mirror of
https://github.com/goauthentik/authentik
synced 2026-04-25 17:15:26 +02:00
15b93a5e9d
* add passkey_login to identification stage * handle passkey auth in identification stage * Add passkey settings in identification stage in the admin UI * Add UI changes for basic passkey conditional login * Fix linting * rework Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update tests * update admin form * allow passing stage to validate_challenge_webauthn * update flows/tests/test_inspector.py * update for new field * Fix linting * update go solvers for identification challenge * Refactor tests * Skip mfa validation if user already authenticated via passkey at identification stage * Add skip_if_passkey_authenticated option to authenticator validate stage and UI * Add e2e test for passkey login conditional ui * add policy Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Remove skip_if_passkey_authenticated * fix blueprint * Set backend so password stage policy knows user is already authenticated * Set backend so password stage policy knows user is already authenticated * fix linting * slight tweaks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * simplify e2e test --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Marcelo Elizeche Landó <marcelo@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
108 lines
3.7 KiB
YAML
108 lines
3.7 KiB
YAML
version: 1
|
|
metadata:
|
|
name: Default - Authentication flow
|
|
entries:
|
|
- model: authentik_blueprints.metaapplyblueprint
|
|
attrs:
|
|
identifiers:
|
|
name: Default - Password change flow
|
|
required: false
|
|
- attrs:
|
|
designation: authentication
|
|
name: Welcome to authentik!
|
|
title: Welcome to authentik!
|
|
authentication: none
|
|
identifiers:
|
|
slug: default-authentication-flow
|
|
model: authentik_flows.flow
|
|
id: flow
|
|
- attrs:
|
|
backends:
|
|
- authentik.core.auth.InbuiltBackend
|
|
- authentik.sources.kerberos.auth.KerberosBackend
|
|
- authentik.sources.ldap.auth.LDAPBackend
|
|
- authentik.core.auth.TokenBackend
|
|
configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
|
|
identifiers:
|
|
name: default-authentication-password
|
|
id: default-authentication-password
|
|
model: authentik_stages_password.passwordstage
|
|
- identifiers:
|
|
name: default-authentication-mfa-validation
|
|
id: default-authentication-mfa-validation
|
|
model: authentik_stages_authenticator_validate.authenticatorvalidatestage
|
|
- attrs:
|
|
user_fields:
|
|
- email
|
|
- username
|
|
identifiers:
|
|
name: default-authentication-identification
|
|
id: default-authentication-identification
|
|
model: authentik_stages_identification.identificationstage
|
|
- identifiers:
|
|
name: default-authentication-login
|
|
id: default-authentication-login
|
|
model: authentik_stages_user_login.userloginstage
|
|
- identifiers:
|
|
order: 10
|
|
stage: !KeyOf default-authentication-identification
|
|
target: !KeyOf flow
|
|
model: authentik_flows.flowstagebinding
|
|
- identifiers:
|
|
order: 20
|
|
stage: !KeyOf default-authentication-password
|
|
target: !KeyOf flow
|
|
attrs:
|
|
re_evaluate_policies: true
|
|
id: default-authentication-flow-password-binding
|
|
model: authentik_flows.flowstagebinding
|
|
- identifiers:
|
|
order: 30
|
|
stage: !KeyOf default-authentication-mfa-validation
|
|
target: !KeyOf flow
|
|
id: default-authentication-flow-authenticator-validation-binding
|
|
model: authentik_flows.flowstagebinding
|
|
- identifiers:
|
|
order: 100
|
|
stage: !KeyOf default-authentication-login
|
|
target: !KeyOf flow
|
|
model: authentik_flows.flowstagebinding
|
|
- model: authentik_policies_expression.expressionpolicy
|
|
id: default-authentication-flow-password-optional
|
|
identifiers:
|
|
name: default-authentication-flow-password-stage
|
|
attrs:
|
|
expression: |
|
|
flow_plan = request.context.get("flow_plan")
|
|
if not flow_plan:
|
|
return True
|
|
# If the user does not have a backend attached to it, they haven't
|
|
# been authenticated yet and we need the password stage
|
|
return not hasattr(flow_plan.context.get("pending_user"), "backend")
|
|
- model: authentik_policies_expression.expressionpolicy
|
|
id: default-authentication-flow-authenticator-validate-optional
|
|
identifiers:
|
|
name: default-authentication-flow-authenticator-validate-stage
|
|
attrs:
|
|
expression: |
|
|
flow_plan = request.context.get("flow_plan")
|
|
if not flow_plan:
|
|
return True
|
|
# if the authentication method is webauthn (passwordless), then we skip the authenticator
|
|
# validation stage by returning false (true will execute the stage)
|
|
return not (flow_plan.context.get("auth_method") == "auth_webauthn_pwl")
|
|
- model: authentik_policies.policybinding
|
|
identifiers:
|
|
order: 10
|
|
target: !KeyOf default-authentication-flow-password-binding
|
|
policy: !KeyOf default-authentication-flow-password-optional
|
|
attrs:
|
|
failure_result: true
|
|
- model: authentik_policies.policybinding
|
|
identifiers:
|
|
order: 10
|
|
target: !KeyOf default-authentication-flow-authenticator-validation-binding
|
|
policy: !KeyOf default-authentication-flow-authenticator-validate-optional
|
|
attrs:
|
|
failure_result: true
|