205hlab-mirrors/authentik
2
0
Fork 0
mirror of https://github.com/goauthentik/authentik.git synced 2026-06-17 19:09:11 +03:00
Code Issues Packages Projects Releases Wiki Activity

enterprise: account lockdown (#18615)

Browse Source
This commit is contained in:
Dominic R
2026-04-30 19:02:46 -04:00
committed by GitHub
parent 8963d29ab4
commit 821b74d7c1
68 changed files with 4412 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/actions/setup/action.yml
+1 -1
View File
@@ -104,7 +104,7 @@ runs:
working-directory: ${{ inputs.working-directory }}
run: |
export PSQL_TAG=${{ inputs.postgresql_version }}
docker compose -f .github/actions/setup/compose.yml up -d
docker compose -f .github/actions/setup/compose.yml up -d --wait
cd web && npm ci
- name: Generate config
if: ${{ contains(inputs.dependencies, 'python') }}
.github/actions/setup/compose.yml
+6
View File
@@ -8,8 +8,14 @@ services:
POSTGRES_USER: authentik
POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
POSTGRES_DB: authentik
PGDATA: /var/lib/postgresql/data/pgdata
ports:
- 5432:5432
healthcheck:
test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB} -h 127.0.0.1"]
interval: 1s
timeout: 5s
retries: 60
restart: always
s3:
container_name: s3
authentik/blueprints/api.py
+1 -1
View File
@@ -126,7 +126,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
def check_blueprint_perms(blueprint: Blueprint, user: User, explicit_action: str | None = None):
"""Check for individual permissions for each model in a blueprint"""
for entry in blueprint.entries:
for entry in blueprint.iter_entries():
full_model = entry.get_model(blueprint)
app, __, model = full_model.partition(".")
perms = [
authentik/blueprints/tests/test_v1_conditions.py
+45
View File
@@ -1,8 +1,11 @@
"""Test blueprints v1"""
from unittest.mock import patch
from django.test import TransactionTestCase
from authentik.blueprints.v1.importer import Importer
from authentik.enterprise.license import LicenseKey
from authentik.flows.models import Flow
from authentik.lib.generators import generate_id
from authentik.lib.tests.utils import load_fixture
@@ -42,3 +45,45 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
# Ensure objects do not exist
self.assertFalse(Flow.objects.filter(slug=flow_slug1))
self.assertFalse(Flow.objects.filter(slug=flow_slug2))
def test_enterprise_license_context_unlicensed(self):
"""Test enterprise license context defaults to a false boolean when unlicensed."""
license_key = LicenseKey("test", 0, "Test license", 0, 0)
with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
importer = Importer.from_string("""
version: 1
entries:
- identifiers:
name: enterprise-test
slug: enterprise-test
model: authentik_flows.flow
conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
designation: stage_configuration
title: foo
""")
self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], False)
def test_enterprise_license_context_licensed(self):
"""Test enterprise license context defaults to a true boolean when licensed."""
license_key = LicenseKey("test", 253402300799, "Test license", 1000, 1000)
with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
importer = Importer.from_string("""
version: 1
entries:
- identifiers:
name: enterprise-test
slug: enterprise-test
model: authentik_flows.flow
conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
designation: stage_configuration
title: foo
""")
self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], True)
authentik/blueprints/v1/importer.py
+1 -3
View File
@@ -146,9 +146,7 @@ class Importer:
try:
from authentik.enterprise.license import LicenseKey
context["goauthentik.io/enterprise/licensed"] = (
LicenseKey.get_total().status().is_valid,
)
context["goauthentik.io/enterprise/licensed"] = LicenseKey.get_total().status().is_valid
except ModuleNotFoundError:
pass
return context
authentik/brands/api.py
+3
View File
@@ -64,6 +64,7 @@ class BrandSerializer(ModelSerializer):
"flow_unenrollment",
"flow_user_settings",
"flow_device_code",
"flow_lockdown",
"default_application",
"web_certificate",
"client_certificates",
@@ -117,6 +118,7 @@ class CurrentBrandSerializer(PassiveSerializer):
flow_unenrollment = CharField(source="flow_unenrollment.slug", required=False)
flow_user_settings = CharField(source="flow_user_settings.slug", required=False)
flow_device_code = CharField(source="flow_device_code.slug", required=False)
flow_lockdown = CharField(source="flow_lockdown.slug", required=False)
default_locale = CharField(read_only=True)
flags = SerializerMethodField()
@@ -154,6 +156,7 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
"flow_unenrollment",
"flow_user_settings",
"flow_device_code",
"flow_lockdown",
"web_certificate",
"client_certificates",
]
authentik/brands/migrations/0012_brand_flow_lockdown.py
+25
View File
@@ -0,0 +1,25 @@
# Generated by Django 5.2.12 on 2026-03-14 02:58
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_brands", "0011_alter_brand_branding_default_flow_background_and_more"),
("authentik_flows", "0031_alter_flow_layout"),
]
operations = [
migrations.AddField(
model_name="brand",
name="flow_lockdown",
field=models.ForeignKey(
null=True,
on_delete=django.db.models.deletion.SET_NULL,
related_name="brand_lockdown",
to="authentik_flows.flow",
),
),
]
authentik/brands/models.py
+3
View File
@@ -58,6 +58,9 @@ class Brand(SerializerModel):
flow_device_code = models.ForeignKey(
Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
)
flow_lockdown = models.ForeignKey(
Flow, null=True, on_delete=models.SET_NULL, related_name="brand_lockdown"
)
default_application = models.ForeignKey(
"authentik_core.Application",
authentik/core/api/users.py
+3
View File
@@ -563,6 +563,9 @@ class UsersFilter(FilterSet):
class UserViewSet(
ConditionalInheritance(
"authentik.enterprise.stages.account_lockdown.api.UserAccountLockdownMixin"
),
ConditionalInheritance("authentik.enterprise.reports.api.reports.ExportMixin"),
UsedByMixin,
ModelViewSet,
authentik/enterprise/settings.py
+1
View File
@@ -14,6 +14,7 @@ TENANT_APPS = [
"authentik.enterprise.providers.ssf",
"authentik.enterprise.providers.ws_federation",
"authentik.enterprise.reports",
"authentik.enterprise.stages.account_lockdown",
"authentik.enterprise.stages.authenticator_endpoint_gdtc",
"authentik.enterprise.stages.mtls",
"authentik.enterprise.stages.source",
authentik/enterprise/stages/account_lockdown/__init__.py
View File
authentik/enterprise/stages/account_lockdown/api.py
+141
View File
@@ -0,0 +1,141 @@
"""Account Lockdown Stage API Views"""
from django.utils.translation import gettext as _
from drf_spectacular.utils import OpenApiExample, OpenApiResponse, extend_schema
from rest_framework.decorators import action
from rest_framework.exceptions import ValidationError
from rest_framework.permissions import IsAuthenticated
from rest_framework.request import Request
from rest_framework.response import Response
from rest_framework.serializers import PrimaryKeyRelatedField
from rest_framework.viewsets import ModelViewSet
from structlog.stdlib import get_logger
from authentik.api.validation import validate
from authentik.core.api.used_by import UsedByMixin
from authentik.core.api.utils import LinkSerializer, PassiveSerializer
from authentik.core.models import (
User,
)
from authentik.enterprise.api import EnterpriseRequiredMixin, enterprise_action
from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
from authentik.enterprise.stages.account_lockdown.stage import (
can_lock_user,
get_lockdown_target_users,
)
from authentik.flows.api.stages import StageSerializer
from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
LOGGER = get_logger()
class AccountLockdownStageSerializer(EnterpriseRequiredMixin, StageSerializer):
"""AccountLockdownStage Serializer"""
class Meta:
model = AccountLockdownStage
fields = StageSerializer.Meta.fields + [
"deactivate_user",
"set_unusable_password",
"delete_sessions",
"revoke_tokens",
"self_service_completion_flow",
]
class AccountLockdownStageViewSet(UsedByMixin, ModelViewSet):
"""AccountLockdownStage Viewset"""
queryset = AccountLockdownStage.objects.all()
serializer_class = AccountLockdownStageSerializer
filterset_fields = "__all__"
ordering = ["name"]
search_fields = ["name"]
class UserAccountLockdownSerializer(PassiveSerializer):
"""Choose the target account before starting the lockdown flow."""
user = PrimaryKeyRelatedField(
queryset=get_lockdown_target_users(),
required=False,
allow_null=True,
help_text=_("User to lock. If omitted, locks the current user (self-service)."),
)
class UserAccountLockdownMixin:
"""Enterprise account-lockdown API actions for UserViewSet."""
def _create_lockdown_flow_url(self, request: Request, user: User) -> str:
"""Create a flow URL for account lockdown.
The request body selects the target before the flow starts. The API
pre-plans the lockdown flow with the target as the pending user, so the
account lockdown stage can use the normal flow context.
"""
flow = request._request.brand.flow_lockdown
if flow is None:
raise ValidationError({"non_field_errors": [_("No lockdown flow configured.")]})
planner = FlowPlanner(flow)
planner.use_cache = False
try:
plan = planner.plan(request._request, {PLAN_CONTEXT_PENDING_USER: user})
except EmptyFlowException, FlowNonApplicableException:
raise ValidationError(
{"non_field_errors": [_("Lockdown flow is not applicable.")]}
) from None
return plan.to_redirect(request._request, flow).url
@extend_schema(
description=_("Choose the target account, then return a flow link."),
request=UserAccountLockdownSerializer,
responses={
"200": OpenApiResponse(
response=LinkSerializer,
examples=[
OpenApiExample(
"Lockdown flow URL",
value={
"link": "https://example.invalid/if/flow/default-account-lockdown/",
},
response_only=True,
status_codes=["200"],
)
],
),
"400": OpenApiResponse(
description=_("No lockdown flow configured or the flow is not applicable")
),
"403": OpenApiResponse(
description=_("Permission denied (when targeting another user)")
),
},
)
@action(
detail=False,
methods=["POST"],
permission_classes=[IsAuthenticated],
url_path="account_lockdown",
)
@validate(UserAccountLockdownSerializer)
@enterprise_action
def account_lockdown(self, request: Request, body: UserAccountLockdownSerializer) -> Response:
"""Trigger account lockdown for a user.
If no user is specified, locks the current user (self-service).
When targeting another user, admin permissions are required.
Returns a flow link for the frontend to follow. The flow is pre-planned
with the target user as pending user for the lockdown stage.
"""
user = body.validated_data.get("user") or request.user
if not can_lock_user(request.user, user):
LOGGER.debug("Permission denied for account lockdown", user=request.user)
self.permission_denied(request)
flow_url = self._create_lockdown_flow_url(request, user)
LOGGER.debug("Returning lockdown flow URL", flow_url=flow_url, user=user.username)
return Response({"link": flow_url})
authentik/enterprise/stages/account_lockdown/apps.py
+12
View File
@@ -0,0 +1,12 @@
"""authentik account lockdown stage app config"""
from authentik.enterprise.apps import EnterpriseConfig
class AuthentikEnterpriseStageAccountLockdownConfig(EnterpriseConfig):
"""authentik account lockdown stage config"""
name = "authentik.enterprise.stages.account_lockdown"
label = "authentik_stages_account_lockdown"
verbose_name = "authentik Enterprise.Stages.Account Lockdown"
default = True
authentik/enterprise/stages/account_lockdown/migrations/0001_initial.py
+74
View File
@@ -0,0 +1,74 @@
# Generated by Django 5.2.13 on 2026-04-19 21:56
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
initial = True
dependencies = [
("authentik_flows", "0031_alter_flow_layout"),
]
operations = [
migrations.CreateModel(
name="AccountLockdownStage",
fields=[
(
"stage_ptr",
models.OneToOneField(
auto_created=True,
on_delete=django.db.models.deletion.CASCADE,
parent_link=True,
primary_key=True,
serialize=False,
to="authentik_flows.stage",
),
),
(
"deactivate_user",
models.BooleanField(
default=True,
help_text="Deactivate the user account (set is_active to False)",
),
),
(
"set_unusable_password",
models.BooleanField(
default=True, help_text="Set an unusable password for the user"
),
),
(
"delete_sessions",
models.BooleanField(
default=True, help_text="Delete all active sessions for the user"
),
),
(
"revoke_tokens",
models.BooleanField(
default=True,
help_text="Revoke all tokens for the user (API, app password, recovery, verification, OAuth)",
),
),
(
"self_service_completion_flow",
models.ForeignKey(
blank=True,
help_text="Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.",
null=True,
on_delete=django.db.models.deletion.SET_NULL,
related_name="account_lockdown_stages",
to="authentik_flows.flow",
),
),
],
options={
"verbose_name": "Account Lockdown Stage",
"verbose_name_plural": "Account Lockdown Stages",
},
bases=("authentik_flows.stage",),
),
]
authentik/enterprise/stages/account_lockdown/migrations/__init__.py
View File
authentik/enterprise/stages/account_lockdown/models.py
+62
View File
@@ -0,0 +1,62 @@
"""Account lockdown stage models"""
from django.db import models
from django.utils.translation import gettext_lazy as _
from django.views import View
from rest_framework.serializers import BaseSerializer
from authentik.flows.models import Stage
class AccountLockdownStage(Stage):
"""Lock down a target user account."""
deactivate_user = models.BooleanField(
default=True,
help_text=_("Deactivate the user account (set is_active to False)"),
)
set_unusable_password = models.BooleanField(
default=True,
help_text=_("Set an unusable password for the user"),
)
delete_sessions = models.BooleanField(
default=True,
help_text=_("Delete all active sessions for the user"),
)
revoke_tokens = models.BooleanField(
default=True,
help_text=_(
"Revoke all tokens for the user (API, app password, recovery, verification, OAuth)"
),
)
self_service_completion_flow = models.ForeignKey(
"authentik_flows.Flow",
on_delete=models.SET_NULL,
null=True,
blank=True,
related_name="account_lockdown_stages",
help_text=_(
"Flow to redirect users to after self-service lockdown. "
"This flow should not require authentication since the user's session is deleted."
),
)
@property
def serializer(self) -> type[BaseSerializer]:
from authentik.enterprise.stages.account_lockdown.api import AccountLockdownStageSerializer
return AccountLockdownStageSerializer
@property
def view(self) -> type[View]:
from authentik.enterprise.stages.account_lockdown.stage import AccountLockdownStageView
return AccountLockdownStageView
@property
def component(self) -> str:
return "ak-stage-account-lockdown-form"
class Meta:
verbose_name = _("Account Lockdown Stage")
verbose_name_plural = _("Account Lockdown Stages")
authentik/enterprise/stages/account_lockdown/stage.py
+345
View File
@@ -0,0 +1,345 @@
"""Account lockdown stage logic"""
from django.apps import apps
from django.core.exceptions import FieldDoesNotExist
from django.db.models import Model, QuerySet
from django.db.models.query_utils import Q
from django.db.transaction import atomic
from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
from django.urls import reverse
from django.utils.translation import gettext_lazy as _
from dramatiq.actor import Actor
from dramatiq.composition import group
from dramatiq.results.errors import ResultTimeout
from authentik.core.models import (
AuthenticatedSession,
ExpiringModel,
Session,
Token,
User,
UserTypes,
)
from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
from authentik.events.models import Event, EventAction
from authentik.flows.stage import StageView
from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
from authentik.lib.sync.outgoing.signals import sync_outgoing_inhibit_dispatch
from authentik.lib.utils.reflection import class_to_path
from authentik.lib.utils.time import timedelta_from_string
from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
PLAN_CONTEXT_LOCKDOWN_REASON = "lockdown_reason"
LOCKDOWN_EVENT_ACTION_ID = "account_lockdown"
TARGET_REQUIRED_MESSAGE = _("No target user specified for account lockdown")
PERMISSION_DENIED_MESSAGE = _("You do not have permission to lock down this account.")
ACCOUNT_LOCKDOWN_FAILED_MESSAGE = _("Account lockdown failed for this account.")
SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE = _(
"Self-service account lockdown requires a completion flow."
)
def get_lockdown_target_users() -> QuerySet[User]:
"""Return users that can be targeted by account lockdown."""
return User.objects.exclude_anonymous().exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
def _get_model_field(model: type[Model], field_name: str):
"""Get a model field by name, if present."""
try:
return model._meta.get_field(field_name)
except FieldDoesNotExist:
return None
def _has_user_field(model: type[Model]) -> bool:
"""Check if a model has a direct user foreign key."""
field = _get_model_field(model, "user")
return bool(field and getattr(field, "remote_field", None) and field.remote_field.model is User)
def _has_authenticated_session_field(model: type[Model]) -> bool:
"""Check if a model is linked to an authenticated session."""
field = _get_model_field(model, "session")
return bool(
field
and getattr(field, "remote_field", None)
and field.remote_field.model is AuthenticatedSession
)
def _has_provider_field(model: type[Model]) -> bool:
"""Check if a model is linked to a provider."""
return _get_model_field(model, "provider") is not None
def get_lockdown_token_models() -> tuple[type[Model], ...]:
"""Return token, grant, and provider session models removed by account lockdown."""
token_models: list[type[Model]] = []
for model in apps.get_models():
if model._meta.abstract or not issubclass(model, ExpiringModel):
continue
if model is Token:
token_models.append(model)
elif _has_user_field(model) and (
_has_provider_field(model) or _has_authenticated_session_field(model)
):
token_models.append(model)
elif _has_authenticated_session_field(model):
token_models.append(model)
return tuple(token_models)
def get_lockdown_token_queryset(model: type[Model], user: User) -> QuerySet:
"""Return account lockdown artifacts for a model and user."""
manager = model.objects.including_expired()
if _has_user_field(model):
return manager.filter(user=user)
return manager.filter(session__user=user)
def can_lock_user(actor, user: User) -> bool:
"""Check whether the actor may lock the target user."""
if not actor.is_authenticated:
return False
if user.pk == actor.pk:
return True
return actor.has_perm("authentik_core.change_user", user)
def get_outgoing_sync_tasks() -> tuple[tuple[type[OutgoingSyncProvider], Actor], ...]:
"""Return outgoing sync provider types and their direct sync tasks."""
from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
from authentik.enterprise.providers.google_workspace.tasks import google_workspace_sync_direct
from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
from authentik.enterprise.providers.microsoft_entra.tasks import microsoft_entra_sync_direct
from authentik.providers.scim.models import SCIMProvider
from authentik.providers.scim.tasks import scim_sync_direct
return (
(SCIMProvider, scim_sync_direct),
(GoogleWorkspaceProvider, google_workspace_sync_direct),
(MicrosoftEntraProvider, microsoft_entra_sync_direct),
)
class AccountLockdownStageView(StageView):
"""Execute account lockdown actions on the target user."""
def is_self_service(self, request: HttpRequest, user: User) -> bool:
"""Check whether the currently authenticated user is locking their own account."""
return request.user.is_authenticated and user.pk == request.user.pk
def get_reason(self) -> str:
"""Get the lockdown reason from the plan context.
Priority:
1. prompt_data[PLAN_CONTEXT_LOCKDOWN_REASON]
2. PLAN_CONTEXT_LOCKDOWN_REASON (explicitly set)
3. Empty string as fallback
"""
prompt_data = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {})
if PLAN_CONTEXT_LOCKDOWN_REASON in prompt_data:
return prompt_data[PLAN_CONTEXT_LOCKDOWN_REASON]
return self.executor.plan.context.get(PLAN_CONTEXT_LOCKDOWN_REASON, "")
def _apply_lockdown_actions(self, stage: AccountLockdownStage, user: User) -> None:
"""Apply the configured account changes to the target user."""
if stage.deactivate_user:
user.is_active = False
if stage.set_unusable_password:
user.set_unusable_password()
if stage.deactivate_user:
with sync_outgoing_inhibit_dispatch():
user.save()
return
user.save()
def _sync_deactivated_user_to_outgoing_providers(self, user: User) -> None:
"""Synchronize a deactivated user to outgoing sync providers."""
messages = []
wait_timeout = 0
model = class_to_path(User)
provider_filter = Q(backchannel_application__isnull=False) | Q(application__isnull=False)
for provider_model, task_sync_direct in get_outgoing_sync_tasks():
for provider in provider_model.objects.filter(provider_filter):
time_limit = int(
timedelta_from_string(provider.sync_page_timeout).total_seconds() * 1000
)
messages.append(
task_sync_direct.message_with_options(
args=(model, user.pk, provider.pk),
rel_obj=provider,
time_limit=time_limit,
uid=f"{provider.name}:user:{user.pk}:direct",
)
)
wait_timeout += time_limit
if not messages:
return
try:
group(messages).run().wait(timeout=wait_timeout)
except ResultTimeout:
self.logger.warning(
"Timed out waiting for outgoing sync tasks; tasks remain queued",
user=user.username,
timeout=wait_timeout,
)
def _get_lockdown_artifact_querysets(
self, stage: AccountLockdownStage, user: User
) -> tuple[QuerySet, ...]:
"""Return the configured sessions and tokens targeted by lockdown."""
querysets: list[QuerySet] = []
if stage.delete_sessions:
querysets.append(Session.objects.filter(authenticatedsession__user=user))
if stage.revoke_tokens:
querysets.extend(
get_lockdown_token_queryset(model, user) for model in get_lockdown_token_models()
)
return tuple(querysets)
def _delete_lockdown_artifacts(self, stage: AccountLockdownStage, user: User) -> None:
"""Delete sessions and tokens selected by the lockdown configuration."""
for queryset in self._get_lockdown_artifact_querysets(stage, user):
queryset.delete()
def _has_lockdown_artifacts(self, stage: AccountLockdownStage, user: User) -> bool:
"""Check whether there are still sessions or tokens to remove."""
return any(
queryset.exists() for queryset in self._get_lockdown_artifact_querysets(stage, user)
)
def _emit_lockdown_event(self, request: HttpRequest, user: User, reason: str) -> None:
"""Emit the audit event for a completed lockdown."""
# Emit the audit event after the transaction commits. If event creation
# fails here, dispatch() would otherwise treat the whole lockdown as
# failed even though the account changes have already been committed.
try:
Event.new(
EventAction.USER_WRITE,
action_id=LOCKDOWN_EVENT_ACTION_ID,
reason=reason,
affected_user=user.username,
).from_http(request)
except Exception as exc: # noqa: BLE001
# Event emission should not make the lockdown itself fail.
self.logger.warning(
"Failed to emit account lockdown event",
user=user.username,
exc=exc,
)
def _lockdown_user(
self,
request: HttpRequest,
stage: AccountLockdownStage,
user: User,
reason: str,
) -> None:
"""Execute lockdown actions on a single user."""
with atomic():
user = User.objects.get(pk=user.pk)
self._apply_lockdown_actions(stage, user)
self._delete_lockdown_artifacts(stage, user)
# These additional checks/deletes are done to prevent a timing attack that creates tokens
# with a compromised token that is simultaneously being deleted.
while self._has_lockdown_artifacts(stage, user):
with atomic():
self._delete_lockdown_artifacts(stage, user)
if stage.deactivate_user:
try:
self._sync_deactivated_user_to_outgoing_providers(user)
except Exception as exc: # noqa: BLE001
# Local lockdown has already committed. Provider sync failures
# must not reopen access or mark the lockdown itself as failed.
self.logger.warning(
"Failed to sync account lockdown deactivation to outgoing providers",
user=user.username,
exc=exc,
)
self._emit_lockdown_event(request, user, reason)
def dispatch(self, request: HttpRequest) -> HttpResponse:
"""Execute account lockdown actions."""
self.request = request
stage: AccountLockdownStage = self.executor.current_stage
pending_user = self.get_pending_user()
if not pending_user.is_authenticated:
self.logger.warning("No target user found for account lockdown")
return self.executor.stage_invalid(TARGET_REQUIRED_MESSAGE)
user = get_lockdown_target_users().filter(pk=pending_user.pk).first()
if user is None:
self.logger.warning("Target user is not eligible for account lockdown")
return self.executor.stage_invalid(TARGET_REQUIRED_MESSAGE)
if not can_lock_user(request.user, user):
self.logger.warning(
"Permission denied for account lockdown",
actor=getattr(request.user, "username", None),
target=user.username,
)
return self.executor.stage_invalid(PERMISSION_DENIED_MESSAGE)
reason = self.get_reason()
self_service = self.is_self_service(request, user)
if self_service and stage.delete_sessions and not stage.self_service_completion_flow:
self.logger.warning("No completion flow configured for self-service account lockdown")
return self.executor.stage_invalid(SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE)
self.logger.info(
"Executing account lockdown",
user=user.username,
reason=reason,
self_service=self_service,
deactivate_user=stage.deactivate_user,
set_unusable_password=stage.set_unusable_password,
delete_sessions=stage.delete_sessions,
revoke_tokens=stage.revoke_tokens,
)
try:
self._lockdown_user(request, stage, user, reason)
self.logger.info("Account lockdown completed", user=user.username)
except Exception as exc: # noqa: BLE001
# Convert unexpected lockdown errors to a flow-stage failure instead
# of leaking an exception through the flow executor.
self.logger.warning("Account lockdown failed", user=user.username, exc=exc)
return self.executor.stage_invalid(ACCOUNT_LOCKDOWN_FAILED_MESSAGE)
if self_service:
if stage.delete_sessions:
return self._self_service_completion_response(request)
return self.executor.stage_ok()
return self.executor.stage_ok()
def _self_service_completion_response(self, request: HttpRequest) -> HttpResponse:
"""Redirect to completion flow after self-service lockdown.
Since all sessions are deleted, the user cannot continue in the flow.
Redirect them to an unauthenticated completion flow that shows the
lockdown message.
We use a direct HTTP redirect instead of a challenge because the
flow executor's challenge handling may try to access the session
which we just deleted.
"""
stage: AccountLockdownStage = self.executor.current_stage
completion_flow = stage.self_service_completion_flow
if completion_flow:
# Flush the current request's session to prevent Django's session
# middleware from trying to save a deleted session
if hasattr(request, "session"):
request.session.flush()
redirect_to = reverse(
"authentik_core:if-flow",
kwargs={"flow_slug": completion_flow.slug},
)
return HttpResponseRedirect(redirect_to)
return self.executor.stage_invalid(SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE)
authentik/enterprise/stages/account_lockdown/tests/__init__.py
View File
authentik/enterprise/stages/account_lockdown/tests/test_api.py
+148
View File
@@ -0,0 +1,148 @@
"""Test Users Account Lockdown API"""
from json import loads
from unittest.mock import MagicMock, patch
from urllib.parse import urlparse
from django.urls import reverse
from rest_framework.test import APITestCase
from authentik.core.tests.utils import (
create_test_brand,
create_test_flow,
create_test_user,
)
from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
from authentik.flows.models import FlowDesignation, FlowStageBinding
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
from authentik.flows.views.executor import SESSION_KEY_PLAN
from authentik.lib.generators import generate_id
# Patch for enterprise license check
patch_license = patch(
"authentik.enterprise.models.LicenseUsageStatus.is_valid",
MagicMock(return_value=True),
)
@patch_license
class AccountLockdownAPITestCase(APITestCase):
"""Shared helpers for account lockdown API tests."""
def setUp(self) -> None:
self.lockdown_flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
self.lockdown_stage = AccountLockdownStage.objects.create(name=generate_id())
FlowStageBinding.objects.create(
target=self.lockdown_flow,
stage=self.lockdown_stage,
order=0,
)
self.brand = create_test_brand()
self.brand.flow_lockdown = self.lockdown_flow
self.brand.save()
def create_user_with_email(self):
"""Create a regular user with a unique email address."""
user = create_test_user()
user.email = f"{generate_id()}@test.com"
user.save()
return user
def assert_redirect_targets(self, response, user):
"""Assert that a response contains a pre-planned lockdown flow link for a user."""
self.assertEqual(response.status_code, 200)
body = loads(response.content)
self.assertIn(self.lockdown_flow.slug, body["link"])
self.assertEqual(urlparse(body["link"]).query, "")
plan = self.client.session[SESSION_KEY_PLAN]
self.assertEqual(plan.context[PLAN_CONTEXT_PENDING_USER].pk, user.pk)
def assert_no_flow_configured(self, response):
"""Assert that the API reports a missing lockdown flow."""
self.assertEqual(response.status_code, 400)
body = loads(response.content)
self.assertIn("No lockdown flow configured", body["non_field_errors"][0])
@patch_license
class TestUsersAccountLockdownAPI(AccountLockdownAPITestCase):
"""Test Users Account Lockdown API"""
def setUp(self) -> None:
super().setUp()
self.actor = create_test_user()
self.user = self.create_user_with_email()
def test_account_lockdown_with_change_user_returns_redirect(self):
"""Test that account lockdown allows users with change_user permission."""
self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.user)
self.client.force_login(self.actor)
response = self.client.post(
reverse("authentik_api:user-account-lockdown"),
data={"user": self.user.pk},
format="json",
)
self.assert_redirect_targets(response, self.user)
def test_account_lockdown_no_flow_configured(self):
"""Test account lockdown when no flow is configured"""
self.brand.flow_lockdown = None
self.brand.save()
self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.user)
self.client.force_login(self.actor)
response = self.client.post(
reverse("authentik_api:user-account-lockdown"),
data={"user": self.user.pk},
format="json",
)
self.assert_no_flow_configured(response)
def test_account_lockdown_unauthenticated(self):
"""Test account lockdown requires authentication"""
response = self.client.post(
reverse("authentik_api:user-account-lockdown"),
data={"user": self.user.pk},
format="json",
)
self.assertEqual(response.status_code, 403)
def test_account_lockdown_without_change_user_denied(self):
"""Test account lockdown denies users without change_user permission."""
self.client.force_login(self.actor)
response = self.client.post(
reverse("authentik_api:user-account-lockdown"),
data={"user": self.user.pk},
format="json",
)
self.assertEqual(response.status_code, 403)
def test_account_lockdown_self_returns_redirect(self):
"""Test successful self-service account lockdown returns a direct redirect."""
self.client.force_login(self.user)
response = self.client.post(
reverse("authentik_api:user-account-lockdown"),
data={},
format="json",
)
self.assert_redirect_targets(response, self.user)
def test_account_lockdown_self_target_without_change_user_returns_redirect(self):
"""Test self-service does not require change_user permission."""
self.client.force_login(self.user)
response = self.client.post(
reverse("authentik_api:user-account-lockdown"),
data={"user": self.user.pk},
format="json",
)
self.assert_redirect_targets(response, self.user)
authentik/enterprise/stages/account_lockdown/tests/test_blueprint.py
+46
View File
@@ -0,0 +1,46 @@
"""Tests for the packaged account-lockdown blueprint."""
from unittest.mock import patch
from django.test import TransactionTestCase
from authentik.blueprints.models import BlueprintInstance
from authentik.blueprints.v1.importer import Importer
from authentik.blueprints.v1.tasks import blueprints_find, check_blueprint_v1_file
from authentik.enterprise.license import LicenseKey
from authentik.flows.models import Flow
BLUEPRINT_PATH = "example/flow-default-account-lockdown.yaml"
class TestAccountLockdownBlueprint(TransactionTestCase):
"""Test the packaged account-lockdown blueprint behavior."""
def test_blueprint_is_not_auto_instantiated(self):
"""Test the packaged blueprint is opt-in and skipped by discovery."""
BlueprintInstance.objects.filter(path=BLUEPRINT_PATH).delete()
blueprint = next(item for item in blueprints_find() if item.path == BLUEPRINT_PATH)
check_blueprint_v1_file(blueprint)
self.assertFalse(BlueprintInstance.objects.filter(path=BLUEPRINT_PATH).exists())
def test_blueprint_requires_licensed_context(self):
"""Test manual import only creates flows when enterprise is licensed."""
content = BlueprintInstance(path=BLUEPRINT_PATH).retrieve()
license_key = LicenseKey("test", 253402300799, "Test license", 1000, 1000)
with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
importer = Importer.from_string(content, {"goauthentik.io/enterprise/licensed": False})
valid, logs = importer.validate()
self.assertTrue(valid, logs)
self.assertTrue(importer.apply())
self.assertFalse(Flow.objects.filter(slug="default-account-lockdown").exists())
self.assertFalse(Flow.objects.filter(slug="default-account-lockdown-complete").exists())
importer = Importer.from_string(content, {"goauthentik.io/enterprise/licensed": True})
valid, logs = importer.validate()
self.assertTrue(valid, logs)
self.assertTrue(importer.apply())
self.assertTrue(Flow.objects.filter(slug="default-account-lockdown").exists())
self.assertTrue(Flow.objects.filter(slug="default-account-lockdown-complete").exists())
authentik/enterprise/stages/account_lockdown/tests/test_stage.py
+627
View File
@@ -0,0 +1,627 @@
"""Account lockdown stage tests"""
import json
from dataclasses import asdict
from threading import Event as ThreadEvent
from threading import Thread
from types import SimpleNamespace
from unittest.mock import MagicMock, patch
from django.db import connection
from django.http import HttpResponse
from django.test import TransactionTestCase
from django.urls import reverse
from django.utils import timezone
from dramatiq.results.errors import ResultTimeout
from authentik.core.models import AuthenticatedSession, Session, Token, TokenIntents
from authentik.core.tests.utils import (
RequestFactory,
create_test_admin_user,
create_test_cert,
create_test_flow,
create_test_user,
)
from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
from authentik.enterprise.stages.account_lockdown.stage import (
LOCKDOWN_EVENT_ACTION_ID,
PLAN_CONTEXT_LOCKDOWN_REASON,
AccountLockdownStageView,
can_lock_user,
)
from authentik.events.models import Event, EventAction
from authentik.flows.markers import StageMarker
from authentik.flows.models import FlowDesignation, FlowStageBinding
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
from authentik.flows.tests import FlowTestCase
from authentik.lib.generators import generate_id
from authentik.lib.utils.reflection import class_to_path
from authentik.providers.oauth2.id_token import IDToken
from authentik.providers.oauth2.models import (
AccessToken,
AuthorizationCode,
DeviceToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
RefreshToken,
)
from authentik.providers.saml.models import SAMLProvider, SAMLSession
from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
patch_enterprise_enabled = patch(
"authentik.enterprise.apps.AuthentikEnterpriseConfig.check_enabled",
return_value=True,
)
class AccountLockdownStageTestMixin:
"""Shared setup helpers for account lockdown stage tests."""
@classmethod
def setUpClass(cls):
cls.patch_enterprise_enabled = patch_enterprise_enabled.start()
cls.patch_event_dispatch = patch("authentik.events.tasks.event_trigger_dispatch.send")
cls.patch_event_dispatch.start()
super().setUpClass()
@classmethod
def tearDownClass(cls):
cls.patch_event_dispatch.stop()
patch_enterprise_enabled.stop()
super().tearDownClass()
def setUp(self):
super().setUp()
self.user = create_test_admin_user()
self.target_user = create_test_admin_user()
self.flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
self.stage = AccountLockdownStage.objects.create(
name="lockdown",
)
self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=0)
self.request_factory = RequestFactory()
def make_stage_view(self, plan: FlowPlan):
def _stage_ok():
return HttpResponse(status=204)
def _stage_invalid(_error_message=None):
return HttpResponse(status=400)
return AccountLockdownStageView(
SimpleNamespace(
plan=plan,
current_stage=self.stage,
current_binding=self.binding,
flow=self.flow,
stage_ok=_stage_ok,
stage_invalid=_stage_invalid,
)
)
def make_request(self, *, user=None, query=None):
return self.request_factory.post(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
query_params=query or {},
user=user,
)
def get_lockdown_event(self):
"""Return the account-lockdown user-write event."""
return Event.objects.filter(
action=EventAction.USER_WRITE,
context__action_id=LOCKDOWN_EVENT_ACTION_ID,
).first()
class TestAccountLockdownStage(AccountLockdownStageTestMixin, FlowTestCase):
"""Account lockdown stage tests"""
def test_lockdown_no_target(self):
"""Test lockdown stage with no pending user fails"""
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
response = view.dispatch(self.make_request())
self.assertEqual(response.status_code, 400)
def test_lockdown_with_pending_user(self):
"""Test lockdown stage with a pending target user."""
self.target_user.is_active = True
self.target_user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_LOCKDOWN_REASON] = "Security incident"
plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
view = self.make_stage_view(plan)
request = self.make_request(user=self.user)
self.assertTrue(can_lock_user(request.user, self.target_user))
response = view.dispatch(request)
self.target_user.refresh_from_db()
self.assertFalse(self.target_user.is_active)
self.assertFalse(self.target_user.has_usable_password())
self.assertEqual(response.status_code, 204)
# Check event was created
event = self.get_lockdown_event()
self.assertIsNotNone(event)
self.assertEqual(event.context["action_id"], LOCKDOWN_EVENT_ACTION_ID)
self.assertEqual(event.context["reason"], "Security incident")
self.assertEqual(event.context["affected_user"], self.target_user.username)
def test_lockdown_with_pending_user_reason(self):
"""Test lockdown stage with a pending target and explicit reason."""
self.target_user.is_active = True
self.target_user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_LOCKDOWN_REASON] = "Compromised account"
plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
view = self.make_stage_view(plan)
request = self.make_request(user=self.user)
self.assertTrue(can_lock_user(request.user, self.target_user))
response = view.dispatch(request)
self.target_user.refresh_from_db()
self.assertFalse(self.target_user.is_active)
self.assertEqual(response.status_code, 204)
def test_lockdown_reason_from_prompt(self):
"""Test lockdown stage reads the reason from prompt data."""
self.target_user.is_active = True
self.target_user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PROMPT] = {
PLAN_CONTEXT_LOCKDOWN_REASON: "User requested lockdown",
}
view = self.make_stage_view(plan)
request = self.make_request(user=self.user)
view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
event = self.get_lockdown_event()
self.assertIsNotNone(event)
self.assertEqual(event.context["reason"], "User requested lockdown")
def test_lockdown_event_failure_does_not_fail_self_service(self):
"""Test lockdown still succeeds when event emission fails."""
self.stage.delete_sessions = False
self.stage.save()
self.target_user.is_active = True
self.target_user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
view = self.make_stage_view(plan)
request = self.make_request(user=self.target_user)
original_event_new = Event.new
def _event_new_side_effect(action, *args, **kwargs):
if (
action == EventAction.USER_WRITE
and kwargs.get("action_id") == LOCKDOWN_EVENT_ACTION_ID
):
raise RuntimeError("simulated event failure")
return original_event_new(action, *args, **kwargs)
with patch(
"authentik.enterprise.stages.account_lockdown.stage.Event.new",
side_effect=_event_new_side_effect,
):
view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
self.target_user.refresh_from_db()
self.assertFalse(self.target_user.is_active)
def test_dispatch_records_success_when_event_emission_fails(self):
"""Test dispatch still completes if event emission fails."""
self.stage.delete_sessions = False
self.stage.save()
self.target_user.is_active = True
self.target_user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
view = self.make_stage_view(plan)
request = self.make_request(
user=self.target_user,
)
original_event_new = Event.new
def _event_new_side_effect(action, *args, **kwargs):
if (
action == EventAction.USER_WRITE
and kwargs.get("action_id") == LOCKDOWN_EVENT_ACTION_ID
):
raise RuntimeError("simulated event failure")
return original_event_new(action, *args, **kwargs)
with patch(
"authentik.enterprise.stages.account_lockdown.stage.Event.new",
side_effect=_event_new_side_effect,
):
response = view.dispatch(request)
self.target_user.refresh_from_db()
self.assertFalse(self.target_user.is_active)
self.assertEqual(response.status_code, 204)
def test_lockdown_self_service_redirects_to_completion_flow(self):
"""Test self-service lockdown redirects to completion flow when sessions are deleted."""
completion_flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
self.stage.self_service_completion_flow = completion_flow
self.stage.save()
self.target_user.is_active = True
self.target_user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
request = self.make_request(user=self.target_user)
view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
response = view._self_service_completion_response(request)
self.assertEqual(response.status_code, 302)
self.assertEqual(
response.url,
reverse("authentik_core:if-flow", kwargs={"flow_slug": completion_flow.slug}),
)
def test_lockdown_self_service_requires_completion_flow(self):
"""Test self-service lockdown fails before deleting sessions without a completion flow."""
self.stage.self_service_completion_flow = None
self.stage.save()
self.target_user.is_active = True
self.target_user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
view = self.make_stage_view(plan)
request = self.make_request(user=self.target_user)
response = view.dispatch(request)
self.assertEqual(response.status_code, 400)
self.target_user.refresh_from_db()
self.assertTrue(self.target_user.is_active)
def test_lockdown_denies_other_user_without_permission(self):
"""Test lockdown stage rejects non-self requests without change_user permission."""
actor = create_test_user()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
view = self.make_stage_view(plan)
request = self.make_request(user=actor)
self.assertFalse(can_lock_user(request.user, self.target_user))
response = view.dispatch(request)
self.assertEqual(response.status_code, 400)
def test_lockdown_revokes_tokens(self):
"""Test lockdown stage revokes tokens"""
Token.objects.create(
user=self.target_user,
identifier="test-token",
intent=TokenIntents.INTENT_API,
key=generate_id(),
expiring=False,
)
self.assertEqual(Token.objects.filter(user=self.target_user).count(), 1)
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
self.assertEqual(Token.objects.filter(user=self.target_user).count(), 0)
def test_lockdown_revokes_provider_tokens(self):
"""Test lockdown stage revokes provider tokens and sessions."""
oauth_provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver/callback")
],
signing_key=create_test_cert(),
)
saml_provider = SAMLProvider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
acs_url="https://sp.example.com/acs",
issuer_override="https://idp.example.com",
)
session = Session.objects.create(
session_key=generate_id(),
expires=timezone.now() + timezone.timedelta(hours=1),
last_ip="127.0.0.1",
)
auth_session = AuthenticatedSession.objects.create(
session=session,
user=self.target_user,
)
grant_kwargs = {
"provider": oauth_provider,
"user": self.target_user,
"auth_time": timezone.now(),
"_scope": "openid profile",
"expiring": False,
}
token_kwargs = grant_kwargs | {"_id_token": json.dumps(asdict(IDToken("foo", "bar")))}
AuthorizationCode.objects.create(
code=generate_id(),
session=auth_session,
**grant_kwargs,
)
AccessToken.objects.create(
token=generate_id(),
session=auth_session,
**token_kwargs,
)
RefreshToken.objects.create(
token=generate_id(),
session=auth_session,
**token_kwargs,
)
DeviceToken.objects.create(
provider=oauth_provider,
user=self.target_user,
session=auth_session,
_scope="openid profile",
expiring=False,
)
SAMLSession.objects.create(
provider=saml_provider,
user=self.target_user,
session=auth_session,
session_index=generate_id(),
name_id=self.target_user.email,
expires=timezone.now() + timezone.timedelta(hours=1),
expiring=True,
)
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
self.assertEqual(AuthorizationCode.objects.filter(user=self.target_user).count(), 0)
self.assertEqual(AccessToken.objects.filter(user=self.target_user).count(), 0)
self.assertEqual(RefreshToken.objects.filter(user=self.target_user).count(), 0)
self.assertEqual(DeviceToken.objects.filter(user=self.target_user).count(), 0)
self.assertEqual(SAMLSession.objects.filter(user=self.target_user).count(), 0)
def test_lockdown_selective_actions(self):
"""Test lockdown stage with selective actions"""
self.stage.deactivate_user = True
self.stage.set_unusable_password = False
self.stage.delete_sessions = False
self.stage.revoke_tokens = False
self.stage.save()
self.target_user.is_active = True
self.target_user.set_password("testpassword")
self.target_user.save()
Token.objects.create(
user=self.target_user,
identifier="test-token",
intent=TokenIntents.INTENT_API,
key=generate_id(),
expiring=False,
)
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
self.target_user.refresh_from_db()
# User should be deactivated
self.assertFalse(self.target_user.is_active)
# Password should still be usable
self.assertTrue(self.target_user.has_usable_password())
# Token should still exist
self.assertEqual(Token.objects.filter(user=self.target_user).count(), 1)
def test_lockdown_no_actions(self):
"""Test lockdown stage with all actions disabled"""
self.stage.deactivate_user = False
self.stage.set_unusable_password = False
self.stage.delete_sessions = False
self.stage.revoke_tokens = False
self.stage.save()
self.target_user.is_active = True
self.target_user.set_password("testpassword")
self.target_user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
self.target_user.refresh_from_db()
# User should still be active
self.assertTrue(self.target_user.is_active)
# Password should still be usable
self.assertTrue(self.target_user.has_usable_password())
# Event should still be created
event = self.get_lockdown_event()
self.assertIsNotNone(event)
def test_lockdown_deactivation_inhibits_signal_dispatch_until_after_commit(self):
"""Test lockdown queues explicit outgoing syncs after the deactivation transaction."""
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
with (
patch(
"authentik.enterprise.stages.account_lockdown.stage.sync_outgoing_inhibit_dispatch"
) as inhibit,
patch.object(view, "_sync_deactivated_user_to_outgoing_providers") as sync_outgoing,
):
view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
inhibit.assert_called_once()
sync_outgoing.assert_called_once()
synced_user = sync_outgoing.call_args.args[0]
self.assertEqual(synced_user.pk, self.target_user.pk)
self.assertFalse(synced_user.is_active)
def test_lockdown_waits_for_direct_outgoing_provider_syncs(self):
"""Test direct outgoing sync tasks are enqueued and waited on."""
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
provider = SimpleNamespace(name="outgoing", pk=1, sync_page_timeout="seconds=5")
task_sync_direct = MagicMock()
task_sync_direct.message_with_options.return_value = "direct-message"
provider_model = SimpleNamespace(
objects=SimpleNamespace(filter=MagicMock(return_value=[provider]))
)
task_group = MagicMock()
with (
patch(
"authentik.enterprise.stages.account_lockdown.stage.get_outgoing_sync_tasks",
return_value=((provider_model, task_sync_direct),),
),
patch(
"authentik.enterprise.stages.account_lockdown.stage.group",
return_value=task_group,
) as task_group_cls,
):
view._sync_deactivated_user_to_outgoing_providers(self.target_user)
task_sync_direct.message_with_options.assert_called_once_with(
args=(class_to_path(type(self.target_user)), self.target_user.pk, provider.pk),
rel_obj=provider,
time_limit=5000,
uid=f"{provider.name}:user:{self.target_user.pk}:direct",
)
task_group_cls.assert_called_once_with(["direct-message"])
task_group.run.return_value.wait.assert_called_once_with(timeout=5000)
def test_lockdown_outgoing_provider_sync_timeout_leaves_tasks_running(self):
"""Test timeout while waiting for direct outgoing syncs does not fail lockdown."""
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
provider = SimpleNamespace(name="outgoing", pk=1, sync_page_timeout="seconds=5")
task_sync_direct = MagicMock()
task_sync_direct.message_with_options.return_value = "direct-message"
provider_model = SimpleNamespace(
objects=SimpleNamespace(filter=MagicMock(return_value=[provider]))
)
task_group = MagicMock()
task_group.run.return_value.wait.side_effect = ResultTimeout("timed out")
with (
patch(
"authentik.enterprise.stages.account_lockdown.stage.get_outgoing_sync_tasks",
return_value=((provider_model, task_sync_direct),),
),
patch(
"authentik.enterprise.stages.account_lockdown.stage.group",
return_value=task_group,
),
):
view._sync_deactivated_user_to_outgoing_providers(self.target_user)
task_group.run.assert_called_once_with()
task_group.run.return_value.wait.assert_called_once_with(timeout=5000)
def test_lockdown_outgoing_provider_sync_failure_does_not_fail_lockdown(self):
"""Test completed local lockdown still emits an event if outgoing sync fails."""
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
with patch.object(
view,
"_sync_deactivated_user_to_outgoing_providers",
side_effect=ValueError("sync failed"),
):
view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
self.target_user.refresh_from_db()
self.assertFalse(self.target_user.is_active)
event = self.get_lockdown_event()
self.assertIsNotNone(event)
class TestAccountLockdownStageConcurrency(AccountLockdownStageTestMixin, TransactionTestCase):
"""Account lockdown concurrency tests."""
def test_lockdown_retries_when_another_transaction_recreates_a_token(self):
"""Lockdown should remove a token recreated before the retry check runs."""
Token.objects.create(
user=self.target_user,
identifier=f"initial-token-{generate_id()}",
intent=TokenIntents.INTENT_API,
key=generate_id(),
expiring=False,
)
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
view = self.make_stage_view(plan)
original_has_artifacts = view._has_lockdown_artifacts
target_user = self.target_user
thread_ready = ThreadEvent()
start_create = ThreadEvent()
thread_done = ThreadEvent()
thread_errors = []
class TokenCreatorThread(Thread):
__test__ = False
def run(self):
try:
thread_ready.set()
if not start_create.wait(timeout=5):
thread_errors.append("timed out waiting to recreate token")
return
Token.objects.create(
user=target_user,
identifier=f"concurrent-token-{generate_id()}",
intent=TokenIntents.INTENT_API,
key=generate_id(),
expiring=False,
)
except Exception as exc: # noqa: BLE001
thread_errors.append(exc)
finally:
thread_done.set()
connection.close()
def has_artifacts_after_concurrent_create(stage, user):
if not start_create.is_set():
start_create.set()
self.assertTrue(
thread_done.wait(timeout=30),
(
"Concurrent token creation did not complete "
f"before retry check: {thread_errors}"
),
)
return original_has_artifacts(stage, user)
creator = TokenCreatorThread()
with patch.object(
view, "_has_lockdown_artifacts", side_effect=has_artifacts_after_concurrent_create
):
creator.start()
self.assertTrue(
thread_ready.wait(timeout=5),
"Concurrent token creation thread did not start",
)
view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
creator.join()
self.assertEqual(thread_errors, [])
self.assertEqual(Token.objects.filter(user=self.target_user).count(), 0)
authentik/enterprise/stages/account_lockdown/urls.py
+5
View File
@@ -0,0 +1,5 @@
"""API URLs"""
from authentik.enterprise.stages.account_lockdown.api import AccountLockdownStageViewSet
api_urlpatterns = [("stages/account_lockdown", AccountLockdownStageViewSet)]
authentik/root/settings.py
+1
View File
@@ -172,6 +172,7 @@ SPECTACULAR_SETTINGS = {
},
"ENUM_NAME_OVERRIDES": {
"AppEnum": "authentik.lib.api.Apps",
"AuthenticationEnum": "authentik.flows.models.FlowAuthenticationRequirement",
"ConsentModeEnum": "authentik.stages.consent.models.ConsentMode",
"CountryCodeEnum": "django_countries.countries",
"DeviceClassesEnum": "authentik.stages.authenticator_validate.models.DeviceClasses",
authentik/stages/prompt/migrations/0012_alter_prompt_type.py
+64
View File
@@ -0,0 +1,64 @@
# Generated by Django 5.2.12 on 2026-03-14 02:58
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
(
"authentik_stages_prompt",
"0011_prompt_initial_value_prompt_initial_value_expression_and_more",
),
]
operations = [
migrations.AlterField(
model_name="prompt",
name="type",
field=models.CharField(
choices=[
("text", "Text: Simple Text input"),
("text_area", "Text area: Multiline Text Input."),
(
"text_read_only",
"Text (read-only): Simple Text input, but cannot be edited.",
),
(
"text_area_read_only",
"Text area (read-only): Multiline Text input, but cannot be edited.",
),
(
"username",
"Username: Same as Text input, but checks for and prevents duplicate usernames.",
),
("email", "Email: Text field with Email type."),
(
"password",
"Password: Masked input, multiple inputs of this type on the same prompt need to be identical.",
),
("number", "Number"),
("checkbox", "Checkbox"),
(
"radio-button-group",
"Fixed choice field rendered as a group of radio buttons.",
),
("dropdown", "Fixed choice field rendered as a dropdown."),
("date", "Date"),
("date-time", "Date Time"),
(
"file",
"File: File upload for arbitrary files. File content will be available in flow context as data-URI",
),
("separator", "Separator: Static Separator Line"),
("hidden", "Hidden: Hidden field, can be used to insert data into form."),
("static", "Static: Static value, displayed as-is."),
("alert_info", "Alert (Info): Static alert box with info styling"),
("alert_warning", "Alert (Warning): Static alert box with warning styling"),
("alert_danger", "Alert (Danger): Static alert box with danger styling"),
("ak-locale", "authentik: Selection of locales authentik supports"),
],
max_length=100,
),
),
]
authentik/stages/prompt/models.py
+11 -1
View File
@@ -87,6 +87,11 @@ class FieldTypes(models.TextChoices):
HIDDEN = "hidden", _("Hidden: Hidden field, can be used to insert data into form.")
STATIC = "static", _("Static: Static value, displayed as-is.")
# Alert box types for displaying styled messages
ALERT_INFO = "alert_info", _("Alert (Info): Static alert box with info styling")
ALERT_WARNING = "alert_warning", _("Alert (Warning): Static alert box with warning styling")
ALERT_DANGER = "alert_danger", _("Alert (Danger): Static alert box with danger styling")
AK_LOCALE = "ak-locale", _("authentik: Selection of locales authentik supports")
@@ -299,7 +304,12 @@ class Prompt(SerializerModel):
field_class = HiddenField
kwargs["required"] = False
kwargs["default"] = self.placeholder
case FieldTypes.STATIC:
case (
FieldTypes.STATIC
| FieldTypes.ALERT_INFO
| FieldTypes.ALERT_WARNING
| FieldTypes.ALERT_DANGER
):
kwargs["default"] = self.placeholder
kwargs["required"] = False
kwargs["label"] = ""
authentik/stages/prompt/stage.py
+3
View File
@@ -124,6 +124,9 @@ class PromptChallengeResponse(ChallengeResponse):
type__in=[
FieldTypes.HIDDEN,
FieldTypes.STATIC,
FieldTypes.ALERT_INFO,
FieldTypes.ALERT_WARNING,
FieldTypes.ALERT_DANGER,
FieldTypes.TEXT_READ_ONLY,
FieldTypes.TEXT_AREA_READ_ONLY,
]
authentik/stages/prompt/tests.py
+11
View File
@@ -330,10 +330,20 @@ class TestPromptStage(FlowTestCase):
def test_static_hidden_overwrite(self):
"""Test that static and hidden fields ignore any value sent to them"""
alert_prompt = Prompt.objects.create(
name=generate_id(),
field_key="alert_prompt",
type=FieldTypes.ALERT_INFO,
required=True,
placeholder="alert fallback",
initial_value="alert content",
)
self.stage.fields.add(alert_prompt)
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PROMPT] = {"hidden_prompt": "hidden"}
self.prompt_data["hidden_prompt"] = "foo"
self.prompt_data["static_prompt"] = "foo"
self.prompt_data["alert_prompt"] = "foo"
challenge_response = PromptChallengeResponse(
None, stage_instance=self.stage, plan=plan, data=self.prompt_data, stage=self.stage_view
)
@@ -341,6 +351,7 @@ class TestPromptStage(FlowTestCase):
self.assertNotEqual(challenge_response.validated_data["hidden_prompt"], "foo")
self.assertEqual(challenge_response.validated_data["hidden_prompt"], "hidden")
self.assertNotEqual(challenge_response.validated_data["static_prompt"], "foo")
self.assertEqual(challenge_response.validated_data["alert_prompt"], "alert content")
def test_prompt_placeholder(self):
"""Test placeholder and expression"""
blueprints/example/flow-default-account-lockdown.yaml
+306
View File
@@ -0,0 +1,306 @@
version: 1
metadata:
name: Example - Account lockdown flow
labels:
blueprints.goauthentik.io/instantiate: "false"
entries:
flows:
# Main lockdown flow - requires authentication
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
designation: stage_configuration
name: Account Lockdown
title: Lock Account
authentication: require_authenticated
identifiers:
slug: default-account-lockdown
model: authentik_flows.flow
id: flow
# Self-service completion flow - no authentication required
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
designation: stage_configuration
name: Account Lockdown Complete
title: Account Locked
authentication: none
identifiers:
slug: default-account-lockdown-complete
model: authentik_flows.flow
id: completion-flow
prompt_fields:
# Warning field - danger alert box (content varies based on self-service vs admin)
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
order: 50
initial_value: |
target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
is_self_service = not target_uuid or target_uuid == current_user_uuid
pending_user = None
if target_uuid and not is_self_service:
from authentik.core.models import User
pending_user = User.objects.filter(pk=target_uuid).first()
if is_self_service:
return (
"<p><strong>You are about to lock down your own account.</strong></p>"
"<p>This is an emergency action for cutting off access to your account right away.</p>"
"<p><strong>This will immediately:</strong></p>"
"<ul>"
"<li><strong>Invalidate your password</strong> - Your password will be set to a random value "
"and cannot be recovered</li>"
"<li><strong>Deactivate your account</strong> - Your account will be disabled</li>"
"<li><strong>Terminate all your sessions</strong> - You will be logged out everywhere</li>"
"<li><strong>Revoke all your tokens</strong> - All your API, app password, recovery, "
"verification, and OAuth2 tokens and grants will be revoked</li>"
"</ul>"
"<p><strong>This action cannot be easily undone.</strong></p>"
)
from django.utils.html import escape
if pending_user:
email = escape(pending_user.email or pending_user.name or "No email")
user_html = f"<p><code>{escape(pending_user.username)}</code> ({email})</p>"
else:
user_html = "<p>the account selected when this one-time lockdown link was created</p>"
return (
"<p><strong>You are about to lock down the following account:</strong></p>"
f"{user_html}"
"<p>This is an emergency action for cutting off access to the account right away. "
"It does not lock the administrator who opened this page.</p>"
"<p><strong>This will immediately:</strong></p>"
"<ul>"
"<li>Invalidate the user's password</li>"
"<li>Deactivate the user</li>"
"<li>Terminate all sessions - All active sessions will be ended</li>"
"<li>Revoke all tokens - All API, app password, recovery, verification, and OAuth2 "
"tokens and grants will be revoked</li>"
"</ul>"
"<p><strong>This action cannot be easily undone.</strong></p>"
)
initial_value_expression: true
required: false
type: alert_danger
field_key: lockdown_warning
label: Warning
sub_text: ""
identifiers:
name: default-account-lockdown-field-warning
id: prompt-field-warning
model: authentik_stages_prompt.prompt
# Info field - when to use lockdown (content varies based on self-service vs admin)
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
order: 100
initial_value: |
target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
is_self_service = not target_uuid or target_uuid == current_user_uuid
if is_self_service:
info = (
"Use this if you no longer trust your current password or sessions. "
"After lockdown, you will need help from your administrator or security team to regain access."
)
else:
info = (
"Use this for incident response on the listed account, for example after a compromise report "
"or suspicious activity. The reason you enter below will be recorded in the audit log."
)
return (
f"<p>{info}</p>"
'<p><a href="https://docs.goauthentik.io/docs/security/'
'account-lockdown?utm_source=authentik" '
'target="_blank" rel="noopener noreferrer">Learn more about account lockdown</a></p>'
)
initial_value_expression: true
required: false
type: alert_info
field_key: lockdown_info
label: Information
sub_text: ""
identifiers:
name: default-account-lockdown-field-info
id: prompt-field-info
model: authentik_stages_prompt.prompt
# Reason field - text area for lockdown reason
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
order: 200
placeholder: |
target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
is_self_service = not target_uuid or target_uuid == current_user_uuid
if is_self_service:
return "Describe why you are locking your account..."
return "Describe why this account is being locked down..."
placeholder_expression: true
required: true
type: text_area
field_key: lockdown_reason
label: Reason
sub_text: This explanation will be recorded in the audit log.
identifiers:
name: default-account-lockdown-field-reason
id: prompt-field-reason
model: authentik_stages_prompt.prompt
prompt_stages:
# Prompt stage for warnings and reason input
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
fields:
- !KeyOf prompt-field-warning
- !KeyOf prompt-field-info
- !KeyOf prompt-field-reason
identifiers:
name: default-account-lockdown-prompt
id: default-account-lockdown-prompt
model: authentik_stages_prompt.promptstage
lockdown_stage:
# Account lockdown stage - performs the actual lockdown
- conditions:
- !Context goauthentik.io/enterprise/licensed
identifiers:
name: default-account-lockdown-stage
id: default-account-lockdown-stage
model: authentik_stages_account_lockdown.accountlockdownstage
attrs:
deactivate_user: true
set_unusable_password: true
delete_sessions: true
revoke_tokens: true
self_service_completion_flow: !Find [authentik_flows.flow, [slug, default-account-lockdown-complete]]
completion_prompt:
# Completion message field - confirmation shown after an admin-triggered lockdown
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
order: 300
initial_value: |
target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
from django.utils.html import escape
from authentik.core.models import User
if target_uuid:
target = User.objects.filter(pk=target_uuid).first()
if target:
return f"<p><code>{escape(target.username)}</code> has been locked down.</p>"
return "<p>The selected account has been locked down.</p>"
initial_value_expression: true
required: false
type: alert_info
field_key: lockdown_complete
label: Result
sub_text: ""
identifiers:
name: default-account-lockdown-field-complete
id: prompt-field-complete
model: authentik_stages_prompt.prompt
# Prompt stage for admin completion message
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
fields:
- !KeyOf prompt-field-complete
identifiers:
name: default-account-lockdown-complete-prompt
id: default-account-lockdown-complete-prompt
model: authentik_stages_prompt.promptstage
policies:
# Expression policy to check if this is NOT a self-service lockdown (admin)
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
name: default-account-lockdown-admin-policy
expression: |
target_uuid = (request.http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
current_user_uuid = str(getattr(request.user, "pk", "") or getattr(request.http_request.user, "pk", ""))
return bool(target_uuid) and target_uuid != current_user_uuid
identifiers:
name: default-account-lockdown-admin-policy
id: admin-policy
model: authentik_policies_expression.expressionpolicy
bindings:
# Stage bindings
- conditions:
- !Context goauthentik.io/enterprise/licensed
identifiers:
order: 0
stage: !KeyOf default-account-lockdown-prompt
target: !KeyOf flow
model: authentik_flows.flowstagebinding
- conditions:
- !Context goauthentik.io/enterprise/licensed
identifiers:
order: 10
stage: !KeyOf default-account-lockdown-stage
target: !KeyOf flow
model: authentik_flows.flowstagebinding
# Admin completion stage binding - shown for admin lockdown only
- conditions:
- !Context goauthentik.io/enterprise/licensed
identifiers:
order: 20
stage: !KeyOf default-account-lockdown-complete-prompt
target: !KeyOf flow
id: admin-completion-binding
model: authentik_flows.flowstagebinding
# Bind the admin policy to the admin completion stage
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
enabled: true
negate: false
order: 0
identifiers:
policy: !KeyOf admin-policy
target: !KeyOf admin-completion-binding
model: authentik_policies.policybinding
self_service_completion:
# Self-service completion message field (for the unauthenticated completion flow)
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
order: 100
initial_value: |
return (
"<h1>Your account has been locked</h1>"
"<p>You have been logged out of all sessions and your password has been invalidated.</p>"
"<p>To regain access to your account, please contact your IT administrator or security team.</p>"
)
initial_value_expression: true
required: false
type: alert_warning
field_key: self_lockdown_complete
label: Account locked
sub_text: ""
identifiers:
name: default-account-lockdown-self-field-complete
id: self-prompt-field-complete
model: authentik_stages_prompt.prompt
# Prompt stage for self-service completion (unauthenticated)
- conditions:
- !Context goauthentik.io/enterprise/licensed
attrs:
fields:
- !KeyOf self-prompt-field-complete
identifiers:
name: default-account-lockdown-self-complete-prompt
id: default-account-lockdown-self-complete-prompt
model: authentik_stages_prompt.promptstage
# Bind self-service completion stage to the completion flow
- conditions:
- !Context goauthentik.io/enterprise/licensed
identifiers:
order: 0
stage: !KeyOf default-account-lockdown-self-complete-prompt
target: !Find [authentik_flows.flow, [slug, default-account-lockdown-complete]]
model: authentik_flows.flowstagebinding
blueprints/schema.json
+121
View File
@@ -1216,6 +1216,46 @@
}
}
},
{
"type": "object",
"required": [
"model",
"identifiers"
],
"properties": {
"model": {
"const": "authentik_stages_account_lockdown.accountlockdownstage"
},
"id": {
"type": "string"
},
"state": {
"type": "string",
"enum": [
"absent",
"created",
"must_created",
"present"
],
"default": "present"
},
"conditions": {
"type": "array",
"items": {
"type": "boolean"
}
},
"permissions": {
"$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage_permissions"
},
"attrs": {
"$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage"
},
"identifiers": {
"$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage"
}
}
},
{
"type": "object",
"required": [
@@ -5100,6 +5140,11 @@
"format": "uuid",
"title": "Flow device code"
},
"flow_lockdown": {
"type": "string",
"format": "uuid",
"title": "Flow lockdown"
},
"default_application": {
"type": "string",
"format": "uuid",
@@ -6094,6 +6139,10 @@
"authentik_sources_telegram.view_telegramsource",
"authentik_sources_telegram.view_telegramsourcepropertymapping",
"authentik_sources_telegram.view_usertelegramsourceconnection",
"authentik_stages_account_lockdown.add_accountlockdownstage",
"authentik_stages_account_lockdown.change_accountlockdownstage",
"authentik_stages_account_lockdown.delete_accountlockdownstage",
"authentik_stages_account_lockdown.view_accountlockdownstage",
"authentik_stages_authenticator_duo.add_authenticatorduostage",
"authentik_stages_authenticator_duo.add_duodevice",
"authentik_stages_authenticator_duo.change_authenticatorduostage",
@@ -7757,6 +7806,69 @@
}
}
},
"model_authentik_stages_account_lockdown.accountlockdownstage": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1,
"title": "Name"
},
"deactivate_user": {
"type": "boolean",
"title": "Deactivate user",
"description": "Deactivate the user account (set is_active to False)"
},
"set_unusable_password": {
"type": "boolean",
"title": "Set unusable password",
"description": "Set an unusable password for the user"
},
"delete_sessions": {
"type": "boolean",
"title": "Delete sessions",
"description": "Delete all active sessions for the user"
},
"revoke_tokens": {
"type": "boolean",
"title": "Revoke tokens",
"description": "Revoke all tokens for the user (API, app password, recovery, verification, OAuth)"
},
"self_service_completion_flow": {
"type": "string",
"format": "uuid",
"title": "Self service completion flow",
"description": "Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted."
}
},
"required": []
},
"model_authentik_stages_account_lockdown.accountlockdownstage_permissions": {
"type": "array",
"items": {
"type": "object",
"required": [
"permission"
],
"properties": {
"permission": {
"type": "string",
"enum": [
"add_accountlockdownstage",
"change_accountlockdownstage",
"delete_accountlockdownstage",
"view_accountlockdownstage"
]
},
"user": {
"type": "integer"
},
"role": {
"type": "string"
}
}
}
},
"model_authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage": {
"type": "object",
"properties": {
@@ -8952,6 +9064,7 @@
"authentik.enterprise.providers.ssf",
"authentik.enterprise.providers.ws_federation",
"authentik.enterprise.reports",
"authentik.enterprise.stages.account_lockdown",
"authentik.enterprise.stages.authenticator_endpoint_gdtc",
"authentik.enterprise.stages.mtls",
"authentik.enterprise.stages.source"
@@ -9084,6 +9197,7 @@
"authentik_providers_ssf.ssfprovider",
"authentik_providers_ws_federation.wsfederationprovider",
"authentik_reports.dataexport",
"authentik_stages_account_lockdown.accountlockdownstage",
"authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
"authentik_stages_mtls.mutualtlsstage",
"authentik_stages_source.sourcestage"
@@ -11791,6 +11905,10 @@
"authentik_sources_telegram.view_telegramsource",
"authentik_sources_telegram.view_telegramsourcepropertymapping",
"authentik_sources_telegram.view_usertelegramsourceconnection",
"authentik_stages_account_lockdown.add_accountlockdownstage",
"authentik_stages_account_lockdown.change_accountlockdownstage",
"authentik_stages_account_lockdown.delete_accountlockdownstage",
"authentik_stages_account_lockdown.view_accountlockdownstage",
"authentik_stages_authenticator_duo.add_authenticatorduostage",
"authentik_stages_authenticator_duo.add_duodevice",
"authentik_stages_authenticator_duo.change_authenticatorduostage",
@@ -15657,6 +15775,9 @@
"separator",
"hidden",
"static",
"alert_info",
"alert_warning",
"alert_danger",
"ak-locale"
],
"title": "Type"
packages/client-go/api_core.go
Generated
+9
View File
@@ -39,6 +39,7 @@ type ApiCoreBrandsListRequest struct {
flowAuthentication *string
flowDeviceCode *string
flowInvalidation *string
flowLockdown *string
flowRecovery *string
flowUnenrollment *string
flowUserSettings *string
@@ -104,6 +105,11 @@ func (r ApiCoreBrandsListRequest) FlowInvalidation(flowInvalidation string) ApiC
return r
}
func (r ApiCoreBrandsListRequest) FlowLockdown(flowLockdown string) ApiCoreBrandsListRequest {
r.flowLockdown = &flowLockdown
return r
}
func (r ApiCoreBrandsListRequest) FlowRecovery(flowRecovery string) ApiCoreBrandsListRequest {
r.flowRecovery = &flowRecovery
return r
@@ -230,6 +236,9 @@ func (a *CoreAPIService) CoreBrandsListExecute(r ApiCoreBrandsListRequest) (*Pag
if r.flowInvalidation != nil {
parameterAddToHeaderOrQuery(localVarQueryParams, "flow_invalidation", r.flowInvalidation, "form", "")
}
if r.flowLockdown != nil {
parameterAddToHeaderOrQuery(localVarQueryParams, "flow_lockdown", r.flowLockdown, "form", "")
}
if r.flowRecovery != nil {
parameterAddToHeaderOrQuery(localVarQueryParams, "flow_recovery", r.flowRecovery, "form", "")
}
packages/client-go/model_brand.go
Generated
+48
View File
@@ -36,6 +36,7 @@ type Brand struct {
FlowUnenrollment NullableString `json:"flow_unenrollment,omitempty"`
FlowUserSettings NullableString `json:"flow_user_settings,omitempty"`
FlowDeviceCode NullableString `json:"flow_device_code,omitempty"`
FlowLockdown NullableString `json:"flow_lockdown,omitempty"`
// When set, external users will be redirected to this application after authenticating.
DefaultApplication NullableString `json:"default_application,omitempty"`
// Web Certificate used by the authentik Core webserver.
@@ -565,6 +566,49 @@ func (o *Brand) UnsetFlowDeviceCode() {
o.FlowDeviceCode.Unset()
}
// GetFlowLockdown returns the FlowLockdown field value if set, zero value otherwise (both if not set or set to explicit null).
func (o *Brand) GetFlowLockdown() string {
if o == nil || IsNil(o.FlowLockdown.Get()) {
var ret string
return ret
}
return *o.FlowLockdown.Get()
}
// GetFlowLockdownOk returns a tuple with the FlowLockdown field value if set, nil otherwise
// and a boolean to check if the value has been set.
// NOTE: If the value is an explicit nil, `nil, true` will be returned
func (o *Brand) GetFlowLockdownOk() (*string, bool) {
if o == nil {
return nil, false
}
return o.FlowLockdown.Get(), o.FlowLockdown.IsSet()
}
// HasFlowLockdown returns a boolean if a field has been set.
func (o *Brand) HasFlowLockdown() bool {
if o != nil && o.FlowLockdown.IsSet() {
return true
}
return false
}
// SetFlowLockdown gets a reference to the given NullableString and assigns it to the FlowLockdown field.
func (o *Brand) SetFlowLockdown(v string) {
o.FlowLockdown.Set(&v)
}
// SetFlowLockdownNil sets the value for FlowLockdown to be an explicit nil
func (o *Brand) SetFlowLockdownNil() {
o.FlowLockdown.Set(nil)
}
// UnsetFlowLockdown ensures that no value is present for FlowLockdown, not even an explicit nil
func (o *Brand) UnsetFlowLockdown() {
o.FlowLockdown.Unset()
}
// GetDefaultApplication returns the DefaultApplication field value if set, zero value otherwise (both if not set or set to explicit null).
func (o *Brand) GetDefaultApplication() string {
if o == nil || IsNil(o.DefaultApplication.Get()) {
@@ -763,6 +807,9 @@ func (o Brand) ToMap() (map[string]interface{}, error) {
if o.FlowDeviceCode.IsSet() {
toSerialize["flow_device_code"] = o.FlowDeviceCode.Get()
}
if o.FlowLockdown.IsSet() {
toSerialize["flow_lockdown"] = o.FlowLockdown.Get()
}
if o.DefaultApplication.IsSet() {
toSerialize["default_application"] = o.DefaultApplication.Get()
}
@@ -833,6 +880,7 @@ func (o *Brand) UnmarshalJSON(data []byte) (err error) {
delete(additionalProperties, "flow_unenrollment")
delete(additionalProperties, "flow_user_settings")
delete(additionalProperties, "flow_device_code")
delete(additionalProperties, "flow_lockdown")
delete(additionalProperties, "default_application")
delete(additionalProperties, "web_certificate")
delete(additionalProperties, "client_certificates")
packages/client-go/model_prompt_type_enum.go
Generated
+6
View File
@@ -38,6 +38,9 @@ const (
PROMPTTYPEENUM_SEPARATOR PromptTypeEnum = "separator"
PROMPTTYPEENUM_HIDDEN PromptTypeEnum = "hidden"
PROMPTTYPEENUM_STATIC PromptTypeEnum = "static"
PROMPTTYPEENUM_ALERT_INFO PromptTypeEnum = "alert_info"
PROMPTTYPEENUM_ALERT_WARNING PromptTypeEnum = "alert_warning"
PROMPTTYPEENUM_ALERT_DANGER PromptTypeEnum = "alert_danger"
PROMPTTYPEENUM_AK_LOCALE PromptTypeEnum = "ak-locale"
)
@@ -60,6 +63,9 @@ var AllowedPromptTypeEnumEnumValues = []PromptTypeEnum{
"separator",
"hidden",
"static",
"alert_info",
"alert_warning",
"alert_danger",
"ak-locale",
}
packages/client-rust/src/apis/core_api.rs
Generated
+5
View File
@@ -71,6 +71,7 @@ pub async fn core_brands_list(
flow_authentication: Option<&str>,
flow_device_code: Option<&str>,
flow_invalidation: Option<&str>,
flow_lockdown: Option<&str>,
flow_recovery: Option<&str>,
flow_unenrollment: Option<&str>,
flow_user_settings: Option<&str>,
@@ -92,6 +93,7 @@ pub async fn core_brands_list(
let p_query_flow_authentication = flow_authentication;
let p_query_flow_device_code = flow_device_code;
let p_query_flow_invalidation = flow_invalidation;
let p_query_flow_lockdown = flow_lockdown;
let p_query_flow_recovery = flow_recovery;
let p_query_flow_unenrollment = flow_unenrollment;
let p_query_flow_user_settings = flow_user_settings;
@@ -154,6 +156,9 @@ pub async fn core_brands_list(
if let Some(ref param_value) = p_query_flow_invalidation {
req_builder = req_builder.query(&[("flow_invalidation", &param_value.to_string())]);
}
if let Some(ref param_value) = p_query_flow_lockdown {
req_builder = req_builder.query(&[("flow_lockdown", &param_value.to_string())]);
}
if let Some(ref param_value) = p_query_flow_recovery {
req_builder = req_builder.query(&[("flow_recovery", &param_value.to_string())]);
}
packages/client-rust/src/models/brand.rs
Generated
+8
View File
@@ -78,6 +78,13 @@ pub struct Brand {
skip_serializing_if = "Option::is_none"
)]
pub flow_device_code: Option<Option<uuid::Uuid>>,
#[serde(
rename = "flow_lockdown",
default,
with = "::serde_with::rust::double_option",
skip_serializing_if = "Option::is_none"
)]
pub flow_lockdown: Option<Option<uuid::Uuid>>,
/// When set, external users will be redirected to this application after authenticating.
#[serde(
rename = "default_application",
@@ -122,6 +129,7 @@ impl Brand {
flow_unenrollment: None,
flow_user_settings: None,
flow_device_code: None,
flow_lockdown: None,
default_application: None,
web_certificate: None,
client_certificates: None,
packages/client-rust/src/models/prompt_type_enum.rs
Generated
+9
View File
@@ -47,6 +47,12 @@ pub enum PromptTypeEnum {
Hidden,
#[serde(rename = "static")]
Static,
#[serde(rename = "alert_info")]
AlertInfo,
#[serde(rename = "alert_warning")]
AlertWarning,
#[serde(rename = "alert_danger")]
AlertDanger,
#[serde(rename = "ak-locale")]
AkLocale,
}
@@ -71,6 +77,9 @@ impl std::fmt::Display for PromptTypeEnum {
Self::Separator => write!(f, "separator"),
Self::Hidden => write!(f, "hidden"),
Self::Static => write!(f, "static"),
Self::AlertInfo => write!(f, "alert_info"),
Self::AlertWarning => write!(f, "alert_warning"),
Self::AlertDanger => write!(f, "alert_danger"),
Self::AkLocale => write!(f, "ak-locale"),
}
}
packages/client-ts/src/apis/CoreApi.ts
Generated
+71
View File
@@ -52,6 +52,7 @@ import type {
TransactionApplicationResponse,
UsedBy,
User,
UserAccountLockdownRequest,
UserAccountRequest,
UserConsent,
UserPasswordHashSetRequest,
@@ -102,6 +103,7 @@ import {
TransactionApplicationRequestToJSON,
TransactionApplicationResponseFromJSON,
UsedByFromJSON,
UserAccountLockdownRequestToJSON,
UserAccountRequestToJSON,
UserConsentFromJSON,
UserFromJSON,
@@ -245,6 +247,7 @@ export interface CoreBrandsListRequest {
flowAuthentication?: string;
flowDeviceCode?: string;
flowInvalidation?: string;
flowLockdown?: string;
flowRecovery?: string;
flowUnenrollment?: string;
flowUserSettings?: string;
@@ -403,6 +406,10 @@ export interface CoreUserConsentUsedByListRequest {
id: number;
}
export interface CoreUsersAccountLockdownCreateRequest {
userAccountLockdownRequest?: UserAccountLockdownRequest;
}
export interface CoreUsersCreateRequest {
userRequest: UserRequest;
}
@@ -2214,6 +2221,10 @@ export class CoreApi extends runtime.BaseAPI {
queryParameters["flow_invalidation"] = requestParameters["flowInvalidation"];
}
if (requestParameters["flowLockdown"] != null) {
queryParameters["flow_lockdown"] = requestParameters["flowLockdown"];
}
if (requestParameters["flowRecovery"] != null) {
queryParameters["flow_recovery"] = requestParameters["flowRecovery"];
}
@@ -4189,6 +4200,66 @@ export class CoreApi extends runtime.BaseAPI {
return await response.value();
}
/**
* Creates request options for coreUsersAccountLockdownCreate without sending the request
*/
async coreUsersAccountLockdownCreateRequestOpts(
requestParameters: CoreUsersAccountLockdownCreateRequest,
): Promise<runtime.RequestOpts> {
const queryParameters: any = {};
const headerParameters: runtime.HTTPHeaders = {};
headerParameters["Content-Type"] = "application/json";
if (this.configuration && this.configuration.accessToken) {
const token = this.configuration.accessToken;
const tokenString = await token("authentik", []);
if (tokenString) {
headerParameters["Authorization"] = `Bearer ${tokenString}`;
}
}
let urlPath = `/core/users/account_lockdown/`;
return {
path: urlPath,
method: "POST",
headers: headerParameters,
query: queryParameters,
body: UserAccountLockdownRequestToJSON(requestParameters["userAccountLockdownRequest"]),
};
}
/**
* Choose the target account, then return a flow link.
*/
async coreUsersAccountLockdownCreateRaw(
requestParameters: CoreUsersAccountLockdownCreateRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<runtime.ApiResponse<Link>> {
const requestOptions =
await this.coreUsersAccountLockdownCreateRequestOpts(requestParameters);
const response = await this.request(requestOptions, initOverrides);
return new runtime.JSONApiResponse(response, (jsonValue) => LinkFromJSON(jsonValue));
}
/**
* Choose the target account, then return a flow link.
*/
async coreUsersAccountLockdownCreate(
requestParameters: CoreUsersAccountLockdownCreateRequest = {},
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<Link> {
const response = await this.coreUsersAccountLockdownCreateRaw(
requestParameters,
initOverrides,
);
return await response.value();
}
/**
* Creates request options for coreUsersCreate without sending the request
*/
packages/client-ts/src/apis/StagesApi.ts
Generated
+576
View File
@@ -13,6 +13,8 @@
*/
import type {
AccountLockdownStage,
AccountLockdownStageRequest,
AuthenticatorAttachmentEnum,
AuthenticatorDuoStage,
AuthenticatorDuoStageDeviceImportResponse,
@@ -61,6 +63,7 @@ import type {
MutualTLSStageRequest,
NetworkBindingEnum,
NotConfiguredActionEnum,
PaginatedAccountLockdownStageList,
PaginatedAuthenticatorDuoStageList,
PaginatedAuthenticatorEmailStageList,
PaginatedAuthenticatorEndpointGDTCStageList,
@@ -92,6 +95,7 @@ import type {
PaginatedWebAuthnDeviceTypeList,
PasswordStage,
PasswordStageRequest,
PatchedAccountLockdownStageRequest,
PatchedAuthenticatorDuoStageRequest,
PatchedAuthenticatorEmailStageRequest,
PatchedAuthenticatorEndpointGDTCStageRequest,
@@ -150,6 +154,8 @@ import type {
WebAuthnDeviceType,
} from "../models/index";
import {
AccountLockdownStageFromJSON,
AccountLockdownStageRequestToJSON,
AuthenticatorDuoStageDeviceImportResponseFromJSON,
AuthenticatorDuoStageFromJSON,
AuthenticatorDuoStageManualDeviceImportRequestToJSON,
@@ -190,6 +196,7 @@ import {
InvitationStageRequestToJSON,
MutualTLSStageFromJSON,
MutualTLSStageRequestToJSON,
PaginatedAccountLockdownStageListFromJSON,
PaginatedAuthenticatorDuoStageListFromJSON,
PaginatedAuthenticatorEmailStageListFromJSON,
PaginatedAuthenticatorEndpointGDTCStageListFromJSON,
@@ -221,6 +228,7 @@ import {
PaginatedWebAuthnDeviceTypeListFromJSON,
PasswordStageFromJSON,
PasswordStageRequestToJSON,
PatchedAccountLockdownStageRequestToJSON,
PatchedAuthenticatorDuoStageRequestToJSON,
PatchedAuthenticatorEmailStageRequestToJSON,
PatchedAuthenticatorEndpointGDTCStageRequestToJSON,
@@ -273,6 +281,46 @@ import {
} from "../models/index";
import * as runtime from "../runtime";
export interface StagesAccountLockdownCreateRequest {
accountLockdownStageRequest: AccountLockdownStageRequest;
}
export interface StagesAccountLockdownDestroyRequest {
stageUuid: string;
}
export interface StagesAccountLockdownListRequest {
deactivateUser?: boolean;
deleteSessions?: boolean;
name?: string;
ordering?: string;
page?: number;
pageSize?: number;
revokeTokens?: boolean;
search?: string;
selfServiceCompletionFlow?: string;
setUnusablePassword?: boolean;
stageUuid?: string;
}
export interface StagesAccountLockdownPartialUpdateRequest {
stageUuid: string;
patchedAccountLockdownStageRequest?: PatchedAccountLockdownStageRequest;
}
export interface StagesAccountLockdownRetrieveRequest {
stageUuid: string;
}
export interface StagesAccountLockdownUpdateRequest {
stageUuid: string;
accountLockdownStageRequest: AccountLockdownStageRequest;
}
export interface StagesAccountLockdownUsedByListRequest {
stageUuid: string;
}
export interface StagesAllDestroyRequest {
stageUuid: string;
}
@@ -1366,6 +1414,534 @@ export interface StagesUserWriteUsedByListRequest {
*
*/
export class StagesApi extends runtime.BaseAPI {
/**
* Creates request options for stagesAccountLockdownCreate without sending the request
*/
async stagesAccountLockdownCreateRequestOpts(
requestParameters: StagesAccountLockdownCreateRequest,
): Promise<runtime.RequestOpts> {
if (requestParameters["accountLockdownStageRequest"] == null) {
throw new runtime.RequiredError(
"accountLockdownStageRequest",
'Required parameter "accountLockdownStageRequest" was null or undefined when calling stagesAccountLockdownCreate().',
);
}
const queryParameters: any = {};
const headerParameters: runtime.HTTPHeaders = {};
headerParameters["Content-Type"] = "application/json";
if (this.configuration && this.configuration.accessToken) {
const token = this.configuration.accessToken;
const tokenString = await token("authentik", []);
if (tokenString) {
headerParameters["Authorization"] = `Bearer ${tokenString}`;
}
}
let urlPath = `/stages/account_lockdown/`;
return {
path: urlPath,
method: "POST",
headers: headerParameters,
query: queryParameters,
body: AccountLockdownStageRequestToJSON(
requestParameters["accountLockdownStageRequest"],
),
};
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownCreateRaw(
requestParameters: StagesAccountLockdownCreateRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<runtime.ApiResponse<AccountLockdownStage>> {
const requestOptions = await this.stagesAccountLockdownCreateRequestOpts(requestParameters);
const response = await this.request(requestOptions, initOverrides);
return new runtime.JSONApiResponse(response, (jsonValue) =>
AccountLockdownStageFromJSON(jsonValue),
);
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownCreate(
requestParameters: StagesAccountLockdownCreateRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<AccountLockdownStage> {
const response = await this.stagesAccountLockdownCreateRaw(
requestParameters,
initOverrides,
);
return await response.value();
}
/**
* Creates request options for stagesAccountLockdownDestroy without sending the request
*/
async stagesAccountLockdownDestroyRequestOpts(
requestParameters: StagesAccountLockdownDestroyRequest,
): Promise<runtime.RequestOpts> {
if (requestParameters["stageUuid"] == null) {
throw new runtime.RequiredError(
"stageUuid",
'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownDestroy().',
);
}
const queryParameters: any = {};
const headerParameters: runtime.HTTPHeaders = {};
if (this.configuration && this.configuration.accessToken) {
const token = this.configuration.accessToken;
const tokenString = await token("authentik", []);
if (tokenString) {
headerParameters["Authorization"] = `Bearer ${tokenString}`;
}
}
let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
urlPath = urlPath.replace(
`{${"stage_uuid"}}`,
encodeURIComponent(String(requestParameters["stageUuid"])),
);
return {
path: urlPath,
method: "DELETE",
headers: headerParameters,
query: queryParameters,
};
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownDestroyRaw(
requestParameters: StagesAccountLockdownDestroyRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<runtime.ApiResponse<void>> {
const requestOptions =
await this.stagesAccountLockdownDestroyRequestOpts(requestParameters);
const response = await this.request(requestOptions, initOverrides);
return new runtime.VoidApiResponse(response);
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownDestroy(
requestParameters: StagesAccountLockdownDestroyRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<void> {
await this.stagesAccountLockdownDestroyRaw(requestParameters, initOverrides);
}
/**
* Creates request options for stagesAccountLockdownList without sending the request
*/
async stagesAccountLockdownListRequestOpts(
requestParameters: StagesAccountLockdownListRequest,
): Promise<runtime.RequestOpts> {
const queryParameters: any = {};
if (requestParameters["deactivateUser"] != null) {
queryParameters["deactivate_user"] = requestParameters["deactivateUser"];
}
if (requestParameters["deleteSessions"] != null) {
queryParameters["delete_sessions"] = requestParameters["deleteSessions"];
}
if (requestParameters["name"] != null) {
queryParameters["name"] = requestParameters["name"];
}
if (requestParameters["ordering"] != null) {
queryParameters["ordering"] = requestParameters["ordering"];
}
if (requestParameters["page"] != null) {
queryParameters["page"] = requestParameters["page"];
}
if (requestParameters["pageSize"] != null) {
queryParameters["page_size"] = requestParameters["pageSize"];
}
if (requestParameters["revokeTokens"] != null) {
queryParameters["revoke_tokens"] = requestParameters["revokeTokens"];
}
if (requestParameters["search"] != null) {
queryParameters["search"] = requestParameters["search"];
}
if (requestParameters["selfServiceCompletionFlow"] != null) {
queryParameters["self_service_completion_flow"] =
requestParameters["selfServiceCompletionFlow"];
}
if (requestParameters["setUnusablePassword"] != null) {
queryParameters["set_unusable_password"] = requestParameters["setUnusablePassword"];
}
if (requestParameters["stageUuid"] != null) {
queryParameters["stage_uuid"] = requestParameters["stageUuid"];
}
const headerParameters: runtime.HTTPHeaders = {};
if (this.configuration && this.configuration.accessToken) {
const token = this.configuration.accessToken;
const tokenString = await token("authentik", []);
if (tokenString) {
headerParameters["Authorization"] = `Bearer ${tokenString}`;
}
}
let urlPath = `/stages/account_lockdown/`;
return {
path: urlPath,
method: "GET",
headers: headerParameters,
query: queryParameters,
};
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownListRaw(
requestParameters: StagesAccountLockdownListRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<runtime.ApiResponse<PaginatedAccountLockdownStageList>> {
const requestOptions = await this.stagesAccountLockdownListRequestOpts(requestParameters);
const response = await this.request(requestOptions, initOverrides);
return new runtime.JSONApiResponse(response, (jsonValue) =>
PaginatedAccountLockdownStageListFromJSON(jsonValue),
);
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownList(
requestParameters: StagesAccountLockdownListRequest = {},
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<PaginatedAccountLockdownStageList> {
const response = await this.stagesAccountLockdownListRaw(requestParameters, initOverrides);
return await response.value();
}
/**
* Creates request options for stagesAccountLockdownPartialUpdate without sending the request
*/
async stagesAccountLockdownPartialUpdateRequestOpts(
requestParameters: StagesAccountLockdownPartialUpdateRequest,
): Promise<runtime.RequestOpts> {
if (requestParameters["stageUuid"] == null) {
throw new runtime.RequiredError(
"stageUuid",
'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownPartialUpdate().',
);
}
const queryParameters: any = {};
const headerParameters: runtime.HTTPHeaders = {};
headerParameters["Content-Type"] = "application/json";
if (this.configuration && this.configuration.accessToken) {
const token = this.configuration.accessToken;
const tokenString = await token("authentik", []);
if (tokenString) {
headerParameters["Authorization"] = `Bearer ${tokenString}`;
}
}
let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
urlPath = urlPath.replace(
`{${"stage_uuid"}}`,
encodeURIComponent(String(requestParameters["stageUuid"])),
);
return {
path: urlPath,
method: "PATCH",
headers: headerParameters,
query: queryParameters,
body: PatchedAccountLockdownStageRequestToJSON(
requestParameters["patchedAccountLockdownStageRequest"],
),
};
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownPartialUpdateRaw(
requestParameters: StagesAccountLockdownPartialUpdateRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<runtime.ApiResponse<AccountLockdownStage>> {
const requestOptions =
await this.stagesAccountLockdownPartialUpdateRequestOpts(requestParameters);
const response = await this.request(requestOptions, initOverrides);
return new runtime.JSONApiResponse(response, (jsonValue) =>
AccountLockdownStageFromJSON(jsonValue),
);
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownPartialUpdate(
requestParameters: StagesAccountLockdownPartialUpdateRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<AccountLockdownStage> {
const response = await this.stagesAccountLockdownPartialUpdateRaw(
requestParameters,
initOverrides,
);
return await response.value();
}
/**
* Creates request options for stagesAccountLockdownRetrieve without sending the request
*/
async stagesAccountLockdownRetrieveRequestOpts(
requestParameters: StagesAccountLockdownRetrieveRequest,
): Promise<runtime.RequestOpts> {
if (requestParameters["stageUuid"] == null) {
throw new runtime.RequiredError(
"stageUuid",
'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownRetrieve().',
);
}
const queryParameters: any = {};
const headerParameters: runtime.HTTPHeaders = {};
if (this.configuration && this.configuration.accessToken) {
const token = this.configuration.accessToken;
const tokenString = await token("authentik", []);
if (tokenString) {
headerParameters["Authorization"] = `Bearer ${tokenString}`;
}
}
let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
urlPath = urlPath.replace(
`{${"stage_uuid"}}`,
encodeURIComponent(String(requestParameters["stageUuid"])),
);
return {
path: urlPath,
method: "GET",
headers: headerParameters,
query: queryParameters,
};
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownRetrieveRaw(
requestParameters: StagesAccountLockdownRetrieveRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<runtime.ApiResponse<AccountLockdownStage>> {
const requestOptions =
await this.stagesAccountLockdownRetrieveRequestOpts(requestParameters);
const response = await this.request(requestOptions, initOverrides);
return new runtime.JSONApiResponse(response, (jsonValue) =>
AccountLockdownStageFromJSON(jsonValue),
);
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownRetrieve(
requestParameters: StagesAccountLockdownRetrieveRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<AccountLockdownStage> {
const response = await this.stagesAccountLockdownRetrieveRaw(
requestParameters,
initOverrides,
);
return await response.value();
}
/**
* Creates request options for stagesAccountLockdownUpdate without sending the request
*/
async stagesAccountLockdownUpdateRequestOpts(
requestParameters: StagesAccountLockdownUpdateRequest,
): Promise<runtime.RequestOpts> {
if (requestParameters["stageUuid"] == null) {
throw new runtime.RequiredError(
"stageUuid",
'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownUpdate().',
);
}
if (requestParameters["accountLockdownStageRequest"] == null) {
throw new runtime.RequiredError(
"accountLockdownStageRequest",
'Required parameter "accountLockdownStageRequest" was null or undefined when calling stagesAccountLockdownUpdate().',
);
}
const queryParameters: any = {};
const headerParameters: runtime.HTTPHeaders = {};
headerParameters["Content-Type"] = "application/json";
if (this.configuration && this.configuration.accessToken) {
const token = this.configuration.accessToken;
const tokenString = await token("authentik", []);
if (tokenString) {
headerParameters["Authorization"] = `Bearer ${tokenString}`;
}
}
let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
urlPath = urlPath.replace(
`{${"stage_uuid"}}`,
encodeURIComponent(String(requestParameters["stageUuid"])),
);
return {
path: urlPath,
method: "PUT",
headers: headerParameters,
query: queryParameters,
body: AccountLockdownStageRequestToJSON(
requestParameters["accountLockdownStageRequest"],
),
};
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownUpdateRaw(
requestParameters: StagesAccountLockdownUpdateRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<runtime.ApiResponse<AccountLockdownStage>> {
const requestOptions = await this.stagesAccountLockdownUpdateRequestOpts(requestParameters);
const response = await this.request(requestOptions, initOverrides);
return new runtime.JSONApiResponse(response, (jsonValue) =>
AccountLockdownStageFromJSON(jsonValue),
);
}
/**
* AccountLockdownStage Viewset
*/
async stagesAccountLockdownUpdate(
requestParameters: StagesAccountLockdownUpdateRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<AccountLockdownStage> {
const response = await this.stagesAccountLockdownUpdateRaw(
requestParameters,
initOverrides,
);
return await response.value();
}
/**
* Creates request options for stagesAccountLockdownUsedByList without sending the request
*/
async stagesAccountLockdownUsedByListRequestOpts(
requestParameters: StagesAccountLockdownUsedByListRequest,
): Promise<runtime.RequestOpts> {
if (requestParameters["stageUuid"] == null) {
throw new runtime.RequiredError(
"stageUuid",
'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownUsedByList().',
);
}
const queryParameters: any = {};
const headerParameters: runtime.HTTPHeaders = {};
if (this.configuration && this.configuration.accessToken) {
const token = this.configuration.accessToken;
const tokenString = await token("authentik", []);
if (tokenString) {
headerParameters["Authorization"] = `Bearer ${tokenString}`;
}
}
let urlPath = `/stages/account_lockdown/{stage_uuid}/used_by/`;
urlPath = urlPath.replace(
`{${"stage_uuid"}}`,
encodeURIComponent(String(requestParameters["stageUuid"])),
);
return {
path: urlPath,
method: "GET",
headers: headerParameters,
query: queryParameters,
};
}
/**
* Get a list of all objects that use this object
*/
async stagesAccountLockdownUsedByListRaw(
requestParameters: StagesAccountLockdownUsedByListRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<runtime.ApiResponse<Array<UsedBy>>> {
const requestOptions =
await this.stagesAccountLockdownUsedByListRequestOpts(requestParameters);
const response = await this.request(requestOptions, initOverrides);
return new runtime.JSONApiResponse(response, (jsonValue) => jsonValue.map(UsedByFromJSON));
}
/**
* Get a list of all objects that use this object
*/
async stagesAccountLockdownUsedByList(
requestParameters: StagesAccountLockdownUsedByListRequest,
initOverrides?: RequestInit | runtime.InitOverrideFunction,
): Promise<Array<UsedBy>> {
const response = await this.stagesAccountLockdownUsedByListRaw(
requestParameters,
initOverrides,
);
return await response.value();
}
/**
* Creates request options for stagesAllDestroy without sending the request
*/
packages/client-ts/src/models/AccountLockdownStage.ts
Generated
+166
View File
@@ -0,0 +1,166 @@
/* tslint:disable */
/* eslint-disable */
/**
* authentik
* Making authentication simple.
*
* The version of the OpenAPI document: 2026.5.0-rc1
* Contact: hello@goauthentik.io
*
* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
* https://openapi-generator.tech
* Do not edit the class manually.
*/
import type { FlowSet } from "./FlowSet";
import { FlowSetFromJSON } from "./FlowSet";
/**
* AccountLockdownStage Serializer
* @export
* @interface AccountLockdownStage
*/
export interface AccountLockdownStage {
/**
*
* @type {string}
* @memberof AccountLockdownStage
*/
readonly pk: string;
/**
*
* @type {string}
* @memberof AccountLockdownStage
*/
name: string;
/**
* Get object type so that we know how to edit the object
* @type {string}
* @memberof AccountLockdownStage
*/
readonly component: string;
/**
* Return object's verbose_name
* @type {string}
* @memberof AccountLockdownStage
*/
readonly verboseName: string;
/**
* Return object's plural verbose_name
* @type {string}
* @memberof AccountLockdownStage
*/
readonly verboseNamePlural: string;
/**
* Return internal model name
* @type {string}
* @memberof AccountLockdownStage
*/
readonly metaModelName: string;
/**
*
* @type {Array<FlowSet>}
* @memberof AccountLockdownStage
*/
readonly flowSet: Array<FlowSet>;
/**
* Deactivate the user account (set is_active to False)
* @type {boolean}
* @memberof AccountLockdownStage
*/
deactivateUser?: boolean;
/**
* Set an unusable password for the user
* @type {boolean}
* @memberof AccountLockdownStage
*/
setUnusablePassword?: boolean;
/**
* Delete all active sessions for the user
* @type {boolean}
* @memberof AccountLockdownStage
*/
deleteSessions?: boolean;
/**
* Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
* @type {boolean}
* @memberof AccountLockdownStage
*/
revokeTokens?: boolean;
/**
* Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
* @type {string}
* @memberof AccountLockdownStage
*/
selfServiceCompletionFlow?: string | null;
}
/**
* Check if a given object implements the AccountLockdownStage interface.
*/
export function instanceOfAccountLockdownStage(value: object): value is AccountLockdownStage {
if (!("pk" in value) || value["pk"] === undefined) return false;
if (!("name" in value) || value["name"] === undefined) return false;
if (!("component" in value) || value["component"] === undefined) return false;
if (!("verboseName" in value) || value["verboseName"] === undefined) return false;
if (!("verboseNamePlural" in value) || value["verboseNamePlural"] === undefined) return false;
if (!("metaModelName" in value) || value["metaModelName"] === undefined) return false;
if (!("flowSet" in value) || value["flowSet"] === undefined) return false;
return true;
}
export function AccountLockdownStageFromJSON(json: any): AccountLockdownStage {
return AccountLockdownStageFromJSONTyped(json, false);
}
export function AccountLockdownStageFromJSONTyped(
json: any,
ignoreDiscriminator: boolean,
): AccountLockdownStage {
if (json == null) {
return json;
}
return {
pk: json["pk"],
name: json["name"],
component: json["component"],
verboseName: json["verbose_name"],
verboseNamePlural: json["verbose_name_plural"],
metaModelName: json["meta_model_name"],
flowSet: (json["flow_set"] as Array<any>).map(FlowSetFromJSON),
deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
setUnusablePassword:
json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
selfServiceCompletionFlow:
json["self_service_completion_flow"] == null
? undefined
: json["self_service_completion_flow"],
};
}
export function AccountLockdownStageToJSON(json: any): AccountLockdownStage {
return AccountLockdownStageToJSONTyped(json, false);
}
export function AccountLockdownStageToJSONTyped(
value?: Omit<
AccountLockdownStage,
"pk" | "component" | "verbose_name" | "verbose_name_plural" | "meta_model_name" | "flow_set"
> | null,
ignoreDiscriminator: boolean = false,
): any {
if (value == null) {
return value;
}
return {
name: value["name"],
deactivate_user: value["deactivateUser"],
set_unusable_password: value["setUnusablePassword"],
delete_sessions: value["deleteSessions"],
revoke_tokens: value["revokeTokens"],
self_service_completion_flow: value["selfServiceCompletionFlow"],
};
}
packages/client-ts/src/models/AccountLockdownStageRequest.ts
Generated
+114
View File
@@ -0,0 +1,114 @@
/* tslint:disable */
/* eslint-disable */
/**
* authentik
* Making authentication simple.
*
* The version of the OpenAPI document: 2026.5.0-rc1
* Contact: hello@goauthentik.io
*
* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
* https://openapi-generator.tech
* Do not edit the class manually.
*/
/**
* AccountLockdownStage Serializer
* @export
* @interface AccountLockdownStageRequest
*/
export interface AccountLockdownStageRequest {
/**
*
* @type {string}
* @memberof AccountLockdownStageRequest
*/
name: string;
/**
* Deactivate the user account (set is_active to False)
* @type {boolean}
* @memberof AccountLockdownStageRequest
*/
deactivateUser?: boolean;
/**
* Set an unusable password for the user
* @type {boolean}
* @memberof AccountLockdownStageRequest
*/
setUnusablePassword?: boolean;
/**
* Delete all active sessions for the user
* @type {boolean}
* @memberof AccountLockdownStageRequest
*/
deleteSessions?: boolean;
/**
* Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
* @type {boolean}
* @memberof AccountLockdownStageRequest
*/
revokeTokens?: boolean;
/**
* Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
* @type {string}
* @memberof AccountLockdownStageRequest
*/
selfServiceCompletionFlow?: string | null;
}
/**
* Check if a given object implements the AccountLockdownStageRequest interface.
*/
export function instanceOfAccountLockdownStageRequest(
value: object,
): value is AccountLockdownStageRequest {
if (!("name" in value) || value["name"] === undefined) return false;
return true;
}
export function AccountLockdownStageRequestFromJSON(json: any): AccountLockdownStageRequest {
return AccountLockdownStageRequestFromJSONTyped(json, false);
}
export function AccountLockdownStageRequestFromJSONTyped(
json: any,
ignoreDiscriminator: boolean,
): AccountLockdownStageRequest {
if (json == null) {
return json;
}
return {
name: json["name"],
deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
setUnusablePassword:
json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
selfServiceCompletionFlow:
json["self_service_completion_flow"] == null
? undefined
: json["self_service_completion_flow"],
};
}
export function AccountLockdownStageRequestToJSON(json: any): AccountLockdownStageRequest {
return AccountLockdownStageRequestToJSONTyped(json, false);
}
export function AccountLockdownStageRequestToJSONTyped(
value?: AccountLockdownStageRequest | null,
ignoreDiscriminator: boolean = false,
): any {
if (value == null) {
return value;
}
return {
name: value["name"],
deactivate_user: value["deactivateUser"],
set_unusable_password: value["setUnusablePassword"],
delete_sessions: value["deleteSessions"],
revoke_tokens: value["revokeTokens"],
self_service_completion_flow: value["selfServiceCompletionFlow"],
};
}
packages/client-ts/src/models/AppEnum.ts
Generated
+1
View File
@@ -94,6 +94,7 @@ export const AppEnum = {
AuthentikEnterpriseProvidersSsf: "authentik.enterprise.providers.ssf",
AuthentikEnterpriseProvidersWsFederation: "authentik.enterprise.providers.ws_federation",
AuthentikEnterpriseReports: "authentik.enterprise.reports",
AuthentikEnterpriseStagesAccountLockdown: "authentik.enterprise.stages.account_lockdown",
AuthentikEnterpriseStagesAuthenticatorEndpointGdtc:
"authentik.enterprise.stages.authenticator_endpoint_gdtc",
AuthentikEnterpriseStagesMtls: "authentik.enterprise.stages.mtls",
packages/client-ts/src/models/Brand.ts
Generated
+8
View File
@@ -102,6 +102,12 @@ export interface Brand {
* @memberof Brand
*/
flowDeviceCode?: string | null;
/**
*
* @type {string}
* @memberof Brand
*/
flowLockdown?: string | null;
/**
* When set, external users will be redirected to this application after authenticating.
* @type {string}
@@ -166,6 +172,7 @@ export function BrandFromJSONTyped(json: any, ignoreDiscriminator: boolean): Bra
flowUserSettings:
json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
defaultApplication:
json["default_application"] == null ? undefined : json["default_application"],
webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -201,6 +208,7 @@ export function BrandToJSONTyped(
flow_unenrollment: value["flowUnenrollment"],
flow_user_settings: value["flowUserSettings"],
flow_device_code: value["flowDeviceCode"],
flow_lockdown: value["flowLockdown"],
default_application: value["defaultApplication"],
web_certificate: value["webCertificate"],
client_certificates: value["clientCertificates"],
packages/client-ts/src/models/BrandRequest.ts
Generated
+8
View File
@@ -96,6 +96,12 @@ export interface BrandRequest {
* @memberof BrandRequest
*/
flowDeviceCode?: string | null;
/**
*
* @type {string}
* @memberof BrandRequest
*/
flowLockdown?: string | null;
/**
* When set, external users will be redirected to this application after authenticating.
* @type {string}
@@ -158,6 +164,7 @@ export function BrandRequestFromJSONTyped(json: any, ignoreDiscriminator: boolea
flowUserSettings:
json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
defaultApplication:
json["default_application"] == null ? undefined : json["default_application"],
webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -193,6 +200,7 @@ export function BrandRequestToJSONTyped(
flow_unenrollment: value["flowUnenrollment"],
flow_user_settings: value["flowUserSettings"],
flow_device_code: value["flowDeviceCode"],
flow_lockdown: value["flowLockdown"],
default_application: value["defaultApplication"],
web_certificate: value["webCertificate"],
client_certificates: value["clientCertificates"],
packages/client-ts/src/models/CurrentBrand.ts
Generated
+8
View File
@@ -117,6 +117,12 @@ export interface CurrentBrand {
* @memberof CurrentBrand
*/
flowDeviceCode?: string;
/**
*
* @type {string}
* @memberof CurrentBrand
*/
flowLockdown?: string;
/**
*
* @type {string}
@@ -177,6 +183,7 @@ export function CurrentBrandFromJSONTyped(json: any, ignoreDiscriminator: boolea
flowUserSettings:
json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
defaultLocale: json["default_locale"],
flags: CurrentBrandFlagsFromJSON(json["flags"]),
};
@@ -213,6 +220,7 @@ export function CurrentBrandToJSONTyped(
flow_unenrollment: value["flowUnenrollment"],
flow_user_settings: value["flowUserSettings"],
flow_device_code: value["flowDeviceCode"],
flow_lockdown: value["flowLockdown"],
flags: CurrentBrandFlagsToJSON(value["flags"]),
};
}
packages/client-ts/src/models/ModelEnum.ts
Generated
+2
View File
@@ -175,6 +175,8 @@ export const ModelEnum = {
AuthentikProvidersWsFederationWsfederationprovider:
"authentik_providers_ws_federation.wsfederationprovider",
AuthentikReportsDataexport: "authentik_reports.dataexport",
AuthentikStagesAccountLockdownAccountlockdownstage:
"authentik_stages_account_lockdown.accountlockdownstage",
AuthentikStagesAuthenticatorEndpointGdtcAuthenticatorendpointgdtcstage:
"authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
AuthentikStagesMtlsMutualtlsstage: "authentik_stages_mtls.mutualtlsstage",
packages/client-ts/src/models/PaginatedAccountLockdownStageList.ts
Generated
+97
View File
@@ -0,0 +1,97 @@
/* tslint:disable */
/* eslint-disable */
/**
* authentik
* Making authentication simple.
*
* The version of the OpenAPI document: 2026.5.0-rc1
* Contact: hello@goauthentik.io
*
* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
* https://openapi-generator.tech
* Do not edit the class manually.
*/
import type { AccountLockdownStage } from "./AccountLockdownStage";
import { AccountLockdownStageFromJSON, AccountLockdownStageToJSON } from "./AccountLockdownStage";
import type { Pagination } from "./Pagination";
import { PaginationFromJSON, PaginationToJSON } from "./Pagination";
/**
*
* @export
* @interface PaginatedAccountLockdownStageList
*/
export interface PaginatedAccountLockdownStageList {
/**
*
* @type {Pagination}
* @memberof PaginatedAccountLockdownStageList
*/
pagination: Pagination;
/**
*
* @type {Array<AccountLockdownStage>}
* @memberof PaginatedAccountLockdownStageList
*/
results: Array<AccountLockdownStage>;
/**
*
* @type {{ [key: string]: any; }}
* @memberof PaginatedAccountLockdownStageList
*/
autocomplete: { [key: string]: any };
}
/**
* Check if a given object implements the PaginatedAccountLockdownStageList interface.
*/
export function instanceOfPaginatedAccountLockdownStageList(
value: object,
): value is PaginatedAccountLockdownStageList {
if (!("pagination" in value) || value["pagination"] === undefined) return false;
if (!("results" in value) || value["results"] === undefined) return false;
if (!("autocomplete" in value) || value["autocomplete"] === undefined) return false;
return true;
}
export function PaginatedAccountLockdownStageListFromJSON(
json: any,
): PaginatedAccountLockdownStageList {
return PaginatedAccountLockdownStageListFromJSONTyped(json, false);
}
export function PaginatedAccountLockdownStageListFromJSONTyped(
json: any,
ignoreDiscriminator: boolean,
): PaginatedAccountLockdownStageList {
if (json == null) {
return json;
}
return {
pagination: PaginationFromJSON(json["pagination"]),
results: (json["results"] as Array<any>).map(AccountLockdownStageFromJSON),
autocomplete: json["autocomplete"],
};
}
export function PaginatedAccountLockdownStageListToJSON(
json: any,
): PaginatedAccountLockdownStageList {
return PaginatedAccountLockdownStageListToJSONTyped(json, false);
}
export function PaginatedAccountLockdownStageListToJSONTyped(
value?: PaginatedAccountLockdownStageList | null,
ignoreDiscriminator: boolean = false,
): any {
if (value == null) {
return value;
}
return {
pagination: PaginationToJSON(value["pagination"]),
results: (value["results"] as Array<any>).map(AccountLockdownStageToJSON),
autocomplete: value["autocomplete"],
};
}
packages/client-ts/src/models/PatchedAccountLockdownStageRequest.ts
Generated
+117
View File
@@ -0,0 +1,117 @@
/* tslint:disable */
/* eslint-disable */
/**
* authentik
* Making authentication simple.
*
* The version of the OpenAPI document: 2026.5.0-rc1
* Contact: hello@goauthentik.io
*
* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
* https://openapi-generator.tech
* Do not edit the class manually.
*/
/**
* AccountLockdownStage Serializer
* @export
* @interface PatchedAccountLockdownStageRequest
*/
export interface PatchedAccountLockdownStageRequest {
/**
*
* @type {string}
* @memberof PatchedAccountLockdownStageRequest
*/
name?: string;
/**
* Deactivate the user account (set is_active to False)
* @type {boolean}
* @memberof PatchedAccountLockdownStageRequest
*/
deactivateUser?: boolean;
/**
* Set an unusable password for the user
* @type {boolean}
* @memberof PatchedAccountLockdownStageRequest
*/
setUnusablePassword?: boolean;
/**
* Delete all active sessions for the user
* @type {boolean}
* @memberof PatchedAccountLockdownStageRequest
*/
deleteSessions?: boolean;
/**
* Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
* @type {boolean}
* @memberof PatchedAccountLockdownStageRequest
*/
revokeTokens?: boolean;
/**
* Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
* @type {string}
* @memberof PatchedAccountLockdownStageRequest
*/
selfServiceCompletionFlow?: string | null;
}
/**
* Check if a given object implements the PatchedAccountLockdownStageRequest interface.
*/
export function instanceOfPatchedAccountLockdownStageRequest(
value: object,
): value is PatchedAccountLockdownStageRequest {
return true;
}
export function PatchedAccountLockdownStageRequestFromJSON(
json: any,
): PatchedAccountLockdownStageRequest {
return PatchedAccountLockdownStageRequestFromJSONTyped(json, false);
}
export function PatchedAccountLockdownStageRequestFromJSONTyped(
json: any,
ignoreDiscriminator: boolean,
): PatchedAccountLockdownStageRequest {
if (json == null) {
return json;
}
return {
name: json["name"] == null ? undefined : json["name"],
deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
setUnusablePassword:
json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
selfServiceCompletionFlow:
json["self_service_completion_flow"] == null
? undefined
: json["self_service_completion_flow"],
};
}
export function PatchedAccountLockdownStageRequestToJSON(
json: any,
): PatchedAccountLockdownStageRequest {
return PatchedAccountLockdownStageRequestToJSONTyped(json, false);
}
export function PatchedAccountLockdownStageRequestToJSONTyped(
value?: PatchedAccountLockdownStageRequest | null,
ignoreDiscriminator: boolean = false,
): any {
if (value == null) {
return value;
}
return {
name: value["name"],
deactivate_user: value["deactivateUser"],
set_unusable_password: value["setUnusablePassword"],
delete_sessions: value["deleteSessions"],
revoke_tokens: value["revokeTokens"],
self_service_completion_flow: value["selfServiceCompletionFlow"],
};
}
packages/client-ts/src/models/PatchedBrandRequest.ts
Generated
+8
View File
@@ -96,6 +96,12 @@ export interface PatchedBrandRequest {
* @memberof PatchedBrandRequest
*/
flowDeviceCode?: string | null;
/**
*
* @type {string}
* @memberof PatchedBrandRequest
*/
flowLockdown?: string | null;
/**
* When set, external users will be redirected to this application after authenticating.
* @type {string}
@@ -160,6 +166,7 @@ export function PatchedBrandRequestFromJSONTyped(
flowUserSettings:
json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
defaultApplication:
json["default_application"] == null ? undefined : json["default_application"],
webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -195,6 +202,7 @@ export function PatchedBrandRequestToJSONTyped(
flow_unenrollment: value["flowUnenrollment"],
flow_user_settings: value["flowUserSettings"],
flow_device_code: value["flowDeviceCode"],
flow_lockdown: value["flowLockdown"],
default_application: value["defaultApplication"],
web_certificate: value["webCertificate"],
client_certificates: value["clientCertificates"],
packages/client-ts/src/models/PromptTypeEnum.ts
Generated
+3
View File
@@ -34,6 +34,9 @@ export const PromptTypeEnum = {
Separator: "separator",
Hidden: "hidden",
Static: "static",
AlertInfo: "alert_info",
AlertWarning: "alert_warning",
AlertDanger: "alert_danger",
AkLocale: "ak-locale",
UnknownDefaultOpenApi: "11184809",
} as const;
packages/client-ts/src/models/UserAccountLockdownRequest.ts
Generated
+69
View File
@@ -0,0 +1,69 @@
/* tslint:disable */
/* eslint-disable */
/**
* authentik
* Making authentication simple.
*
* The version of the OpenAPI document: 2026.5.0-rc1
* Contact: hello@goauthentik.io
*
* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
* https://openapi-generator.tech
* Do not edit the class manually.
*/
/**
* Choose the target account before starting the lockdown flow.
* @export
* @interface UserAccountLockdownRequest
*/
export interface UserAccountLockdownRequest {
/**
* User to lock. If omitted, locks the current user (self-service).
* @type {number}
* @memberof UserAccountLockdownRequest
*/
user?: number | null;
}
/**
* Check if a given object implements the UserAccountLockdownRequest interface.
*/
export function instanceOfUserAccountLockdownRequest(
value: object,
): value is UserAccountLockdownRequest {
return true;
}
export function UserAccountLockdownRequestFromJSON(json: any): UserAccountLockdownRequest {
return UserAccountLockdownRequestFromJSONTyped(json, false);
}
export function UserAccountLockdownRequestFromJSONTyped(
json: any,
ignoreDiscriminator: boolean,
): UserAccountLockdownRequest {
if (json == null) {
return json;
}
return {
user: json["user"] == null ? undefined : json["user"],
};
}
export function UserAccountLockdownRequestToJSON(json: any): UserAccountLockdownRequest {
return UserAccountLockdownRequestToJSONTyped(json, false);
}
export function UserAccountLockdownRequestToJSONTyped(
value?: UserAccountLockdownRequest | null,
ignoreDiscriminator: boolean = false,
): any {
if (value == null) {
return value;
}
return {
user: value["user"],
};
}
packages/client-ts/src/models/index.ts
Generated
+5
View File
@@ -1,6 +1,8 @@
/* tslint:disable */
/* eslint-disable */
export * from "./AccessDeniedChallenge";
export * from "./AccountLockdownStage";
export * from "./AccountLockdownStageRequest";
export * from "./AgentAuthenticationResponse";
export * from "./AgentConfig";
export * from "./AgentConnector";
@@ -352,6 +354,7 @@ export * from "./OutpostHealth";
export * from "./OutpostRequest";
export * from "./OutpostTypeEnum";
export * from "./PKCEMethodEnum";
export * from "./PaginatedAccountLockdownStageList";
export * from "./PaginatedAgentConnectorList";
export * from "./PaginatedAppleIndependentSecureEnclaveList";
export * from "./PaginatedApplicationEntitlementList";
@@ -518,6 +521,7 @@ export * from "./PasswordPolicy";
export * from "./PasswordPolicyRequest";
export * from "./PasswordStage";
export * from "./PasswordStageRequest";
export * from "./PatchedAccountLockdownStageRequest";
export * from "./PatchedAgentConnectorRequest";
export * from "./PatchedAppleIndependentSecureEnclaveRequest";
export * from "./PatchedApplicationEntitlementRequest";
@@ -822,6 +826,7 @@ export * from "./UsageEnum";
export * from "./UsedBy";
export * from "./UsedByActionEnum";
export * from "./User";
export * from "./UserAccountLockdownRequest";
export * from "./UserAccountRequest";
export * from "./UserAccountSerializerForRoleRequest";
export * from "./UserAttributeEnum";
schema.yml
+405
View File
@@ -3172,6 +3172,11 @@ paths:
schema:
type: string
format: uuid
- in: query
name: flow_lockdown
schema:
type: string
format: uuid
- in: query
name: flow_recovery
schema:
@@ -4585,6 +4590,35 @@ paths:
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
/core/users/account_lockdown/:
post:
operationId: core_users_account_lockdown_create
description: Choose the target account, then return a flow link.
tags:
- core
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/UserAccountLockdownRequest'
security:
- authentik: []
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Link'
examples:
LockdownFlowURL:
value:
link: https://example.invalid/if/flow/default-account-lockdown/
summary: Lockdown flow URL
description: ''
'400':
description: No lockdown flow configured or the flow is not applicable
'403':
description: Permission denied (when targeting another user)
/core/users/export/:
post:
operationId: core_users_export_create
@@ -26901,6 +26935,222 @@ paths:
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
/stages/account_lockdown/:
get:
operationId: stages_account_lockdown_list
description: AccountLockdownStage Viewset
parameters:
- in: query
name: deactivate_user
schema:
type: boolean
- in: query
name: delete_sessions
schema:
type: boolean
- $ref: '#/components/parameters/QueryName'
- $ref: '#/components/parameters/QueryPaginationOrdering'
- $ref: '#/components/parameters/QueryPaginationPage'
- $ref: '#/components/parameters/QueryPaginationPageSize'
- in: query
name: revoke_tokens
schema:
type: boolean
- $ref: '#/components/parameters/QuerySearch'
- in: query
name: self_service_completion_flow
schema:
type: string
format: uuid
- in: query
name: set_unusable_password
schema:
type: boolean
- in: query
name: stage_uuid
schema:
type: string
format: uuid
tags:
- stages
security:
- authentik: []
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/PaginatedAccountLockdownStageList'
description: ''
'400':
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
post:
operationId: stages_account_lockdown_create
description: AccountLockdownStage Viewset
tags:
- stages
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/AccountLockdownStageRequest'
required: true
security:
- authentik: []
responses:
'201':
content:
application/json:
schema:
$ref: '#/components/schemas/AccountLockdownStage'
description: ''
'400':
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
/stages/account_lockdown/{stage_uuid}/:
get:
operationId: stages_account_lockdown_retrieve
description: AccountLockdownStage Viewset
parameters:
- in: path
name: stage_uuid
schema:
type: string
format: uuid
description: A UUID string identifying this Account Lockdown Stage.
required: true
tags:
- stages
security:
- authentik: []
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/AccountLockdownStage'
description: ''
'400':
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
put:
operationId: stages_account_lockdown_update
description: AccountLockdownStage Viewset
parameters:
- in: path
name: stage_uuid
schema:
type: string
format: uuid
description: A UUID string identifying this Account Lockdown Stage.
required: true
tags:
- stages
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/AccountLockdownStageRequest'
required: true
security:
- authentik: []
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/AccountLockdownStage'
description: ''
'400':
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
patch:
operationId: stages_account_lockdown_partial_update
description: AccountLockdownStage Viewset
parameters:
- in: path
name: stage_uuid
schema:
type: string
format: uuid
description: A UUID string identifying this Account Lockdown Stage.
required: true
tags:
- stages
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/PatchedAccountLockdownStageRequest'
security:
- authentik: []
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/AccountLockdownStage'
description: ''
'400':
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
delete:
operationId: stages_account_lockdown_destroy
description: AccountLockdownStage Viewset
parameters:
- in: path
name: stage_uuid
schema:
type: string
format: uuid
description: A UUID string identifying this Account Lockdown Stage.
required: true
tags:
- stages
security:
- authentik: []
responses:
'204':
description: No response body
'400':
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
/stages/account_lockdown/{stage_uuid}/used_by/:
get:
operationId: stages_account_lockdown_used_by_list
description: Get a list of all objects that use this object
parameters:
- in: path
name: stage_uuid
schema:
type: string
format: uuid
description: A UUID string identifying this Account Lockdown Stage.
required: true
tags:
- stages
security:
- authentik: []
responses:
'200':
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/UsedBy'
description: ''
'400':
$ref: '#/components/responses/ValidationErrorResponse'
'403':
$ref: '#/components/responses/GenericErrorResponse'
/stages/all/:
get:
operationId: stages_all_list
@@ -33669,6 +33919,93 @@ components:
required:
- pending_user
- pending_user_avatar
AccountLockdownStage:
type: object
description: AccountLockdownStage Serializer
properties:
pk:
type: string
format: uuid
readOnly: true
title: Stage uuid
name:
type: string
component:
type: string
description: Get object type so that we know how to edit the object
readOnly: true
verbose_name:
type: string
description: Return object's verbose_name
readOnly: true
verbose_name_plural:
type: string
description: Return object's plural verbose_name
readOnly: true
meta_model_name:
type: string
description: Return internal model name
readOnly: true
flow_set:
type: array
items:
$ref: '#/components/schemas/FlowSet'
readOnly: true
deactivate_user:
type: boolean
description: Deactivate the user account (set is_active to False)
set_unusable_password:
type: boolean
description: Set an unusable password for the user
delete_sessions:
type: boolean
description: Delete all active sessions for the user
revoke_tokens:
type: boolean
description: Revoke all tokens for the user (API, app password, recovery,
verification, OAuth)
self_service_completion_flow:
type: string
format: uuid
nullable: true
description: Flow to redirect users to after self-service lockdown. This
flow should not require authentication since the user's session is deleted.
required:
- component
- flow_set
- meta_model_name
- name
- pk
- verbose_name
- verbose_name_plural
AccountLockdownStageRequest:
type: object
description: AccountLockdownStage Serializer
properties:
name:
type: string
minLength: 1
deactivate_user:
type: boolean
description: Deactivate the user account (set is_active to False)
set_unusable_password:
type: boolean
description: Set an unusable password for the user
delete_sessions:
type: boolean
description: Delete all active sessions for the user
revoke_tokens:
type: boolean
description: Revoke all tokens for the user (API, app password, recovery,
verification, OAuth)
self_service_completion_flow:
type: string
format: uuid
nullable: true
description: Flow to redirect users to after self-service lockdown. This
flow should not require authentication since the user's session is deleted.
required:
- name
AgentAuthenticationResponse:
type: object
description: Base serializer class which doesn't implement create/update methods
@@ -34006,6 +34343,7 @@ components:
- authentik.enterprise.providers.ssf
- authentik.enterprise.providers.ws_federation
- authentik.enterprise.reports
- authentik.enterprise.stages.account_lockdown
- authentik.enterprise.stages.authenticator_endpoint_gdtc
- authentik.enterprise.stages.mtls
- authentik.enterprise.stages.source
@@ -35754,6 +36092,10 @@ components:
type: string
format: uuid
nullable: true
flow_lockdown:
type: string
format: uuid
nullable: true
default_application:
type: string
format: uuid
@@ -35826,6 +36168,10 @@ components:
type: string
format: uuid
nullable: true
flow_lockdown:
type: string
format: uuid
nullable: true
default_application:
type: string
format: uuid
@@ -36814,6 +37160,8 @@ components:
type: string
flow_device_code:
type: string
flow_lockdown:
type: string
default_locale:
type: string
readOnly: true
@@ -43142,6 +43490,7 @@ components:
- authentik_providers_ssf.ssfprovider
- authentik_providers_ws_federation.wsfederationprovider
- authentik_reports.dataexport
- authentik_stages_account_lockdown.accountlockdownstage
- authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage
- authentik_stages_mtls.mutualtlsstage
- authentik_stages_source.sourcestage
@@ -44584,6 +44933,21 @@ components:
- plain
- S256
type: string
PaginatedAccountLockdownStageList:
type: object
properties:
pagination:
$ref: '#/components/schemas/Pagination'
results:
type: array
items:
$ref: '#/components/schemas/AccountLockdownStage'
autocomplete:
$ref: '#/components/schemas/Autocomplete'
required:
- autocomplete
- pagination
- results
PaginatedAgentConnectorList:
type: object
properties:
@@ -47352,6 +47716,32 @@ components:
required:
- backends
- name
PatchedAccountLockdownStageRequest:
type: object
description: AccountLockdownStage Serializer
properties:
name:
type: string
minLength: 1
deactivate_user:
type: boolean
description: Deactivate the user account (set is_active to False)
set_unusable_password:
type: boolean
description: Set an unusable password for the user
delete_sessions:
type: boolean
description: Delete all active sessions for the user
revoke_tokens:
type: boolean
description: Revoke all tokens for the user (API, app password, recovery,
verification, OAuth)
self_service_completion_flow:
type: string
format: uuid
nullable: true
description: Flow to redirect users to after self-service lockdown. This
flow should not require authentication since the user's session is deleted.
PatchedAgentConnectorRequest:
type: object
properties:
@@ -47795,6 +48185,10 @@ components:
type: string
format: uuid
nullable: true
flow_lockdown:
type: string
format: uuid
nullable: true
default_application:
type: string
format: uuid
@@ -52081,6 +52475,9 @@ components:
- separator
- hidden
- static
- alert_info
- alert_warning
- alert_danger
- ak-locale
type: string
PropertyMapping:
@@ -57179,6 +57576,14 @@ components:
- uid
- username
- uuid
UserAccountLockdownRequest:
type: object
description: Choose the target account before starting the lockdown flow.
properties:
user:
type: integer
nullable: true
description: User to lock. If omitted, locks the current user (self-service).
UserAccountRequest:
type: object
description: Account adding/removing operations
web/src/admin/brands/BrandForm.ts
+69 -8
View File
@@ -1,6 +1,7 @@
import "#admin/common/ak-crypto-certificate-search";
import "#admin/common/ak-flow-search/ak-flow-search";
import "#elements/CodeMirror";
import "#elements/Alert";
import "#elements/ak-dual-select/ak-dual-select-dynamic-selected-provider";
import "#elements/ak-dual-select/ak-dual-select-provider";
import "#elements/forms/FormGroup";
@@ -25,42 +26,79 @@ import {
Brand,
CoreApi,
CoreApplicationsListRequest,
Flow,
FlowDesignationEnum,
FlowsApi,
UsageEnum,
} from "@goauthentik/api";
import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum.js";
import YAML from "yaml";
import { msg } from "@lit/localize";
import { html, TemplateResult } from "lit";
import { customElement } from "lit/decorators.js";
import { customElement, state } from "lit/decorators.js";
@customElement("ak-brand-form")
export class BrandForm extends ModelForm<Brand, string> {
public static override verboseName = msg("Brand");
public static override verboseNamePlural = msg("Brands");
loadInstance(pk: string): Promise<Brand> {
return new CoreApi(DEFAULT_CONFIG).coreBrandsRetrieve({
brandUuid: pk,
#coreAPI = new CoreApi(DEFAULT_CONFIG);
#flowsAPI = new FlowsApi(DEFAULT_CONFIG);
@state()
protected lockdownFlowAuthentication: AuthenticationEnum | null = null;
async loadInstance(pk: string): Promise<Brand> {
return this.#coreAPI.coreBrandsRetrieve({ brandUuid: pk }).then(async (brand) => {
if (!brand.flowLockdown) {
this.lockdownFlowAuthentication = null;
return brand;
}
return this.#flowsAPI
.flowsInstancesList({ flowUuid: brand.flowLockdown })
.then((flows) => {
this.lockdownFlowAuthentication = flows.results[0]?.authentication ?? null;
return brand;
});
});
}
getSuccessMessage(): string {
protected lockdownFlowInputListener = (event: Event): void => {
const target = event.currentTarget as HTMLElement & {
selectedFlow?: Flow | null;
};
this.lockdownFlowAuthentication = target.selectedFlow?.authentication ?? null;
};
protected get lockdownWarningVisible(): boolean {
return !!(
this.lockdownFlowAuthentication &&
this.lockdownFlowAuthentication !== AuthenticationEnum.RequireAuthenticated
);
}
public override getSuccessMessage(): string {
return this.instance
? msg("Successfully updated brand.")
: msg("Successfully created brand.");
}
async send(data: Brand): Promise<Brand> {
protected override async send(data: Brand): Promise<Brand> {
data.attributes ??= {};
if (this.instance?.brandUuid) {
return new CoreApi(DEFAULT_CONFIG).coreBrandsPartialUpdate({
return this.#coreAPI.coreBrandsPartialUpdate({
brandUuid: this.instance.brandUuid,
patchedBrandRequest: data,
});
}
return new CoreApi(DEFAULT_CONFIG).coreBrandsCreate({
return this.#coreAPI.coreBrandsCreate({
brandRequest: data,
});
}
@@ -285,6 +323,29 @@ export class BrandForm extends ModelForm<Brand, string> {
)}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${msg("Account lockdown flow")}
name="flowLockdown"
>
<ak-flow-search
placeholder=${msg("Select an account lockdown flow...")}
flowType=${FlowDesignationEnum.StageConfiguration}
.currentFlow=${this.instance?.flowLockdown}
@input=${this.lockdownFlowInputListener}
></ak-flow-search>
<p class="pf-c-form__helper-text">
${msg(
"Flow used when a user triggers account lockdown (e.g. in case of compromise). Should contain an Account Lockdown stage.",
)}
</p>
${this.lockdownWarningVisible
? html`<ak-alert inline>
${msg(
"Account lockdown flows should require authentication so they can only be started from a signed-in session.",
)}
</ak-alert>`
: null}
</ak-form-element-horizontal>
</div>
</ak-form-group>
<ak-form-group label="${msg("Other global settings")} ">
web/src/admin/events/RuleForm.ts
+2 -2
View File
@@ -104,7 +104,7 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
</p>
<p class="pf-c-form__helper-text">
${msg(
"If no group is selected and 'Send notification to event user' is disabled the rule is disabled. ",
"If no group is selected and 'Send notification to event user' is disabled, the rule is disabled.",
)}
</p>
</ak-form-element-horizontal>
@@ -113,7 +113,7 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
label=${msg("Send notification to event user")}
?checked=${this.instance?.destinationEventUser ?? false}
help=${msg(
"When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. ",
"When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.",
)}
>
</ak-switch-input>
web/src/admin/events/RuleListPage.ts
+1 -1
View File
@@ -80,7 +80,7 @@ export class RuleListPage extends TablePage<NotificationRule> {
protected override row(item: NotificationRule): SlottedTemplateResult[] {
const enabled = !!item.destinationGroupObj || item.destinationEventUser;
return [
html`<ak-status-label type="warning" ?good=${enabled}></ak-status-label>`,
html`<ak-status-label ?good=${enabled}></ak-status-label>`,
html`${item.name}`,
html`${severityToLabel(item.severity)}`,
html`${item.destinationGroupObj
web/src/admin/stages/BaseStageForm.ts
+1 -1
View File
@@ -8,7 +8,7 @@ export abstract class BaseStageForm<T extends Stage> extends ModelForm<T, string
public static override verboseName = msg("Stage");
public static override verboseNamePlural = msg("Stages");
getSuccessMessage(): string {
public override getSuccessMessage(): string {
return this.instance
? msg("Successfully updated stage.")
: msg("Successfully created stage.");
web/src/admin/stages/account_lockdown/AccountLockdownStageForm.ts
+119
View File
@@ -0,0 +1,119 @@
import "#elements/forms/HorizontalFormElement";
import "#admin/common/ak-flow-search/ak-flow-search";
import "#components/ak-switch-input";
import "#components/ak-text-input";
import { DEFAULT_CONFIG } from "#common/api/config";
import { SlottedTemplateResult } from "#elements/types";
import { ifPresent } from "#elements/utils/attributes";
import { BaseStageForm } from "#admin/stages/BaseStageForm";
import { AccountLockdownStage, StagesApi } from "@goauthentik/api";
import { msg } from "@lit/localize";
import { html } from "lit";
import { customElement } from "lit/decorators.js";
@customElement("ak-stage-account-lockdown-form")
export class AccountLockdownStageForm extends BaseStageForm<AccountLockdownStage> {
#api = new StagesApi(DEFAULT_CONFIG);
protected override loadInstance(pk: string): Promise<AccountLockdownStage> {
return this.#api.stagesAccountLockdownRetrieve({ stageUuid: pk });
}
protected override async send(data: AccountLockdownStage): Promise<AccountLockdownStage> {
if (this.instance) {
return this.#api.stagesAccountLockdownUpdate({
stageUuid: this.instance.pk || "",
accountLockdownStageRequest: data,
});
}
return this.#api.stagesAccountLockdownCreate({
accountLockdownStageRequest: data,
});
}
protected override renderForm(): SlottedTemplateResult {
return html`<span>
${msg(
"This stage executes account lockdown actions on a target user. Configure which actions to perform when this stage runs.",
)}
</span>
<ak-text-input
label=${msg("Stage Name")}
placeholder=${msg("Type a name for this stage...")}
required
name="name"
value=${ifPresent(this.instance?.name || "")}
?autofocus=${!this.instance}
></ak-text-input>
<ak-form-group open label=${msg("Stage-specific settings")}>
<div class="pf-c-form">
<ak-switch-input
name="deactivateUser"
label=${msg("Deactivate user")}
?checked=${this.instance?.deactivateUser ?? true}
help=${msg("Deactivate the user account (set is_active to False).")}
>
</ak-switch-input>
<ak-switch-input
name="setUnusablePassword"
label=${msg("Set unusable password")}
?checked=${this.instance?.setUnusablePassword ?? true}
help=${msg("Set an unusable password for the user.")}
>
</ak-switch-input>
<ak-switch-input
name="deleteSessions"
label=${msg("Delete sessions")}
?checked=${this.instance?.deleteSessions ?? true}
help=${msg("Delete all active sessions for the user.")}
>
</ak-switch-input>
<ak-switch-input
name="revokeTokens"
label=${msg("Revoke tokens")}
?checked=${this.instance?.revokeTokens ?? true}
help=${msg(
"Revoke all tokens for the user (API, app password, recovery, verification).",
)}
>
</ak-switch-input>
</div>
</ak-form-group>
<ak-form-group
label=${msg("Self-service completion")}
open
description=${msg(
"Configure what happens after a user locks their own account. Since all sessions are deleted, the user cannot continue in the current flow and will be redirected to a separate completion flow.",
)}
>
<div class="pf-c-form">
<ak-form-element-horizontal
label=${msg("Completion flow")}
name="selfServiceCompletionFlow"
>
<ak-flow-search
placeholder=${msg("Select a completion flow...")}
.currentFlow=${this.instance?.selfServiceCompletionFlow}
></ak-flow-search>
<p class="pf-c-form__helper-text">
${msg(
"Flow to redirect users to after self-service lockdown. This flow must not require authentication since the user's session is deleted.",
)}
</p>
</ak-form-element-horizontal>
</div>
</ak-form-group>`;
}
}
declare global {
interface HTMLElementTagNameMap {
"ak-stage-account-lockdown-form": AccountLockdownStageForm;
}
}
web/src/admin/stages/prompt/PromptForm.ts
+3
View File
@@ -148,6 +148,9 @@ export class PromptForm extends ModelForm<Prompt, string> {
[PromptTypeEnum.Separator, msg("Separator: Static Separator Line")],
[PromptTypeEnum.Hidden, msg("Hidden: Hidden field, can be used to insert data into form.")],
[PromptTypeEnum.Static, msg("Static: Static value, displayed as-is.")],
[PromptTypeEnum.AlertInfo, msg("Alert (Info): Static alert box with info styling")],
[PromptTypeEnum.AlertWarning, msg("Alert (Warning): Static alert box with warning styling")],
[PromptTypeEnum.AlertDanger, msg("Alert (Danger): Static alert box with danger styling")],
[PromptTypeEnum.AkLocale, msg("authentik: Locale: Displays a list of locales authentik supports.")],
];
const currentType = this.instance?.type;
web/src/admin/stages/register.ts
+1
View File
@@ -22,6 +22,7 @@ import "#admin/stages/password/PasswordStageForm";
import "#admin/stages/prompt/PromptStageForm";
import "#admin/stages/redirect/RedirectStageForm";
import "#admin/stages/source/SourceStageForm";
import "#admin/stages/account_lockdown/AccountLockdownStageForm";
import "#admin/stages/user_delete/UserDeleteStageForm";
import "#admin/stages/user_login/UserLoginStageForm";
import "#admin/stages/user_logout/UserLogoutStageForm";
web/src/admin/users/UserActiveForm.ts
-37
View File
@@ -4,9 +4,7 @@ import "#elements/forms/FormGroup";
import { DEFAULT_CONFIG } from "#common/api/config";
import { formatDisambiguatedUserDisplayName } from "#common/users";
import { RawContent } from "#elements/ak-table/ak-simple-table";
import { modalInvoker } from "#elements/dialogs";
import { pluckEntityName } from "#elements/entities/names";
import { DestructiveModelForm } from "#elements/forms/DestructiveModelForm";
import { WithLocale } from "#elements/mixins/locale";
import { SlottedTemplateResult } from "#elements/types";
@@ -77,41 +75,6 @@ export class UserActivationToggleForm extends WithLocale(DestructiveModelForm<Us
return this.coreAPI.coreUsersUsedByList({ id: this.instance.pk });
};
protected override renderUsedBySection(): SlottedTemplateResult {
if (this.instance?.isActive) {
return super.renderUsedBySection();
}
const displayName = this.formatDisplayName();
const { usedByList, verboseName } = this;
return html`<ak-form-group
open
label=${msg("Objects associated with this user", {
id: "usedBy.associated-objects.label",
})}
>
<div
class="pf-m-monospace"
aria-description=${msg(
str`List of objects that are associated with this ${verboseName}.`,
{
id: "usedBy.description",
},
)}
slot="description"
>
${displayName}
</div>
<ak-simple-table
.columns=${[msg("Object Name"), msg("ID")]}
.content=${usedByList.map((ub): RawContent[] => {
return [pluckEntityName(ub) || msg("Unnamed"), html`<code>${ub.pk}</code>`];
})}
></ak-simple-table>
</ak-form-group>`;
}
}
declare global {
web/src/admin/users/UserListPage.ts
+4 -3
View File
@@ -22,6 +22,7 @@ import { formatUserDisplayName } from "#common/users";
import { IconEditButton, modalInvoker } from "#elements/dialogs";
import { WithBrandConfig } from "#elements/mixins/branding";
import { CapabilitiesEnum, WithCapabilitiesConfig } from "#elements/mixins/capabilities";
import { WithLicenseSummary } from "#elements/mixins/license";
import { WithSession } from "#elements/mixins/session";
import { getURLParam, updateURLParams } from "#elements/router/RouteMatch";
import { PaginatedResponse, TableColumn, Timestamp } from "#elements/table/Table";
@@ -56,8 +57,8 @@ const recoveryButtonStyles = css`
`;
@customElement("ak-user-list")
export class UserListPage extends WithBrandConfig(
WithCapabilitiesConfig(WithSession(TablePage<User>)),
export class UserListPage extends WithLicenseSummary(
WithBrandConfig(WithCapabilitiesConfig(WithSession(TablePage<User>))),
) {
static styles: CSSResult[] = [
...TablePage.styles,
@@ -195,7 +196,7 @@ export class UserListPage extends WithBrandConfig(
</div>
<h4 class="pf-c-alert__title">
${msg(
str`Warning: You're about to delete the user you're logged in as (${shouldShowWarning.username}). Proceed at your own risk.`,
str`Warning: You are about to delete user ${shouldShowWarning.username}, but you are currently logged in as this user. Proceed at your own risk.`,
)}
</h4>
</div>
web/src/admin/users/UserViewPage.ts
+41 -15
View File
@@ -30,7 +30,11 @@ import "#elements/ak-mdx/ak-mdx";
import { DEFAULT_CONFIG } from "#common/api/config";
import { AKRefreshEvent } from "#common/events";
import { userTypeToLabel } from "#common/labels";
import { formatDisambiguatedUserDisplayName, formatUserDisplayName } from "#common/users";
import {
formatDisambiguatedUserDisplayName,
formatUserDisplayName,
startAccountLockdown,
} from "#common/users";
import { AKElement } from "#elements/Base";
import { listen } from "#elements/decorators/listen";
@@ -41,7 +45,6 @@ import { WithLicenseSummary } from "#elements/mixins/license";
import { WithLocale } from "#elements/mixins/locale";
import { WithSession } from "#elements/mixins/session";
import { Timestamp } from "#elements/table/shared";
import { SlottedTemplateResult } from "#elements/types";
import { setPageDetails } from "#components/ak-page-navbar";
import { type DescriptionPair, renderDescriptionList } from "#components/DescriptionList";
@@ -151,19 +154,21 @@ export class UserViewPage extends WithLicenseSummary(
const user = this.user;
// prettier-ignore
const userInfo: DescriptionPair[] = [
[ msg("Username"), user.username ],
[ msg("Name"), user.name ],
[ msg("Email"), user.email || "-" ],
[ msg("Last login"), Timestamp(user.lastLogin) ],
[ msg("Last password change"), Timestamp(user.passwordChangeDate) ],
[ msg("Active"), html`<ak-status-label ?good=${user.isActive}></ak-status-label>` ],
[ msg("Type"), userTypeToLabel(user.type) ],
[ msg("Superuser"), html`<ak-status-label type="warning" ?good=${user.isSuperuser}></ak-status-label>` ],
[ msg("Actions"), this.renderActionButtons(user) ],
[ msg("Recovery"), this.renderRecoveryButtons(user) ],
]
[msg("Username"), user.username],
[msg("Name"), user.name],
[msg("Email"), user.email || "-"],
[msg("Last login"), Timestamp(user.lastLogin)],
[msg("Last password change"), Timestamp(user.passwordChangeDate)],
[msg("Active"), html`<ak-status-label ?good=${user.isActive}></ak-status-label>`],
[msg("Type"), userTypeToLabel(user.type)],
[
msg("Superuser"),
html`<ak-status-label type="warning" ?good=${user.isSuperuser}></ak-status-label>`,
],
[msg("Actions"), this.renderActionButtons(user)],
[msg("Recovery"), this.renderRecoveryButtons(user)],
];
return html`
<div class="pf-c-card__title">${msg("User Info")}</div>
@@ -173,9 +178,21 @@ export class UserViewPage extends WithLicenseSummary(
`;
}
protected renderActionButtons(user: User): SlottedTemplateResult {
/**
* Initiates the account lockdown flow for this user, if any.
*/
protected lockdownUser = async () => {
if (!this.user) {
return;
}
return startAccountLockdown(this.user.pk).catch(showAPIErrorMessage);
};
protected renderActionButtons(user: User) {
const showImpersonate =
this.can(CapabilitiesEnum.CanImpersonate) && user.pk !== this.currentUser?.pk;
const showLockdown = this.hasEnterpriseLicense && user.pk !== this.currentUser?.pk;
const displayName = formatUserDisplayName(user);
@@ -188,6 +205,15 @@ export class UserViewPage extends WithLicenseSummary(
</button>
${ToggleUserActivationButton(user, { className: "pf-m-block" })}
${showLockdown
? html`<button
class="pf-c-button pf-m-danger pf-m-block"
@click=${this.lockdownUser}
type="button"
>
${msg("Account Lockdown")}
</button>`
: null}
${showImpersonate
? html`<button
class="pf-c-button pf-m-tertiary pf-m-block"
web/src/common/users.ts
+12
View File
@@ -157,6 +157,18 @@ export function redirectToAuthFlow(nextPathname = "/flows/-/default/authenticati
window.location.assign(authFlowRedirectURL);
}
/**
* Start account lockdown and follow the returned flow link.
*/
export async function startAccountLockdown(user?: number): Promise<void> {
const response = await new CoreApi(DEFAULT_CONFIG).coreUsersAccountLockdownCreate({
userAccountLockdownRequest: user !== undefined ? { user } : {},
});
if (response.link) {
window.location.assign(response.link);
}
}
/**
* Retrieve the current user session.
*
web/src/flow/stages/prompt/PromptStage.ts
+38 -5
View File
@@ -19,13 +19,14 @@ import {
} from "@goauthentik/api";
import { msg } from "@lit/localize";
import { css, CSSResult, html, nothing } from "lit";
import { css, CSSResult, html } from "lit";
import { customElement } from "lit/decorators.js";
import { unsafeHTML } from "lit/directives/unsafe-html.js";
import PFAlert from "@patternfly/patternfly/components/Alert/alert.css";
import PFButton from "@patternfly/patternfly/components/Button/button.css";
import PFCheck from "@patternfly/patternfly/components/Check/check.css";
import PFContent from "@patternfly/patternfly/components/Content/content.css";
import PFForm from "@patternfly/patternfly/components/Form/form.css";
import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
@@ -47,6 +48,7 @@ export class PromptStage extends WithCapabilitiesConfig(
static styles: CSSResult[] = [
PFLogin,
PFAlert,
PFContent,
PFForm,
PFFormControl,
PFInputGroup,
@@ -62,6 +64,30 @@ export class PromptStage extends WithCapabilitiesConfig(
`,
];
protected isAlertPromptType(prompt: StagePrompt): boolean {
return (
prompt.type === PromptTypeEnum.AlertInfo ||
prompt.type === PromptTypeEnum.AlertWarning ||
prompt.type === PromptTypeEnum.AlertDanger
);
}
protected renderPromptAlert(
prompt: StagePrompt,
level: "info" | "warning" | "danger",
icon: string,
): SlottedTemplateResult {
return html`<div class="pf-c-alert pf-m-${level} pf-m-inline">
<div class="pf-c-alert__icon">
<i class="fas fa-fw ${icon}" aria-hidden="true"></i>
</div>
${prompt.label ? html`<h4 class="pf-c-alert__title">${prompt.label}</h4>` : null}
<div class="pf-c-alert__description pf-c-content">
${unsafeHTML(prompt.initialValue)}
</div>
</div>`;
}
protected renderPromptInner(prompt: StagePrompt): SlottedTemplateResult {
const fieldId = `field-${prompt.fieldKey}`;
@@ -194,6 +220,12 @@ ${prompt.initialValue}</textarea
/>`;
case PromptTypeEnum.Static:
return html`<p>${unsafeHTML(prompt.initialValue)}</p>`;
case PromptTypeEnum.AlertInfo:
return this.renderPromptAlert(prompt, "info", "fa-info-circle");
case PromptTypeEnum.AlertWarning:
return this.renderPromptAlert(prompt, "warning", "fa-exclamation-triangle");
case PromptTypeEnum.AlertDanger:
return this.renderPromptAlert(prompt, "danger", "fa-exclamation-circle");
case PromptTypeEnum.Dropdown:
return html`<select class="pf-c-form-control" name="${prompt.fieldKey}">
${prompt.choices?.map((choice) => {
@@ -234,9 +266,9 @@ ${prompt.initialValue}</textarea
}
}
protected renderPromptHelpText(prompt: StagePrompt) {
protected renderPromptHelpText(prompt: StagePrompt): SlottedTemplateResult {
if (!prompt.subText) {
return nothing;
return null;
}
return html`<p class="pf-c-form__helper-text">${unsafeHTML(prompt.subText)}</p>`;
@@ -247,7 +279,8 @@ ${prompt.initialValue}</textarea
return !(
prompt.type === PromptTypeEnum.Static ||
prompt.type === PromptTypeEnum.Hidden ||
prompt.type === PromptTypeEnum.Separator
prompt.type === PromptTypeEnum.Separator ||
this.isAlertPromptType(prompt)
);
}
@@ -266,7 +299,7 @@ ${prompt.initialValue}</textarea
<label class="pf-c-check__label" for="${prompt.fieldKey}">${prompt.label}</label>
${prompt.required
? html`<p class="pf-c-form__helper-text">${msg("Required.")}</p>`
: nothing}
: null}
<p class="pf-c-form__helper-text">${unsafeHTML(prompt.subText)}</p>
</div>`;
}
web/src/user/user-settings/UserSettingsPage.ts
+64 -9
View File
@@ -9,10 +9,14 @@ import "#user/user-settings/tokens/UserTokenList";
import { DEFAULT_CONFIG } from "#common/api/config";
import { EVENT_REFRESH } from "#common/constants";
import { startAccountLockdown } from "#common/users";
import { AKSkipToContent } from "#elements/a11y/ak-skip-to-content";
import { AKElement } from "#elements/Base";
import { showAPIErrorMessage } from "#elements/messages/MessageContainer";
import { WithLicenseSummary } from "#elements/mixins/license";
import { WithSession } from "#elements/mixins/session";
import { SlottedTemplateResult } from "#elements/types";
import { ifPresent } from "#elements/utils/attributes";
import Styles from "#user/user-settings/styles.css";
@@ -20,10 +24,11 @@ import Styles from "#user/user-settings/styles.css";
import { StagesApi, UserSetting } from "@goauthentik/api";
import { msg } from "@lit/localize";
import { CSSResult, html, nothing, TemplateResult } from "lit";
import { CSSResult, html, nothing } from "lit";
import { customElement, state } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
import PFButton from "@patternfly/patternfly/components/Button/button.css";
import PFCard from "@patternfly/patternfly/components/Card/card.css";
import PFContent from "@patternfly/patternfly/components/Content/content.css";
import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
@@ -36,9 +41,10 @@ import PFDisplay from "@patternfly/patternfly/utilities/Display/display.css";
import PFSizing from "@patternfly/patternfly/utilities/Sizing/sizing.css";
@customElement("ak-user-settings")
export class UserSettingsPage extends WithSession(AKElement) {
export class UserSettingsPage extends WithLicenseSummary(WithSession(AKElement)) {
static styles: CSSResult[] = [
PFPage,
PFButton,
PFDisplay,
PFGallery,
PFContent,
@@ -51,21 +57,69 @@ export class UserSettingsPage extends WithSession(AKElement) {
Styles,
];
protected stagesAPI = new StagesApi(DEFAULT_CONFIG);
@state()
userSettings?: UserSetting[];
protected userSettings: UserSetting[] | null = null;
protected refresh = () => {
return this.stagesAPI
.stagesAllUserSettingsList()
.then((nextUserSettings) => {
this.userSettings = nextUserSettings;
})
.catch(showAPIErrorMessage);
};
constructor() {
super();
this.addEventListener(EVENT_REFRESH, () => {
this.firstUpdated();
});
this.addEventListener(EVENT_REFRESH, this.refresh);
}
async firstUpdated(): Promise<void> {
this.userSettings = await new StagesApi(DEFAULT_CONFIG).stagesAllUserSettingsList();
public async firstUpdated(): Promise<void> {
this.refresh();
}
render(): TemplateResult {
protected lockAccount = () => {
return startAccountLockdown().catch(showAPIErrorMessage);
};
protected renderSecuritySettings(): SlottedTemplateResult {
if (!this.hasEnterpriseLicense) {
return null;
}
return html`<div
id="page-security"
role="tabpanel"
tabindex="0"
slot="page-security"
aria-label=${msg("Security")}
class="pf-c-page__main-section pf-m-no-padding-mobile"
>
<div class="pf-l-stack pf-m-gutter">
<div class="pf-l-stack__item">
<div class="pf-c-card">
<div class="pf-c-card__title">${msg("Account Lockdown")}</div>
<div class="pf-c-card__body">
<p>
${msg(
"If you suspect your account has been compromised, you can immediately lock it to prevent unauthorized access.",
)}
</p>
</div>
<div class="pf-c-card__footer">
<button class="pf-c-button pf-m-danger" @click=${this.lockAccount}>
${msg("Lock my account")}
</button>
</div>
</div>
</div>
</div>
</div>`;
}
protected override render(): SlottedTemplateResult {
const pwStage =
this.userSettings?.filter((stage) => stage.component === "ak-user-settings-password") ||
[];
@@ -176,6 +230,7 @@ export class UserSettingsPage extends WithSession(AKElement) {
></ak-user-settings-source>
</div>
</div>
${this.renderSecuritySettings()}
</ak-tabs>
</div>
</div>`;
website/docs/add-secure-apps/flows-stages/stages/account_lockdown/index.md
+117
View File
@@ -0,0 +1,117 @@
---
title: Account Lockdown stage
authentik_version: "2025.5.0"
authentik_enterprise: true
---
:::danger
This stage performs destructive actions on a user account. Ensure the flow includes appropriate warnings and confirmation steps before this stage executes.
:::
The Account Lockdown stage executes security lockdown actions on a target user account. For the feature overview and usage instructions, see [Account Lockdown](../../../../security/account-lockdown.md).
## Stage behavior
1. **Resolves the target account** from the flow query parameters (see [Target user resolution](#target-user-resolution))
2. **Applies the configured actions** to that account
3. **Creates an event** for the locked account
4. **For self-service**: if sessions are deleted, redirects to the completion flow
## Stage settings
| Setting | Description | Default |
| ------------------------- | ----------------------------------------------------------------------------------- | ------- |
| **Deactivate user** | Set `is_active` to False | Enabled |
| **Set unusable password** | Invalidate the local authentik password. External source passwords are not changed. | Enabled |
| **Delete sessions** | Terminate all active sessions | Enabled |
| **Revoke tokens** | Delete all tokens and grants (API, app password, recovery, verification, OAuth) | Enabled |
| **Completion flow** | Flow for self-service completion (must not require auth) | None |
:::warning
Disabling **Delete sessions** is not recommended as it would allow an attacker with an active session to continue using the account.
:::
## Target user resolution
The account lockdown API pre-plans the flow with the selected user as the flow's `pending_user`. The stage uses that `pending_user` as the account to lock.
The resolved target must be:
- a real user account
- not the anonymous user
- not an internal service account
If no valid target user can be resolved, the stage returns an invalid response.
## Reason input
The stage reads the lockdown reason from:
1. `prompt_data.lockdown_reason`
2. `lockdown_reason` in the flow plan context
3. an empty string if neither is set
## Self-service behavior
When the resolved target user is the same user who is currently authenticated and **Delete sessions** is enabled, the user's session is deleted during lockdown. The stage cannot continue to the next stage, so it redirects to the **Completion flow**.
If **Delete sessions** is disabled, the flow continues normally and can show its own completion stages.
The completion flow must have **Authentication** set to **No authentication required**.
## Events
Creates a **User Write** event with an account-lockdown action ID. Use [Notification Rules](../../../../sys-mgmt/events/index.md) to send alerts. To match account-lockdown events, use action `user_write` and query `context.action_id = "account_lockdown"`.
```json
{
"action": "user_write",
"context": {
"action_id": "account_lockdown",
"reason": "User-provided reason",
"affected_user": "username"
}
}
```
## Usage examples
### Policy to show a completion stage only for administrator-triggered lockdowns
```python
target_user = request.context.get("pending_user")
current_user = request.http_request.user
return bool(target_user and current_user and target_user.pk != current_user.pk)
```
### Dynamic warning message
Prompt field with **Initial value expression** enabled:
```python
target = user
current_user = http_request.user
is_self_service = bool(target and current_user and target.pk == current_user.pk)
from django.utils.html import escape
if is_self_service:
return """<p><strong>This will immediately:</strong></p>
<ul>
<li>Invalidate your local authentik password</li>
<li>Deactivate your account</li>
<li>Terminate all sessions</li>
<li>Revoke all tokens</li>
</ul>"""
else:
if target:
return f"<p><strong>Locking down:</strong></p><p><code>{escape(target.username)}</code></p>"
return "<p><strong>Locking down the selected account.</strong></p>"
```
## Error handling
| Error | Cause |
| -------------------------- | --------------------------------------- |
| "No target user specified" | No valid pending user found in the flow |
| Failure | The stage returns an invalid response |
website/docs/security/account-lockdown.md
+128
View File
@@ -0,0 +1,128 @@
---
title: Account Lockdown
authentik_version: "2025.5.0"
authentik_enterprise: true
---
Account Lockdown is a security feature that allows administrators to quickly secure a user account during emergencies, such as suspected compromise or unauthorized access. Users can also lock down their own account if they believe it has been compromised.
## What Account Lockdown does
When triggered, Account Lockdown performs the following actions (all configurable):
- **Deactivates the user account**: The user can no longer log in
- **Sets an unusable password**: Invalidates the user's password
- **Terminates all active sessions**: Immediately logs the user out of all devices and applications
- **Revokes all tokens**: Invalidates API, app password, recovery, verification, and OAuth2 tokens and grants
- **Creates an audit event**: Records the lockdown with the provided reason (can trigger [notifications](#configure-notifications))
:::note Protected accounts
Account Lockdown cannot be triggered on the anonymous user or internal service accounts.
:::
## Prerequisites
1. A **Lockdown Flow** must be configured on your Brand (**System** > **Brands**)
2. The flow must contain an [Account Lockdown Stage](../add-secure-apps/flows-stages/stages/account_lockdown/index.md) (Enterprise)
3. For self-service lockdown, configure a **Completion Flow** on the stage
## Use the packaged lockdown blueprint
authentik includes a packaged lockdown blueprint that creates a default lockdown flow (`default-account-lockdown`) and a self-service completion flow (`default-account-lockdown-complete`).
The blueprint creates:
| Order | Stage | Purpose |
| ----- | ------------------------- | -------------------------------- |
| 0 | Prompt Stage | Warning message and reason input |
| 10 | Account Lockdown Stage | Executes lockdown actions |
| 20 | Prompt Stage (admin only) | Shows a confirmation message |
A separate completion flow (`default-account-lockdown-complete`) displays a message after self-service lockdowns.
### Step 1. Download the blueprint
Download the lockdown blueprint by running:
```shell
wget https://goauthentik.io/blueprints/example/flow-default-account-lockdown.yaml
```
Alternatively, use this [link](/blueprints/example/flow-default-account-lockdown.yaml) to view and save the file.
### Step 2. Import the blueprint file
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Flows and Stages** > **Flows** and click **Import**.
3. Click **Choose file**, select `flow-default-account-lockdown.yaml`, and then click **Import**.
### Step 3. Set the lockdown flow on your brand
1. Navigate to **System** > **Brands**.
2. Edit your brand and set **Lockdown flow** to `default-account-lockdown`.
## Create a custom flow
1. Navigate to **Flows and Stages** > **Flows** and create a flow with:
- **Designation**: Stage Configuration
- **Authentication**: Require authenticated user
2. Add a Prompt Stage for warnings and reason collection
3. Add an Account Lockdown Stage
4. Optionally add an administrator-only completion Prompt Stage
5. Set this flow as **Lockdown flow** on your Brand
For stage configuration details, see the [Account Lockdown Stage documentation](../add-secure-apps/flows-stages/stages/account_lockdown/index.md).
## Trigger an Account Lockdown
### From a User's detail page
1. Navigate to **Directory** > **Users** and click on a user.
2. Click **Account Lockdown**.
3. Review the warning, enter a reason (recorded in the audit log), and click **Continue**.
4. If your flow includes an administrator-only completion stage, it is shown after the lockdown completes.
## Self-service Account Lockdown
Users can lock their own account from the User interface:
1. Navigate to **Settings**.
2. In the **Account Lockdown** section, click **Lock my account**.
3. Enter a reason and click **Continue**.
After lockdown, the user is redirected to the configured completion page. They cannot log back in until an administrator restores access.
### Configure the completion message
Since the user's session is deleted, the stage redirects to a separate unauthenticated flow:
1. Create a flow with **Authentication** set to **No authentication required**
2. Add a Prompt Stage with an alert field containing your message
3. On your Account Lockdown Stage, set **Completion flow** to this flow
## Configure notifications
Use Notification Rules to alert when lockdowns occur:
1. Navigate to **Customization** > **Policies** and create an **Event Matcher Policy**
2. Set **Action** to **User Write**
3. Set **Query** to `action = "user_write" and context.action_id = "account_lockdown"`
4. Navigate to **Events** > **Notification Rules** and create a rule
5. Select a notification transport, such as `default-email-transport`
6. Select a destination group, or enable **Send notification to event user** to notify the locked user
7. Bind the Event Matcher Policy to the rule
## Restore access after lockdown
1. Navigate to **Directory** > **Users** and find the locked user (shown as inactive).
2. Click **Activate** to re-enable the account.
3. Use **Set password** or **Create Recovery Link** to set a new password.
4. Advise the user to re-enroll MFA devices.
## Troubleshooting
| Issue | Solution |
| ----------------------------- | -------------------------------------------------------------------------------- |
| "No lockdown flow configured" | Set a lockdown flow on your Brand (**System** > **Brands**) |
| Self-service shows login page | Configure a **Completion flow** on the stage with **No authentication required** |
| Warning message not showing | Ensure **Initial value expression** is enabled and field type is an alert type |
website/docs/sidebar.mjs
+2
View File
@@ -321,6 +321,7 @@ const items = [
id: "add-secure-apps/flows-stages/stages/index",
},
items: [
"add-secure-apps/flows-stages/stages/account_lockdown/index",
"add-secure-apps/flows-stages/stages/authenticator_duo/index",
"add-secure-apps/flows-stages/stages/authenticator_email/index",
"add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index",
@@ -972,6 +973,7 @@ const items = [
items: [
"security/policy",
"security/security-hardening",
"security/account-lockdown",
{
//#endregion
website/docs/sys-mgmt/events/notifications.md
+1 -1
View File
@@ -54,7 +54,7 @@ After you've created the policies to match the events you want, create a notific
3. Define the policy configurations, and then click **Create Notification Rule** or **Update** to save the settings.
- Note that policies are executed regardless of whether a group is selected. However, notifications are only triggered when a group is selected.
- Note that policies are executed regardless of whether a destination is selected. However, notifications are only created when a destination group is selected or **Send notification to event user** is enabled.
- You also have to select which [notification transport](./transports.md) should be used to send the notification. Two notification transports are created by default:
- `default-email-transport`: Delivers notifications via email using the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended).
- `default-local-transport`: Delivers notifications within the authentik UI.