@nhalstead
Last active June 1, 2025 02:38
Use Authentik User or Group attributes to populate immich_quota value in OIDC login.

Authentik Setup

Standard Property Mappings

  • Customizations > Property Mappings
  • Create > Scope Mapping
    • Name: Immich
    • Scope Name: profile
    • Expression: [code in attached file]

Advanced Property Mappings

This uses a custom scope, which is emitted only when an application requests it and the provider allows it.

  • Configure the Scope Mapping as above, but update Scope Name to immich.
  • Update the Provider in Authentik to allow the app to use the scope immich.
    • Providers > Edit > Advanced protocol settings > Scopes
      • Select immich and click add to right
      • Update
  • Update Immich settings to ask for openid email profile immich.

    Without this, Immich won't ask for the immich scope, and the provider won't be executed.


# This mapping sets a custom "immich_quota" value for users.
# - If the user has an "immich_quota" attribute, return it.
# - Otherwise:
#   - Check all groups the user belongs to for "immich_quota" values.
#   - If any group has "0" (or "-1") as the quota, use 0, which means unlimited.
#   - Otherwise, use the highest numeric quota found.
# - If no user or group quota is defined, skip emitting the claim.

# A user-level attribute takes precedence over every group value.
if request.user.attributes.get("immich_quota") is not None:
    return {
        "immich_quota": request.user.attributes.get("immich_quota")
    }

# Collect the quota from every group that defines one.
group_limits = [
    int(group.attributes.get("immich_quota"))
    for group in request.user.ak_groups.all()
    if group.attributes.get("immich_quota") is not None
]

if 0 in group_limits or -1 in group_limits:
    quota = 0
elif group_limits:
    quota = max(group_limits)
else:
    quota = None  # No quota defined

# Nothing to be applied
if quota is None:
    return {}

return {
    "immich_quota": quota
}
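The precedence rules of the mapping above, modelled as a standalone function so they can be checked against constructed attribute sets before the expression is deployed. This is an added example, not the gist's code: `parse_quota`, `resolve_claims`, `CASES` and `run_cases` are hypothetical names, and unlike the gist it assumes malformed or negative values (other than -1) should be skipped rather than raised on or passed through.

```python
from typing import Any, Iterable, Optional

CLAIM = "immich_quota"

def parse_quota(value: Any) -> Optional[int]:
    """Return the quota as an int, or None if the attribute is unset or malformed."""
    if value is None or isinstance(value, bool):
        return None
    try:
        quota = int(str(value).strip())
    except ValueError:
        return None
    # The mapping treats 0 and -1 as unlimited; other negatives are rejected
    # here (an assumption of this example, not behaviour of the gist).
    if quota in (0, -1):
        return 0
    return quota if quota > 0 else None

def resolve_claims(user_attrs: dict, groups: Iterable[dict]) -> dict:
    """User value wins, then any unlimited group, then the highest group value."""
    user_quota = parse_quota(user_attrs.get(CLAIM))
    if user_quota is not None:
        return {CLAIM: user_quota}
    # Assumption: a malformed user value falls through to the group values.
    limits = [q for q in (parse_quota(g.get(CLAIM)) for g in groups) if q is not None]
    if not limits:
        return {}  # no quota defined anywhere: the claim is not emitted
    return {CLAIM: 0 if 0 in limits else max(limits)}

# Constructed attribute sets: (user attributes, group attributes, expected claims)
CASES = [
    ({CLAIM: 5}, [{CLAIM: 0}], {CLAIM: 5}),             # user value beats unlimited group
    ({}, [{CLAIM: "50"}, {CLAIM: 200}], {CLAIM: 200}),  # highest group value
    ({}, [{CLAIM: 100}, {CLAIM: -1}], {CLAIM: 0}),      # -1 normalised to unlimited
    ({}, [{CLAIM: "ten"}, {CLAIM: 20}], {CLAIM: 20}),   # malformed value skipped
    ({}, [{"other": 1}], {}),                           # nothing defined
]

def run_cases() -> list:
    """Return one pass/fail flag per constructed case."""
    return [resolve_claims(user, groups) == expected for user, groups, expected in CASES]

if __name__ == "__main__":
    print(run_cases())
```

The first case is the one to review against your own policy: a user-level attribute overrides every group value, including an unlimited one.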