How to implement approval workflow for social login with inactive users and proper source connection?

[tilllt]

Description

Goal

I want to implement a social login flow (Google, Discord, GitHub) with the following requirements:

1. New users see an approval message - When users log in for the first time via social login, they should see a friendly message explaining their account is pending administrator approval
2. Users are created as inactive - New users should be created but not able to access applications until an admin activates them
3. Source connection must work - After activation, users should be able to log in again without getting "username already taken" errors
4. Only approved users get access - Users should only access applications (e.g., Nextcloud) after being added to specific groups

Current Setup

• Authentik version: 2025.8.4
• Social sources: Google, Discord, GitHub OAuth
• Target application: Nextcloud via OIDC
• Custom enrollment flow: social-login-with-approval

Problems Encountered

1. Source Connection Not Created

When using a User Write Stage with:

• user_type: internal
• create_users_as_inactive: true

The UserSourceConnection is not created during enrollment. This causes:

• Second login attempt triggers enrollment flow again instead of authentication flow
• "Username already taken" error because user already exists

2. Inactive Users Can Still Login

When using user_type: external:

• Source connection IS created correctly
• But inactive users can still authenticate and reach applications
• The is_active flag doesn't block external users from logging in

3. Missing Email in Flow Context

Initially got errors like 'email' when the User Write Stage tried to create the user because:

• Google doesn't provide a username automatically
• Email wasn't present in the prompt_data context
• Needed to add an email field to the Prompt Stage

4. Policy Binding Confusion

• Validation Policies on Prompt Stages don't have access to social login data
• Policies need to be bound to Stage Bindings, not to the Stage itself
• This differs from how the default enrollment flow works

Current Flow Structure

Order -10: Invitation Stage (continue without invitation)
Order 0:   Prompt Stage (username + email fields)
Order 10:  User Write Stage (create_users_as_inactive=true, user_type=internal)
Order 20:  Deny Stage (approval message in German/English)

Questions

1. What's the recommended way to implement this approval workflow? Should I:

   • Use user_type: external + policy on authentication flow to block inactive users?
   • Use user_type: internal + manual source connection after activation?
   • Use active users with group-based application policies instead?

2. How does the UserSourceConnection get created for internal users? Is there a stage or setting I'm missing?

3. Should the enrollment flow handle source connection differently when create_users_as_inactive is used?

4. Is there a better pattern for "pending approval" workflows with social login that I should be following?

What I've Tried

• Custom enrollment flow with internal user type (source connection not created)
• External user type (inactive users can still login)
• Various policy configurations on flows and stages
• Adding email field to prompt stage to fix context issues

Additional Context

The default default-source-enrollment flow works well for active users but doesn't support:

• Creating inactive users
• Showing custom approval messages
• Preventing access until admin approval

Any guidance on the correct approach would be greatly appreciated!