You can create variables that will be made available to the policy under an `ak_variables` dictionary.
Creating a variable named `my_var` with the value `this is the value` and associating it with the expression makes the following `ak_variables` dictionary available in the expression:
```python
ak_variables["my_var"]  # This is equal to "this is the value"
```
### External variables
To use externally managed variables (for instance, to pass a secret as a file to authentik), you can use the discovery feature.
The docker-compose installation maps the `data/variables` directory to `/data/variables`, so you can use this directory to store your variables.
For Kubernetes, you can map custom configmaps/secrets/volumes under `/data/variables`.
You can also bind mount single files into the folder.
The name of the variable is the file's full path relative to the `/data/variables/` directory. For instance:
```
data/variables/
├── baz
│   └── bar.baz # The variable will be named `baz/bar.baz`
└── foo.bar # The variable will be named `foo.bar`
```
Note that file contents are not stripped, and may contain an extra `\n` at the end.
External variables are reloaded from disk on every policy execution. If the reload fails, the previous value is used.
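The rules above (names taken from the relative path, contents left unstripped, previous value kept when a reload fails) matter most when a file-backed secret is compared against user input. The following is an added example, not authentik's own code: `discover_variables`, `token_matches` and `demo` are hypothetical helpers that model the documented behaviour on constructed files.

```python
import hmac
import tempfile
from pathlib import Path


def discover_variables(root, previous=None):
    """Model of the documented rules; not authentik's implementation."""
    root, previous, found = Path(root), previous or {}, {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name = path.relative_to(root).as_posix()  # "baz/bar.baz", "foo.bar"
        try:
            found[name] = path.read_text(encoding="utf-8")  # not stripped
        except (OSError, UnicodeDecodeError):
            if name in previous:  # reload failed: keep the previous value
                found[name] = previous[name]
    # Assumption: files removed from disk drop out; the page does not say.
    return found


def token_matches(ak_variables, name, presented):
    """Compare a presented token with a file-backed variable."""
    # Files written by an editor or `echo` usually end in a newline, so a
    # direct `==` against the raw value would never match.
    expected = ak_variables[name].rstrip("\r\n")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), presented.encode())


def demo():
    """Build a constructed variables directory and reload it twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "baz").mkdir()
        (root / "baz" / "bar.baz").write_text("constructed-token\n")
        (root / "foo.bar").write_text("constructed-value")
        first = discover_variables(root)
        # Simulate a failed reload: the file is no longer valid UTF-8 text.
        (root / "foo.bar").write_bytes(b"\xff\xfe")
        second = discover_variables(root, previous=first)
    return first, second
```

Inside an expression, only the stripping and the constant-time comparison apply; the variable itself is read from `ak_variables` by its path-derived name.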
When a policy is executed in the context of a flow, this will be set to the user initiating the request, and will only be changed by a `user_login` stage. For that reason, using this value in authentication flow policies may not return the expected user. Use `context['pending_user']` instead; User Identification and other stages update this value during flow execution.
If the user is not authenticated, this will be set to a user called _AnonymousUser_, which is an instance of [authentik.core.models.User](https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#django.contrib.auth.models.User) (authentik uses django-guardian for per-object permissions; see the [django-guardian documentation](https://django-guardian.readthedocs.io/en/stable/)).
- `request.http_request`: The Django HTTP Request. See [Django documentation](https://docs.djangoproject.com/en/4.1/ref/request-response/#httprequest-objects).
- `context['flow_plan'].context`: The context of the currently active flow, which differs from the policy context. Some fields of the flow plan context, like `prompt_data`, are passed to the root context and updated from it, but not every variable is.
- `context['flow_plan'].context['redirect']`: The URL the user should be redirected to after the flow execution succeeds. (Optional)
- `context['is_restored']`: Contains the flow token when the flow plan was restored from a link, for example the user clicked a link to a flow which was sent by an email stage. (Optional)