{ end }}

entries:
######## Email Recovery Flow ########
- identifiers:
    slug: default-recovery-flow
  id: recovery_flow
  model: authentik_flows.flow
  attrs:
    name: Default recovery flow
    title: !Context transl_recovery
    designation: recovery

### PROMPTS
- identifiers:
    field_key: password
  id: prompt-field-password
  model: authentik_stages_prompt.prompt
  attrs:
    label: !Context transl_password
    type: password
    required: true
    placeholder: !Context transl_password
    order: 30
    placeholder_expression: false
- identifiers:
    field_key: password_repeat
  id: prompt-field-password-repeat
  model: authentik_stages_prompt.prompt
  attrs:
    label: !Context transl_password_repeat
    type: password
    required: true
    placeholder: !Context transl_password_repeat
    order: 31
    placeholder_expression: false


### STAGES
- identifiers:
    name: default-recovery-email
  id: default-recovery-email
  model: authentik_stages_email.emailstage
  attrs:
    use_global_settings: true
    token_expiry: {{ if eq (env "EMAIL_TOKEN_EXPIRY_MINUTES") "" }} 30 {{ else }} {{ env "EMAIL_TOKEN_EXPIRY_MINUTES" }} {{ end }}
    subject: {{ if eq (env "EMAIL_SUBJECT") "" }} "Account Recovery" {{ else }} "{{ env "EMAIL_SUBJECT" }}" {{ end }} 
    template: email/password_reset.html
    activate_user_on_success: true
- identifiers:
    name: default-recovery-user-write
  id: default-recovery-user-write
  model: authentik_stages_user_write.userwritestage
- identifiers:
    name: default-recovery-identification
  id: default-recovery-identification
  model: authentik_stages_identification.identificationstage
  attrs:
    user_fields:
      - email
      - username
- identifiers:
    name: default-recovery-user-login
  id: default-recovery-user-login
  model: authentik_stages_user_login.userloginstage
  attrs:
    session_duration: seconds=0
- identifiers:
    name: Change your password
  id: stage-prompt-password
  model: authentik_stages_prompt.promptstage
  attrs:
    fields:
      - !KeyOf prompt-field-password
      - !KeyOf prompt-field-password-repeat
    validation_policies: []

### STAGE BINDINGS
- identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-identification
    order: 10
  model: authentik_flows.flowstagebinding
  id: flow-binding-identification
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
- identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-email
    order: 20
  model: authentik_flows.flowstagebinding
  id: flow-binding-email
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: true
    policy_engine_mode: any
    invalid_response_action: retry
- identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf stage-prompt-password
    order: 30
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
- identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-user-write
    order: 40
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry
- identifiers:
    target: !KeyOf recovery_flow
    stage: !KeyOf default-recovery-user-login
    order: 100
  model: authentik_flows.flowstagebinding
  attrs:
    evaluate_on_plan: true
    re_evaluate_policies: false
    policy_engine_mode: any
    invalid_response_action: retry

### POLICIES
## ISSUES with this policy
## https://github.com/goauthentik/authentik/blob/493cdd5c0f8caaec7a7dd474f1aa131e32fd39c3/blueprints/example/flows-recovery-email-verification.yaml#L37
## https://github.com/goauthentik/authentik/commit/317e9ec6053742e17ba74fb6aa38dc15aaf6657f#diff-a5c56bb7c60e27dda1b131b3fc2a17e3af6624e7cfaaa2337ec6b077ca489f34
# - identifiers:
#     name: default-recovery-skip-if-restored
#   id: default-recovery-skip-if-restored
#   model: authentik_policies_expression.expressionpolicy
#   attrs:
#     expression: |
#       return request.context.get('is_restored', False)

### POLICY BINDINGS
# - identifiers:
#     policy: !KeyOf default-recovery-skip-if-restored
#     target: !KeyOf flow-binding-identification
#     order: 0
#   model: authentik_policies.policybinding
#   attrs:
#     negate: false
#     enabled: true
#     timeout: 30
# - identifiers:
#     policy: !KeyOf default-recovery-skip-if-restored
#     target: !KeyOf flow-binding-email
#     order: 0
#   model: authentik_policies.policybinding
#   attrs:
#     negate: false
#     enabled: true
#     timeout: 30



######## Authentication Flow ########
- attrs:
    designation: authentication
    name: custom-authentication-flow
    title: !Context welcome_message
  identifiers:
    slug: custom-authentication-flow
  id: authentication_flow
  model: authentik_flows.flow

### STAGES
- attrs:
    backends:
    - authentik.core.auth.InbuiltBackend
    - authentik.sources.ldap.auth.LDAPBackend
    - authentik.core.auth.TokenBackend
    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
  identifiers:
    name: custom-authentication-password
  id: custom-authentication-password
  model: authentik_stages_password.passwordstage

- identifiers:
    name: custom-authentication-mfa-validation
  id: custom-authentication-mfa-validation
  model: authentik_stages_authenticator_validate.authenticatorvalidatestage

- attrs:
    password_stage: !KeyOf custom-authentication-password
    recovery_flow: !KeyOf recovery_flow  # !Find [authentik_flows.flow, [slug, default-recovery-flow]]
    user_fields:
    - email
    - username
  identifiers:
    name: custom-authentication-identification
  id: custom-authentication-identification
  model: authentik_stages_identification.identificationstage

- attrs:
    session_duration: seconds=0
  identifiers:
    name: custom-authentication-login
  id: custom-authentication-login
  model: authentik_stages_user_login.userloginstage

### STAGE BINDINGS
- identifiers:
    order: 10
    stage: !KeyOf custom-authentication-identification
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 30
    stage: !KeyOf custom-authentication-mfa-validation
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 100
    stage: !KeyOf custom-authentication-login
    target: !KeyOf authentication_flow
  model: authentik_flows.flowstagebinding

######## Invitation Enrollment Flow ########
- attrs:
    designation: enrollment
    name: invitation-enrollment-flow
    title: !Context welcome_message
  identifiers:
    slug: invitation-enrollment-flow
  id: invitation-enrollment-flow
  model: authentik_flows.flow

### PROMPTS
- identifiers:
    field_key: username
  id: prompt-field-username
  model: authentik_stages_prompt.prompt
  attrs:
    label: !Context transl_username
    type: username
    required: true
    placeholder: !Context transl_username
    order: 0
    placeholder_expression: false
- identifiers:
    field_key: name
  id: prompt-field-name
  model: authentik_stages_prompt.prompt
  attrs:
    label: !Context transl_name
    type: text
    required: true
    placeholder: !Context transl_name
    order: 1
    placeholder_expression: false
- identifiers:
    field_key: email
    label: Email
  id: prompt-field-email
  model: authentik_stages_prompt.prompt
  attrs:
    type: email
    required: true
    placeholder: muster@example.com
    order: 2
    placeholder_expression: false

### STAGES

- id: invitation-stage
  identifiers:
    name: invitation-stage
  model: authentik_stages_invitation.invitationstage

- attrs:
    fields:
      - !KeyOf prompt-field-username
      - !KeyOf prompt-field-name
      - !KeyOf prompt-field-email
      - !KeyOf prompt-field-password
      - !KeyOf prompt-field-password-repeat
  id: enrollment-prompt-userdata
  identifiers:
    name: enrollment-prompt-userdata
  model: authentik_stages_prompt.promptstage

- id: enrollment-user-write
  identifiers:
    name: enrollment-user-write
  model: authentik_stages_user_write.userwritestage

- attrs:
    session_duration: seconds=0
  id: enrollment-user-login
  identifiers:
    name: enrollment-user-login
  model: authentik_stages_user_login.userloginstage

### STAGE BINDINGS
- identifiers:
    order: 1
    stage: !KeyOf invitation-stage
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 10
    stage: !KeyOf enrollment-prompt-userdata
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 20
    stage: !KeyOf enrollment-user-write
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 100
    stage: !KeyOf enrollment-user-login
    target: !KeyOf invitation-enrollment-flow
  model: authentik_flows.flowstagebinding

######## Invalidation Flow ########
- identifiers:
    slug: logout-flow
  id: logout-flow
  model: authentik_flows.flow
  attrs:
    name: Logout
    title: Logout Flow
    designation: invalidation

### STAGES

- id: logout-stage
  identifiers:
    name: logout-stage
  model: authentik_stages_user_logout.userlogoutstage

### STAGE BINDINGS

- identifiers:
    order: 0
    stage: !KeyOf logout-stage
    target: !KeyOf logout-flow
  model: authentik_flows.flowstagebinding
  attrs:
    re_evaluate_policies: true
  id: logout-stage-binding

### POLICIES
- attrs:
    execution_logging: true
    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''

    return True'
  identifiers:
    name: redirect-policy
  id: redirect-policy
  model: authentik_policies_expression.expressionpolicy

### POLICY BINDINGS
- identifiers:
    policy: !KeyOf redirect-policy
    target: !KeyOf logout-stage-binding
    order: 0
  model: authentik_policies.policybinding
  attrs:
    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
    timeout: 30

######## System Brand ##########
- attrs:
    attributes:
      settings:
        locale: {{ if eq (env "DEFAULT_LANGUAGE") "" }} en {{ else }} {{ env "DEFAULT_LANGUAGE" }} {{ end }}
    # branding_favicon: /static/dist/assets/icons/icon.png
    # branding_logo: /static/dist/assets/icons/icon_left_brand.svg
    # branding_title: Authentik
    # default: true
    domain: {{ env "DOMAIN" }}
    # event_retention: days=365
    flow_authentication: !KeyOf authentication_flow
    flow_recovery: !KeyOf recovery_flow
    flow_invalidation: !KeyOf logout-flow
    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
  identifiers:
    pk: 047cce25-aae2-4b02-9f96-078e155f803d
  id: system_brand
  model: authentik_brands.brand