mirror of
https://github.com/goauthentik/authentik
synced 2026-04-27 18:07:15 +02:00
9802d4bcdd
* Add flows-invitation-enrollment.yaml blueprint example, make serializer add default anonymous user in blueprint context * Add tests * fix linting * Update invitations docs * Use custom attributes instead of fixed_data * remove clutter * Reworks the invitations doc to new styling standards * Apply suggestions * fix field Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Add manual steps for invitation creation * add both options at the beginning * use serializer.context in InvitationViewSet.perform_create * Apply suggestions from code review Co-authored-by: Dominic R <dominic@sdko.org> Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com> * add description to bluprint * Apply suggestions from code review Co-authored-by: Dominic R <dominic@sdko.org> Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com> * tweaks to structure and formatting * Optimised images with calibre/image-actions * Update website/docs/users-sources/user/invitations.md Co-authored-by: Dominic R <dominic@sdko.org> Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com> * fix linting * imports Signed-off-by: Jens Langhammer <jens@goauthentik.io> * less branch Signed-off-by: Jens Langhammer <jens@goauthentik.io> * gen Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com> Co-authored-by: dewi-tik <dewi@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Dominic R <dominic@sdko.org> Co-authored-by: Tana M Berry <tana@goauthentik.io> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
397 lines
12 KiB
YAML
397 lines
12 KiB
YAML
# Example - Invitation-based Enrollment Blueprint
|
|
#
|
|
# This blueprint demonstrates invitation-based user enrollment with support for
|
|
# internal and external user types, automatic group assignment, and user path organization.
|
|
#
|
|
# What this blueprint creates:
|
|
# - 3 enrollment flows:
|
|
# * External users flow (invitation-enrollment-flow-external)
|
|
# * Internal users flow (invitation-enrollment-flow-internal)
|
|
# * Internal users flow with automatic group assignment (invitation-enrollment-flow-internal-engineering)
|
|
# - 3 invitation stages (one for each flow)
|
|
# - Prompt fields for collecting user credentials and details (username, password, name, email)
|
|
# - 2 prompt stages (credentials and user details)
|
|
# - 3 user write stages configured for different user types and paths:
|
|
# * External users: user_type=external, path=users/external
|
|
# * Internal users: user_type=internal, path=users/internal
|
|
# * Engineering team: user_type=internal, path=users/internal/engineering, auto-assigned to engineering-team group
|
|
# - 1 user login stage
|
|
# - 1 example group (engineering-team)
|
|
# - 5 example invitations demonstrating different use cases
|
|
#
|
|
# For detailed documentation, see:
|
|
# https://docs.goauthentik.io/users-sources/user/invitations/
|
|
#
|
|
version: 1
|
|
metadata:
|
|
labels:
|
|
blueprints.goauthentik.io/instantiate: "false"
|
|
name: Example - Invitation-based Enrollment
|
|
entries:
|
|
# Flow definition for external users
|
|
- identifiers:
|
|
slug: invitation-enrollment-flow-external
|
|
model: authentik_flows.flow
|
|
id: flow-external
|
|
attrs:
|
|
name: Invitation Enrollment Flow (External Users)
|
|
title: Welcome! Complete your enrollment
|
|
designation: enrollment
|
|
authentication: require_unauthenticated
|
|
|
|
# Flow definition for internal users
|
|
- identifiers:
|
|
slug: invitation-enrollment-flow-internal
|
|
model: authentik_flows.flow
|
|
id: flow-internal
|
|
attrs:
|
|
name: Invitation Enrollment Flow (Internal Users)
|
|
title: Welcome! Complete your enrollment
|
|
designation: enrollment
|
|
authentication: require_unauthenticated
|
|
|
|
# Flow definition for internal users with group assignment
|
|
- identifiers:
|
|
slug: invitation-enrollment-flow-internal-engineering
|
|
model: authentik_flows.flow
|
|
id: flow-internal-engineering
|
|
attrs:
|
|
name: Invitation Enrollment Flow (Internal - Engineering Team)
|
|
title: Welcome to the Engineering Team!
|
|
designation: enrollment
|
|
authentication: require_unauthenticated
|
|
|
|
# Invitation Stage for external users
|
|
- identifiers:
|
|
name: invitation-enrollment-invitation-external
|
|
id: invitation-stage-external
|
|
model: authentik_stages_invitation.invitationstage
|
|
attrs:
|
|
continue_flow_without_invitation: false
|
|
|
|
# Invitation Stage for internal users
|
|
- identifiers:
|
|
name: invitation-enrollment-invitation-internal
|
|
id: invitation-stage-internal
|
|
model: authentik_stages_invitation.invitationstage
|
|
attrs:
|
|
continue_flow_without_invitation: false
|
|
|
|
# Invitation Stage for internal engineering users
|
|
- identifiers:
|
|
name: invitation-enrollment-invitation-internal-engineering
|
|
id: invitation-stage-internal-engineering
|
|
model: authentik_stages_invitation.invitationstage
|
|
attrs:
|
|
continue_flow_without_invitation: false
|
|
|
|
# Prompt fields for user information
|
|
- id: prompt-field-username
|
|
model: authentik_stages_prompt.prompt
|
|
identifiers:
|
|
name: invitation-enrollment-field-username
|
|
attrs:
|
|
field_key: username
|
|
label: Username
|
|
type: username
|
|
required: true
|
|
placeholder: Username
|
|
placeholder_expression: false
|
|
order: 0
|
|
|
|
- identifiers:
|
|
name: invitation-enrollment-field-password
|
|
id: prompt-field-password
|
|
model: authentik_stages_prompt.prompt
|
|
attrs:
|
|
field_key: password
|
|
label: Password
|
|
type: password
|
|
required: true
|
|
placeholder: Password
|
|
placeholder_expression: false
|
|
order: 1
|
|
|
|
- identifiers:
|
|
name: invitation-enrollment-field-password-repeat
|
|
id: prompt-field-password-repeat
|
|
model: authentik_stages_prompt.prompt
|
|
attrs:
|
|
field_key: password_repeat
|
|
label: Password (repeat)
|
|
type: password
|
|
required: true
|
|
placeholder: Password (repeat)
|
|
placeholder_expression: false
|
|
order: 2
|
|
|
|
- identifiers:
|
|
name: invitation-enrollment-field-name
|
|
id: prompt-field-name
|
|
model: authentik_stages_prompt.prompt
|
|
attrs:
|
|
field_key: name
|
|
label: Name
|
|
type: text
|
|
required: true
|
|
placeholder: Name
|
|
placeholder_expression: false
|
|
order: 0
|
|
|
|
- identifiers:
|
|
name: invitation-enrollment-field-email
|
|
id: prompt-field-email
|
|
model: authentik_stages_prompt.prompt
|
|
attrs:
|
|
field_key: email
|
|
label: Email
|
|
type: email
|
|
required: true
|
|
placeholder: Email
|
|
placeholder_expression: false
|
|
order: 1
|
|
|
|
# Prompt stage for credentials
|
|
- identifiers:
|
|
name: invitation-enrollment-prompt-credentials
|
|
id: prompt-stage-credentials
|
|
model: authentik_stages_prompt.promptstage
|
|
attrs:
|
|
fields:
|
|
- !KeyOf prompt-field-username
|
|
- !KeyOf prompt-field-password
|
|
- !KeyOf prompt-field-password-repeat
|
|
|
|
# Prompt stage for user details
|
|
- identifiers:
|
|
name: invitation-enrollment-prompt-details
|
|
id: prompt-stage-details
|
|
model: authentik_stages_prompt.promptstage
|
|
attrs:
|
|
fields:
|
|
- !KeyOf prompt-field-name
|
|
- !KeyOf prompt-field-email
|
|
|
|
# User write stage for external users
|
|
- identifiers:
|
|
name: invitation-enrollment-user-write-external
|
|
id: user-write-stage-external
|
|
model: authentik_stages_user_write.userwritestage
|
|
attrs:
|
|
user_creation_mode: always_create
|
|
user_type: external
|
|
user_path_template: users/external
|
|
|
|
# User write stage for internal users
|
|
- identifiers:
|
|
name: invitation-enrollment-user-write-internal
|
|
id: user-write-stage-internal
|
|
model: authentik_stages_user_write.userwritestage
|
|
attrs:
|
|
user_creation_mode: always_create
|
|
user_type: internal
|
|
user_path_template: users/internal
|
|
|
|
# Example group for demonstrating group assignment
|
|
- identifiers:
|
|
name: engineering-team
|
|
id: group-engineering
|
|
model: authentik_core.group
|
|
attrs:
|
|
is_superuser: false
|
|
|
|
# User write stage for internal users with group assignment
|
|
- identifiers:
|
|
name: invitation-enrollment-user-write-internal-engineering
|
|
id: user-write-stage-internal-engineering
|
|
model: authentik_stages_user_write.userwritestage
|
|
attrs:
|
|
user_creation_mode: always_create
|
|
user_type: internal
|
|
user_path_template: users/internal/engineering
|
|
create_users_group: !KeyOf group-engineering
|
|
|
|
# User login stage
|
|
- identifiers:
|
|
name: invitation-enrollment-user-login
|
|
id: user-login-stage
|
|
model: authentik_stages_user_login.userloginstage
|
|
|
|
# Flow stage bindings for EXTERNAL users flow
|
|
- identifiers:
|
|
target: !KeyOf flow-external
|
|
stage: !KeyOf invitation-stage-external
|
|
order: 5
|
|
model: authentik_flows.flowstagebinding
|
|
attrs:
|
|
evaluate_on_plan: true
|
|
re_evaluate_policies: true
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-external
|
|
stage: !KeyOf prompt-stage-credentials
|
|
order: 10
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-external
|
|
stage: !KeyOf prompt-stage-details
|
|
order: 15
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-external
|
|
stage: !KeyOf user-write-stage-external
|
|
order: 20
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-external
|
|
stage: !KeyOf user-login-stage
|
|
order: 100
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
# Flow stage bindings for INTERNAL users flow
|
|
- identifiers:
|
|
target: !KeyOf flow-internal
|
|
stage: !KeyOf invitation-stage-internal
|
|
order: 5
|
|
model: authentik_flows.flowstagebinding
|
|
attrs:
|
|
evaluate_on_plan: true
|
|
re_evaluate_policies: true
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-internal
|
|
stage: !KeyOf prompt-stage-credentials
|
|
order: 10
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-internal
|
|
stage: !KeyOf prompt-stage-details
|
|
order: 15
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-internal
|
|
stage: !KeyOf user-write-stage-internal
|
|
order: 20
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-internal
|
|
stage: !KeyOf user-login-stage
|
|
order: 100
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
# Flow stage bindings for INTERNAL ENGINEERING users flow (with group assignment)
|
|
- identifiers:
|
|
target: !KeyOf flow-internal-engineering
|
|
stage: !KeyOf invitation-stage-internal-engineering
|
|
order: 5
|
|
model: authentik_flows.flowstagebinding
|
|
attrs:
|
|
evaluate_on_plan: true
|
|
re_evaluate_policies: true
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-internal-engineering
|
|
stage: !KeyOf prompt-stage-credentials
|
|
order: 10
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-internal-engineering
|
|
stage: !KeyOf prompt-stage-details
|
|
order: 15
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-internal-engineering
|
|
stage: !KeyOf user-write-stage-internal-engineering
|
|
order: 20
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
- identifiers:
|
|
target: !KeyOf flow-internal-engineering
|
|
stage: !KeyOf user-login-stage
|
|
order: 100
|
|
model: authentik_flows.flowstagebinding
|
|
|
|
# Example invitations
|
|
|
|
# EXTERNAL USER INVITATIONS
|
|
|
|
# Example 1: Basic single-use invitation for external user
|
|
- identifiers:
|
|
name: example-external-basic-invitation
|
|
model: authentik_stages_invitation.invitation
|
|
id: invitation-external-basic
|
|
attrs:
|
|
flow: !KeyOf flow-external
|
|
single_use: false
|
|
fixed_data: {}
|
|
|
|
# Example 2: Multi-use invitation for external users with pre-filled email
|
|
- identifiers:
|
|
name: example-external-prefilled-email-invitation
|
|
model: authentik_stages_invitation.invitation
|
|
id: invitation-external-prefilled-email
|
|
attrs:
|
|
flow: !KeyOf flow-external
|
|
single_use: true
|
|
expires: "2028-12-31T23:59:59Z"
|
|
fixed_data:
|
|
email: "external@example.com"
|
|
|
|
# INTERNAL USER INVITATIONS
|
|
|
|
# Example 3: Single-use invitation for internal user with pre-filled fields
|
|
- identifiers:
|
|
name: example-internal-prefilled-invitation
|
|
model: authentik_stages_invitation.invitation
|
|
id: invitation-internal-prefilled
|
|
attrs:
|
|
flow: !KeyOf flow-internal
|
|
single_use: true
|
|
expires: "2028-12-31T23:59:59Z"
|
|
fixed_data:
|
|
name: "Jane Smith"
|
|
email: "jane.smith@company.com"
|
|
|
|
# Example 4: Long-term multi-use invitation for internal department
|
|
- identifiers:
|
|
name: example-internal-department-invitation
|
|
model: authentik_stages_invitation.invitation
|
|
id: invitation-internal-department
|
|
attrs:
|
|
flow: !KeyOf flow-internal
|
|
single_use: false
|
|
expires: "2028-12-31T23:59:59Z"
|
|
fixed_data:
|
|
attributes:
|
|
department: "Engineering"
|
|
team: "Backend"
|
|
|
|
# Example 5: Invitation with automatic group assignment
|
|
- identifiers:
|
|
name: example-engineering-team-invitation
|
|
model: authentik_stages_invitation.invitation
|
|
id: invitation-engineering-team
|
|
attrs:
|
|
flow: !KeyOf flow-internal-engineering
|
|
single_use: false
|
|
expires: "2028-12-31T23:59:59Z"
|
|
fixed_data:
|
|
attributes:
|
|
department: "Engineering"
|
|
|
|
# Note: Group assignment works by using a flow with a UserWriteStage that has
|
|
# 'create_users_group' configured. See example 5 above - users enrolling via
|
|
# the 'invitation-enrollment-flow-internal-engineering' flow will automatically
|
|
# be added to the 'engineering-team' group.
|
|
#
|
|
# Groups cannot be set directly in invitation fixed_data because they require
|
|
# database relationships that must be established after user creation.
|