How to link expression policy to use an alternateEmail in recovery-password flow

[kukoarmas]

Hello!
I've been trying to create a password recovery flow with an alternate email, because my email service is connected to authentik. I've seen several questions about this need, but no step-by-step guide to solve it.

As documented in https://goauthentik.io/docs/flow/stages/email/#behaviour, I created an expression policy to set the email from the user "alternateEmail" attribute. Here is my policy:

try:
  request.context["flow_plan"].context["email"] = request.context["pending_user"].attributes["recoveryEmail"]
  return True
except:
  request.context["flow_plan"].context["email"] = "EXCEPT"
  return True

Then I created a recovery flow like this:

The expression policy is linked to the email stage:

I expected the expression policy to be run after the recovery-authentication-identification stage and so, the pending_user should be the one typed in the identification stage, but it seems that the policy is being run before the identification stage, and so que pending_user is anonymous and I don't get the correct recoveryEmail attribute.

Here is the flow in inspector:

Before The identification stage, the expression policy was already run, and it changed the email to the alternateEmail of the user running the flow inspector:

After entering the user ìdtest in the identification stage, the pending_user is changed to the one entered in the identification stage, but the email is not changed, because it seems the expression policy was already run

Am I doing something wrong?
How should I link the expression policy to the email stage so it applies it's changes after the identification stage to use the entered user?

[tanberry]

Hi @kukoarmas I'd like to add more info to our authentik documentation about this; I don't have an answer to your question right now, but we will be looking into it.

[tanberry]

Hi again, @kukoarmas. This is likely not the full answer, but please take a look at the merged/closed PR #4784. In release 2023.3, we changed the default flow stage binding settings.

Can you check on your Update Stage Binding modal that you have the second option, Evaluate when stage is run, turned on?

To get there, go to Flows, and in the list of flows scroll down and click on default-password-change to open the detail page for the Change Password page. Click on the Stage Bindings tab, then click Edit Binding. There you will see the Evaluate when stage is run option.

It might be that stages are getting out of order, and that option will reset stages in realtime, if I understand it correctly.

[kukoarmas]

Yes, the trick was enabling Evaluate when stage is run in the binding of my recovery-email stage

Now, if the user has a recoveryEmail attribute, the recovery email is sent to that address. If there is no recoveryEmail attribute, the email is sent to the user's email address

I think it would be great to have this whole configuration documented, because I've seen a several questions about this, and no clear answers.