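---
# authentik blueprint: self-service enrollment (sign-up with e-mail
# verification), password recovery and account deletion (unenrollment).
#
# This file is a Jinja template that is rendered *before* authentik parses
# it as YAML, so every templated scalar is quoted: an empty expansion would
# otherwise become `null`, and a boolean- or number-looking value would be
# re-typed by the YAML parser.
#
# Entry order matters: `!KeyOf` only resolves entries that appear earlier in
# the file, which is why the brand is patched a second time at the very end.
version: 1
metadata:
  name: enrollment-flow
entries:
  # --- Brand configuration ---
  - model: authentik_brands.brand
    identifiers:
      domain: authentik-default
    state: present
    attrs:
      branding_title: "{{ domain }}"
{% if branding_logo is defined %}
      branding_logo: "{{ branding_logo }}"
{% endif %}
{% if branding_favicon is defined %}
      branding_favicon: "{{ branding_favicon }}"
{% endif %}

  # --- Enrollment flow ---
  # Reachable only by anonymous sessions; a logged-in user cannot create a
  # second account through it.
  - model: authentik_flows.flow
    id: enrollment-flow
    identifiers:
      slug: default-enrollment-flow
    attrs:
      name: Sign Up
      title: Create an account
      designation: enrollment
      authentication: require_unauthenticated

  # --- Recovery flow ---
  - model: authentik_flows.flow
    id: recovery-flow
    identifiers:
      slug: default-recovery-flow
    attrs:
      name: Password Recovery
      title: Reset your password
      designation: recovery
      authentication: require_unauthenticated

  # --- Prompt fields ---
  # `field_key` is the attribute written onto the user by the user-write
  # stage; `password` / `password_repeat` are the keys that stage expects.
  - model: authentik_stages_prompt.prompt
    id: field-email
    identifiers:
      name: enrollment-field-email
    attrs:
      field_key: email
      label: Email
      type: email
      required: true
      placeholder: Email
      placeholder_expression: false
      order: 0
  - model: authentik_stages_prompt.prompt
    id: field-username
    identifiers:
      name: enrollment-field-username
    attrs:
      field_key: username
      label: Username
      type: username
      required: true
      placeholder: Username
      placeholder_expression: false
      order: 1
  - model: authentik_stages_prompt.prompt
    id: field-password
    identifiers:
      name: enrollment-field-password
    attrs:
      field_key: password
      label: Password
      type: password
      required: true
      placeholder: Password
      placeholder_expression: false
      order: 2
  - model: authentik_stages_prompt.prompt
    id: field-password-repeat
    identifiers:
      name: enrollment-field-password-repeat
    attrs:
      field_key: password_repeat
      label: Password (repeat)
      type: password
      required: true
      placeholder: Password (repeat)
      placeholder_expression: false
      order: 3

  # --- Password policy ---
  # Shared by the enrollment and the recovery prompt stages so both paths
  # enforce the same minimum.
  - model: authentik_policies_password.passwordpolicy
    id: password-policy
    identifiers:
      name: enrollment-password-policy
    attrs:
      name: enrollment-password-policy
      length_min: 10
      amount_uppercase: 1
      amount_lowercase: 1
      amount_digits: 1
      amount_symbols: 1
      check_static_rules: true
      # Queries the Have I Been Pwned API (hash-prefix lookup) on every
      # enrollment and reset: an outbound network dependency. If the server
      # has no egress, turn this off rather than let sign-ups fail.
      check_have_i_been_pwned: true
      check_zxcvbn: true
      zxcvbn_score_threshold: 3
      # Message for the static-rule checks above; HIBP and zxcvbn produce
      # their own messages.
      error_message: "Password must be at least 10 characters with uppercase, lowercase, digit, and symbol."

  # --- Enrollment stages ---
  - model: authentik_stages_prompt.promptstage
    id: enrollment-prompt-stage
    identifiers:
      name: enrollment-prompt
    attrs:
      fields:
        - !KeyOf field-email
        - !KeyOf field-username
        - !KeyOf field-password
        - !KeyOf field-password-repeat
      validation_policies:
        - !KeyOf password-policy
  # The account is created *before* the e-mail is verified, as inactive.
  # Until the link is clicked (or the account is cleaned up) an unverified
  # sign-up still occupies that username and e-mail address.
  - model: authentik_stages_user_write.userwritestage
    id: enrollment-user-write
    identifiers:
      name: enrollment-user-write
    attrs:
      user_creation_mode: always_create
      create_users_as_inactive: true
  # Activates the user only once the e-mailed link is followed; token
  # lifetime comes from the stage default (not set here).
  - model: authentik_stages_email.emailstage
    id: enrollment-email-verification
    identifiers:
      name: enrollment-email-verification
    attrs:
      use_global_settings: true
      activate_user_on_success: true
      subject: Verify your email address
      template: email/account-confirmation.html
  # Logs the freshly verified user in at the end of the flow.
  - model: authentik_stages_user_login.userloginstage
    id: enrollment-user-login
    identifiers:
      name: enrollment-user-login

  # --- Enrollment flow stage bindings ---
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf enrollment-flow
      stage: !KeyOf enrollment-prompt-stage
      order: 10
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf enrollment-flow
      stage: !KeyOf enrollment-user-write
      order: 20
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf enrollment-flow
      stage: !KeyOf enrollment-email-verification
      order: 30
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf enrollment-flow
      stage: !KeyOf enrollment-user-login
      order: 100

  # --- Recovery stages ---
  # Identifies the account to reset by e-mail address only. This stage is
  # reached unauthenticated, so its response must not reveal whether an
  # address is registered.
  - model: authentik_stages_identification.identificationstage
    id: recovery-identification
    identifiers:
      name: recovery-identification
    attrs:
      user_fields:
        - email
      # Do not echo the matched account (name/avatar) back to the browser.
      show_matched_user: false
      # NOTE(review): on authentik releases that have `pretend_user_exists`,
      # keep it at its default (true) so an unknown address gets the same
      # "e-mail sent" response as a known one — confirm against the deployed
      # version before relying on it.
  - model: authentik_stages_email.emailstage
    id: recovery-email
    identifiers:
      name: recovery-email
    attrs:
      use_global_settings: true
      subject: Reset your password
      template: email/password-reset.html
  - model: authentik_stages_prompt.prompt
    id: field-recovery-password
    identifiers:
      name: recovery-field-password
    attrs:
      field_key: password
      label: New Password
      type: password
      required: true
      placeholder: New Password
      placeholder_expression: false
      order: 0
  - model: authentik_stages_prompt.prompt
    id: field-recovery-password-repeat
    identifiers:
      name: recovery-field-password-repeat
    attrs:
      field_key: password_repeat
      label: New Password (repeat)
      type: password
      required: true
      placeholder: New Password (repeat)
      placeholder_expression: false
      order: 1
  - model: authentik_stages_prompt.promptstage
    id: recovery-password-stage
    identifiers:
      name: recovery-password-prompt
    attrs:
      fields:
        - !KeyOf field-recovery-password
        - !KeyOf field-recovery-password-repeat
      validation_policies:
        - !KeyOf password-policy
  # `never_create`: a reset can only update the account identified above,
  # it must never mint a new user.
  - model: authentik_stages_user_write.userwritestage
    id: recovery-user-write
    identifiers:
      name: recovery-user-write
    attrs:
      user_creation_mode: never_create
  - model: authentik_stages_user_login.userloginstage
    id: recovery-user-login
    identifiers:
      name: recovery-user-login

  # --- Recovery flow stage bindings ---
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf recovery-flow
      stage: !KeyOf recovery-identification
      order: 10
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf recovery-flow
      stage: !KeyOf recovery-email
      order: 20
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf recovery-flow
      stage: !KeyOf recovery-password-stage
      order: 30
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf recovery-flow
      stage: !KeyOf recovery-user-write
      order: 40
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf recovery-flow
      stage: !KeyOf recovery-user-login
      order: 100

  # --- Unenrollment (account deletion) flow ---
  - model: authentik_flows.flow
    id: unenrollment-flow
    identifiers:
      slug: default-unenrollment-flow
    attrs:
      name: Delete Account
      title: Delete your account
      designation: unenrollment
      # Deletion acts on the current session's user; the original left this
      # unset (no authentication requirement). Require a logged-in session.
      authentication: require_authenticated
  # Consent is a confirmation click, not re-authentication. For an
  # irreversible action on a possibly hijacked session, consider binding a
  # password or authenticator-validation stage before the delete stage.
  - model: authentik_stages_consent.consentstage
    id: unenrollment-consent
    identifiers:
      name: unenrollment-consent
    attrs:
      mode: always_require
  - model: authentik_stages_user_delete.userdeletestage
    id: unenrollment-user-delete
    identifiers:
      name: unenrollment-user-delete
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf unenrollment-flow
      stage: !KeyOf unenrollment-consent
      order: 10
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf unenrollment-flow
      stage: !KeyOf unenrollment-user-delete
      order: 20

  # --- Set recovery and unenrollment flows on brand ---
  # Second entry for the same brand: the flows referenced here are created
  # above, so they can now be resolved with !KeyOf.
  - model: authentik_brands.brand
    identifiers:
      domain: authentik-default
    state: present
    attrs:
      flow_recovery: !KeyOf recovery-flow
      flow_unenrollment: !KeyOf unenrollment-flow

{% if social_login_sources is not defined or social_login_sources | length == 0 %}
  # --- Bind enrollment flow to the default login identification stage ---
  # Only when no social-login sources are configured: the login page then
  # offers a local "sign up" link and accepts e-mail or username.
  - model: authentik_stages_identification.identificationstage
    identifiers:
      name: default-authentication-identification
    state: present
    attrs:
      user_fields:
        - email
        - username
      enrollment_flow: !KeyOf enrollment-flow
{% endif %}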