mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-17 19:09:11 +03:00
Jens L.
c6ee7b6881
* initial Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use same startup template Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix check not working Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated: fix inspector auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ensure oobe flow can only accessed via correct url Signed-off-by: Jens Langhammer <jens@goauthentik.io> * set setup flag when applying bootstrap blueprint when env is set Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add system visibility to flags to make them non-editable Signed-off-by: Jens Langhammer <jens@goauthentik.io> * set setup flag for e2e tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests and linting Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make github lint happy Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make tests have less assumptions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Update docs * include more heuristics in migration Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add management command to set any flag Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate worker command to signal Signed-off-by: Jens Langhammer <jens@goauthentik.io> * improved api for setting flags Signed-off-by: Jens Langhammer <jens@goauthentik.io> * short circuit Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
157 lines
4.6 KiB
YAML
157 lines
4.6 KiB
YAML
metadata:
|
|
labels:
|
|
blueprints.goauthentik.io/system-oobe: "true"
|
|
blueprints.goauthentik.io/system: "true"
|
|
name: Default - Out-of-box-experience flow
|
|
version: 1
|
|
entries:
|
|
- attrs:
|
|
denied_action: message_continue
|
|
designation: stage_configuration
|
|
name: default-oobe-setup
|
|
title: Welcome to authentik!
|
|
id: flow
|
|
identifiers:
|
|
slug: initial-setup
|
|
model: authentik_flows.flow
|
|
- attrs:
|
|
order: 100
|
|
initial_value:
|
|
Welcome to authentik! Please set a password and email address for the default admin
|
|
user, akadmin.
|
|
placeholder_expression: false
|
|
required: true
|
|
type: static
|
|
field_key: oobe-header-text
|
|
label: oobe-header-text
|
|
id: prompt-field-header
|
|
identifiers:
|
|
name: initial-setup-field-header
|
|
model: authentik_stages_prompt.prompt
|
|
- attrs:
|
|
order: 101
|
|
placeholder: Admin email
|
|
placeholder_expression: false
|
|
required: true
|
|
type: email
|
|
field_key: email
|
|
label: Email
|
|
id: prompt-field-email
|
|
identifiers:
|
|
name: initial-setup-field-email
|
|
model: authentik_stages_prompt.prompt
|
|
- attrs:
|
|
order: 300
|
|
placeholder: Password
|
|
placeholder_expression: false
|
|
required: true
|
|
type: password
|
|
field_key: password
|
|
label: Password
|
|
id: prompt-field-password
|
|
identifiers:
|
|
name: initial-setup-field-password
|
|
model: authentik_stages_prompt.prompt
|
|
- attrs:
|
|
order: 301
|
|
placeholder: Password (repeat)
|
|
placeholder_expression: false
|
|
required: true
|
|
type: password
|
|
field_key: password_repeat
|
|
label: Password (repeat)
|
|
id: prompt-field-password-repeat
|
|
identifiers:
|
|
name: initial-setup-field-password-repeat
|
|
model: authentik_stages_prompt.prompt
|
|
- attrs:
|
|
expression: |
|
|
# This policy sets the user for the currently running flow
|
|
# by injecting "pending_user"
|
|
akadmin = ak_user_by(username="akadmin")
|
|
context["flow_plan"].context["pending_user"] = akadmin
|
|
return True
|
|
id: policy-default-oobe-prefill-user
|
|
identifiers:
|
|
name: default-oobe-prefill-user
|
|
model: authentik_policies_expression.expressionpolicy
|
|
- attrs:
|
|
expression: |
|
|
# This policy ensures that the setup flow can only be
|
|
# executed when the admin user doesn't have a password set
|
|
akadmin = ak_user_by(username="akadmin")
|
|
# Ensure flow was started correctly
|
|
started_by = context.get("goauthentik.io/core/setup/started-by")
|
|
if started_by != "setup":
|
|
setup_url = request.http_request.build_absolute_uri("/")
|
|
ak_message(f"Access the authentik setup by navigating to {setup_url}")
|
|
return False
|
|
return akadmin is None or not akadmin.has_usable_password()
|
|
id: policy-default-oobe-password-usable
|
|
identifiers:
|
|
name: default-oobe-password-usable
|
|
model: authentik_policies_expression.expressionpolicy
|
|
- state: absent
|
|
identifiers:
|
|
name: default-oobe-flow-set-authentication
|
|
model: authentik_policies_expression.expressionpolicy
|
|
- attrs:
|
|
fields:
|
|
- !KeyOf prompt-field-header
|
|
- !KeyOf prompt-field-email
|
|
- !KeyOf prompt-field-password
|
|
- !KeyOf prompt-field-password-repeat
|
|
id: stage-default-oobe-password
|
|
identifiers:
|
|
name: stage-default-oobe-password
|
|
model: authentik_stages_prompt.promptstage
|
|
- id: stage-default-authentication-login
|
|
identifiers:
|
|
name: default-authentication-login
|
|
model: authentik_stages_user_login.userloginstage
|
|
- id: stage-default-password-change-write
|
|
identifiers:
|
|
name: default-password-change-write
|
|
model: authentik_stages_user_write.userwritestage
|
|
attrs:
|
|
user_creation_mode: never_create
|
|
- attrs:
|
|
evaluate_on_plan: true
|
|
invalid_response_action: retry
|
|
re_evaluate_policies: false
|
|
identifiers:
|
|
order: 10
|
|
stage: !KeyOf stage-default-oobe-password
|
|
target: !KeyOf flow
|
|
model: authentik_flows.flowstagebinding
|
|
- attrs:
|
|
evaluate_on_plan: false
|
|
invalid_response_action: retry
|
|
re_evaluate_policies: true
|
|
id: binding-password-write
|
|
identifiers:
|
|
order: 20
|
|
stage: !KeyOf stage-default-password-change-write
|
|
target: !KeyOf flow
|
|
model: authentik_flows.flowstagebinding
|
|
- attrs:
|
|
evaluate_on_plan: true
|
|
invalid_response_action: retry
|
|
re_evaluate_policies: false
|
|
id: binding-login
|
|
identifiers:
|
|
order: 100
|
|
stage: !KeyOf stage-default-authentication-login
|
|
target: !KeyOf flow
|
|
model: authentik_flows.flowstagebinding
|
|
- identifiers:
|
|
order: 0
|
|
policy: !KeyOf policy-default-oobe-password-usable
|
|
target: !KeyOf flow
|
|
model: authentik_policies.policybinding
|
|
- identifiers:
|
|
order: 0
|
|
policy: !KeyOf policy-default-oobe-prefill-user
|
|
target: !KeyOf binding-password-write
|
|
model: authentik_policies.policybinding
|