Amazing video! This helped clear up a crucial part I was missing! For blocking enrollment, I dug in a little deeper and found that you can actually just create/bind an expression policy and set the priority to 0 (highest)
So, in the default-source-enrollment Flow, click the "Policies / Groups / User Bindings" tab -> Click Create & bind Policy -> Select Expression Policy -> Name it whatever you want -> In expression, input:
ak_message("Access Denied")
return False
The string "Access Denied" can be whatever you want. That's what will show when someone attempts to login/create an account. I use OAuth, so for me, I don't want anyone just willy nilly signing up and having accounts created!
EDIT: Also, make sure other bound policies in that tab are disabled! Still learning the evaluation of "ANY" with policies, but it's a safe way to keep any other policies there around, but not active.
Thanks! And yeah, figured something like that later...but great detailed info in your comment for anyone else to follow.
How do you disable other bound policies? policies or stages?
...just go to edit binding for whatever policy and flip the enabled switch
@cooptonian The version I have does not show an enable button.
I have nothing to say except that you are a lifesaver and I am so glad someone shared your video on reddit. Cheers and thanks for making these videos for us. :)
You're welcome!
I do love you! I just want you to know that. Your videos are the best Authentik videos out there - For Sure! Keep 'em coming, please! Thanks a ton!
Ha ha, thanks! I appreciate you appreciating them.
I am so excited to find this amazing video over the endless sea of Internet! Thank you bro, you have saved my day!
Glad I could help!
Love your Authentik Videos, great stuff, Thanks a lot
Glad you like them!
What a fantastic guide for people new to configuring this technology like myself. Do you have any plans in the future to make a video about enrollment with OAuth by chance?
Awesome video, thank you so much! Subscribed!
bro, you are the true hero. may I ask whether you can make a video to explain how to add SMS? I was tortured by this for a week.
Thank you so much for your work ! I would never be able to get my Authentik setup up and running without you, you truly helped me to get on board with it. Authentik will be the key component of my media server. I can't say how much this content is important to me.
Your tutorial works perfectly. But I think there is a small flaw: When someone creates his account, it will create as an inactive user. Then if the person doesn't validate his account by email, the email token disappears but the inactive user stays in the database. So now this username / email combo is now completely blocked for the end user. If he tries to log in, he can't because the user is disabled. If he tries to re-create his account, he can't because it already exists. That would force him to use another email and username and I would like to avoid this frustration.
I guess the easiest way would be to auto-delete inactive accounts 30mins after creation (to match the email token expiry). Do you know how I could achieve that ? Or maybe there is another way around.
Anyway have a great day and thank you so much for your work !
The email token/inactive user is good to prevent random sign-ups if you had open enrollment, however, since you are sending invites you can modify the flow to create active users if you'd like; which doesn't require email verification. The user would just get an email to the invitation enrollment page, as soon as they finish entering their info user write as an active account. Or if still wanting to use email but token timing out is the issue, you can always increase that duration also.
@cooptonian Thanks a lot for your answer. I am not using invites, I do have open enrollment. What I am planning to do later is that user by default will be in a group where they don't have access to any of my applications. I will set a notification when new users are created and I will manually approve them by placing them in the group with access. But I will try to do that later.
For now with my enrollment, I will keep email verification necessary as I will need that email valid to notify my users from my services. Increasing the timing for the email token is an idea, but I don't want it to last for days and in the end it is still the same issue. If this user has missed the email or is not receiving it and wants to try again, his username is permanently locked until I manually delete the account myself. I see 2 ways out of this: either the inactive accounts are automatically deleted after a short period, or when accounts are created they are marked as active but are put in an "email not yet validated" group, where they can login but login redirects them to the page where they need to validate their email. So they can't do anything until their email is validated. I think the 1st way is the simplest, but I guess both would work. I don't see how to do this though.
...in my mind, visually I can see creating an expression policy for your 2nd suggested solution. The 1st solution seems like it would fit in with 1 of the many tasks (if you look in the System Tasks menu under Dashboard) but those are hardcoded into authentik...I wish there was a create task button there. But I agree the 1st solution would be the best, logically.
@cooptonian I see, thanks a lot for your answer, it really helps a lot. I'm a beginner with expression policies. If I understood correctly, what I should do is:
1. binding a policy to my user login stage that will login if in the "email validated" group or redirect to email validation flow if in "email not yet validated" group. I'm not sure if I should do a new flow for email validation only or if there is a way to redirect to the enrollment flow. What I am thinking of is a duplicate of my enrollment flow, which allows them to change their email if they made a mistake, but lock the username to avoid duplicate accounts. I think I can sort that out myself.
2. create users as active right away before email validation, but in "email not yet validated" group
3. Have the email validation move them to the right group instead of activating the account when completed. That is the part that I don't know how to do.
sounds like a good start...I was thinking more of the line of user enters their name, email, and password for enrollment (inactive), write that to authentik and end the flow there (this way there isn't a token time running down). At next login, the expression checks if the user logging in is active via expression policy...if so, continue with login, if not prompt for email stage to confirm email (maybe follow the email stage with a prompt stage warning the user that they have a certain amount of time to confirm). This, however, again doesn't solve the issue if the user decides to ignore the warning and the token still times out.
Great video! but is there a way, in the write stage, to have the user join more than one group ?
This is so great. Thanks a lot for your work here
Thanks!
Second video from you on authentik which I watched, both have really helped me set this up, I work with oauth2 but still struggle at home with authentik :/
Glad you have found them useful!
That joke at the beginning was underrated. Laughed when I understood.
Love the videos since one of your videos actually helped me get authentik somewhat working in the first place. Sadly neither the recovery email flow, nor the enrollment flow seem to be working. I am unsure if it's a config issue. You mentioned needing to reference the mail config from the .env in the docker compose, yet I haven't found any info about doing that. That might be my problem, but I can't find any info on it.
Edit:
Did it again today and for some reason it now works.
Great to hear!
Hi! How can I add Google login on the enrollment page? I have already Google login on my login page
thanks, your videos are a great help.
I don't think you should check the 'continue flow option' within the invitation stage otherwise the same link will never expire. I just tested it with the 2023-10 release
Thanks, good to know...and I'll have to test that myself.
Thanks @Cooptonian for the step by step guide for Authentik novices. I had a question about enrollment flow. Is there a way to control self enrollment i.e. enable it but control it either by requiring admin consent before account becomes active or limiting it by email domain.
Yes, you should be able to do this with policies...
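One way to implement the email-domain limit asked about above, as an added example that is not from the video or from any commenter: the logic of an expression policy bound as a validation policy to the enrollment prompt stage, where authentik exposes the submitted fields as `request.context["prompt_data"]`. `ALLOWED_DOMAINS`, the `email` field key, the message text and the stub request built in `evaluate` are assumptions so the check can run outside authentik.

```python
from types import SimpleNamespace

# Assumption: the domains you are willing to enroll; replace with your own.
ALLOWED_DOMAINS = {"example.com", "example.org"}


def email_domain_allowed(email, allowed=ALLOWED_DOMAINS):
    """Return True only when the address's domain is exactly on the allow list.

    Exact matching matters: substring or suffix checks would accept
    look-alikes such as "example.com.evil.test" or "notexample.com".
    """
    if not isinstance(email, str):
        return False
    local, sep, domain = email.strip().rpartition("@")
    # Require exactly one "@" with text on both sides (quoted local parts
    # containing "@" are rejected; this check fails closed).
    if not sep or not local or "@" in local or not domain:
        return False
    return domain.lower() in allowed


def policy_body(request, ak_message):
    """The lines that would go into the expression policy.

    In authentik, `request` and `ak_message` are provided to the expression;
    here they are passed in so the same logic can be exercised offline.
    """
    prompt_data = request.context.get("prompt_data") or {}
    if email_domain_allowed(prompt_data.get("email")):
        return True
    ak_message("Enrollment is limited to approved email domains.")
    return False


def evaluate(email):
    """Run the policy against a constructed request; returns (result, messages)."""
    messages = []
    # Constructed stand-in for authentik's policy request object.
    context = {"prompt_data": {"email": email}} if email is not None else {}
    request = SimpleNamespace(context=context)
    return policy_body(request, messages.append), messages


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["alice@example.com", "bob@Example.COM",
                      "eve@example.com.evil.test", "eve@notexample.com",
                      "a@b@example.com", None]:
        print(candidate, "->", evaluate(candidate))
```

Because the policy only validates the prompt data, it does not replace email verification: the email stage is still what proves the enrolling person controls the address.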
Thank you very much. This video is so useful for those who are new to Authentik like me :)
Thanks and you're welcome!
thank you sooo much for the help on this!
You're so welcome!
I am using the API to create the users myself however, I want to generate a link they can click on to verify their email. How can I do this?
Is there a third option whereby I can have a user enrol with the first flow, but then I get the option to approve or deny the enrollment?
...I guess you can drop the email stage, their accounts would then be created but not active until you manually go in and activate the account. Just set up a new notification rule to be notified by email...unless you just check routinely.
Hey great vids! Unfortunately I'm getting "Request has been denied" (Unknown error). when using the invitation method. Link is valid and I've followed every step in the video. Even multiple times.
...if you tried and followed every step exactly, maybe you have a caching issue. Test in either incognito mode, another browser, or from different device and/or network.
This is awesome. Thanks a lot for this man! Do you know a way to only allow certain users to see certain applications?
Thanks! For certain users to see only certain apps you would have to go into each app and bind a policy, group, or user. For instance if you bind all apps to the Admin group, none of your users in the users group will see apps (because default with no policies, everyone can see all apps). Another example is you can put all the apps shared/common to all users under a group named 'common' then simply add users to that group to give them access...anyone not added will not have access. If you want to be even more granular, you can make each app its own group, then you'd have to add each user to each app group you want them to have access to. There are so many combinations you can do here.
@cooptonian Awesome. Thanks for these man, you've been saving me a lot of headache. Keep it up!
...well, no one likes headaches! LOL...you're welcome
Amazing video! Thank you for the precious information! I'd be lost without you :) I have one question if you may: In my web app, a user is created and their password is set when they submit a form using the Authentik API. Everything seems to work, but the problem is I don't know how to send them a confirmation email since I'm not following any standard enrollment flows. Any ideas? Thank you in advance
...you can probably create an event policy for when a user is created, send an email
Question what about if you want to leverage external authentication engines as Discord/Google/Apple but you want the user to have to be validated/approved prior to entry. Email the admin to approve?
...I'm not well versed in Python, but you would probably just create a new Prompt of email type and change the place holder to be an expression that pulls/sets the email address to be that of the admin's...once the user clicks to continue, the email would then be sent to the admin. (HTML template could also be created and copied to Authentik host/container tailored to this request for approval vs using the built-in account confirmation template...anyways, may need to ask this question in the Discord for specifics...
Thanks, this is helpful, but it would more helpful if you explained a bit about WHY you do all these things to set up the invitation flow. I don't currently understand what each of the individual components are for, or how they work in conjunction with one another. I'm struggling to find any material to help me understand these flows/stages/policies properly.
...yeah it was tough for me in the beginning as well with not much help. It's the reason I made these videos to maybe help others on the basic level... A quick summary from what I understand is the FLOW is the overall event you want to happen, the STAGES make up the flow (so these would be steps), and the policies modify the behavior of the stages to meet your particular needs (these are still tough for me as you need to write expressions with the correct syntax)
Definitely agree with this comment. These videos are great but as I’ve only started using Authentik yesterday the whole Flow/Stages thing is still pretty confusing. For example, in the previous video you created a new flow, then modified the login flow in a way that didn’t seem to reference the reset password flow, and yet it still showed up on the page. I’m still trying to wrap my head around how that happened 😅 Really do appreciate the videos though, and would be amazing if you just did a “Here’s an Intro to Authentik video where I explain what these things are and how these flows/stages interact and how modifying them makes things show up on the page” kind of thing.
Thank you for this video. I have followed your advice, but my enrolment flow gets "Request has been denied" (Unknown error). There is nothing in the Events > Logs. Nothing of note in docker logs. Authentik test mail can be sent from docker compose. Can't seem to put my finger on what is the issue. Using 2023.10 version.
...maybe your token expired? Or do you have a policy that is failing?
this is exactly what I was looking for thanks! Question, how might I require a user to select a 2fa method during enrollment?
You're welcome...I am actually working on a video for that now which may include a bonus of using Duo (which isn't straightforward)
...here you go: ua-cam.com/video/whSBD8YbVlc/v-deo.html
hahah good joke at the beginning mate! thanks for the vids, they helped me a lot. Greetings from Colombia
Glad you found them helpful!
Everything went smooth. Just one thing has me thinking. With the invitation link, I fill out the form and submit it but it logs me in right away. In the video, the user is prompted to log in. My flow does have a User Login Stage at the bottom with name default-source-enrollment-login
...you can have the write stage as your last stage. With it not having a next stage it will kick you back to the login page. Or if you want it more elegantly done, after your write stage create/add a prompt stage of type 'static' as your last stage letting the newly enrolled user know that the process is complete or finished (this will leave a 'continue' button to be clicked on). The enrolled person clicks continue and it will bring up the login page...
@cooptonian Thank you, I will try it tomorrow.
Videos are definitely "Authentik" 😂
I have implemented Authentik with your videos and just realized that the sign up link still works even with the deny-enrollment stage binding created as described. Any ideas on how else I can get rid of the sign up option? If I turn off "evaluate on plan" on the deny-enrollment binding, then I get the expected error message. However, the enrollment via invitation link is also blocked, and the same error is shown.
...weird, it shouldn't work especially if it is at the top of the flow as it is the very first thing evaluated. Are you sure you are not pulling up a cached page? Maybe the latest version broke something? In any case, if you are done with enrollment from the main page, just remove the link. Edit your default authentication flow > Identification stage and remove the option for enrollment... You can probably also create a deny policy; for more info on that, it is best to ask in the discord for ideas...
@cooptonian I tried removing the enrollment link and it works, but if I paste the url then it loads the enrollment page. For some magical reason the expected error message now pops up again. There is no signup link now, the invitation works. Thanks
@rguifa sure, you're welcome!
Can you do one showing ldap integration?
Another UA-cam user on here by the name of Rob Hedrick or better yet in the Authentik Discord server @Hooray4Rob has actually submitted a PR request that has been merged to Authentik's docs regarding Generic LDAP setup...have you seen it >> goauthentik.io/docs/providers/ldap/generic_setup ? It is pretty awesome as it is clear and concise with exact screenshots of the steps...
I had this working but now after attempting to sign up I just get a spinning wheel and it never sends the email, verified I still have the correct settings in my .env
...check for errors in your event logs as well as docker logs to narrow your issue... Also check that all related authentik containers are up and running and haven't exited/stopped for whatever reason. If nothing has changed at all, doesn't hurt to just restart all the containers.
In which video do you set up password-complexity? You refer to something, but do not link the actual video. I am confused
...previous to this video was my Authentik - Password Recovery Flow Setup ( ua-cam.com/video/NKJkYz0BIlA/v-deo.html )
@cooptonian thanks mate, your tutorials are awesome!
How to return that application main page if login or register successfully?
...not sure what you mean? The application dashboard? The user would just need to login to the main authentik page after registering...
Not sure if this is possible with Authentik, but if it is possible, can you create a video on how to setup a flow that deactivates a user and forces them to change their password to get reactivated?
...yeah, I am not sure if this is possible or not either. But if it was, I imagine it would be through an expression policy. For example, if the last log in for a user currently logging in is more than 90 days (if the expression policy can check login logs), then force a password reset...but this would only trigger for that user currently logging in. What would be better would be some kind of cronjob that checks the length of time between logins then runs a script/authentik command to disable the user... Unfortunately, I didn't see any documentation for ALL Authentik command line commands available...
The one thing that authentik is better with is for the registration process - authelia’s process is too manual.
agreed!
The poor mosaic greatly reduces the quality of these videos.
Amazing video, but I have a slightly different scenario to cover and need some help. My users just need to assign a password for themselves because their name, username and email are used to create their account beforehand. Now what I want is to send an email to each new user which tells them to set a password by following a link. Currently the accounts get created and the users have to set a password on their first login, but they don't get informed about the creation of their account. Any advice would be neat.
...you can add a custom prompt stage of type static at the very end of the flow to let them know the account has been created (this is a message prompt with a continue button). Once they click continue it just reloads the main login page (to add some actual logic to it, you can add an expression policy to check that the user exists). Or if you really want to send an email, add another email stage and use the reset password template.