Enhance Authentik configuration by introducing dedicated authentication flows for public and lab brands, including stricter password policies and MFA requirements. Update README to clarify flow distinctions and invitation enrollment processes. Improve validation in Ansible tasks to ensure all necessary blueprint variables are set, enhancing deployment robustness.
@@ -68,6 +68,37 @@ noble_authentik_blueprint_lab_operator_groups:
- authentik Admins
noble_authentik_blueprint_lab_brand_title: Noble lab (operators)
noble_authentik_blueprint_public_brand_title_prefix: Noble public
# Public hostname Brand(s) → dedicated authentication flow (**21-noble-public-…** blueprint).
noble_authentik_blueprint_public_auth_flow_slug: noble-public-authentication-flow
# Lab flow: password stage (**failed_attempts_before_cancel**) and strength checks (expression policy; skips when **password** not yet in request context).
noble_authentik_blueprint_lab_password_failed_attempts: 3
noble_authentik_blueprint_lab_password_policy_length_min: 16
noble_authentik_blueprint_lab_password_policy_amount_uppercase: 1
noble_authentik_blueprint_lab_password_policy_amount_lowercase: 1
noble_authentik_blueprint_lab_password_policy_amount_digits: 1
noble_authentik_blueprint_lab_password_policy_amount_symbols: 1
noble_authentik_blueprint_lab_password_policy_check_zxcvbn: true
noble_authentik_blueprint_lab_password_policy_zxcvbn_score_threshold: 3
noble_authentik_blueprint_lab_password_policy_error_message: >-
Lab password policy: at least 16 characters with upper, lower, digit, symbol, and sufficient strength.
# Lab MFA when user has no compatible device: **skip** (like stock), **deny** (block), **configure** (TOTP setup via default stage).
noble_authentik_blueprint_lab_mfa_not_configured_action: configure
# Invitation-based **enrollment** flows (blueprint **22**). Brands do not select enrollment; each **Invitation** picks a flow.
# Link shape: **`https://<host>/if/flow/<slug>/?itoken=<uuid>`** — use the **public** hostname for **`noble_authentik_blueprint_public_invitation_enrollment_flow_slug`** invites.
noble_authentik_blueprint_public_invitation_enrollment_flow_slug: noble-public-invitation-enrollment
noble_authentik_blueprint_lab_invitation_enrollment_flow_slug: noble-lab-invitation-enrollment
noble_authentik_blueprint_public_invitation_flow_name: Noble public invitation enrollment
noble_authentik_blueprint_public_invitation_flow_title: Complete your signup
noble_authentik_blueprint_lab_invitation_flow_name: Noble lab invitation enrollment
noble_authentik_blueprint_lab_invitation_flow_title: Lab access — complete enrollment
# **User write** for public invites: must match an existing **Group** name from **`10-noble-public-groups`** (default **`noble-public-users`**; use **`nikflix-users`** if you only maintain Nikflix groups).
noble_authentik_blueprint_public_invitation_user_group: noble-public-users
noble_authentik_blueprint_public_invitation_user_type: external
noble_authentik_blueprint_public_invitation_user_path: users/noble/public
# Lab invites: blueprint creates **`noble_authentik_blueprint_lab_invitee_group_name`**; add members to **`noble_authentik_blueprint_lab_operator_groups`** manually when they should use the lab URL.
noble_authentik_blueprint_lab_invitee_group_name: noble-lab-invited
noble_authentik_blueprint_lab_invitation_user_type: internal
noble_authentik_blueprint_lab_invitation_user_path: users/noble/lab

noble_authentik_oauth2_proxy_host: oauth2.apps.noble.lab.pcenicni.dev

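Review bot: the comment on the lab strength check ("expression policy; skips when **password** not yet in request context") describes fail-open behaviour, so the policy must only be bound to the stage that actually populates `password`; bound anywhere earlier it passes silently and the length/zxcvbn thresholds below it never apply. Consider stating the intended binding point in that comment, or have the policy fail rather than pass when `password` is absent. Minor: the `**bold**` and backtick markdown inside these YAML comments never renders in a defaults file; plain text there reads cleaner.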