No provider has been able to match Auth0 actions, unfortunately. Auth0 allows you to execute custom code at any point in the auth lifecycle and allow/deny based on that or enrich user attributes. Super useful when you have a legacy system that is hard to migrate away from. If anyone has any recommendations, I'm all ears.
We have lambdas (basically JavaScript code that can make API calls[0] and be managed and tested[1]) that execute at fixed points in the auth lifecycle:
- before a login is allowed
- before a token is created
- after a user returns from a federated login (SAML, OIDC, etc.)
- before a user registers
And more[2].
And we're currently working on one for "before an MFA challenge is issued"[3].
There are some limitations[4]. We don't allow, for instance, loading of arbitrary JavaScript libraries.
Not sure if that meets all your needs, but thought it was worth mentioning.
I am not qualified to say whether Authentik can do all of what you need, but it does allow custom Python code in a lot of places. Perhaps you can ask whether what you need is available directly. They are very active in Discord.
(authentik maintainer here)
It does! Also, not only in the authentication process, but also during individual authorization flows, and in a few other places as well, like when a user edits their settings, or whenever an event occurs (basically whenever something happens in authentik), but that's more a reactive process than inline.