stages/identification: add option to pretend user exists (#7610)

* stages/identification: add option to pretend user exists Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * test CI permission fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-11-18 01:55:48 +01:00 · 2023-11-18 01:55:48 +01:00 · 44fc9ee80c
parent 98a07cd0ef
commit 44fc9ee80c
26 changed files with 220 additions and 28 deletions
--- a/.github/workflows/gha-cache-cleanup.yml
+++ b/.github/workflows/gha-cache-cleanup.yml
@ -6,6 +6,10 @@ on:
    types:
      - closed
 permissions:
  # Permission to delete cache
  actions: write
 jobs:
  cleanup:
    runs-on: ubuntu-latest
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@ -10,6 +10,10 @@ on:
      - "!locale/en/**"
      - "web/xliff/**"
 permissions:
  # Permission to write comment
  pull-requests: write
 jobs:
  post-comment:
    runs-on: ubuntu-latest
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@ -6,6 +6,10 @@ on:
  pull_request:
    types: [opened, reopened]
 permissions:
  # Permission to rename PR
  pull-requests: write
 jobs:
  rename_pr:
    runs-on: ubuntu-latest
--- a/authentik/flows/tests/test_executor.py
+++ b/authentik/flows/tests/test_executor.py
@ -472,6 +472,7 @@ class TestFlowExecutor(FlowTestCase):
        ident_stage = IdentificationStage.objects.create(
            name="ident",
            user_fields=[UserFields.E_MAIL],
            pretend_user_exists=False,
        )
        FlowStageBinding.objects.create(
            target=flow,
--- a/authentik/lib/avatars.py
+++ b/authentik/lib/avatars.py
@ -154,7 +154,15 @@ def generate_avatar_from_name(
 def avatar_mode_generated(user: "User", mode: str) -> Optional[str]:
    """Wrapper that converts generated avatar to base64 svg"""
-    svg = generate_avatar_from_name(user.name if user.name.strip() != "" else "a k")
+    # By default generate based off of user's display name
    name = user.name.strip()
    if name == "":
        # Fallback to username
        name = user.username.strip()
    # If we still don't have anything, fallback to `a k`
    if name == "":
        name = "a k"
    svg = generate_avatar_from_name(name)
    return f"data:image/svg+xml;base64,{b64encode(svg.encode('utf-8')).decode('utf-8')}"
--- a/authentik/stages/authenticator_totp/migrations/0010_alter_totpdevice_key.py
+++ b/authentik/stages/authenticator_totp/migrations/0010_alter_totpdevice_key.py
@ -29,4 +29,14 @@ class Migration(migrations.Migration):
            name="totpdevice",
            options={"verbose_name": "TOTP Device", "verbose_name_plural": "TOTP Devices"},
        ),
        migrations.AlterField(
            model_name="authenticatortotpstage",
            name="digits",
            field=models.IntegerField(
                choices=[
                    ("6", "6 digits, widely compatible"),
                    ("8", "8 digits, not compatible with apps like Google Authenticator"),
                ]
            ),
        ),
    ]
--- a/authentik/stages/identification/api.py
+++ b/authentik/stages/identification/api.py
@ -33,6 +33,7 @@ class IdentificationStageSerializer(StageSerializer):
            "passwordless_flow",
            "sources",
            "show_source_labels",
            "pretend_user_exists",
        ]
--- a/authentik/stages/identification/migrations/0014_identificationstage_pretend.py
+++ b/authentik/stages/identification/migrations/0014_identificationstage_pretend.py
@ -0,0 +1,23 @@
 # Generated by Django 4.2.7 on 2023-11-17 16:32
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        (
            "authentik_stages_identification",
            "0002_auto_20200530_2204_squashed_0013_identificationstage_passwordless_flow",
        ),
    ]
    operations = [
        migrations.AddField(
            model_name="identificationstage",
            name="pretend_user_exists",
            field=models.BooleanField(
                default=True,
                help_text="When enabled, the stage will succeed and continue even when incorrect user info is entered.",
            ),
        ),
    ]
--- a/authentik/stages/identification/models.py
+++ b/authentik/stages/identification/models.py
@ -54,6 +54,13 @@ class IdentificationStage(Stage):
            "entered will be shown"
        ),
    )
    pretend_user_exists = models.BooleanField(
        default=True,
        help_text=_(
            "When enabled, the stage will succeed and continue even when incorrect user info "
            "is entered."
        ),
    )
    enrollment_flow = models.ForeignKey(
        Flow,
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -121,8 +121,8 @@ class IdentificationChallengeResponse(ChallengeResponse):
            self.pre_user = self.stage.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
            if not current_stage.show_matched_user:
                self.stage.executor.plan.context[PLAN_CONTEXT_PENDING_USER_IDENTIFIER] = uid_field
-            if self.stage.executor.flow.designation == FlowDesignation.RECOVERY:
+            # when `pretend` is enabled, continue regardless
-                # When used in a recovery flow, always continue to not disclose if a user exists
+            if current_stage.pretend_user_exists:
                return attrs
            raise ValidationError("Failed to authenticate.")
        self.pre_user = pre_user
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@ -28,6 +28,7 @@ class TestIdentificationStage(FlowTestCase):
        self.stage = IdentificationStage.objects.create(
            name="identification",
            user_fields=[UserFields.E_MAIL],
            pretend_user_exists=False,
        )
        self.stage.sources.set([source])
        self.stage.save()
@ -106,6 +107,26 @@ class TestIdentificationStage(FlowTestCase):
            form_data,
        )
        self.assertEqual(response.status_code, 200)
        self.assertStageResponse(
            response,
            self.flow,
            component="ak-stage-identification",
            response_errors={
                "non_field_errors": [{"string": "Failed to authenticate.", "code": "invalid"}]
            },
        )
    def test_invalid_with_username_pretend(self):
        """Test invalid with username (user exists but stage only allows email)"""
        self.stage.pretend_user_exists = True
        self.stage.save()
        form_data = {"uid_field": self.user.username}
        response = self.client.post(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            form_data,
        )
        self.assertEqual(response.status_code, 200)
        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
    def test_invalid_no_fields(self):
        """Test invalid with username (no user fields are enabled)"""
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -7425,6 +7425,11 @@
                "show_source_labels": {
                    "type": "boolean",
                    "title": "Show source labels"
                },
                "pretend_user_exists": {
                    "type": "boolean",
                    "title": "Pretend user exists",
                    "description": "When enabled, the stage will succeed and continue even when incorrect user info is entered."
                }
            },
            "required": []
--- a/schema.yml
+++ b/schema.yml
@ -32013,6 +32013,10 @@ components:
          description: Specify which sources should be shown.
        show_source_labels:
          type: boolean
        pretend_user_exists:
          type: boolean
          description: When enabled, the stage will succeed and continue even when
            incorrect user info is entered.
      required:
      - component
      - meta_model_name
@ -32077,6 +32081,10 @@ components:
          description: Specify which sources should be shown.
        show_source_labels:
          type: boolean
        pretend_user_exists:
          type: boolean
          description: When enabled, the stage will succeed and continue even when
            incorrect user info is entered.
      required:
      - name
    InstallID:
@ -36560,6 +36568,10 @@ components:
          description: Specify which sources should be shown.
        show_source_labels:
          type: boolean
        pretend_user_exists:
          type: boolean
          description: When enabled, the stage will succeed and continue even when
            incorrect user info is entered.
    PatchedInvitationRequest:
      type: object
      description: Invitation Serializer
--- a/web/src/admin/stages/identification/IdentificationStageForm.ts
+++ b/web/src/admin/stages/identification/IdentificationStageForm.ts
@ -68,7 +68,7 @@ export class IdentificationStageForm extends ModelForm<IdentificationStage, stri
    }
    renderForm(): TemplateResult {
-        return html` <span>
+        return html`<span>
                ${msg("Let the user identify themselves with their username or Email address.")}
            </span>
            <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
@ -169,6 +169,26 @@ export class IdentificationStageForm extends ModelForm<IdentificationStage, stri
                            )}
                        </p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal name="pretendUserExists">
                        <label class="pf-c-switch">
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
                                ?checked=${first(this.instance?.pretendUserExists, true)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
                                    <i class="fas fa-check" aria-hidden="true"></i>
                                </span>
                            </span>
                            <span class="pf-c-switch__label">${msg("Pretend user exists")}</span>
                        </label>
                        <p class="pf-c-form__helper-text">
                            ${msg(
                                "When enabled, the stage will always accept the given user identifier and continue.",
                            )}
                        </p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal name="showMatchedUser">
                        <label class="pf-c-switch">
                            <input
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -6069,6 +6069,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -6346,6 +6346,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -5985,6 +5985,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -7971,6 +7971,12 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -6193,6 +6193,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -7871,4 +7871,10 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
 </body></file></xliff>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -5978,6 +5978,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -1,4 +1,4 @@
-<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
  <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
    <body>
      <trans-unit id="s4caed5b7a7e5d89b">
@ -613,9 +613,9 @@
      </trans-unit>
      <trans-unit id="saa0e2675da69651b">
-        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
+        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
-        <target>未找到 URL &quot; 
+        <target>未找到 URL " 
-        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
+        <x id="0" equiv-text="${this.url}"/>"。</target>
      </trans-unit>
      <trans-unit id="s58cd9c2fe836d9c6">
@ -1057,8 +1057,8 @@
      </trans-unit>
      <trans-unit id="sa8384c9c26731f83">
-        <source>To allow any redirect URI, set this value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
+        <source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
-        <target>要允许任何重定向 URI，请将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
+        <target>要允许任何重定向 URI，请将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
      </trans-unit>
      <trans-unit id="s55787f4dfcdce52b">
@ -1799,8 +1799,8 @@
      </trans-unit>
      <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
      </trans-unit>
      <trans-unit id="s0410779cb47de312">
@ -2988,8 +2988,8 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>包含组成员的字段。请注意，如果使用 &quot;memberUid&quot; 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
+        <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
      </trans-unit>
      <trans-unit id="s026555347e589f0e">
@ -3781,8 +3781,8 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s7b1fba26d245cb1c">
-        <source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
+        <source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
-        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 &quot;minutes=5&quot;。</target>
+        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 "minutes=5"。</target>
      </trans-unit>
      <trans-unit id="s44536d20bb5c8257">
@ -3791,8 +3791,8 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s3bb51cabb02b997e">
-        <source>Format: &quot;weeks=3;days=2;hours=3,seconds=2&quot;.</source>
+        <source>Format: "weeks=3;days=2;hours=3,seconds=2".</source>
-        <target>格式：&quot;weeks=3;days=2;hours=3,seconds=2&quot;。</target>
+        <target>格式："weeks=3;days=2;hours=3,seconds=2"。</target>
      </trans-unit>
      <trans-unit id="s04bfd02201db5ab8">
@ -3988,10 +3988,10 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
        <target>您确定要更新 
-        <x id="0" equiv-text="${this.objectLabel}"/>&quot; 
+        <x id="0" equiv-text="${this.objectLabel}"/>" 
-        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
+        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
      </trans-unit>
      <trans-unit id="sc92d7cfb6ee1fec6">
@ -5077,7 +5077,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sdf1d8edef27236f0">
-        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
+        <source>A "roaming" authenticator, like a YubiKey</source>
        <target>像 YubiKey 这样的“漫游”身份验证器</target>
      </trans-unit>
@ -5412,10 +5412,10 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s2d5f69929bb7221d">
-        <source><x id="0" equiv-text="${prompt.name}"/> (&quot;<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${prompt.type}"/>)</source>
+        <source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
        <target>
-        <x id="0" equiv-text="${prompt.name}"/>（&quot; 
+        <x id="0" equiv-text="${prompt.name}"/>（" 
-        <x id="1" equiv-text="${prompt.fieldKey}"/>&quot;，类型为 
+        <x id="1" equiv-text="${prompt.fieldKey}"/>"，类型为 
        <x id="2" equiv-text="${prompt.type}"/>）</target>
      </trans-unit>
@ -5464,7 +5464,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
        <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
      </trans-unit>
@ -7978,9 +7978,15 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
+  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
  <target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
-</xliff>
+</xliff>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -6026,6 +6026,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -6025,6 +6025,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
  <source>Pretend user exists</source>
 </trans-unit>
 <trans-unit id="s52bdc80690a9a8dc">
  <source>When enabled, the stage will always accept the given user identifier and continue.</source>
 </trans-unit>
    </body>
  </file>
--- a/website/docs/flow/stages/identification/index.md
+++ b/website/docs/flow/stages/identification/index.md
@ -25,3 +25,11 @@ To prompt users for their password on the same step as identifying themselves, a
 ## Enrollment/Recovery Flow
 These fields specify if and which flows are linked on the form. The enrollment flow is linked as `Need an account? Sign up.`, and the recovery flow is linked as `Forgot username or password?`.
 ## Pretend user exists
 :::info
 Requires authentik 2024.1
 :::
 When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
--- a/website/docs/releases/2024/v2024.1.md
+++ b/website/docs/releases/2024/v2024.1.md
@ -19,6 +19,10 @@ slug: "/releases/2024.1"
 ## New features
 -   "Pretend user exists" option for Identification stage
    Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. **This feature is enabled by default.**
 ## Upgrading
 This release does not introduce any new requirements.