Advanced Expression Policy with Additional Dependencies

[p5]

I am looking to create a more advanced policy than those listed in the documentation.

In an ideal world, I would be able to:

1. User navigates to an app which requires additional security (e.g. HashiCorp Vault)
2. The user is prompted to enter a Change Management ID
3. The policy queries the Change Management API to see if change is scheduled and approved
4. If approved, allow the user to login. Else deny the request

This would be fairly straight forward to implement in a normal Python application, but when inside a GoAuthentik instance, I'm fearing it may not be as easy as it sounds.

My questions are:

1. Can you import additional Python packages for the policy to utilise? Thinking I may need integration with a secrets manager to authenticate against the REST API, and will definitely need to make HTTP requests against my backend
2. Are there any examples of a more complex policy which uses external sources to decide whether a user should be allowed access?

Thank you in advance.

Rob

[rissson]

1. yes, you can use whatever we include in the image. Look at /~https://github.com/goauthentik/authentik/blob/main/poetry.lock at the correct version for the list of included packages and their versions. requests is included already if that's the one you're looking for
2. don't know if there are examples out there but for instance:

import requests

res = requests.post("https://api.example.com", json={"user": request.user.username})
res.raise_for_status()
return res.json().get("has_access", False)

[p5]

Awesome, thank you!

It sounds like you'll be able to, if a package you want isn't included, just call an external API which does the logic you'd require. Then there would be a separation between the goauthentik and custom code.

[rissson]

Yep that works as well. The alternative is building a custom docker image with the required packages installed