version: 1
metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: Custom Invalidation Flow
entries:
### DEPENDENCIES
- model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Default - Invalidation flow
    required: true

### STAGE BINDINGS

# This is specified only for setting an id (this stagebinding does not have an identifier)
- identifiers:
    order: 0
    stage: !Find [authentik_stages_user_logout.userlogoutstage, [name, default-invalidation-logout]]
    target: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
  model: authentik_flows.flowstagebinding
  attrs:
    re_evaluate_policies: true
  id: logout-stage-binding

### POLICIES
- attrs:
    execution_logging: true
    expression: 'context[''flow_plan''].context[''redirect''] = ''{{ env "LOGOUT_REDIRECT" }}''

    return True'
  identifiers:
    name: redirect-policy
  id: redirect-policy
  model: authentik_policies_expression.expressionpolicy

### POLICY BINDINGS
- identifiers:
    policy: !KeyOf redirect-policy
    target: !KeyOf logout-stage-binding
    order: 0
  model: authentik_policies.policybinding
  attrs:
    enabled: {{ if eq (env "LOGOUT_REDIRECT") "" }} false {{ else }} true {{ end }}
    timeout: 30