Authelia
Get started

User Attributes

The user attributes section allows you to define custom attributes for your users using Common Expression Language (CEL). These attributes can be used at the current time to:

Configuration

Example Configuration

This section is intended as an example configuration to help users with a rough contextual layout of this configuration section, it is not intended to explain the options. The configuration shown may not be a valid configuration, and you should see the options section below and the navigation links to properly understand each option individually.

configuration.yml 
definitions:
  user_attributes:
    # Boolean attribute example
    is_admin:
      expression: '"admin" in groups'

    # String attribute example
    department:
      expression: 'groups[0]'

    # Number attribute example
    access_level:
      expression: '"admin" in groups ? 10 : 5'

Options

This section describes the individual configuration options. Currently, these attribute definitions are used in the OpenID Connect 1.0 Provider.

The key name is the name of the resulting attribute. It is important to note that this attribute name must not conflict with extra attributes defined within the authentication backend, or with the common attributes we have defined.

In the above example the following attributes are added:

  • is_admin
  • department
  • access_level

expression

The Common Expression Language expression for this attribute.

Contextual Attributes

Security Notice

The openid_authreq_claim_value and openid_authreq_claim_values attributes should not be used in a security sensitive context unless they are used in conjunction with either OAuth 2.0 JWT-Secured Authorization Requests (JAR) (with the use of JSON Web Encryption (JWE) in the instance that an attacker having knowledge of the value would present a security risk) or OAuth 2.0 Pushed Authorization Requests (PAR). Both of these mechanisms prevent the claims values from being altered by an attacker (specifically in the case of man-in-the-middle attacks and compromised clients).

The following attributes are available for use in expressions depending on the context:

Attribute Description Context
openid_authreq_claim_value The value property of the relevant claims request OpenID Connect 1.0 Authorization Request
openid_authreq_claim_values The values property of the relevant claims request OpenID Connect 1.0 Authorization Request
Last updated on November 26, 2025
Edit this page on GitHub
Prev
OpenID Connect 1.0 Clients
Next
Definitions