The property mapping should return a value that is expected by the Provider/Source. Supported types are documented in the individual Provider/Source. Returning
None is always accepted and would simply skip the mapping for which
None was returned.
regex_match(value: Any, regex: str) -> bool
value matches Regular Expression
return regex_match(request.user.username, '.*admin.*')
regex_replace(value: Any, regex: str, repl: str) -> str
Replace anything matching
repl and return it.
user_email_local = regex_replace(request.user.email, '(.+)@.+', '')
list_flatten(value: list[Any] | Any) -> Optional[Any]
Flatten a list by either returning its first element, None if the list is empty, or the passed in object if its not a list.
user = list_flatten(["foo"])
# user = "foo"
ak_call_policy(name: str, **kwargs) -> PolicyResult
Requires authentik 2021.12
Call another policy with the name name. Current request is passed to policy. Key-word arguments can be used to modify the request's context.
result = ak_call_policy("test-policy")
# result is a PolicyResult object, so you can access `.passing` and `.messages`.
# Starting with authentik 2023.4 you can also access `.raw_result`, which is the raw value returned from the called policy
# `result.passing` will always be a boolean if the policy is passing or not.
result = ak_call_policy("test-policy-2", foo="bar")
# Inside the `test-policy-2` you can then use `request.context["foo"]`
ak_is_group_member(user: User, **group_filters) -> bool
user is member of a group matching
return ak_is_group_member(request.user, name="test_group")
ak_user_by(**filters) -> Optional[User]
Fetch a user matching
Returns "None" if no user was found, otherwise User
other_user = ak_user_by(username="other_user")
ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool (2021.9+)
Only available in property mappings with authentik 2022.9 and newer
Check if a user has any authenticator devices. Only fully validated devices are counted.
Optionally, you can filter a specific device type. The following options are valid:
ak_create_event(action: str, **kwargs) -> None
Requires authentik 2022.9
Create a new event with the action set to
action. Any additional key-word parameters will be saved in the event context. Additionally,
context will be set to the context in which this function is called.
Before saving, any data-structure which are not representable in JSON are flattened, and credentials are removed.
The event is saved automatically
Comparing IP Addresses
To compare IP Addresses or check if an IP Address is within a given subnet, you can use the functions
ip_network('192.0.2.0/24'). With these objects you can do arithmetic operations.
You can also check if an IP Address is within a subnet by writing the following:
ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
# evaluates to True
DNS resolution and reverse DNS lookups
Requires authentik 2023.3 or higher
To resolve a hostname to a list of IP addresses, use the functions
resolve_dns("google.com") # return a list of all IPv4 and IPv6 addresses
resolve_dns("google.com", 4) # return a list of only IP4 addresses
resolve_dns("google.com", 6) # return a list of only IP6 addresses
You can also do reverse DNS lookups.
Reverse DNS lookups may not return the expected host if the IP address is part of a shared hosting environment. See: https://stackoverflow.com/a/19867936
To perform a reverse DNS lookup use
reverse_dns("192.0.2.0"). If no DNS records are found the original IP address is returned.
DNS resolving results are cached in memory. The last 32 unique queries are cached for up to 3 minutes.
ak_logger: structlog BoundLogger. See (structlog documentation)
ak_logger.debug("This is a test message")
ak_logger.warning("This will be logged with a warning level")
ak_logger.info("Passing structured data", request=request)
requests: requests Session object. See (request documentation)
user: The current user. This may be
Noneif there is no contextual user. See (User)
"custom_attribute": request.user.attributes.get("custom_attribute", "default"),
request: The current request. This may be
Noneif there is no contextual request. See (Django documentation)
- Other arbitrary arguments given by the provider, this is documented on the Provider/Source.