Flows are a way to describe a series of stages. A stage is a single logic or verification step. They are used to authenticate users, enroll them, and more.
For instance, a standard login flow would consist of the following steps:
- Identification - users identify themselves via a username or email address
- Password - the user's password is checked against the hash in the database
- Log in
Each flow is configured through its own independent context, which holds all of the arbitrary data about that specific flow.
The flow context is created and managed by configuring policies, stages, and bindings, and it contains information about the configuration of the flow. The Identification Stage, for example, allows the definition of whether users will be prompted for an email address, a username, or both. While any data can be stored in the flow context, there are some reserved keys used by authentik stages.
Below you will find a list with all the keys and their explanation.
The data of the user that is executing the flow. This value is not set automatically; it is set via the Identification stage.
Used in the Prompt stage; the value of any field within a prompt stage is written to the prompt_data.
Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully.
When an unauthenticated user attempts to access a secured resource, they are redirected to an authentication flow. The application they attempted to access will be stored in the key attached to this object. For example: application.github, with application being the key and github the value.
When a user authenticates/enrolls via an external source, this will be set to the source they are using.
The title of the consent prompt shown in the Consent stage.
An optional list of all permissions that will be given to the application by granting consent in the Consent stage.
Optional title of the form shown to the user in the Autosubmit stage.
URL that the form will be submitted to in the Autosubmit stage.
Key-value pairs of the data that is included in the form and will be submitted to the URL in the Autosubmit stage.
Used in the User write stage and represents the groups that the pending_user will be added to.
Path the pending_user will be written to in the User write stage.
Set by the Password stage after successfully authenticating the user and contains a dot-notation to the authentication backend that was used to authenticate the user.
Set by the Password stage, the Authenticator validation stage, the OAuth2 Provider, and the API authentication depending on which method is used.
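
The standard login flow from the top of this page, as an added example in Python. This is a simplified model and not authentik's own code. It shows why stage order matters when pending_user is only set by the Identification stage. Every function name, the user store and the logged_in_as key are hypothetical; only pending_user comes from this page.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative for this model only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, password hash).
SALT = os.urandom(16)
USERS = {"alice": (SALT, hash_password("correct horse", SALT))}

class StageFailed(Exception):
    """Raised when a stage denies the request; the flow stops there."""

def identification_stage(context: dict, request: dict) -> None:
    # pending_user is never set automatically: this stage writes it.
    username = request.get("username", "")
    if username not in USERS:
        raise StageFailed("identification failed")
    context["pending_user"] = username

def password_stage(context: dict, request: dict) -> None:
    # Fail closed when no earlier stage identified the user.
    user = context.get("pending_user")
    if user is None:
        raise StageFailed("no pending_user in flow context")
    salt, stored = USERS[user]
    candidate = hash_password(request.get("password", ""), salt)
    # Constant-time comparison of the candidate hash with the stored hash.
    if not hmac.compare_digest(candidate, stored):
        raise StageFailed("invalid password")

def login_stage(context: dict, request: dict) -> None:
    # Only reached when every earlier stage passed.
    context["logged_in_as"] = context["pending_user"]  # hypothetical key

def run_flow(stages, request: dict) -> dict:
    """Run the stages in order against a fresh, independent context."""
    context: dict = {}
    for stage in stages:
        stage(context, request)
    return context
```

A flow that binds the password stage without an identification stage before it is denied here, because the password stage finds no pending_user in the context.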