Skip to main content

Expression Policies

The passing of the policy is determined by the return value of the code. Use

return True

to pass a policy and

return False

to fail it.

Available Functions

ak_message(message: str)

Add a message, visible by the end user. This can be used to show the reason why they were denied.


ak_message("Access denied")
return False

ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool (2021.9+)

Check if a user has any authenticator devices. Only fully validated devices are counted.

Optionally, you can filter a specific device type. The following options are valid:

  • totp
  • duo
  • static
  • webauthn


return ak_user_has_authenticator(request.user)

ak_call_policy(name: str, **kwargs) -> PolicyResult (2021.12+)

Call another policy with the name name. Current request is passed to policy. Key-word arguments can be used to modify the request's context.


result = ak_call_policy("test-policy")
# result is a PolicyResult object, so you can access `.passing` and `.messages`.
return result.passing

result = ak_call_policy("test-policy-2", foo="bar")
# Inside the `test-policy-2` you can then use `request.context["foo"]`
return result.passing

regex_match(value: Any, regex: str) -> bool

Check if value matches Regular Expression regex.


return regex_match(request.user.username, '.*admin.*')

regex_replace(value: Any, regex: str, repl: str) -> str

Replace anything matching regex within value with repl and return it.


user_email_local = regex_replace(, '(.+)@.+', '')

list_flatten(value: list[Any] | Any) -> Optional[Any}

Flatten a list by either returning its first element, None if the list is empty, or the passed in object if its not a list.


user = list_flatten(["foo"])
# user = "foo"

ak_is_group_member(user: User, **group_filters) -> bool

Check if user is member of a group matching **group_filters.


return ak_is_group_member(request.user, name="test_group")

ak_user_by(**filters) -> Optional[User]

Fetch a user matching **filters.

Returns "None" if no user was found, otherwise User


other_user = ak_user_by(username="other_user")

Comparing IP Addresses

To compare IP Addresses or check if an IP Address is within a given subnet, you can use the functions ip_address('') and ip_network(''). With these objects you can do arithmetic operations.

You can also check if an IP Address is within a subnet by writing the following:

ip_address('') in ip_network('')
# evaluates to True


  • ak_logger: structlog BoundLogger. See (structlog documentation)


    ak_logger.debug("This is a test message")
    ak_logger.warning("This will be logged with a warning level")"Passing structured data", request=request)
  • requests: requests Session object. See (request documentation)

  • request: A PolicyRequest object, which has the following properties:

    • request.user: The current user, against which the policy is applied. See User
    • request.http_request: The Django HTTP Request. See (Django documentation)
    • request.obj: A Django Model instance. This is only set if the policy is ran against an object.
    • request.context: A dictionary with dynamic data. This depends on the origin of the execution.
  • geoip: GeoIP object, which is added when GeoIP is enabled. See GeoIP

  • ak_is_sso_flow: Boolean which is true if request was initiated by authenticating through an external provider.

  • ak_client_ip: Client's IP Address or if no IP Address could be extracted. Can be compared, for example

    return ak_client_ip in ip_network('')
    # or
    return ak_client_ip.is_private

    See also Python documentation

Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the context object.

This includes the following:

  • context['prompt_data']: Data which has been saved from a prompt stage or an external source.

  • context['application']: The application the user is in the process of authorizing.

  • context['pending_user']: The currently pending user, see User

  • context['auth_method']: Authentication method set (this value is set by password stages)

    Depending on method, context['auth_method_args'] is also set.

    Can be any of:

    • password: Standard password login

    • app_password: App password (token)

      Sets context['auth_method_args'] to

      "token": {
      "pk": "f6d639aac81940f38dcfdc6e0fe2a786",
      "app": "authentik_core",
      "name": "test (expires=2021-08-23 15:45:54.725880+00:00)",
      "model_name": "token"
    • ldap: LDAP bind authentication

      Sets context['auth_method_args'] to

      "source": {} // Information about the source used