Expressions
The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning None
is always accepted and would simply skip the mapping for which None
was returned.
Available Functions
regex_match(value: Any, regex: str) -> bool
Check if value
matches Regular Expression regex
.
Example:
return regex_match(request.user.username, '.*admin.*')
regex_replace(value: Any, regex: str, repl: str) -> str
Replace anything matching regex
within value
with repl
and return it.
Example:
user_email_local = regex_replace(request.user.email, '(.+)@.+', '')
list_flatten(value: list[Any] | Any) -> Optional[Any]
Flatten a list by either returning its first element, None if the list is empty, or the passed in object if its not a list.
Example:
user = list_flatten(["foo"])
# user = "foo"
ak_call_policy(name: str, **kwargs) -> PolicyResult
Requires authentik 2021.12
Call another policy with the name name. Current request is passed to policy. Key-word arguments can be used to modify the request's context.
Example:
result = ak_call_policy("test-policy")
# result is a PolicyResult object, so you can access `.passing` and `.messages`.
# Starting with authentik 2023.4 you can also access `.raw_result`, which is the raw value returned from the called policy
# `result.passing` will always be a boolean if the policy is passing or not.
return result.passing
result = ak_call_policy("test-policy-2", foo="bar")
# Inside the `test-policy-2` you can then use `request.context["foo"]`
return result.passing
ak_is_group_member(user: User, **group_filters) -> bool
Check if user
is member of a group matching **group_filters
.
Example:
return ak_is_group_member(request.user, name="test_group")
ak_user_by(**filters) -> Optional[User]
Fetch a user matching **filters
.
Returns "None" if no user was found, otherwise returns the User object.
Example:
other_user = ak_user_by(username="other_user")
ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool
(2021.9+)
Only available in property mappings with authentik 2022.9 and newer
Check if a user has any authenticator devices. Only fully validated devices are counted.
Optionally, you can filter a specific device type. The following options are valid:
totp
duo
static
webauthn
Example:
return ak_user_has_authenticator(request.user)
ak_create_event(action: str, **kwargs) -> None
Requires authentik 2022.9
Create a new event with the action set to action
. Any additional key-word parameters will be saved in the event context. Additionally, context
will be set to the context in which this function is called.
Before saving, any data-structure which are not representable in JSON are flattened, and credentials are removed.
The event is saved automatically
Example:
ak_create_event("my_custom_event", foo=request.user)
Comparing IP Addresses
To compare IP Addresses or check if an IP Address is within a given subnet, you can use the functions ip_address('192.0.2.1')
and ip_network('192.0.2.0/24')
. With these objects you can do arithmetic operations.
You can also check if an IP Address is within a subnet by writing the following:
ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
# evaluates to True
DNS resolution and reverse DNS lookups
Requires authentik 2023.3 or higher
To resolve a hostname to a list of IP addresses, use the functions resolve_dns(hostname)
and resolve_dns(hostname, ip_version)
.
resolve_dns("google.com") # return a list of all IPv4 and IPv6 addresses
resolve_dns("google.com", 4) # return a list of only IP4 addresses
resolve_dns("google.com", 6) # return a list of only IP6 addresses
You can also do reverse DNS lookups.
Reverse DNS lookups may not return the expected host if the IP address is part of a shared hosting environment. See: https://stackoverflow.com/a/19867936
To perform a reverse DNS lookup use reverse_dns("192.0.2.0")
. If no DNS records are found the original IP address is returned.
DNS resolving results are cached in memory. The last 32 unique queries are cached for up to 3 minutes.
Variables
-
ak_logger
: structlog BoundLogger. See (structlog documentation)Example:
ak_logger.debug("This is a test message")
ak_logger.warning("This will be logged with a warning level")
ak_logger.info("Passing structured data", request=request) -
requests
: requests Session object. See (request documentation)
user
: The current user. This may beNone
if there is no contextual user. See User.
Example:
return {
"custom_attribute": request.user.attributes.get("custom_attribute", "default"),
}
request
: The current request. This may beNone
if there is no contextual request. See (Django documentation)- Other arbitrary arguments given by the provider, this is documented on the Provider/Source.