2020-11-15 21:42:02 +00:00
---
title: Expression Policies
---
2021-05-29 19:47:35 +00:00
The passing of the policy is determined by the return value of the code. Use
2022-05-09 19:22:41 +00:00
2021-05-29 19:47:35 +00:00
```python
return True
```
2022-05-09 19:22:41 +00:00
2021-05-29 19:47:35 +00:00
to pass a policy and
2022-05-09 19:22:41 +00:00
2021-05-29 19:47:35 +00:00
```python
return False
```
2022-05-09 19:22:41 +00:00
2021-05-29 19:47:35 +00:00
to fail it.
2020-11-15 21:42:02 +00:00
2021-05-29 19:47:35 +00:00
## Available Functions
2020-11-15 21:42:02 +00:00
2021-05-29 19:47:35 +00:00
### `ak_message(message: str)`
2020-11-15 21:42:02 +00:00
Add a message, visible by the end user. This can be used to show the reason why they were denied.
Example:
```python
2020-12-05 21:08:42 +00:00
ak_message("Access denied")
2020-11-15 21:42:02 +00:00
return False
```
2023-01-05 11:38:38 +00:00
### `ak_call_policy(name: str, **kwargs) -> PolicyResult`
:::info
Requires authentik 2021.12
:::
2021-12-09 08:37:41 +00:00
2022-05-09 19:22:41 +00:00
Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
2021-12-09 08:37:41 +00:00
can be used to modify the request's context.
Example:
```python
result = ak_call_policy("test-policy")
# result is a PolicyResult object, so you can access `.passing` and `.messages`.
return result.passing
result = ak_call_policy("test-policy-2", foo="bar")
# Inside the `test-policy-2` you can then use `request.context["foo"]`
return result.passing
```
2022-05-09 19:22:41 +00:00
import Functions from "../expressions/_functions.md";
2021-05-29 19:47:35 +00:00
<Functions />
## Variables
2022-05-09 19:22:41 +00:00
import Objects from "../expressions/_objects.md";
2021-05-29 19:47:35 +00:00
<Objects />
2020-11-15 21:42:02 +00:00
2022-05-09 19:22:41 +00:00
- `request`: A PolicyRequest object, which has the following properties:
2022-09-10 12:08:37 +00:00
2022-05-09 19:22:41 +00:00
- `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)
2022-09-10 12:08:37 +00:00
:::warning
2022-12-27 13:10:30 +00:00
When a policy is executed in the context of a flow, this will be set to the user initiaing request, and will only be changed by a `user_login` stage. For that reason, using this value in authentication flow policies may not return the expected user. Use `context['pending_user']` instead; User Identification and other stages update this value during flow execution.
2022-09-10 12:08:37 +00:00
2022-12-27 13:10:30 +00:00
If the user is not authenticated, this will be set to a user called _AnonymousUser_, which is an instance of [authentik.core.models.User](https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#django.contrib.auth.models.User) (authentik uses django-guardian for per-object permissions, [see](https://django-guardian.readthedocs.io/en/stable/)).
2022-09-10 12:08:37 +00:00
:::
2022-12-27 13:10:30 +00:00
- `request.http_request`: The Django HTTP Request. See [Django documentation](https://docs.djangoproject.com/en/4.1/ref/request-response/#httprequest-objects).
2022-05-09 19:22:41 +00:00
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
2022-09-10 12:08:37 +00:00
2022-12-20 21:09:30 +00:00
- `geoip`: GeoIP object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
2022-05-09 19:22:41 +00:00
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example
2020-11-15 21:42:02 +00:00
```python
2020-12-05 21:08:42 +00:00
return ak_client_ip in ip_network('10.0.0.0/24')
2021-03-31 09:54:03 +00:00
# or
return ak_client_ip.is_private
2020-11-15 21:42:02 +00:00
```
2021-10-19 13:45:15 +00:00
See also [Python documentation](https://docs.python.org/3/library/ipaddress.html#ipaddress.ip_address)
2021-05-29 19:47:35 +00:00
2020-11-15 21:42:02 +00:00
Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.
This includes the following:
2022-07-01 21:19:41 +00:00
- `context['flow_plan']`: The actual flow plan itself, can be used to inject stages.
2023-01-05 11:38:38 +00:00
- `context['flow_plan'].context`: The context of the currently active flow, which differs from the policy context. Some fields of flow plan context are passed to the root context, and updated from it, like 'prompt_data', but not every variable
- `context['flow_plan'].context['redirect']`: The URL the user should be redirected to after the flow execution succeeds. (Optional)
2022-12-13 14:37:37 +00:00
- `context['prompt_data']`: Data which has been saved from a prompt stage or an external source. (Optional)
- `context['application']`: The application the user is in the process of authorizing. (Optional)
- `context['source']`: The source the user is authenticating/enrolling with. (Optional)
2022-05-09 19:22:41 +00:00
- `context['pending_user']`: The currently pending user, see [User](../user-group/user.md#object-attributes)
2022-12-13 14:37:37 +00:00
- `context['is_restored']`: Set to `True` when the flow plan has been restored from a flow token, for example the user clicked a link to a flow which was sent by an email stage. (Optional)
- `context['auth_method']`: Authentication method (this value is set by password stages) (Optional)
2021-08-23 15:23:55 +00:00
2021-08-28 10:50:42 +00:00
Depending on method, `context['auth_method_args']` is also set.
2021-08-23 15:23:55 +00:00
Can be any of:
2022-05-09 19:22:41 +00:00
- `password`: Standard password login
2022-12-13 14:37:37 +00:00
- `auth_mfa`: MFA login (this method is only set if no password was used)
Sets `context['auth_method_args']` to
```json
{
"mfa_devices": [
{
"pk": 1,
"app": "otp_static",
"name": "Static Token",
"model_name": "staticdevice"
}
]
}
```
- `auth_webauthn_pwl`: Password-less WebAuthn login
- `jwt`: OAuth Machine-to-machine login via external JWT
2022-05-09 19:22:41 +00:00
- `app_password`: App password (token)
2021-08-23 15:23:55 +00:00
2021-08-28 10:50:42 +00:00
Sets `context['auth_method_args']` to
2022-05-09 19:22:41 +00:00
2021-08-23 15:23:55 +00:00
```json
{
"token": {
"pk": "f6d639aac81940f38dcfdc6e0fe2a786",
"app": "authentik_core",
"name": "test (expires=2021-08-23 15:45:54.725880+00:00)",
"model_name": "token"
}
}
```
2022-05-09 19:22:41 +00:00
- `ldap`: LDAP bind authentication
2021-08-23 15:23:55 +00:00
2021-08-28 10:50:42 +00:00
Sets `context['auth_method_args']` to
2022-05-09 19:22:41 +00:00
2021-08-23 15:23:55 +00:00
```json
{
"source": {} // Information about the source used
}
```