home-server/ansible/roles/noble_authentik/templates/blueprints/21-noble-public-authentication-flow.yaml.j2

# Noble — **public** hostname(s): same behaviour as stock **default-authentication-flow** (optional password / MFA skip for WebAuthn PWL), isolated slug for Brand binding.
version: 1
metadata:
  name: noble-public-authentication-flow
  labels:
    blueprints.goauthentik.io/instantiate: "true"
entries:
  - model: authentik_blueprints.metaapplyblueprint
    attrs:
      identifiers:
        name: Default - Password change flow
      required: false
  - model: authentik_flows.flow
    id: flow
    identifiers:
      slug: {{ noble_authentik_blueprint_public_auth_flow_slug | trim | to_json }}
    attrs:
      name: Noble public sign-in
      title: Sign in
      designation: authentication
      authentication: none
  - id: noble-public-identification-binding
    model: authentik_flows.flowstagebinding
    identifiers:
      order: 10
      stage: !Find [authentik_stages_identification.identificationstage, [name, default-authentication-identification]]
      target: !KeyOf flow
  - id: noble-public-password-binding
    model: authentik_flows.flowstagebinding
    identifiers:
      order: 20
      stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
      target: !KeyOf flow
    attrs:
      re_evaluate_policies: true
  - id: noble-public-authenticator-binding
    model: authentik_flows.flowstagebinding
    identifiers:
      order: 30
      stage: !Find [authentik_stages_authenticator_validate.authenticatorvalidatestage, [name, default-authentication-mfa-validation]]
      target: !KeyOf flow
  - model: authentik_flows.flowstagebinding
    identifiers:
      order: 100
      stage: !Find [authentik_stages_user_login.userloginstage, [name, default-authentication-login]]
      target: !KeyOf flow
  - model: authentik_policies_expression.expressionpolicy
    id: noble-public-password-optional
    identifiers:
      name: noble-public-password-optional
    attrs:
      expression: |
        flow_plan = request.context.get("flow_plan")
        if not flow_plan:
            return True
        return not hasattr(flow_plan.context.get("pending_user"), "backend")
  - model: authentik_policies_expression.expressionpolicy
    id: noble-public-authenticator-validate-optional
    identifiers:
      name: noble-public-authenticator-validate-optional
    attrs:
      expression: |
        flow_plan = request.context.get("flow_plan")
        if not flow_plan:
            return True
        return not (flow_plan.context.get("auth_method") == "auth_webauthn_pwl")
  - model: authentik_policies.policybinding
    identifiers:
      order: 10
      target: !KeyOf noble-public-password-binding
      policy: !KeyOf noble-public-password-optional
    attrs:
      failure_result: true
  - model: authentik_policies.policybinding
    identifiers:
      order: 10
      target: !KeyOf noble-public-authenticator-binding
      policy: !KeyOf noble-public-authenticator-validate-optional
    attrs:
      failure_result: true