version: 1
metadata:
  name: Default - Authentication flow
entries:
- model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Default - Password change flow
    required: false
- attrs:
    designation: authentication
    name: Welcome to authentik!
    title: Welcome to authentik!
    authentication: none
  identifiers:
    slug: default-authentication-flow
  model: authentik_flows.flow
  id: flow
- attrs:
    backends:
    - authentik.core.auth.InbuiltBackend
    - authentik.sources.ldap.auth.LDAPBackend
    - authentik.core.auth.TokenBackend
    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
  identifiers:
    name: default-authentication-password
  id: default-authentication-password
  model: authentik_stages_password.passwordstage
- identifiers:
    name: default-authentication-mfa-validation
  id: default-authentication-mfa-validation
  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
- attrs:
    user_fields:
    - email
    - username
  identifiers:
    name: default-authentication-identification
  id: default-authentication-identification
  model: authentik_stages_identification.identificationstage
- identifiers:
    name: default-authentication-login
  id: default-authentication-login
  model: authentik_stages_user_login.userloginstage
- identifiers:
    order: 10
    stage: !KeyOf default-authentication-identification
    target: !KeyOf flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 20
    stage: !KeyOf default-authentication-password
    target: !KeyOf flow
  attrs:
    re_evaluate_policies: true
  id: default-authentication-flow-password-binding
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 30
    stage: !KeyOf default-authentication-mfa-validation
    target: !KeyOf flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 100
    stage: !KeyOf default-authentication-login
    target: !KeyOf flow
  model: authentik_flows.flowstagebinding
- model: authentik_policies_expression.expressionpolicy
  id: default-authentication-flow-password-optional
  identifiers:
    name: default-authentication-flow-password-stage
  attrs:
    expression: |
      flow_plan = request.context.get("flow_plan")
      if not flow_plan:
          return True
      # If the user does not have a backend attached to it, they haven't
      # been authenticated yet and we need the password stage
      return not hasattr(flow_plan.context.get("pending_user"), "backend")
- model: authentik_policies.policybinding
  identifiers:
    order: 10
    target: !KeyOf default-authentication-flow-password-binding
    policy: !KeyOf default-authentication-flow-password-optional