How to restrict the execution of a flow to be only used from LDAP?

[jorti]

Hi,

I've created a custom authentication flow ldap-authentication-flow which is identical to default-authentication-flow, but without validating MFA. I use that flow to skip MFA for applications using LDAP (is there other alternative?).

However, users can still execute the flow manually by going to the URL https://auth.company/if/flow/ldap-authentication-flow/, which I'd like to prevent.

I've tried to create an expression policy is-ldap-authentication like this, bound to the password stage:

if 'http_request' in context:
  if 'args' in context['http_request']:
    if 'goauthentik.io/outpost/ldap' in context['http_request']['args']:
      if context['http_request']['args']['goauthentik.io/outpost/ldap'] == 'true':
        return True
return False

I've tried many variations, but none work.

Any advice about how to restrict the execution of a flow to only when running from LDAP?

Thank you.