authentik/website/docs/flow/index.md

---
title: Overview
---

Flows are a method of describing a sequence of stages. A stage represents a single verification or logic step. They are used to authenticate users, enroll them, and more.

For example, a standard login flow would consist of the following stages:

-   Identification, user identifies themselves via a username or email address
-   Password, the user's password is checked against the hash in the database
-   Log the user in

Upon flow execution, a plan containing all stages is generated. This means that all attached policies are evaluated upon execution. This behaviour can be altered by enabling the **Re-evaluate Policies** option on the binding.

To determine which flow is linked, authentik searches all flows with the required designation and chooses the first instance the current user has access to.

## Permissions

Flows can have policies assigned to them. These policies determine if the current user is allowed to see and use this flow.

Keep in mind that in certain circumstances, policies cannot match against users and groups as there is no authenticated user yet.

### Denied action

Configure what happens when access to a flow is denied by a policy. By default, authentik will redirect to a `?next` parameter if set, and otherwise show an error message.

-   `MESSAGE_CONTINUE`: Show a message if no `?next` parameter is set, otherwise redirect.
-   `MESSAGE`: Always show error message.
-   `CONTINUE`: Always redirect, either to `?next` if set, otherwise to the default interface.

## Designation

Flows are designated for a single purpose. This designation changes when a flow is used. The following designations are available:

### Authentication

This is designates a flow to be used for authentication.

The authentication flow should always contain a [**User Login**](stages/user_login.md) stage, which attaches the staged user to the current session.

### Invalidation

This designates a flow to be used to invalidate a session.

This stage should always contain a [**User Logout**](stages/user_logout.md) stage, which resets the current session.

### Enrollment

This designates a flow for enrollment. This flow can contain any amount of verification stages, such as [**email**](stages/email/) or [**captcha**](stages/captcha/). At the end, to create the user, you can use the [**user_write**](stages/user_write.md) stage, which either updates the currently staged user, or if none exists, creates a new one.

### Unenrollment

This designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [**email**](stages/email/) or [**captcha**](stages/captcha/). As a final stage, to delete the account, use the [**user_delete**](stages/user_delete.md) stage.

### Recovery

This designates a flow for recovery. This flow normally contains an [**identification**](stages/identification/) stage to find the user. It can also contain any amount of verification stages, such as [**email**](stages/email/) or [**captcha**](stages/captcha/).
Afterwards, use the [**prompt**](stages/prompt/) stage to ask the user for a new password and the [**user_write**](stages/user_write.md) stage to update the password.

### Stage configuration

This designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure Factors, like change a password and setup TOTP.
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`---`
website/docs: add azure ad docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-01 14:56:24 +00:00			`title: Overview`
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`---`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
			`Flows are a method of describing a sequence of stages. A stage represents a single verification or logic step. They are used to authenticate users, enroll them, and more.`

website/docs: improve docs for expressions Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-29 19:47:35 +00:00			`For example, a standard login flow would consist of the following stages:`

website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`- Identification, user identifies themselves via a username or email address`
			`- Password, the user's password is checked against the hash in the database`
			`- Log the user in`
website/docs: improve docs for expressions Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-29 19:47:35 +00:00
Merge branch 'pr/77' # Conflicts: # docs/flow/flows.md # docs/installation/docker-compose.md # docs/providers.md 2020-06-18 20:10:03 +00:00			`Upon flow execution, a plan containing all stages is generated. This means that all attached policies are evaluated upon execution. This behaviour can be altered by enabling the Re-evaluate Policies option on the binding.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
wip: rename to authentik (#361) * root: initial rename * web: rename custom element prefix * root: rename external functions with pb_ prefix * root: fix formatting * root: replace domain with goauthentik.io * proxy: update path * root: rename remaining prefixes * flows: rename file extension * root: pbadmin -> akadmin * docs: fix image filenames * lifecycle: ignore migration files * ci: copy default config from current source before loading last tagged * : new sentry dsn tests: fix missing python3.9-dev package * root: add additional migrations for service accounts created by outposts * core: mark system-created service accounts with attribute * policies/expression: fix pb_ replacement not working * web: fix last linting errors, add lit-analyse * policies/expressions: fix lint errors * web: fix sidebar display on screens where not all items fit * proxy: attempt to fix proxy pipeline * proxy: use go env GOPATH to get gopath * lib: fix user_default naming inconsistency * docs: add upgrade docs * docs: update screenshots to use authentik * admin: fix create button on empty-state of outpost * web: fix modal submit not refreshing SiteShell and Table * web: fix height of app-card and height of generic icon * web: fix rendering of subtext * admin: fix version check error not being caught * web: fix worker count not being shown * docs: update screenshots * root: new icon * web: fix lint error * admin: fix linting error * root: migrate coverage config to pyproject 2020-12-05 21:08:42 +00:00			`To determine which flow is linked, authentik searches all flows with the required designation and chooses the first instance the current user has access to.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
			`## Permissions`

docs(flows.md): grammar and clarity 2020-06-18 17:00:05 +00:00			`Flows can have policies assigned to them. These policies determine if the current user is allowed to see and use this flow.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
website/docs: add docs for different flow executors Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-03-09 22:36:09 +00:00			`Keep in mind that in certain circumstances, policies cannot match against users and groups as there is no authenticated user yet.`

flows: denied action (#3194) 2022-07-02 15:37:57 +00:00			`### Denied action`

			Configure what happens when access to a flow is denied by a policy. By default, authentik will redirect to a `?next` parameter if set, and otherwise show an error message.

			- `MESSAGE_CONTINUE`: Show a message if no `?next` parameter is set, otherwise redirect.
			- `MESSAGE`: Always show error message.
			- `CONTINUE`: Always redirect, either to `?next` if set, otherwise to the default interface.

docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00			`## Designation`

docs(flows.md): grammar and clarity 2020-06-18 17:00:05 +00:00			`Flows are designated for a single purpose. This designation changes when a flow is used. The following designations are available:`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
			`### Authentication`

			`This is designates a flow to be used for authentication.`

docs: add example for login flow 2020-06-05 15:29:08 +00:00			`The authentication flow should always contain a [User Login](stages/user_login.md) stage, which attaches the staged user to the current session.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
			`### Invalidation`

docs(flows.md): grammar and clarity 2020-06-18 17:00:05 +00:00			`This designates a flow to be used to invalidate a session.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
docs: add example for login flow 2020-06-05 15:29:08 +00:00			`This stage should always contain a [User Logout](stages/user_logout.md) stage, which resets the current session.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
			`### Enrollment`

website: remove remaining /index URLs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-13 17:57:13 +00:00			`This designates a flow for enrollment. This flow can contain any amount of verification stages, such as [email](stages/email/) or [captcha](stages/captcha/). At the end, to create the user, you can use the [user_write](stages/user_write.md) stage, which either updates the currently staged user, or if none exists, creates a new one.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
			`### Unenrollment`

website: remove remaining /index URLs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-13 17:57:13 +00:00			`This designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [email](stages/email/) or [captcha](stages/captcha/). As a final stage, to delete the account, use the [user_delete](stages/user_delete.md) stage.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
			`### Recovery`

website: remove remaining /index URLs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-13 17:57:13 +00:00			`This designates a flow for recovery. This flow normally contains an [identification](stages/identification/) stage to find the user. It can also contain any amount of verification stages, such as [email](stages/email/) or [captcha](stages/captcha/).`
			`Afterwards, use the [prompt](stages/prompt/) stage to ask the user for a new password and the [user_write](stages/user_write.md) stage to update the password.`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
website/docs: add docs for different flow executors Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-03-09 22:36:09 +00:00			`### Stage configuration`
docs: add docs for flows, start docs for stages 2020-05-30 20:36:01 +00:00
policies: improve wording on denied tempaltes 2020-09-19 13:24:52 +00:00			`This designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure Factors, like change a password and setup TOTP.`