Flows

4min

Flows are a way to describe a series of stages. A stage is a single logic or verification step. They are used to authenticate users, enroll them, and more.
For instance, a standard login flow would consist of the following steps:
Identification - users identify themselves via a username or email address
Password - the user's password is checked against the hash in the database
Log in
Flows context
Flows can be configured by setting up the independent context which holds all of the arbitrary data about the specific flow.
The flow context is created and managed by configuring policies, stages, and bindings, and it contains information about the configuration of the flow. The Identification Stage, for example, allows the definition of whether users will be prompted for an email address, a username, or both. While any data can be stored in the flow context, there are some reserved keys used by authentik stages.
Below you will find a list with all the keys and their explanation.
Common keys
Key
Description
pending_user
The data of the user that is executing the flow. This value is not set automatically, it is set via the Identification stage
prompt_data
Used in the Prompt stage; the value of any field within a prompt stage is written to the prompt_data
redirect
Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully.
pending_user_identifier
Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully
application
When an unauthenticated user attempts to access a secured resource, they are redirected to an authentication flow. The application they attempted to access will be stored in the key attached to this object. For example: application.github, with applicationbeing the key and github the value.
source
When a user authenticates/enrolls via an external source, this will be set to the source they are using
Scenario-specific keys
Key
Description
consent_header
The title of the consent prompt shown in the Consent stage.
consent_permissions
An optional list of all permissions that will be given to the application by granting consent in the Consent stage
title
Optional title of the form shown to the user in the Autosubmit stage.
url
URL that the form will be submitted to in the Autosubmit stage.
attrs
Key-value pairs of the data that is included in the form and will be submitted to the URL in the Autosubmit stage.
groups
Used in the User write stage and represents the groups that the pending_user will be added to.
user_path
Path the pending_user will be written to in the User write stage
user_backend
Set by the Password stage after successfully authenticating the user and contains a dot-notation to the authentication backend that was used to authenticate the user.
auth_method
Set by the Password stage, the Authenticator validation stage, the OAuth2 Provider, and the API authentication depending on which method is used.
﻿

Key	Description
pending_user	The data of the user that is executing the flow. This value is not set automatically, it is set via the Identification stage
prompt_data	Used in the Prompt stage; the value of any field within a prompt stage is written to the prompt_data
redirect	Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully.
pending_user_identifier	Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully
application	When an unauthenticated user attempts to access a secured resource, they are redirected to an authentication flow. The application they attempted to access will be stored in the key attached to this object. For example: application.github, with applicationbeing the key and github the value.
source	When a user authenticates/enrolls via an external source, this will be set to the source they are using

Key	Description
consent_header	The title of the consent prompt shown in the Consent stage.
consent_permissions	An optional list of all permissions that will be given to the application by granting consent in the Consent stage
title	Optional title of the form shown to the user in the Autosubmit stage.
url	URL that the form will be submitted to in the Autosubmit stage.
attrs	Key-value pairs of the data that is included in the form and will be submitted to the URL in the Autosubmit stage.
groups	Used in the User write stage and represents the groups that the pending_user will be added to.
user_path	Path the pending_user will be written to in the User write stage
user_backend	Set by the Password stage after successfully authenticating the user and contains a dot-notation to the authentication backend that was used to authenticate the user.
auth_method	Set by the Password stage, the Authenticator validation stage, the OAuth2 Provider, and the API authentication depending on which method is used.

Certificates

Stages