blueprints: fix policy exception causing password stage to be skipped after upgrade

[BeryJu]

Details

closes #6673

due to changing defaults, after upgrading from some versions, a new default policy would be run at the wrong time causing it to fail, which would cause the password stage to get skipped

this fixes both the missing default value and also makes the policy more resilient to errors

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)
• The translation files have been updated (make i18n-extract)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	47d23d1
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/64ee67e4efde860008305f7f

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.92%. Comparing base (bcf9a01) to head (3767ba1).
Report is 4985 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6674      +/-   ##
==========================================
- Coverage   92.49%   90.92%   -1.58%     
==========================================
  Files         561      561              
  Lines       27146    27146              
==========================================
- Hits        25110    24682     -428     
- Misses       2036     2464     +428     

Flag	Coverage Δ
e2e	51.51% <ø> (-0.03%)	⬇️
integration	?
unit	89.29% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[esackbauer]

and also makes the policy more resilient to errors

Does that mean Authentik is still prone to timing attacks, just not so much anymore?

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-blueprints-fix-default-authentication-flow-1693345415-47d23d1
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-blueprints-fix-default-authentication-flow-1693345415-47d23d1-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-blueprints-fix-default-authentication-flow-1693345415-47d23d1

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-blueprints-fix-default-authentication-flow-1693345415-47d23d1-arm64

Afterwards, run the upgrade commands from the latest release notes.