2020-11-15 21:42:02 +00:00
---
title: Expression Policies
---
2021-05-29 19:47:35 +00:00
The passing of the policy is determined by the return value of the code. Use
```python
return True
```
to pass a policy and
```python
return False
```
to fail it.
2020-11-15 21:42:02 +00:00
2021-05-29 19:47:35 +00:00
## Available Functions
2020-11-15 21:42:02 +00:00
2021-05-29 19:47:35 +00:00
### `ak_message(message: str)`
2020-11-15 21:42:02 +00:00
Add a message, visible by the end user. This can be used to show the reason why they were denied.
Example:
```python
2020-12-05 21:08:42 +00:00
ak_message("Access denied")
2020-11-15 21:42:02 +00:00
return False
```
2021-09-20 17:13:41 +00:00
### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None)` (2021.9+)
Check if a user has any authenticator devices. Only fully validated devices are counted.
Optionally, you can filter a specific device type. The following options are valid:
- `totp`
- `duo`
- `static`
- `webauthn`
Example:
```python
return ak_user_has_authenticator(request.user)
```
2021-05-29 19:47:35 +00:00
import Functions from '../expressions/_functions.md'
<Functions />
## Variables
import Objects from '../expressions/_objects.md'
<Objects />
2020-11-15 21:42:02 +00:00
2021-03-02 21:10:54 +00:00
- `request`: A PolicyRequest object, which has the following properties:
2021-05-29 19:47:35 +00:00
- `request.user`: The current user, against which the policy is applied. See [User](../expressions/reference/user-object.md)
- `request.http_request`: The Django HTTP Request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects))
2021-03-02 21:10:54 +00:00
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
2021-05-29 19:47:35 +00:00
- `geoip`: GeoIP object, which is added when GeoIP is enabled. See [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
2021-03-02 21:10:54 +00:00
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
2021-05-29 20:00:47 +00:00
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example
2020-11-15 21:42:02 +00:00
```python
2020-12-05 21:08:42 +00:00
return ak_client_ip in ip_network('10.0.0.0/24')
2021-03-31 09:54:03 +00:00
# or
return ak_client_ip.is_private
2020-11-15 21:42:02 +00:00
```
2021-10-19 13:45:15 +00:00
See also [Python documentation](https://docs.python.org/3/library/ipaddress.html#ipaddress.ip_address)
2021-05-29 19:47:35 +00:00
2020-11-15 21:42:02 +00:00
Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.
This includes the following:
2021-08-28 10:50:42 +00:00
- `context['prompt_data']`: Data which has been saved from a prompt stage or an external source.
- `context['application']`: The application the user is in the process of authorizing.
- `context['pending_user']`: The currently pending user, see [User](/docs/expressions/reference/user-object)
- `context['auth_method']`: Authentication method set (this value is set by password stages)
2021-08-23 15:23:55 +00:00
2021-08-28 10:50:42 +00:00
Depending on method, `context['auth_method_args']` is also set.
2021-08-23 15:23:55 +00:00
Can be any of:
- `password`: Standard password login
2021-08-28 22:39:29 +00:00
- `app_password`: App password (token)
2021-08-23 15:23:55 +00:00
2021-08-28 10:50:42 +00:00
Sets `context['auth_method_args']` to
2021-08-23 15:23:55 +00:00
```json
{
"token": {
"pk": "f6d639aac81940f38dcfdc6e0fe2a786",
"app": "authentik_core",
"name": "test (expires=2021-08-23 15:45:54.725880+00:00)",
"model_name": "token"
}
}
```
- `ldap`: LDAP bind authentication
2021-08-28 10:50:42 +00:00
Sets `context['auth_method_args']` to
2021-08-23 15:23:55 +00:00
```json
{
"source": {} // Information about the source used
}
```