blueprints: docs (#3376)

* further blueprint cleanup

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* more

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* make group users and parent optional

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix api client usage

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/blueprints/management/commands/schema_template.json

@@ -57,6 +57,7 @@
                                 "description": "Commonly available field, may not exist on all models"
                             }
                         },
+                        "default": {},
                         "additionalProperties": true
                     },
                     "identifiers": {

authentik/blueprints/v1/common.py

@@ -40,7 +40,7 @@ class BlueprintEntry:
 
     identifiers: dict[str, Any]
     model: str
-    attrs: dict[str, Any]
+    attrs: Optional[dict[str, Any]] = field(default_factory=dict)
 
     # pylint: disable=invalid-name
     id: Optional[str] = None

authentik/core/api/groups.py

@@ -62,6 +62,11 @@ class GroupSerializer(ModelSerializer):
             "attributes",
             "users_obj",
         ]
+        extra_kwargs = {
+            "users": {
+                "default": list,
+            }
+        }
 
 
 class GroupFilter(FilterSet):

authentik/core/migrations/0022_alter_group_parent.py

@@ -0,0 +1,26 @@
+# Generated by Django 4.0.6 on 2022-08-05 22:01
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0021_source_user_path_user_path"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="group",
+            name="parent",
+            field=models.ForeignKey(
+                blank=True,
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="children",
+                to="authentik_core.group",
+            ),
+        ),
+    ]

authentik/core/models.py

@@ -82,6 +82,7 @@ class Group(SerializerModel):
         "Group",
         blank=True,
         null=True,
+        default=None,
         on_delete=models.SET_NULL,
         related_name="children",
     )

blueprints/default/0-flow-password-change.yaml

@@ -1,12 +1,10 @@
+version: 1
 metadata:
   name: Default - Password change flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: stage_configuration
-    layout: stacked
     name: Change Password
-    policy_engine_mode: all
     title: Change password
   identifiers:
     slug: default-password-change
@@ -17,7 +15,6 @@ entries:
     placeholder: Password
     placeholder_expression: false
     required: true
-    sub_text: ''
     type: password
   identifiers:
     field_key: password
@@ -29,7 +26,6 @@ entries:
     placeholder: Password (repeat)
     placeholder_expression: false
     required: true
-    sub_text: ''
     type: password
   identifiers:
     field_key: password_repeat
@@ -40,39 +36,21 @@ entries:
     fields:
     - !KeyOf prompt-field-password
     - !KeyOf prompt-field-password-repeat
-    meta_model_name: authentik_stages_prompt.promptstage
-    validation_policies: []
   identifiers:
     name: default-password-change-prompt
   id: default-password-change-prompt
   model: authentik_stages_prompt.promptstage
-- attrs:
+- identifiers:
-    create_users_as_inactive: false
-    create_users_group: null
-    meta_model_name: authentik_stages_user_write.userwritestage
-    user_path_template: ''
-  identifiers:
     name: default-password-change-write
   id: default-password-change-write
   model: authentik_stages_user_write.userwritestage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 0
     stage: !KeyOf default-password-change-prompt
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 1
     stage: !KeyOf default-password-change-write
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-version: 1

blueprints/default/10-flow-default-authentication-flow.yaml

@@ -1,13 +1,11 @@
+version: 1
 metadata:
   name: Default - Authentication flow
 entries:
 - attrs:
-    cache_count: 1
-    compatibility_mode: false
     designation: authentication
     layout: stacked
     name: Welcome to authentik!
-    policy_engine_mode: all
     title: Welcome to authentik!
   identifiers:
     slug: default-authentication-flow
@@ -21,32 +19,23 @@ entries:
     - authentik.core.auth.TokenBackend
     configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
     failed_attempts_before_cancel: 5
-    meta_model_name: authentik_stages_password.passwordstage
   identifiers:
     name: default-authentication-password
   id: default-authentication-password
   model: authentik_stages_password.passwordstage
 - attrs:
-    configuration_stages: []
     device_classes:
     - static
     - totp
     - webauthn
     - duo
     - sms
-    last_auth_threshold: seconds=0
-    meta_model_name: authentik_stages_authenticator_validate.authenticatorvalidatestage
     not_configured_action: skip
   identifiers:
     name: default-authentication-mfa-validation
   id: default-authentication-mfa-validation
   model: authentik_stages_authenticator_validate.authenticatorvalidatestage
 - attrs:
-    case_insensitive_matching: true
-    meta_model_name: authentik_stages_identification.identificationstage
-    show_matched_user: true
-    show_source_labels: false
-    sources: []
     user_fields:
     - email
     - username
@@ -55,50 +44,28 @@ entries:
   id: default-authentication-identification
   model: authentik_stages_identification.identificationstage
 - attrs:
-    meta_model_name: authentik_stages_user_login.userloginstage
     session_duration: seconds=0
   identifiers:
     name: default-authentication-login
   id: default-authentication-login
   model: authentik_stages_user_login.userloginstage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 10
     stage: !KeyOf default-authentication-identification
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 20
     stage: !KeyOf default-authentication-password
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: any
-    re_evaluate_policies: false
-  identifiers:
     order: 30
     stage: !KeyOf default-authentication-mfa-validation
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 100
     stage: !KeyOf default-authentication-login
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-version: 1

blueprints/default/10-flow-default-invalidation-flow.yaml

@@ -1,32 +1,21 @@
+version: 1
 metadata:
   name: Default - Invalidation flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: invalidation
-    layout: stacked
     name: Logout
-    policy_engine_mode: all
     title: Default Invalidation Flow
   identifiers:
-    pk: 46979d76-94d3-43b5-ad07-43e924c15d2c
     slug: default-invalidation-flow
   model: authentik_flows.flow
   id: flow
-- attrs:
+- identifiers:
-    meta_model_name: authentik_stages_user_logout.userlogoutstage
-  identifiers:
     name: default-invalidation-logout
   id: default-invalidation-logout
   model: authentik_stages_user_logout.userlogoutstage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 0
     stage: !KeyOf default-invalidation-logout
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-version: 1

blueprints/default/20-flow-default-authenticator-static-setup.yaml

@@ -1,10 +1,9 @@
+version: 1
 metadata:
   name: Default - Static MFA setup flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: stage_configuration
-    layout: stacked
     name: default-authenticator-static-setup
     policy_engine_mode: any
     title: Setup Static OTP Tokens
@@ -14,20 +13,13 @@ entries:
   id: flow
 - attrs:
     configure_flow: !KeyOf flow
-    meta_model_name: authentik_stages_authenticator_static.authenticatorstaticstage
     token_count: 6
   identifiers:
     name: default-authenticator-static-setup
   id: default-authenticator-static-setup
   model: authentik_stages_authenticator_static.authenticatorstaticstage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: any
-    re_evaluate_policies: false
-  identifiers:
     order: 0
     stage: !KeyOf default-authenticator-static-setup
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-version: 1

blueprints/default/20-flow-default-authenticator-totp-setup.yaml

@@ -1,12 +1,10 @@
+version: 1
 metadata:
   name: Default - TOTP MFA setup flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: stage_configuration
-    layout: stacked
     name: default-authenticator-totp-setup
-    policy_engine_mode: any
     title: Setup Two-Factor authentication
   identifiers:
     slug: default-authenticator-totp-setup
@@ -15,19 +13,12 @@ entries:
 - attrs:
     configure_flow: !KeyOf flow
     digits: 6
-    meta_model_name: authentik_stages_authenticator_totp.authenticatortotpstage
   identifiers:
     name: default-authenticator-totp-setup
   id: default-authenticator-totp-setup
   model: authentik_stages_authenticator_totp.authenticatortotpstage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: any
-    re_evaluate_policies: false
-  identifiers:
     order: 0
     stage: !KeyOf default-authenticator-totp-setup
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-version: 1

blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml

@@ -1,10 +1,9 @@
+version: 1
 metadata:
   name: Default - WebAuthn MFA setup flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: stage_configuration
-    layout: stacked
     name: default-authenticator-webauthn-setup
     policy_engine_mode: any
     title: Setup WebAuthn
@@ -13,23 +12,13 @@ entries:
   model: authentik_flows.flow
   id: flow
 - attrs:
-    authenticator_attachment: null
     configure_flow: !KeyOf flow
-    meta_model_name: authentik_stages_authenticator_webauthn.authenticatewebauthnstage
-    resident_key_requirement: preferred
-    user_verification: preferred
   identifiers:
     name: default-authenticator-webauthn-setup
   id: default-authenticator-webauthn-setup
   model: authentik_stages_authenticator_webauthn.authenticatewebauthnstage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: any
-    re_evaluate_policies: false
-  identifiers:
     order: 0
     stage: !KeyOf default-authenticator-webauthn-setup
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-version: 1

blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml

@@ -1,33 +1,21 @@
+version: 1
 metadata:
   name: Default - Provider authorization flow (explicit consent)
 entries:
 - attrs:
-    compatibility_mode: false
     designation: authorization
-    layout: stacked
     name: Authorize Application
-    policy_engine_mode: all
     title: Redirecting to %(app)s
   identifiers:
     slug: default-provider-authorization-explicit-consent
   model: authentik_flows.flow
   id: flow
-- attrs:
+- identifiers:
-    consent_expire_in: weeks=4
-    meta_model_name: authentik_stages_consent.consentstage
-    mode: always_require
-  identifiers:
     name: default-provider-authorization-consent
   id: default-provider-authorization-consent
   model: authentik_stages_consent.consentstage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 0
     stage: !KeyOf default-provider-authorization-consent
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-version: 1

blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml

@@ -1,14 +1,11 @@
+version: 1
 metadata:
   name: Default - Provider authorization flow (implicit consent)
 entries:
 - attrs:
-    compatibility_mode: false
     designation: authorization
-    layout: stacked
     name: Authorize Application
-    policy_engine_mode: all
     title: Redirecting to %(app)s
   identifiers:
     slug: default-provider-authorization-implicit-consent
   model: authentik_flows.flow
-version: 1

blueprints/default/20-flow-default-source-authentication.yaml

@@ -1,52 +1,37 @@
+version: 1
 metadata:
   name: Default - Source authentication flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: authentication
-    layout: stacked
     name: Welcome to authentik!
-    policy_engine_mode: all
     title: Welcome to authentik!
   identifiers:
     slug: default-source-authentication
   model: authentik_flows.flow
   id: flow
 - attrs:
-    execution_logging: false
     expression:  |
       # This policy ensures that this flow can only be used when the user
       # is in a SSO Flow (meaning they come from an external IdP)
       return ak_is_sso_flow
-    meta_model_name: authentik_policies_expression.expressionpolicy
   identifiers:
     name: default-source-authentication-if-sso
   id: default-source-authentication-if-sso
   model: authentik_policies_expression.expressionpolicy
 - attrs:
-    meta_model_name: authentik_stages_user_login.userloginstage
     session_duration: seconds=0
   identifiers:
     name: default-source-authentication-login
   id: default-source-authentication-login
   model: authentik_stages_user_login.userloginstage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 0
     stage: !KeyOf default-source-authentication-login
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    enabled: true
-    negate: false
-    timeout: 30
-  identifiers:
     order: 0
     policy: !KeyOf default-source-authentication-if-sso
     target: !KeyOf flow
   model: authentik_policies.policybinding
-version: 1

blueprints/default/20-flow-default-source-enrollment.yaml

@@ -1,12 +1,10 @@
+version: 1
 metadata:
   name: Default - Source enrollment flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: enrollment
-    layout: stacked
     name: Welcome to authentik! Please select a username.
-    policy_engine_mode: all
     title: Welcome to authentik! Please select a username.
   identifiers:
     slug: default-source-enrollment
@@ -17,7 +15,6 @@ entries:
     placeholder: Username
     placeholder_expression: false
     required: true
-    sub_text: ''
     type: text
   identifiers:
     field_key: username
@@ -25,29 +22,24 @@ entries:
   id: prompt-field-username
   model: authentik_stages_prompt.prompt
 - attrs:
-    execution_logging: false
     expression: |
       # Check if we''ve not been given a username by the external IdP
       # and trigger the enrollment flow
       return 'username' not in context.get('prompt_data', {})
-    meta_model_name: authentik_policies_expression.expressionpolicy
   identifiers:
     name: default-source-enrollment-if-username
   id: default-source-enrollment-if-username
   model: authentik_policies_expression.expressionpolicy
 - attrs:
-    execution_logging: false
     expression: |
       # This policy ensures that this flow can only be used when the user
       # is in a SSO Flow (meaning they come from an external IdP)
       return ak_is_sso_flow
-    meta_model_name: authentik_policies_expression.expressionpolicy
   identifiers:
     name: default-source-enrollment-if-sso
   id: default-source-enrollment-if-sso
   model: authentik_policies_expression.expressionpolicy
 - attrs:
-    meta_model_name: authentik_stages_user_login.userloginstage
     session_duration: seconds=0
   identifiers:
     name: default-source-enrollment-login
@@ -56,25 +48,15 @@ entries:
 - attrs:
     fields:
     - !KeyOf prompt-field-username
-    meta_model_name: authentik_stages_prompt.promptstage
-    validation_policies: []
   identifiers:
     name: default-source-enrollment-prompt
   id: default-source-enrollment-prompt
   model: authentik_stages_prompt.promptstage
-- attrs:
+- identifiers:
-    create_users_as_inactive: false
-    create_users_group: null
-    meta_model_name: authentik_stages_user_write.userwritestage
-    user_path_template: ''
-  identifiers:
     name: default-source-enrollment-write
   id: default-source-enrollment-write
   model: authentik_stages_user_write.userwritestage
 - attrs:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
     re_evaluate_policies: true
   identifiers:
     order: 0
@@ -82,42 +64,23 @@ entries:
     target: !KeyOf flow
   id: prompt-binding
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 1
     stage: !KeyOf default-source-enrollment-write
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: all
-    re_evaluate_policies: false
-  identifiers:
     order: 2
     stage: !KeyOf default-source-enrollment-login
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    enabled: true
-    negate: false
-    timeout: 30
-  identifiers:
     order: 0
     policy: !KeyOf default-source-enrollment-if-sso
     target: !KeyOf flow
   model: authentik_policies.policybinding
-- attrs:
+- identifiers:
-    enabled: true
-    negate: false
-    timeout: 30
-  identifiers:
     order: 0
     policy: !KeyOf default-source-enrollment-if-username
     target: !KeyOf prompt-binding
   model: authentik_policies.policybinding
-version: 1

blueprints/default/20-flow-default-source-pre-authentication.yaml

@@ -1,14 +1,11 @@
+version: 1
 metadata:
   name: Default - Source pre-authentication flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: stage_configuration
-    layout: stacked
     name: Pre-Authentication
-    policy_engine_mode: any
     title: Pre-authentication
   identifiers:
     slug: default-source-pre-authentication
   model: authentik_flows.flow
-version: 1

blueprints/default/30-flow-default-user-settings-flow.yaml

@@ -1,12 +1,10 @@
+version: 1
 metadata:
   name: Default - User settings flow
 entries:
 - attrs:
-    compatibility_mode: false
     designation: stage_configuration
-    layout: stacked
     name: User settings
-    policy_engine_mode: any
     title: Update your info
   identifiers:
     slug: default-user-settings-flow
@@ -21,7 +19,6 @@ entries:
           return ''
     placeholder_expression: true
     required: true
-    sub_text: ''
     type: text
   identifiers:
     field_key: username
@@ -37,7 +34,6 @@ entries:
           return ''
     placeholder_expression: true
     required: true
-    sub_text: ''
     type: text
   identifiers:
     field_key: name
@@ -53,7 +49,6 @@ entries:
           return ''
     placeholder_expression: true
     required: true
-    sub_text: ''
     type: email
   identifiers:
     field_key: email
@@ -69,7 +64,6 @@ entries:
           return ''
     placeholder_expression: true
     required: true
-    sub_text: ''
     type: ak-locale
   identifiers:
     field_key: attributes.settings.locale
@@ -77,7 +71,6 @@ entries:
   id: prompt-field-locale
   model: authentik_stages_prompt.prompt
 - attrs:
-    execution_logging: false
     expression:  |
       from authentik.lib.config import CONFIG
       from authentik.core.models import (
@@ -109,17 +102,11 @@ entries:
               return False
 
       return True
-    meta_model_name: authentik_policies_expression.expressionpolicy
   identifiers:
     name: default-user-settings-authorization
   id: default-user-settings-authorization
   model: authentik_policies_expression.expressionpolicy
-- attrs:
+- identifiers:
-    create_users_as_inactive: false
-    create_users_group: null
-    meta_model_name: authentik_stages_user_write.userwritestage
-    user_path_template: ''
-  identifiers:
     name: default-user-settings-write
   id: default-user-settings-write
   model: authentik_stages_user_write.userwritestage
@@ -129,31 +116,19 @@ entries:
     - !KeyOf prompt-field-name
     - !KeyOf prompt-field-email
     - !KeyOf prompt-field-locale
-    meta_model_name: authentik_stages_prompt.promptstage
     validation_policies:
     - !KeyOf default-user-settings-authorization
   identifiers:
     name: default-user-settings
   id: default-user-settings
   model: authentik_stages_prompt.promptstage
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: any
-    re_evaluate_policies: false
-  identifiers:
     order: 20
     stage: !KeyOf default-user-settings
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    evaluate_on_plan: true
-    invalid_response_action: retry
-    policy_engine_mode: any
-    re_evaluate_policies: false
-  identifiers:
     order: 100
     stage: !KeyOf default-user-settings-write
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-version: 1

blueprints/default/40-events-default.yaml

@@ -18,10 +18,6 @@ entries:
   id: group
   identifiers:
     name: authentik Admins
-  attrs:
-    is_superuser: true
-    users: []
-    parent: null
 
 - model: authentik_policies_event_matcher.eventmatcherpolicy
   id: default-match-configuration-error
@@ -40,10 +36,6 @@ entries:
       - !KeyOf default-email-transport
       - !KeyOf default-local-transport
 - model: authentik_policies.policybinding
-  attrs:
-    enabled: true
-    negate: false
-    timeout: 30
   identifiers:
     order: 0
     policy: !KeyOf default-match-configuration-error
@@ -66,10 +58,6 @@ entries:
       - !KeyOf default-email-transport
       - !KeyOf default-local-transport
 - model: authentik_policies.policybinding
-  attrs:
-    enabled: true
-    negate: false
-    timeout: 30
   identifiers:
     order: 0
     policy: !KeyOf default-match-update
@@ -98,19 +86,11 @@ entries:
       - !KeyOf default-email-transport
       - !KeyOf default-local-transport
 - model: authentik_policies.policybinding
-  attrs:
-    enabled: true
-    negate: false
-    timeout: 30
   identifiers:
     order: 0
     policy: !KeyOf default-match-policy-exception
     target: !KeyOf default-notify-exception
 - model: authentik_policies.policybinding
-  attrs:
-    enabled: true
-    negate: false
-    timeout: 30
   identifiers:
     order: 1
     policy: !KeyOf default-match-property-mapping-exception

blueprints/default/90-default-tenant.yaml

@@ -9,4 +9,4 @@ entries:
   identifiers:
     domain: authentik-default
     default: True
-  model: authentik_tenants.Tenant
+  model: authentik_tenants.tenant

blueprints/default/91-flow-oobe.yaml

@@ -3,11 +3,9 @@ metadata:
 version: 1
 entries:
 - attrs:
-    compatibility_mode: false
     denied_action: message_continue
     designation: stage_configuration
     name: default-oobe-setup
-    policy_engine_mode: all
     title: Welcome to authentik!
   id: flow
   identifiers:
@@ -63,7 +61,6 @@ entries:
     label: Password (repeat)
   model: authentik_stages_prompt.prompt
 - attrs:
-    execution_logging: false
     expression: |
       # This policy sets the user for the currently running flow
       # by injecting "pending_user"
@@ -75,7 +72,6 @@ entries:
     name: default-oobe-prefill-user
   model: authentik_policies_expression.expressionpolicy
 - attrs:
-    execution_logging: false
     expression: |
       # This policy ensures that the setup flow can only be
       # executed when the admin user doesn''t have a password set
@@ -102,18 +98,13 @@ entries:
   identifiers:
     name: default-authentication-login
   model: authentik_stages_user_login.userloginstage
-- attrs:
+- id: stage-default-password-change-write
-    create_users_as_inactive: false
-    create_users_group: null
-    user_path_template: ''
-  id: stage-default-password-change-write
   identifiers:
     name: default-password-change-write
   model: authentik_stages_user_write.userwritestage
 - attrs:
     evaluate_on_plan: true
     invalid_response_action: retry
-    policy_engine_mode: all
     re_evaluate_policies: false
   identifiers:
     order: 10
@@ -123,7 +114,6 @@ entries:
 - attrs:
     evaluate_on_plan: false
     invalid_response_action: retry
-    policy_engine_mode: all
     re_evaluate_policies: true
   id: binding-password-write
   identifiers:
@@ -134,27 +124,18 @@ entries:
 - attrs:
     evaluate_on_plan: true
     invalid_response_action: retry
-    policy_engine_mode: all
     re_evaluate_policies: false
   identifiers:
     order: 100
     stage: !KeyOf stage-default-authentication-login
     target: !KeyOf flow
   model: authentik_flows.flowstagebinding
-- attrs:
+- identifiers:
-    enabled: true
-    negate: false
-    timeout: 30
-  identifiers:
     order: 0
     policy: !KeyOf policy-default-oobe-password-usable
     target: !KeyOf flow
   model: authentik_policies.policybinding
-- attrs:
+- identifiers:
-    enabled: true
-    negate: false
-    timeout: 30
-  identifiers:
     order: 0
     policy: !KeyOf policy-default-oobe-prefill-user
     target: !KeyOf binding-password-write

blueprints/example/flows-login-2fa.yaml

@@ -17,7 +17,6 @@ entries:
     id: test-not-app-password
     model: authentik_policies_expression.expressionpolicy
     attrs:
-      execution_logging: false
       expression: |
         return context["auth_method"] != "app_password"
   - identifiers:
@@ -35,13 +34,10 @@ entries:
         - email
         - username
       template: stages/identification/login.html
-      enrollment_flow: null
-      recovery_flow: null
   - identifiers:
       name: default-authentication-flow-mfa
     id: default-authentication-flow-mfa
-    model: authentik_stages_authenticator_validate.AuthenticatorValidateStage
+    model: authentik_stages_authenticator_validate.authenticatorvalidatestage
-    attrs: {}
   - identifiers:
       name: default-authentication-password
     id: default-authentication-password
@@ -56,15 +52,11 @@ entries:
       stage: !KeyOf default-authentication-identification
       order: 10
     model: authentik_flows.flowstagebinding
-    attrs:
-      re_evaluate_policies: false
   - identifiers:
       target: !KeyOf flow
       stage: !KeyOf default-authentication-password
       order: 20
     model: authentik_flows.flowstagebinding
-    attrs:
-      re_evaluate_policies: false
   - identifiers:
       target: !KeyOf flow
       stage: !KeyOf default-authentication-flow-mfa
@@ -72,23 +64,14 @@ entries:
     model: authentik_flows.flowstagebinding
     id: flow-binding-mfa
     attrs:
-      evaluate_on_plan: false
       re_evaluate_policies: true
-      policy_engine_mode: any
-      invalid_response_action: retry
   - identifiers:
       target: !KeyOf flow
       stage: !KeyOf default-authentication-login
       order: 100
     model: authentik_flows.flowstagebinding
-    attrs:
-      re_evaluate_policies: false
   - identifiers:
       policy: !KeyOf test-not-app-password
       target: !KeyOf flow-binding-mfa
       order: 0
     model: authentik_policies.policybinding
-    attrs:
-      negate: false
-      enabled: true
-      timeout: 30

blueprints/example/flows-login-conditional-captcha.yaml

@@ -34,8 +34,6 @@ entries:
         - email
         - username
       template: stages/identification/login.html
-      enrollment_flow: null
-      recovery_flow: null
   - identifiers:
       name: default-authentication-password
     id: default-authentication-password
@@ -50,15 +48,11 @@ entries:
       stage: !KeyOf default-authentication-identification
       order: 10
     model: authentik_flows.flowstagebinding
-    attrs:
-      re_evaluate_policies: false
   - identifiers:
       target: !KeyOf flow
       stage: !KeyOf default-authentication-password
       order: 20
     model: authentik_flows.flowstagebinding
-    attrs:
-      re_evaluate_policies: false
   - identifiers:
       target: !KeyOf flow
       stage: !KeyOf default-authentication-flow-captcha
@@ -73,8 +67,6 @@ entries:
       stage: !KeyOf default-authentication-login
       order: 100
     model: authentik_flows.flowstagebinding
-    attrs:
-      re_evaluate_policies: false
   - identifiers:
       name: default-authentication-flow-conditional-captcha
     id: default-authentication-flow-conditional-captcha
@@ -88,6 +80,3 @@ entries:
       target: !KeyOf flow-binding-captcha
       order: 0
     model: authentik_policies.policybinding
-    attrs:
-      enabled: true
-      timeout: 30

blueprints/example/flows-recovery-email-verification.yaml

@@ -12,10 +12,6 @@ entries:
       name: Default recovery flow
       title: Reset your password
       designation: recovery
-      cache_count: 0
-      policy_engine_mode: any
-      compatibility_mode: false
-      layout: stacked
   - identifiers:
       field_key: password
       label: Password
@@ -45,7 +41,6 @@ entries:
     id: default-recovery-skip-if-restored
     model: authentik_policies_expression.expressionpolicy
     attrs:
-      execution_logging: false
       expression: |
         return request.context.get('is_restored', False)
   - identifiers:
@@ -69,10 +64,6 @@ entries:
       name: default-recovery-user-write
     id: default-recovery-user-write
     model: authentik_stages_user_write.userwritestage
-    attrs:
-      create_users_as_inactive: false
-      create_users_group: null
-      user_path_template: ""
   - identifiers:
       name: default-recovery-identification
     id: default-recovery-identification
@@ -81,14 +72,6 @@ entries:
       user_fields:
         - email
         - username
-      password_stage: null
-      case_insensitive_matching: true
-      show_matched_user: true
-      enrollment_flow: null
-      recovery_flow: null
-      passwordless_flow: null
-      sources: []
-      show_source_labels: false
   - identifiers:
       name: default-recovery-user-login
     id: default-recovery-user-login

blueprints/schema.json

@@ -135,6 +135,7 @@
                                 "description": "Commonly available field, may not exist on all models"
                             }
                         },
+                        "default": {},
                         "additionalProperties": true
                     },
                     "identifiers": {

internal/outpost/ldap/search/memory/memory.go

@@ -135,7 +135,11 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 				for _, u := range g.UsersObj {
 					if flags.UserPk == u.Pk {
 						//TODO: Is there a better way to clone this object?
-						fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.Parent, g.ParentName, []int32{flags.UserPk}, []api.GroupMember{u})
+						fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.ParentName, []api.GroupMember{u})
+						fg.SetUsers([]int32{flags.UserPk})
+						if g.Parent.IsSet() {
+							fg.SetParent(*g.Parent.Get())
+						}
 						fg.SetAttributes(g.Attributes)
 						fg.SetIsSuperuser(*g.IsSuperuser)
 						groups = append(groups, group.FromAPIGroup(*fg, ms.si))

schema.yml

@@ -22723,10 +22723,8 @@ components:
       required:
       - name
       - num_pk
-      - parent
       - parent_name
       - pk
-      - users
       - users_obj
     GroupMember:
       type: object
@@ -22833,8 +22831,6 @@ components:
           additionalProperties: {}
       required:
       - name
-      - parent
-      - users
     HaveIBeenPwendPolicy:
       type: object
       description: Have I Been Pwned Policy Serializer

website/developer-docs/blueprints/index.md

@@ -0,0 +1,9 @@
+---
+title: Blueprints
+---
+
+:::info
+Requires authentik 2022.8
+:::
+
+Blueprints offer a new way to template, automate and distribute authentik configuration. Blueprints can be used to automatically configure instances, manage config as code without any external tools, and to distribute application configs.

website/developer-docs/blueprints/v1/structure.md

@@ -0,0 +1,61 @@
+---
+title: File structure
+---
+
+Blueprints are YAML files, which can use some additional tags to ease blueprint creation.
+
+## Additional Tags
+
+#### `!KeyOf`
+
+Example: `policy: !KeyOf my-policy-id`
+
+Resolves to the primary key of the model instance defined by id _my-policy-id_.
+
+If no matching entry can be found, an error is raised and the blueprint is invalid.
+
+#### `!Find`
+
+Example: `configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]`
+
+Looks up any model and resolves to the the matches' primary key.
+First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for.
+
+## Structure
+
+```yaml
+# The version of this blueprint, currently 1
+version: 1
+# Optional block of metadata, name is required if metadata is set
+metadata:
+    # Arbitrary key=value store, special labels are listed below
+    labels:
+        foo: bar
+    name: example-blueprint
+# List of entries (required)
+entries:
+    - # Model in app.model notation, possibilities are listed in the schema (required)
+      model: authentik_flows.flow
+      # Key:value filters to uniquely identify this object (required)
+      identifiers:
+          slug: initial-setup
+      # Optional ID for use with !KeyOf
+      id: flow
+      # Attributes to set on the object. Only explicitly required settings should be stated
+      # as these values will override existing attributes
+      attrs:
+          denied_action: message_continue
+          designation: stage_configuration
+          name: default-oobe-setup
+          title: Welcome to authentik!
+```
+
+## Special Labels
+
+#### `blueprints.goauthentik.io/system`:
+
+Used by authentik's packaged blueprints to keep globals up-to-date. Should only be removed in special cases.
+
+#### `blueprints.goauthentik.io/example`:
+
+Blueprints with this label are not automatically imported. They are still available when creating a new instance.

website/sidebarsDev.js

@@ -6,9 +6,21 @@ module.exports = {
         },
         {
             type: "category",
-            label: "Using the API",
+            label: "Blueprints",
+            link: {
+                type: "doc",
+                id: "blueprints/index",
+            },
+            items: ["blueprints/v1/structure"],
+        },
+        {
+            type: "category",
+            label: "API",
+            link: {
+                type: "doc",
+                id: "api/api",
+            },
             items: [
-                "api/api",
                 "api/flow-executor",
                 "api/making-schema-changes",
                 "api/websocket",