You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Using an expression policy in default-enrollment-flow fails with error Expression policy error builtins.KeyError: 'flow_plan'.
Reproduction
Following-up from #9477, I've continued testing with with ghcr.io/goauthentik/dev-server:gh-bfc340df160328e1aa0f7dfa4f1592729923ae9c, and if I add another expression policy (e.g. custom-enrollment-group; example taken from docs) with execution logging disabled, and bind the policy to the default-source-enrollment as well, I get both the policy message that user is not allowed to login (from the previous google-email-expression policy), but also an additonal message containing flow_plan.
default-source-enrollment
default-source-enrollment policies:
custom-enrollment-group
Response
Response for user1@gmail.com (allowed)
Response for user3@gmail.com (not allowed)
So it shows flow_plan in the message as well. Looking in the UI notification the following message is shown:
Traceback (most recent call last):\n File \"custom-enrollment-group\", line 6, in <module>\n File \"custom-enrollment-group\", line 4, in handler\nbuiltins.KeyError: 'flow_plan'"
So apparently now my second expression policy is broken due to the usage of request.context["flow_plan"]. The example was taken from the docs, so what am I doing wrong here?
The text was updated successfully, but these errors were encountered:
The docs should be clearer on this, but the error happens due to the fact that the policies bound directly to a flow are evaluated before the flow planner starts - and as such there's no flow_plan available yet and it can't be accessed in policies
the policies bound directly to a flow are evaluated before the flow planner starts
Does this correspond with the "pre-flow policies" as denoted by the flow diagram?
and as such there's no flow_plan available yet and it can't be accessed in policies
Would you then have any suggestions or alternatives on how should I proceed? My objective is to add the users to one (or mulitple) groups automatically.
I'll close this as I figured out what I was doing wrong, which was that I added the policy to the "Policy / Group / User Bindings" tab (which are apparently "pre-flow policies"), but what I needed was to add the policy inside the "Stage bindings" tab under the default-source-enrollment-write.
I totally not notice or just overlooked the dropdown arrow icon there, so I had no idea I could open it to add policies to it🤦♂️ Makes a lot more sense now, as I see the policy in my flow diagram before the user write stage (which the docs do point out correctly).
Problem
Originally posted by @ToshY in #9477 (comment)
Using an expression policy in
default-enrollment-flow
fails with errorExpression policy error builtins.KeyError: 'flow_plan'
.Reproduction
Following-up from #9477, I've continued testing with with
ghcr.io/goauthentik/dev-server:gh-bfc340df160328e1aa0f7dfa4f1592729923ae9c
, and if I add another expression policy (e.g.custom-enrollment-group
; example taken from docs) with execution logging disabled, and bind the policy to thedefault-source-enrollment
as well, I get both the policy message that user is not allowed to login (from the previousgoogle-email-expression
policy), but also an additonal message containingflow_plan
.default-source-enrollment
default-source-enrollment
policies:custom-enrollment-group
Response
Response for
user1@gmail.com
(allowed)Response for
user3@gmail.com
(not allowed)So it shows
flow_plan
in the message as well. Looking in the UI notification the following message is shown:So apparently now my second expression policy is broken due to the usage of
request.context["flow_plan"]
. The example was taken from the docs, so what am I doing wrong here?The text was updated successfully, but these errors were encountered: