Open Netti93 opened 6 months ago
I also have this problem in 2024.4 and 2024.6.
@Netti93 It seems this is not something that happens automatically. It has to be implemented manually with an expression policy that skips the identification stage if the flow is restored from a token. Have a look at: https://github.com/goauthentik/authentik/issues/3297
@nwinkelstraeter Yes, that is correct, but I have imported the example flow and it is correctly skipping the identification stage if the token was created by the email stage itself. In that case the identifier value in the authentik_core_token table is something like "ak-email-stage-default-recovery-email-[...]". But it doesn't work with a token created by an admin via e.g. the "Create Recovery Link" button, which has a different identifier value structure, e.g. "[...]-password-reset".
Describe the bug
A recovery link generated for a user by an admin does not bypass the email stage. Therefore the user then has to enter an email address, wait for that mail and restart the recovery process with the included link.

To Reproduce
Steps to reproduce the behavior:

Expected behavior
The email stage should be bypassed and the password prompt stage should be shown.

Version and Deployment (please complete the following information):

Additional context
Tokens are generated correctly and were still valid when the recovery link was used. The flow works correctly when the user requests a recovery link via "forgot password" and navigates to the URL in the received mail.
Possibly related bugs