OOBE Blueprint can't be deleted #8859
I deployed an Authentik instance with the default Docker Compose file. After a day of fiddling, I found that the removed default configuration would all reappear about every hour. I assume it's the remaining OOBE blueprint, so I removed them both in the database and on the filesystem. However, they would all reappear again. I've searched all over the deployment and development documentation, but no luck. I find it not only annoying but also a considerable security threat. Always keeping a set of active auth flows leaves them wide open to scanning and brute-force attacks. Is this behavior intended, or did I fiddle with some developer allowance? How could I disable this?
  
Replies: 3 comments 3 replies
You can mount over blueprints to avoid that. Just mount an empty file over
  
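As an added illustration of the mount-over approach (this is not from the reply above or from the authentik project), a Docker Compose override that mounts a zero-byte local file over one default blueprint. It assumes the service names `server` and `worker` from the default authentik compose file, that `/blueprints` is the container's blueprint directory, and that `<blueprint-file>.yaml` is a placeholder you replace with the filename of the default blueprint you want disabled; the worker is assumed to be the container that applies blueprints, so the file is mounted into both services.

```yaml
# Added example, not from the thread: compose override that disables one
# default blueprint by shadowing it with an empty file.
# Assumptions: service names `server` and `worker`, blueprint directory
# `/blueprints`, and the placeholder `<blueprint-file>.yaml` for the real name.
services:
  server:
    volumes:
      # `./empty-blueprint.yaml` is a constructed, zero-byte local file.
      - ./empty-blueprint.yaml:/blueprints/default/<blueprint-file>.yaml:ro
  worker:
    volumes:
      # Mount it in the worker too, since that is where blueprints are applied.
      - ./empty-blueprint.yaml:/blueprints/default/<blueprint-file>.yaml:ro
```

Create the empty file first (`touch empty-blueprint.yaml`), save the override beside the main compose file as `compose.override.yaml` so it is merged automatically, then recreate the containers. After the next blueprint discovery run, the shadowed blueprint should no longer recreate the objects it defines; verify in the admin interface under Blueprints that its instance no longer reports a successful apply.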
I don't even know why I didn't think of this earlier, but you can associate a policy with the flows that just denies flow execution. That way, you don't have to mess with default files, and the flows you don't want live are not able to be run.
  
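An added example of the deny-policy approach (not from the reply above and not authentik's own code): a blueprint that creates one expression policy which always returns `False` and binds it to the two default flows named elsewhere in this thread. The policy name `deny-all` and the blueprint name are constructed; the model names, the `!KeyOf` and `!Find` tags and the `ak_message` helper are standard authentik blueprint features.

```yaml
# Added example, not from the thread: block the default flows with a
# deny-all expression policy instead of deleting the blueprint files.
version: 1
metadata:
  name: Deny default flows   # constructed name
entries:
  # An expression policy that never passes. Any flow it is bound to is
  # denied before its first stage runs.
  - model: authentik_policies_expression.expressionpolicy
    id: deny-all-policy
    identifiers:
      name: deny-all          # constructed name
    attrs:
      execution_logging: true # log every evaluation so denied attempts are visible
      expression: |
        ak_message("This flow is disabled.")
        return False

  # Bind the policy to each default flow that should not be reachable.
  - model: authentik_policies.policybinding
    identifiers:
      order: 0
      policy: !KeyOf deny-all-policy
      target: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    attrs:
      enabled: true
  - model: authentik_policies.policybinding
    identifiers:
      order: 0
      policy: !KeyOf deny-all-policy
      target: !Find [authentik_flows.flow, [slug, default-source-authentication]]
    attrs:
      enabled: true
```

The bindings survive blueprint re-application because the default blueprints recreate the flows by slug and do not touch bindings added later. What a visitor sees on a denied flow is governed by that flow's `denied_action`; make sure your brand points at your own replacement flow before applying this, otherwise you lock yourself out of the default login path as well.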
This is probably not the most elegant solution for this, but this is how I do it. I also let the blueprint delete my whole flow and recreate it, since I noticed that the merge behaviour is not always working like I expect it to. Hope this helps somebody who stumbles across this :)

Flow Blueprint configmap:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-flows
  namespace: auth
data:
  cleanup-defaults.yaml: |
    # yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
    version: 1
    metadata:
      name: Cleanup default flows
      labels:
        blueprints.goauthentik.io/generated: 'true'
    entries:
      - model: authentik_flows.flow
        state: absent
        identifiers:
          slug: default-authentication-flow
      - model: authentik_flows.flow
        state: absent
        identifiers:
          slug: default-source-authentication
  jhc-authentication.yaml: |
    # yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
    version: 1
    metadata:
      name: JHC Authentication with Passwordless Option
      labels:
        blueprints.goauthentik.io/generated: 'true'
    entries:
      # Phase 1: Delete existing objects
      # Remove main authentication flow and its components
      - model: authentik_flows.flow
        state: absent
        identifiers:
          slug: jhc-authentication

      - model: authentik_flows.flow
        state: absent
        identifiers:
          slug: jhc-webauthn-passwordless

      - model: authentik_flows.flow
        state: absent
        identifiers:
          slug: jhc-webauthn-setup

      # Remove specific stages by name
      - model: authentik_stages_authenticator_webauthn.authenticatorwebauthnstage
        state: absent
        identifiers:
          name: jhc-webauthn-configuration

      - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
        state: absent
        identifiers:
          name: jhc-webauthn-validation

      - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
        state: absent
        identifiers:
          name: jhc-mfa-validation

      - model: authentik_stages_identification.identificationstage
        state: absent
        identifiers:
          name: jhc-identification

      - model: authentik_stages_password.passwordstage
        state: absent
        identifiers:
          name: jhc-password

      - model: authentik_stages_user_login.userloginstage
        state: absent
        identifiers:
          name: jhc-login

      - model: authentik_stages_user_login.userloginstage
        state: absent
        identifiers:
          name: jhc-webauthn-login

      # Phase 2: Create fresh implementation
      # WebAuthn Configuration Stage (for setting up keys)
      - model: authentik_stages_authenticator_webauthn.authenticatorwebauthnstage
        state: present
        id: webauthn-config-stage
        identifiers:
          name: jhc-webauthn-configuration
        attrs:
          friendly_name: "Security Key"

      # WebAuthn Setup Flow (for users to register their keys)
      - model: authentik_flows.flow
        state: present
        id: webauthn-setup-flow
        identifiers:
          slug: jhc-webauthn-setup
        attrs:
          designation: stage_configuration
          name: Security Key Setup
          title: Set up your security key
          authentication: require_authenticated

      # Binding the config stage to the setup flow
      - model: authentik_flows.flowstagebinding
        state: present
        identifiers:
          order: 0
          stage: !KeyOf webauthn-config-stage
          target: !KeyOf webauthn-setup-flow
        attrs:
          policy_engine_mode: any

      # WebAuthn Passwordless Flow (this will be shown as a button option)
      - model: authentik_flows.flow
        state: present
        id: webauthn-passwordless-flow
        identifiers:
          slug: jhc-webauthn-passwordless
        attrs:
          authentication: none
          denied_action: message_continue
          designation: authentication
          layout: stacked
          name: Authenticate with Security Key
          policy_engine_mode: any
          title: Authenticate with Security Key

      # WebAuthn Validation Stage (for validating during login)
      - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
        state: present
        id: webauthn-validation-stage
        identifiers:
          name: jhc-webauthn-validation
        attrs:
          configuration_stages:
            - !KeyOf webauthn-config-stage
          device_classes:
            - webauthn
          last_auth_threshold: seconds=0
          not_configured_action: configure
          webauthn_user_verification: required

      # User login stage for completing authentication
      - model: authentik_stages_user_login.userloginstage
        state: present
        id: webauthn-login-stage
        identifiers:
          name: jhc-webauthn-login
        attrs:
          session_duration: seconds=0

      # Binding stages to the passwordless flow - SIMPLIFIED
      - model: authentik_flows.flowstagebinding
        state: present
        identifiers:
          order: 0
          stage: !KeyOf webauthn-validation-stage
          target: !KeyOf webauthn-passwordless-flow
        attrs:
          policy_engine_mode: any

      - model: authentik_flows.flowstagebinding
        state: present
        identifiers:
          order: 100
          stage: !KeyOf webauthn-login-stage
          target: !KeyOf webauthn-passwordless-flow
        attrs:
          policy_engine_mode: any

      # Main Authentication Flow
      - model: authentik_flows.flow
        state: present
        id: main-auth-flow
        identifiers:
          slug: jhc-authentication
        attrs:
          authentication: none
          denied_action: message_continue
          designation: authentication
          layout: stacked
          name: JHC Authentication
          policy_engine_mode: any
          title: JHC Authentication

      # Password stage for main flow
      - model: authentik_stages_password.passwordstage
        state: present
        id: password-stage
        identifiers:
          name: jhc-password
        attrs:
          backends:
            - authentik.core.auth.InbuiltBackend
            - authentik.sources.ldap.auth.LDAPBackend
          configure_flow: !KeyOf webauthn-setup-flow
          failed_attempts_before_cancel: 5

      # MFA Validation Stage for main flow (optional)
      - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
        state: present
        id: mfa-validation-stage
        identifiers:
          name: jhc-mfa-validation
        attrs:
          device_classes:
            - static
            - totp
            - webauthn
            - duo
            - sms
            - email
          last_auth_threshold: seconds=0
          not_configured_action: skip
          webauthn_user_verification: preferred

      # Main identification stage (with passwordless option)
      - model: authentik_stages_identification.identificationstage
        state: present
        id: main-identification-stage
        identifiers:
          name: jhc-identification
        attrs:
          case_insensitive_matching: true
          passwordless_flow: !KeyOf webauthn-passwordless-flow
          pretend_user_exists: true
          show_matched_user: true
          user_fields:
            - username
            - email

      # Main login stage
      - model: authentik_stages_user_login.userloginstage
        state: present
        id: main-login-stage
        identifiers:
          name: jhc-login
        attrs:
          session_duration: seconds=0

      # Binding stages to main authentication flow
      - model: authentik_flows.flowstagebinding
        state: present
        identifiers:
          order: 10
          stage: !KeyOf main-identification-stage
          target: !KeyOf main-auth-flow
        attrs:
          policy_engine_mode: any

      - model: authentik_flows.flowstagebinding
        state: present
        identifiers:
          order: 20
          stage: !KeyOf password-stage
          target: !KeyOf main-auth-flow
        attrs:
          policy_engine_mode: any

      - model: authentik_flows.flowstagebinding
        state: present
        identifiers:
          order: 30
          stage: !KeyOf mfa-validation-stage
          target: !KeyOf main-auth-flow
        attrs:
          policy_engine_mode: any

      - model: authentik_flows.flowstagebinding
        state: present
        identifiers:
          order: 100
          stage: !KeyOf main-login-stage
          target: !KeyOf main-auth-flow
        attrs:
          policy_engine_mode: any

      # Run/apply brand blueprint to make sure jhc-authentication flow is set after recreation of the flow
      - model: authentik_blueprints.metaapplyblueprint
        attrs:
          identifiers:
            path: mounted/cm-authentik-brands/jhc-brand.yaml
```
  