authentik
policies: add unique password policy
Details
Closes #8307
Adds a "Password Uniqueness" policy to the set of configurable flow policies.
Documentation PR: https://github.com/goauthentik/authentik/pull/11000
How it works
After at least one (1) Flow has a UniquePasswordPolicy binding attached & enabled, the system records every user's hashed password when the user changes their own password.
When the user submits a new password during a password-change Flow, the system will check if the new password is identical to any of the user's previous passwords. The check will hash the new password against the Hasher originally used to hash the old password. This ensures backwards compatibility if Authentik decides to change hashing algorithms.
This check only occurs if the Flow Stage has a Unique Password Policy attached.
Configuration
Admins can configure how many previous passwords the system should evaluate.
The configured number of passwords to evaluate also defines the number of passwords retained for each user.
Admins may also define which field they wish to use as the "password" field in a Stage. This is similar to the Password Policy configuration.
Data considerations
The system purges the password history table after the last enabled UniquePasswordPolicy binding is deleted.
Because the number of passwords we save is configurable, it's important admins understand that whatever value they configure will end up saving up to n^m passwords, where n is the configured policy value & m is the number of users.
Checklist
- [x] Local tests pass (`ak test authentik/`)
- [x] The code has been formatted (`make lint-fix`)

If an API change has been made

- [x] The API schema has been updated (`make gen-build`)

If changes to the frontend have been made

- [x] The code has been formatted (`make web`)

If applicable

- [ ] The documentation has been updated
- [ ] The documentation has been formatted (`make website`)
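The history/reuse check described under "How it works" and "Configuration", as an added stand-alone example. This is not authentik's code and does not use its models or hasher classes: the `HASHERS` registry, the `algorithm$iterations$salt$digest` hash format, the class names and the reduced iteration counts are all assumptions made for illustration. It shows the three behaviours the description calls out: each stored hash carries the hasher that produced it, so a candidate is re-hashed with that hasher rather than the current default; only the configured number of hashes is retained per user; and nothing is checked or recorded unless at least one binding is enabled, with the history purged when the last one is removed.

```python
"""Added example (not authentik's implementation) of a unique-password policy."""
import base64
import hashlib
import hmac
import secrets
from collections import deque

# Hasher registry: tag stored in each hash string -> (PRF digest, iterations).
# Iteration counts are kept low so the example runs quickly; real deployments
# use far higher values (assumption, not authentik's settings).
HASHERS = {
    "pbkdf2_sha256": ("sha256", 50_000),
    "pbkdf2_sha512": ("sha512", 50_000),
}
DEFAULT_HASHER = "pbkdf2_sha256"


def make_hash(password: str, algorithm: str = DEFAULT_HASHER) -> str:
    """Hash with the named hasher and embed its tag so it can be replayed later."""
    digest, iterations = HASHERS[algorithm]
    salt = secrets.token_hex(16)
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations)
    return "$".join([algorithm, str(iterations), salt, base64.b64encode(dk).decode()])


def check_hash(password: str, encoded: str) -> bool:
    """Re-hash using the hasher recorded in `encoded`, not the current default."""
    algorithm, iterations, salt, b64 = encoded.split("$")
    digest, _ = HASHERS[algorithm]
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode(), b64)


class PasswordHistory:
    """Per-user ring buffer holding only the last `retain` password hashes."""

    def __init__(self, retain: int):
        self.retain = retain
        self._rows: dict[str, deque] = {}

    def record(self, user: str, encoded: str) -> None:
        # deque(maxlen=...) drops the oldest hash once the window is full.
        self._rows.setdefault(user, deque(maxlen=self.retain)).append(encoded)

    def is_reused(self, user: str, candidate: str) -> bool:
        return any(check_hash(candidate, h) for h in self._rows.get(user, ()))

    def count(self, user: str) -> int:
        return len(self._rows.get(user, ()))

    def purge(self) -> None:
        self._rows.clear()


class UniquePasswordPolicy:
    """Counts enabled bindings; history exists only while at least one is enabled."""

    def __init__(self, retain: int):
        self.enabled_bindings = 0
        self.history = PasswordHistory(retain)

    def bind(self) -> None:
        self.enabled_bindings += 1

    def unbind(self) -> None:
        self.enabled_bindings = max(0, self.enabled_bindings - 1)
        if self.enabled_bindings == 0:
            self.history.purge()  # last binding gone: drop the whole table

    def change_password(self, user: str, new_password: str,
                        hasher: str = DEFAULT_HASHER) -> bool:
        """Return False (reject) if the new password matches a retained hash."""
        if self.enabled_bindings == 0:
            return True  # no enabled binding: neither checked nor recorded
        if self.history.is_reused(user, new_password):
            return False
        self.history.record(user, make_hash(new_password, hasher))
        return True
```

The `hasher` argument to `change_password` stands in for a deployment switching its default algorithm: a hash written with `pbkdf2_sha256` is still replayed with that hasher after later passwords are stored with `pbkdf2_sha512`. Note that the retained window is per user, so storage grows linearly with the number of users times the configured value.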