Product Guide
...
Organization Administration
Kubeark Identity

Flows

4min

Flows are a way to describe a series of stages. A stage is a single logic or verification step. They are used to authenticate users, enroll them, and more.

For instance, a standard login flow would consist of the following steps:

  • Identification - users identify themselves via a username or email address
  • Password - the user's password is checked against the hash in the database
  • Log in

Flows context

Flows can be configured by setting up the independent context which holds all of the arbitrary data about the specific flow.

The flow context is created and managed by configuring policies, stages, and bindings, and it contains information about the configuration of the flow. The Identification Stage, for example, allows the definition of whether users will be prompted for an email address, a username, or both. While any data can be stored in the flow context, there are some reserved keys used by authentik stages.

Below you will find a list with all the keys and their explanation.

Common keys

Key

Description

pending_user

The data of the user that is executing the flow. This value is not set automatically, it is set via the Identification stage

prompt_data

Used in the Prompt stage; the value of any field within a prompt stage is written to the prompt_data

redirect

Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully.

pending_user_identifier

Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully

application

When an unauthenticated user attempts to access a secured resource, they are redirected to an authentication flow. The application they attempted to access will be stored in the key attached to this object. For example: application.github, with applicationbeing the key and github the value.

source

When a user authenticates/enrolls via an external source, this will be set to the source they are using

Scenario-specific keys

Key

Description

consent_header

The title of the consent prompt shown in the Consent stage.

consent_permissions

An optional list of all permissions that will be given to the application by granting consent in the Consent stage

title

Optional title of the form shown to the user in the Autosubmit stage.

url

URL that the form will be submitted to in the Autosubmit stage.

attrs

Key-value pairs of the data that is included in the form and will be submitted to the URL in the Autosubmit stage.

groups

Used in the User write stage and represents the groups that the pending_user will be added to.

user_path

Path the pending_user will be written to in the User write stage

user_backend

Set by the Password stage after successfully authenticating the user and contains a dot-notation to the authentication backend that was used to authenticate the user.

auth_method

Set by the Password stage, the Authenticator validation stage, the OAuth2 Provider, and the API authentication depending on which method is used.



Updated 12 Feb 2024
Doc contributor
Did this page help you?