Skip to main content

Flow Context

Each flow execution has an independent context. This context holds all of the arbitrary data about that specific flow, data which can then be used and transformed by stages and policies.

Managing data in a flow context

You create and manage the data for a context by configuring policies, stages, and bindings. As you plan your flow, and set up the required stages, etc. you are creating the context data for that flow.

For example, in the Identification Stage (part of the default login flow), you can define whether users will be prompted to enter an email address, a username, or both. All such information about the flow's configuration makes up the context.

Any data can be stored in the flow context, however there are some reserved keys in the context dictionary that are used by authentik stages.

To manage flow context on a more granular level, see Setting flow context keys.

Context dictionary and reserved keys

This section describes the data (the context) that are used in authentik, and provides a list of keys, what they are used for and when they are set.

warning

Keys prefixed with goauthentik.io are used internally by authentik and are subject to change without notice, and should not be modified in policies in most cases.

Common keys

pending_user (User object)

pending_user is used by multiple stages. In the context of most flow executions, it represents the data of the user that is executing the flow. This value is not set automatically, it is set via the Identification stage.

Stages that require a user, such as the Password stage, the Authenticator validation stage and others will use this value if it is set, and fallback to the request's users when possible.

prompt_data (Dictionary)

prompt_data is primarily used by the Prompt stage. The value of any field within a prompt stage is written to the prompt_data dictionary. For example, given a field with the Field key email that was submitted with the value foo@bar.baz will result in the following context:

{
"prompt_data": {
"email": "foo@bar.baz"
}
}

This data can be modified with policies. The data is also used by stages like User write, which takes data in prompt_data and writes it to pending_user.

redirect (string)

Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully. This is set when an un-authenticated user attempts to access a secured application, and when a user authenticates/enrolls with an external source.

pending_user_identifier (string)

If Show matched user is disabled, this key will hold the user identifier entered by the user in the identification stage.

Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully. This is set when an un-authenticated user attempts to access a secured application, and when a user authenticates/enrolls with an external source.

application (Application object)

When an unauthenticated user attempts to access a secured resource, they are redirected to an authentication flow. The application they attempted to access will be stored in the key attached to this object. For example: application.github, with application being the key and github the value.

source (Source object)

When a user authenticates/enrolls via an external source, this will be set to the source they are using.

outpost (dictionary) authentik 2024.10+

When a flow is executed by an Outpost (for example the LDAP or RADIUS), this will be set to a dictionary containing the Outpost instance under the key "instance".

Scenario-specific keys

is_sso (boolean)

This key is set to True when the flow is executed from an "SSO" context. For example, this is set when a flow is used during the authentication or enrollment via an external source, and if a flow is executed to authorize access to an application.

is_restored (Token object)

This key is set when a flow execution is continued from a token. This happens for example when an Email stage is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution.

is_redirected (Flow object) authentik 2024.12+

This key is set when the current flow was reached through a Redirect stage in Flow mode.

Stage-specific keys

Autosubmit stage

The autosubmit stage is an internal stage type that is not configurable via the API/Web interface. It is used in certain situations, where a POST request is sent from the browser, such as with SAML POST bindings. This works by using an HTML form that is submitted automatically.

title (string)

Optional title of the form shown to the user. Automatically set when this stage is used by the backend.

url (string)

URL that the form will be submitted to.

attrs (dictionary)

Key-value pairs of the data that is included in the form and will be submitted to url.

Captcha stage authentik 2024.6+

captcha (dictionary)

When error_on_invalid_score (TODO) is set to false on a captcha stage, after the execution of the captcha stage, this object will be set in the flow context.

It contains two keys, response which is the raw response from the specified captcha verification URL, and stage, which is a reference to the captcha stage that executed the test.

The title of the consent prompt shown. Set automatically when the consent stage is used with a OAuth2, Proxy or SAML provider.

An optional list of all permissions that will be given to the application by granting consent. Not supported with SAML. When used with an OAuth2 or Proxy provider, this will be set based on the configured scopes.

Deny stage

deny_message (string) authentik 2023.10+

Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage.

User write stage

groups (List of Group objects)

See Group. If set in the flow context, the pending_user will be added to all the groups in this list.

If set, this must be a list of group objects and not group names.

user_path (string)

Path the pending_user will be written to. If not set in the flow, falls back to the value set in the user_write stage, and otherwise to the users path.

user_type (string) authentik 2023.10+

Type the pending_user will be created as. Must be one of internal, external or service_account.

Password stage

user_backend (string)

Set by the Password stage after successfully authenticating in the user. Contains a dot-notation to the authentication backend that was used to successfully authenticate the user.

auth_method (string)

Set by the Password stage, the Authenticator validation stage, the OAuth2 Provider, and the API authentication depending on which method was used to authenticate.

Possible options:

  • password (Authenticated via the password in authentik's database)
  • token (Authenticated via API token)
  • ldap (Authenticated via LDAP bind from an LDAP source)
  • auth_mfa (Authentication via MFA device without password)
  • auth_webauthn_pwl (Passwordless authentication via WebAuthn)
  • jwt (M2M authentication via an existing JWT)
auth_method_args (dictionary)

Additional arguments used during the authentication. Value varies depending on auth_method.

Example:

{
// List of the MFA device objects used during authentication
// applies for `auth_method` `auth_mfa`
"mfa_devices": [],
// MFA device used for passwordless authentication, applies to
// `auth_method` `auth_webauthn_pwl`
"device": null,
// the token identifier when `auth_method` `token` was used
"identifier": "",
// JWT information when `auth_method` `jwt` was used
"jwt": {},
"source": null,
"provider": null
}

Email stage

email_sent (boolean)

Boolean set to true after the email form the email stage has been sent.

email (string)

Optionally override the email address that the email will be sent to. If not set, defaults to the email of pending_user.

Identification stage

pending_user_identifier (string)

If Show matched user is disabled, this key will be set to the user identifier entered by the user in the identification stage.

Redirect stage

redirect_stage_target (string) authentik 2024.12+

Set this key in an Expression Policy to override Redirect stage to force it to redirect to a certain URL or flow. This is useful when a flow requires that the redirection target be decided dynamically.

Use the format ak-flow://{slug} to use the Redirect stage in Flow mode. Any other format will result in the Redirect stage running in Static mode.