# Expression Policies
The passing of the policy is determined by the return value of the code. Use `return True` to pass a policy and `return False` to fail it.
### `ak_message`

Add a message that is visible to the end user. This can be used to show the reason why they were denied.

Example:

```python
ak_message("Access denied")
return False
```
### `ak_user_has_authenticator`

Check if a user has any authenticator devices. Only fully validated devices are counted.

Optionally, you can filter for a specific device type. The following options are valid:

- `totp`
- `duo`
- `static`
- `webauthn`

Example:

```python
return ak_user_has_authenticator(request.user)
```
### `ak_call_policy`

Call another policy with the given name. The current request is passed to that policy. Keyword arguments can be used to modify the request's context.

Example:

```python
result = ak_call_policy("test-policy")
# result is a PolicyResult object, so you can access `.passing` and `.messages`.
return result.passing
```

```python
result = ak_call_policy("test-policy-2", foo="bar")
# Inside `test-policy-2` you can then use `request.context["foo"]`
return result.passing
```
### Variables

- `request`: A PolicyRequest object, which has the following properties:
    - `request.user`: The current user, against which the policy is applied. See User
    - `request.http_request`: The Django HTTP Request. See Django documentation
    - `request.obj`: A Django Model instance. This is only set if the policy is run against an object.
    - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
- `geoip`: GeoIP object, which is added when GeoIP is enabled. See GeoIP
- `ak_is_sso_flow`: Boolean which is true if the request was initiated by authenticating through an external provider.
- `ak_client_ip`: Client's IP address, or `255.255.255.255` if no IP address could be extracted. It can be compared, for example:

    ```python
    return ak_client_ip in ip_network('10.0.0.0/24')
    # or
    return ak_client_ip.is_private
    ```

    See also the Python documentation.
Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.

This includes the following:

- `context['flow_plan']`: The actual flow plan itself; can be used to inject stages.
- `context['prompt_data']`: Data which has been saved from a prompt stage or an external source.
- `context['application']`: The application the user is in the process of authorizing.
- `context['pending_user']`: The currently pending user, see User
- `context['auth_method']`: Authentication method set (this value is set by password stages). Depending on the method, `context['auth_method_args']` is also set. Can be any of:
    - `password`: Standard password login
    - `app_password`: App password (token). Sets `context['auth_method_args']` to

        ```json
        {
          "token": {
            "pk": "f6d639aac81940f38dcfdc6e0fe2a786",
            "app": "authentik_core",
            "name": "test (expires=2021-08-23 15:45:54.725880+00:00)",
            "model_name": "token"
          }
        }
        ```

    - `ldap`: LDAP bind authentication. Sets `context['auth_method_args']` to

        ```
        {
          "source": {} // Information about the source used
        }
        ```
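The following is an added, stand-alone Python model of how the pieces on this page fit together: the return-value contract, `ak_message`, `ak_user_has_authenticator` with a device-type filter, `ak_call_policy` merging keyword arguments into `request.context`, `ak_client_ip` compared against an `ip_network`, and a flow policy that reads `context['auth_method']` and `context['auth_method_args']`. It is not authentik's own evaluator or code; the `evaluate()` harness, the `POLICIES` store, the policy names, and the user and device dictionaries are assumptions constructed for the example so it runs offline.

```python
"""Constructed model of how the pieces above fit together (not authentik code).

Each policy body is Python whose return value decides pass/fail; ak_message()
collects user-visible messages; ak_call_policy() runs another policy with its
keyword arguments merged into request.context; ak_client_ip and the flow
`context` are exposed the way the page describes them.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class PolicyRequest:
    user: dict                           # stand-in for the authentik User object
    context: dict = field(default_factory=dict)


@dataclass
class PolicyResult:
    passing: bool
    messages: list = field(default_factory=list)


# Assumed policy store: name -> body text as pasted into an expression policy.
POLICIES = {
    "require-mfa": """
if not ak_user_has_authenticator(request.user, "webauthn"):
    ak_message("Enroll a WebAuthn device before continuing")
    return False
return True
""",
    "admin-from-office": """
result = ak_call_policy("require-mfa")
if not result.passing:
    return False
if request.context.get("required_group") not in request.user["groups"]:
    ak_message("Not a member of the required group")
    return False
return ak_client_ip in ip_network("10.0.0.0/24")
""",
    "no-token-login": """
# Flow context: refuse app-password (token) logins to this application.
if context.get("auth_method") == "app_password":
    token = context["auth_method_args"]["token"]
    ak_message(f"Token '{token['name']}' may not be used here")
    return False
return True
""",
}


def evaluate(name, request, client_ip="10.0.0.42", **kwargs):
    """Run policy `name` against `request`; kwargs land in request.context."""
    request = PolicyRequest(request.user, {**request.context, **kwargs})
    messages = []

    def ak_message(msg):
        messages.append(msg)

    def ak_user_has_authenticator(user, device_type=None):
        # Only fully validated (confirmed) devices count, optionally of one type.
        devices = [d for d in user.get("devices", []) if d.get("confirmed")]
        if device_type is not None:
            devices = [d for d in devices if d["type"] == device_type]
        return bool(devices)

    def ak_call_policy(other, **kw):
        return evaluate(other, request, client_ip, **kw)

    env = {
        "request": request,
        "context": request.context,          # flow context, as in the list above
        "ak_message": ak_message,
        "ak_user_has_authenticator": ak_user_has_authenticator,
        "ak_call_policy": ak_call_policy,
        "ak_client_ip": ipaddress.ip_address(client_ip),
        "ip_network": ipaddress.ip_network,
    }
    # Indent the body into a function so that `return` works, then run it.
    body = "".join("    " + line + "\n" for line in POLICIES[name].strip().splitlines())
    exec(f"def _policy():\n{body}", env)
    return PolicyResult(bool(env["_policy"]()), messages)


if __name__ == "__main__":
    admin = {"groups": ["admins"], "devices": [{"type": "webauthn", "confirmed": True}]}
    print(evaluate("admin-from-office", PolicyRequest(admin), required_group="admins"))
```

Note that a policy body which falls off the end without a `return` yields `None`, which the harness treats as a failure; writing an explicit `return True` or `return False` on every path avoids that ambiguity in real policies too.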