version: 1 metadata: labels: blueprints.goauthentik.io/instantiate: "false" name: Example - Recovery with email verification entries: - identifiers: slug: default-recovery-flow id: flow model: authentik_flows.flow attrs: name: Default recovery flow title: Reset your password designation: recovery authentication: require_unauthenticated - identifiers: name: default-recovery-field-password id: prompt-field-password model: authentik_stages_prompt.prompt attrs: field_key: password label: Password type: password required: true placeholder: Password order: 0 placeholder_expression: false - identifiers: name: default-recovery-field-password-repeat id: prompt-field-password-repeat model: authentik_stages_prompt.prompt attrs: field_key: password_repeat label: Password (repeat) type: password required: true placeholder: Password (repeat) order: 1 placeholder_expression: false - identifiers: name: default-recovery-skip-if-restored id: default-recovery-skip-if-restored model: authentik_policies_expression.expressionpolicy attrs: expression: | return bool(request.context.get('is_restored', True)) - identifiers: name: default-recovery-email id: default-recovery-email model: authentik_stages_email.emailstage attrs: use_global_settings: true host: localhost port: 25 username: "" use_tls: false use_ssl: false timeout: 10 from_address: system@authentik.local token_expiry: 30 subject: authentik template: email/password_reset.html activate_user_on_success: true - identifiers: name: default-recovery-user-write id: default-recovery-user-write model: authentik_stages_user_write.userwritestage attrs: user_creation_mode: never_create - identifiers: name: default-recovery-identification id: default-recovery-identification model: authentik_stages_identification.identificationstage attrs: user_fields: - email - username - identifiers: name: default-recovery-user-login id: default-recovery-user-login model: authentik_stages_user_login.userloginstage - identifiers: name: Change your password id: stages-prompt-password model: authentik_stages_prompt.promptstage attrs: fields: - !KeyOf prompt-field-password - !KeyOf prompt-field-password-repeat validation_policies: [] - identifiers: target: !KeyOf flow stage: !KeyOf default-recovery-identification order: 10 model: authentik_flows.flowstagebinding id: flow-binding-identification attrs: evaluate_on_plan: true re_evaluate_policies: true policy_engine_mode: any invalid_response_action: retry - identifiers: target: !KeyOf flow stage: !KeyOf default-recovery-email order: 20 model: authentik_flows.flowstagebinding id: flow-binding-email attrs: evaluate_on_plan: true re_evaluate_policies: true policy_engine_mode: any invalid_response_action: retry - identifiers: pk: 1219d06e-2c06-4c5b-a162-78e3959c6cf0 target: !KeyOf flow stage: !KeyOf stages-prompt-password order: 30 model: authentik_flows.flowstagebinding attrs: evaluate_on_plan: true re_evaluate_policies: false policy_engine_mode: any invalid_response_action: retry - identifiers: target: !KeyOf flow stage: !KeyOf default-recovery-user-write order: 40 model: authentik_flows.flowstagebinding attrs: evaluate_on_plan: true re_evaluate_policies: false policy_engine_mode: any invalid_response_action: retry - identifiers: target: !KeyOf flow stage: !KeyOf default-recovery-user-login order: 100 model: authentik_flows.flowstagebinding attrs: evaluate_on_plan: true re_evaluate_policies: false policy_engine_mode: any invalid_response_action: retry - identifiers: policy: !KeyOf default-recovery-skip-if-restored target: !KeyOf flow-binding-identification order: 0 model: authentik_policies.policybinding attrs: negate: false enabled: true timeout: 30 - identifiers: policy: !KeyOf default-recovery-skip-if-restored target: !KeyOf flow-binding-email order: 0 state: absent model: authentik_policies.policybinding attrs: negate: false enabled: true timeout: 30