core: support hashed password in users API + automated install #18686
authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your

    AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
    AUTHENTIK_TAG=gh-9cb094b381a709c63d954ee9c28bbcdfad6a26b4
    AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your

    authentik:
        outposts:
            container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
    global:
        image:
            repository: ghcr.io/goauthentik/dev-server
            tag: gh-9cb094b381a709c63d954ee9c28bbcdfad6a26b4

Afterwards, run the upgrade commands from the latest release notes.
e678a9d to 9f50675
gergosimonyi left a comment:
Setting password by hash should be possible via the API (as the title of this PR led me to believe), not only in blueprints.
This would enable workflows such as a user giving an admin their hash and logging in with the password that was used to generate that hash.
9f50675 to 8ff4983
aa1b3cd to 292cd1d
Overview:
Adds support for bootstrapping authentik using pre-hashed passwords. Instead of passing plaintext passwords through environment variables, admins can generate a hash locally and configure authentik with the hash directly. This also extends to runtime, as admins can set password hashes on existing users via API or the admin UI as they would for setting a password.
Motivation:
The current AUTHENTIK_BOOTSTRAP_PASSWORD requires plaintext passwords in environment variables, which is just bad practice, and some environments may require users to be able to set their password without admins knowing it (?).
Closes: #5471
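
The "generate a hash locally" step from the overview, as an added example (not code from this PR or from authentik). It assumes the Django-style `pbkdf2_sha256$iterations$salt$hash` encoding, since authentik is built on Django; the function names, the iteration default and the format check are illustrative assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: use the count your target Django version expects
SALT_CHARS = string.ascii_letters + string.digits


def make_hash(password: str, salt: str | None = None,
              iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(22))
    if not salt or "$" in salt:
        raise ValueError("salt must be non-empty and must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode('ascii')}"


def parse_hash(encoded: str) -> tuple[int, str, bytes]:
    """Reject anything that is not a well-formed PBKDF2-SHA256 hash, so a
    plaintext password or a weak legacy hash is never stored as-is."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("not a pbkdf2_sha256 hash")
    _, iterations, salt, b64 = parts
    if not (iterations.isascii() and iterations.isdigit()) or int(iterations) < 1 or not salt:
        raise ValueError("malformed iterations or salt")
    digest = base64.b64decode(b64, validate=True)  # raises a ValueError subclass
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("unexpected digest length")
    return int(iterations), salt, digest


def verify(password: str, encoded: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    iterations, salt, expected = parse_hash(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(candidate, expected)
```

Only the output of `make_hash` needs to leave the machine where the password was typed; `verify` shows that the original password still authenticates against it.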