For whatever reason I had trouble finding any resource describing how to add groups to a newly-invited user automatically.

This post will serve mostly as a reference to myself, as I want to try to get this added to the official docs instead since I thought this was a fairly common use case.

We’ll start by outlining the flow as a whole:

Requirement not fulfilled
Requirement fulfilled
Policy passed
Policy denied
Flow authentication requirement
End of the flow
Invitation Enrollment
Stage (Invitation Stage)
Stage (Prompt Stage)
Stage (Prompt Stage)
Policy (Expression Policy)
Stage (User Write Stage)
Stage (User Login Stage)

Custom additions

Given that we have the flow set up, we need to add a policy to convert the data from the invitation stage into the actual Authentik group objects, so I wrote an expression policy:

from authentik.core.models import Group

if "prompt_data" not in request.context:
  ak_logger.warn(f"prompt_data not found in {request.context}")
  return True

if "groups_to_add" not in request.context["prompt_data"]:"prompt_data does not have any groups to add")
  return True

add_groups = []
for invite_group_name in request.context["prompt_data"]["groups_to_add"]:
  group = Group.objects.get(name=invite_group_name)
  add_groups.append(group)"added {invite_group_name} to user")

# ["groups"] *must* be set to an array of Group objects, names alone are not enough.
request.context["flow_plan"].context["groups"] = add_groups

return True

Then, in the invitation you can add group names to an array called groups_to_add in the Attributes input:

  - My Awesome Group Name

the same structure in json works as well, like {"groups_to_add": ["Group Name"]}

Warning: you cannot use groups as the array key here because it will conflict with Authentik’s expected array of Group objects. (not strings!) I spent a while learning this.

If a run of the policy fails (throws an exception) you should get an email from Authentik with the traceback. Most commonly this would be that you have the wrong group name in the invitation attributes.

Now we need to make sure this policy is executed at the right time during the flow, right before the user write stage:

Edit the Stage Binding to ensure Evaluate on plan is off, and Re-evaluate policies is enabled. This will evaluate the policy just before writing the user to storage with the new groups set by the policy.

Spring Swapping in the Spring

It’s spring, and that means… it’s time for spring spring swapping?
At least, that’s what I ended up doing.
Following up on my l...
Continue reading...

Beat Saber Mods and Linux

Published on March 18, 2022

The ZSA Moonlander First Impressions

Published on September 26, 2021