--- title: Expression Policies --- The passing of the policy is determined by the return value of the code. Use ```python return True ``` to pass a policy and ```python return False ``` to fail it. ## Available Functions ### `ak_message(message: str)` Add a message, visible by the end user. This can be used to show the reason why they were denied. Example: ```python ak_message("Access denied") return False ``` ### `ak_call_policy(name: str, **kwargs) -> PolicyResult` (2021.12+) Call another policy with the name _name_. Current request is passed to policy. Key-word arguments can be used to modify the request's context. Example: ```python result = ak_call_policy("test-policy") # result is a PolicyResult object, so you can access `.passing` and `.messages`. return result.passing result = ak_call_policy("test-policy-2", foo="bar") # Inside the `test-policy-2` you can then use `request.context["foo"]` return result.passing ``` import Functions from "../expressions/_functions.md"; ## Variables import Objects from "../expressions/_objects.md"; - `request`: A PolicyRequest object, which has the following properties: - `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes) :::warning When a policy is executed in the context of a flow, this will be set to the previously authenticated user, i.e. when used with an authentication flow this will be set to _AnonymousUser_. In flows, `context['pending_user']` should be used instead. ::: - `request.http_request`: The Django HTTP Request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object. - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution. - `geoip`: GeoIP object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City) - `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider. - `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example ```python return ak_client_ip in ip_network('10.0.0.0/24') # or return ak_client_ip.is_private ``` See also [Python documentation](https://docs.python.org/3/library/ipaddress.html#ipaddress.ip_address) Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object. This includes the following: - `context['flow_plan']`: The actual flow plan itself, can be used to inject stages. - `context['redirect']`: The URL the user should be redirected to after the flow execution succeeds. (Optional) - `context['prompt_data']`: Data which has been saved from a prompt stage or an external source. (Optional) - `context['application']`: The application the user is in the process of authorizing. (Optional) - `context['source']`: The source the user is authenticating/enrolling with. (Optional) - `context['pending_user']`: The currently pending user, see [User](../user-group/user.md#object-attributes) - `context['is_restored']`: Set to `True` when the flow plan has been restored from a flow token, for example the user clicked a link to a flow which was sent by an email stage. (Optional) - `context['auth_method']`: Authentication method (this value is set by password stages) (Optional) Depending on method, `context['auth_method_args']` is also set. Can be any of: - `password`: Standard password login - `auth_mfa`: MFA login (this method is only set if no password was used) Sets `context['auth_method_args']` to ```json { "mfa_devices": [ { "pk": 1, "app": "otp_static", "name": "Static Token", "model_name": "staticdevice" } ] } ``` - `auth_webauthn_pwl`: Password-less WebAuthn login - `jwt`: OAuth Machine-to-machine login via external JWT - `app_password`: App password (token) Sets `context['auth_method_args']` to ```json { "token": { "pk": "f6d639aac81940f38dcfdc6e0fe2a786", "app": "authentik_core", "name": "test (expires=2021-08-23 15:45:54.725880+00:00)", "model_name": "token" } } ``` - `ldap`: LDAP bind authentication Sets `context['auth_method_args']` to ```json { "source": {} // Information about the source used } ```