			* add password policy to default password change flow This change complies with the minimum composition requirements of the NIST SP 800-63 Digital Identity Guidelines. See https://pages.nist.gov/800-63-4/sp800-63b.html#password More work is needed to comply with other parts of the Guidelines, specifically > If the chosen password is found on the blocklist, the CSP or verifier > [...] SHALL provide the reason for rejection. and > Verifiers SHALL offer guidance to the subscriber to assist the user in > choosing a strong password. This is particularly important following > the rejection of a password on the blocklist as it discourages trivial > modification of listed weak passwords. * add docs for default Password policy * remove HIBP from default Password policy * add zxcvbn to default Password policy * add fallback password error message to password policy, fix validation policy Signed-off-by: Jens Langhammer <jens@goauthentik.io> * reword docs Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> * add HIBP caveat Co-authored-by: Jens L. <jens@goauthentik.io> Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> * separate policy into separate blueprint Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use password policy for oobe flow Signed-off-by: Jens Langhammer <jens@goauthentik.io> * kiss Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
# authentik blueprint: default self-service password change flow.
# Stage order (see the flowstagebinding entries at the bottom): a prompt
# stage collects the new password twice and runs the password policy
# below against it, then a user-write stage persists the result to the
# already-authenticated user.
version: 1
metadata:
  name: Default - Password change flow
entries:
# Password policy bound to the prompt stage as a validation policy.
# Values follow the minimum composition rules of NIST SP 800-63B
# (https://pages.nist.gov/800-63-4/sp800-63b.html#password): a length
# floor, no character-class requirements, plus a guessability estimate.
- attrs:
    check_static_rules: true
    # zxcvbn estimates how guessable a password is (dictionary words,
    # keyboard walks, dates, common substitutions) instead of enforcing
    # arbitrary complexity rules, which NIST discourages.
    check_zxcvbn: true
    # NIST floor for user-chosen memorized secrets. No maximum is set in
    # this file; NIST asks verifiers to accept at least 64 characters —
    # TODO confirm the model does not impose a default cap.
    length_min: 8
    # Must match the `field_key` of the prompt field the policy inspects.
    password_field: password
    # zxcvbn's upstream scale is 0 (trivially guessable) to 4. A threshold
    # of 2 rejects only the weakest passwords; deployments with a higher
    # risk appetite should raise this rather than add composition rules.
    zxcvbn_score_threshold: 2
    # NOTE(review): this message only explains the length rule. Whether it
    # is also what the user sees on a zxcvbn rejection — where it would be
    # misleading and fall short of NIST's "SHALL provide the reason for
    # rejection" — depends on the policy model, not this file; verify.
    error_message: Password needs to be 8 characters or longer.
  identifiers:
    name: default-password-change-password-policy
  model: authentik_policies_password.passwordpolicy
  id: default-password-change-password-policy
# NOTE(review): no breached-password (HIBP) or blocklist check is enabled
# in this default; the commit message states it was deliberately removed.
# NIST SP 800-63B expects candidate passwords to be compared against a list
# of commonly used or compromised values. zxcvbn's built-in dictionary
# covers common passwords but not breach corpora, so operators should
# consider enabling a blocklist/compromised-credential check per tenant.
- attrs:
    designation: stage_configuration
    name: Change Password
    title: Change password
    # Restricts the flow to logged-in users, so it cannot be used to set a
    # password on an arbitrary account from an anonymous session.
    authentication: require_authenticated
    # NOTE(review): the bindings below contain no stage that re-verifies
    # the current password or a second factor before the write, so anyone
    # holding a valid session can rotate the credential. Higher-risk
    # deployments should consider a re-authentication step ahead of the
    # prompt stage.
  identifiers:
    slug: default-password-change
  model: authentik_flows.flow
  id: flow
# New-password prompt field; its `field_key` is what `password_field` in
# the policy above refers to.
- attrs:
    order: 300
    placeholder: Password
    placeholder_expression: false
    required: true
    type: password
    field_key: password
    label: Password
  identifiers:
    name: default-password-change-field-password
  id: prompt-field-password
  model: authentik_stages_prompt.prompt
# Confirmation field. The comparison of `password_repeat` against
# `password` is not expressed in this file — presumably handled by the
# prompt stage based on the `_repeat` suffix; confirm against the stage.
- attrs:
    order: 301
    placeholder: Password (repeat)
    placeholder_expression: false
    required: true
    type: password
    field_key: password_repeat
    label: Password (repeat)
  identifiers:
    name: default-password-change-field-password-repeat
  id: prompt-field-password-repeat
  model: authentik_stages_prompt.prompt
# Prompt stage: renders both fields and runs the password policy over the
# submitted data before the flow advances to the write stage.
- attrs:
    fields:
    - !KeyOf prompt-field-password
    - !KeyOf prompt-field-password-repeat
    validation_policies:
    - !KeyOf default-password-change-password-policy
  identifiers:
    name: default-password-change-prompt
  id: default-password-change-prompt
  model: authentik_stages_prompt.promptstage
# Write stage: persists the prompt data to the user. `never_create` keeps
# this flow from ever materialising a new account from the submitted
# fields; it may only update the existing, authenticated user.
- identifiers:
    name: default-password-change-write
  id: default-password-change-write
  model: authentik_stages_user_write.userwritestage
  attrs:
    user_creation_mode: never_create
# Bindings: prompt (order 0) runs before the write (order 1), so the
# policy above is evaluated before anything is persisted.
- identifiers:
    order: 0
    stage: !KeyOf default-password-change-prompt
    target: !KeyOf flow
  model: authentik_flows.flowstagebinding
- identifiers:
    order: 1
    stage: !KeyOf default-password-change-write
    target: !KeyOf flow
  model: authentik_flows.flowstagebinding