authentik/website/docs/policies/expression.mdx

---
title: Expression Policies
---

The passing of the policy is determined by the return value of the code. Use

```python
return True
```

to pass a policy and

```python
return False
```

to fail it.

## Available Functions

### `ak_message(message: str)`

Add a message, visible by the end user. This can be used to show the reason why they were denied.

Example:

```python
ak_message("Access denied")
return False
```

### `ak_call_policy(name: str, **kwargs) -> PolicyResult` (2021.12+)

Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
can be used to modify the request's context.

Example:

```python
result = ak_call_policy("test-policy")
# result is a PolicyResult object, so you can access `.passing` and `.messages`.
return result.passing

result = ak_call_policy("test-policy-2", foo="bar")
# Inside the `test-policy-2` you can then use `request.context["foo"]`
return result.passing
```

import Functions from "../expressions/_functions.md";

<Functions />

## Variables

import Objects from "../expressions/_objects.md";

<Objects />

-   `request`: A PolicyRequest object, which has the following properties:

    -   `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)

        :::warning
        When a policy is executed in the context of a flow, this will be set to the user initiaing request, and will only be changed by a `user_login` stage. For that reason, using this value in authentication flow policies may not return the expected user. Use `context['pending_user']` instead; User Identification and other stages update this value during flow execution.

        If the user is not authenticated, this will be set to a user called _AnonymousUser_, which is an instance of [authentik.core.models.User](https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#django.contrib.auth.models.User) (authentik uses django-guardian for per-object permissions, [see](https://django-guardian.readthedocs.io/en/stable/)).
        :::

    -   `request.http_request`: The Django HTTP Request. See [Django documentation](https://docs.djangoproject.com/en/4.1/ref/request-response/#httprequest-objects).
    -   `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
    -   `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.

-   `geoip`: GeoIP object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
-   `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
-   `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example

    ```python
    return ak_client_ip in ip_network('10.0.0.0/24')
    # or
    return ak_client_ip.is_private
    ```

    See also [Python documentation](https://docs.python.org/3/library/ipaddress.html#ipaddress.ip_address)

Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.

This includes the following:

-   `context['flow_plan']`: The actual flow plan itself, can be used to inject stages.
-   `context['redirect']`: The URL the user should be redirected to after the flow execution succeeds. (Optional)
-   `context['prompt_data']`: Data which has been saved from a prompt stage or an external source. (Optional)
-   `context['application']`: The application the user is in the process of authorizing. (Optional)
-   `context['source']`: The source the user is authenticating/enrolling with. (Optional)
-   `context['pending_user']`: The currently pending user, see [User](../user-group/user.md#object-attributes)
-   `context['is_restored']`: Set to `True` when the flow plan has been restored from a flow token, for example the user clicked a link to a flow which was sent by an email stage. (Optional)
-   `context['auth_method']`: Authentication method (this value is set by password stages) (Optional)

    Depending on method, `context['auth_method_args']` is also set.

    Can be any of:

    -   `password`: Standard password login
    -   `auth_mfa`: MFA login (this method is only set if no password was used)

        Sets `context['auth_method_args']` to

        ```json
        {
            "mfa_devices": [
                {
                    "pk": 1,
                    "app": "otp_static",
                    "name": "Static Token",
                    "model_name": "staticdevice"
                }
            ]
        }
        ```

    -   `auth_webauthn_pwl`: Password-less WebAuthn login
    -   `jwt`: OAuth Machine-to-machine login via external JWT
    -   `app_password`: App password (token)

        Sets `context['auth_method_args']` to

        ```json
        {
            "token": {
                "pk": "f6d639aac81940f38dcfdc6e0fe2a786",
                "app": "authentik_core",
                "name": "test (expires=2021-08-23 15:45:54.725880+00:00)",
                "model_name": "token"
            }
        }
        ```

    -   `ldap`: LDAP bind authentication

        Sets `context['auth_method_args']` to

        ```json
        {
            "source": {} // Information about the source used
        }
        ```