Default flows
When you create a new provider, you can select certain default flows that will be used with the provider and its associated application. For example, you can create a custom flow that overrides the defaults configured on the brand.

If no default flow is selected when the provider is created, authentik determines which flow to use in the following order: it first checks whether a default flow for that designation is configured in the active Brand. If no default is configured there, authentik goes through all flows with the matching designation, sorted by slug, evaluates the policies bound directly to each flow, and picks the first flow whose policies allow access. Because this fallback depends on slug ordering and policy results rather than an explicit choice, a newly created flow with a lower-sorting slug and no restrictive policies can silently become the one that is used; where the choice matters, set the default explicitly on the provider or on the brand.
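The resolution order described above, as an added illustration that is not authentik's own code: the `Flow`, `Brand` and `Provider` classes, the `resolve_flow` function and the sample flows are assumptions made here to model the documented behaviour (provider default, then brand default, then designation-matched flows sorted by slug with their directly bound policies evaluated). Policies are modelled as callables that receive a request context, and this model assumes every policy bound to a flow must pass.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# A policy is modelled as a callable taking the request context and returning
# True when it allows access. (Assumption of this model, not authentik's engine.)
Policy = Callable[[dict], bool]


@dataclass
class Flow:
    slug: str
    designation: str            # "authentication", "enrollment", "invalidation", ...
    policies: list = field(default_factory=list)

    def allows(self, ctx: dict) -> bool:
        """Evaluate only the policies bound directly to this flow."""
        # Assumption of this model: every bound policy must pass.
        return all(policy(ctx) for policy in self.policies)


@dataclass
class Brand:
    # designation -> slug of the default flow configured on the brand
    defaults: dict = field(default_factory=dict)


@dataclass
class Provider:
    # designation -> slug of the default flow selected when the provider was created
    defaults: dict = field(default_factory=dict)


def resolve_flow(designation: str, provider: Provider, brand: Brand,
                 flows: list, ctx: dict) -> Optional[Flow]:
    """Pick the flow for `designation` in the documented order of precedence."""
    by_slug = {f.slug: f for f in flows}

    # 1. A default selected on the provider wins outright.
    if designation in provider.defaults:
        return by_slug[provider.defaults[designation]]

    # 2. Otherwise the default configured on the active brand.
    if designation in brand.defaults:
        return by_slug[brand.defaults[designation]]

    # 3. Fallback: all flows with this designation, sorted by slug; the first
    #    one whose directly bound policies allow access is used.
    candidates = sorted((f for f in flows if f.designation == designation),
                        key=lambda f: f.slug)
    for flow in candidates:
        if flow.allows(ctx):
            return flow
    return None   # nothing matched: there is no flow to run


# Constructed sample data: two enrollment flows, one of them restricted to a
# trusted network by a policy bound directly to the flow.
def trusted_network_only(ctx: dict) -> bool:
    return ctx.get("from_trusted_network", False)


FLOWS = [
    Flow("zz-secure-enrollment", "enrollment", policies=[trusted_network_only]),
    Flow("aa-open-enrollment", "enrollment"),            # no policies bound
    Flow("default-authentication-flow", "authentication"),
]


def pick_enrollment(brand: Brand, ctx: dict) -> Optional[str]:
    """Slug of the enrollment flow a provider without its own default would get."""
    flow = resolve_flow("enrollment", Provider(), brand, FLOWS, ctx)
    return flow.slug if flow else None


if __name__ == "__main__":
    ctx = {"from_trusted_network": True}
    # No default anywhere: "aa-open-enrollment" wins purely by slug order, even
    # though this request would also have satisfied the secure flow's policy.
    print(pick_enrollment(Brand(), ctx))
    # Brand default set: the intended flow is used regardless of slug order.
    print(pick_enrollment(Brand(defaults={"enrollment": "zz-secure-enrollment"}), ctx))
    # No recovery flow exists at all, so nothing is selected.
    print(resolve_flow("recovery", Provider(), Brand(), FLOWS, ctx))
```

The first call shows the pitfall from the text: with no explicit default, the open flow is chosen only because its slug sorts first. Setting the default on the brand (or on the provider, which takes precedence over the brand in this model) removes that dependency on naming.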
- Authentication: designates a flow to be used for authentication. The authentication flow should always contain a User Login stage, which attaches the staged user to the current session.
- Authorization: designates a flow to be used for authorization of an application. It can be used to add additional verification steps before the user is allowed to access an application. This flow is defined per provider, when the provider is created, and states whether implicit or explicit authorization is required.
- Enrollment: designates a flow for enrollment. This flow can contain any number of verification stages, such as Email or CAPTCHA. At the end, to create the user, use the User Write stage, which either updates the currently staged user or, if none exists, creates a new one.
- Invalidation: designates a default flow to be used to invalidate a session. Use `default-invalidation-flow` for invalidation from authentik itself, or use `default-provider-invalidation-flow` to invalidate when the session of an application ends. When you use the `default-invalidation-flow` as a global invalidation flow, it should contain a User Logout stage. When you use the `default-provider-invalidation-flow` (supported with OIDC, SAML, Proxy, and RAC providers), you can configure this default flow to present users with log-off options such as "log out of the app but remain logged in to authentik", "return to the My Applications page", or "log out completely". (Alternatively, you can create a custom invalidation flow, with a branded background image.)
- Recovery: designates a flow for recovery. This flow normally contains an Identification stage to find the user. It can also contain any number of verification stages, such as Email or CAPTCHA. Afterwards, use the Prompt stage to ask the user for a new password and the User Write stage to update the password.
- Stage configuration: designates a flow for general setup. This designation has no constraints on what you can do. For example, by default this designation is used to configure authenticators, such as changing a password or setting up TOTP.
- Unenrollment: designates a flow for unenrollment. This flow can contain any number of verification stages, such as Email or CAPTCHA. As a final stage, to delete the account, use the User Delete stage.