[{"data":1,"prerenderedAt":806},["ShallowReactive",2],{"guide:en:authentication":3},{"id":4,"title":5,"body":6,"description":798,"extension":799,"meta":800,"navigation":801,"path":802,"seo":803,"stem":804,"__hash__":805},"guide_en/en/user/authentication/index.md","Authentication — Login Methods and Account Security",{"type":7,"value":8,"toc":776},"minimark",[9,14,18,23,34,37,43,56,61,72,78,89,93,98,116,121,138,143,157,162,175,179,184,198,204,215,220,234,238,247,251,256,275,280,294,298,303,320,325,333,339,352,363,373,377,382,399,404,418,423,466,470,475,490,495,506,510,515,520,543,547,551,566,570,574,587,591,595,609,613,617,639,643,648,668,676,692,696,701,712,717,728,733,744,749,760,765],[10,11,13],"h1",{"id":12},"authentication","Authentication",[15,16,17],"p",{},"Authentication verifies who you are before granting access to Aptli. Aptli supports username/password login, OAuth single sign-on (Google, GitHub, Microsoft, Keycloak), and two-factor authentication. This section covers how to use and configure each method, manage account locks, and handle password resets.",[19,20,22],"h2",{"id":21},"active-login-methods","Active Login Methods",[15,24,25,30],{},[26,27],"img",{"alt":28,"src":29},"Login Page","/guide/authentication/login-page.png",[31,32,33],"em",{},"Login page showing available authentication methods including OAuth providers",[15,35,36],{},"Configure which authentication methods are available:",[15,38,39],{},[40,41,42],"strong",{},"Username/Password (Default):",[44,45,46,50,53],"ul",{},[47,48,49],"li",{},"Email + password combination",[47,51,52],{},"Password requirements: minimum 8 characters, complexity rules",[47,54,55],{},"Automatic logout after inactivity (configurable, default 1 day)",[15,57,58],{},[40,59,60],{},"OAuth Providers:",[44,62,63,66,69],{},[47,64,65],{},"GitHub OAuth",[47,67,68],{},"Google OAuth",[47,70,71],{},"Additional providers configurable (contact support)",[15,73,74,77],{},[40,75,76],{},"Configuration:","\nNavigate to App Settings → 
Authentication → Active Login Methods",[44,79,80,83,86],{},[47,81,82],{},"At least one method must be enabled",[47,84,85],{},"Multiple methods can be active simultaneously",[47,87,88],{},"Users choose preferred method at login screen",[19,90,92],{"id":91},"two-factor-authentication-2fa","Two-Factor Authentication (2FA)",[15,94,95],{},[40,96,97],{},"Enabling 2FA:",[99,100,101,104,107,110,113],"ol",{},[47,102,103],{},"Navigate to user profile",[47,105,106],{},"Click \"Enable Two-Factor Authentication\"",[47,108,109],{},"Scan QR code with authenticator app (Google Authenticator, Authy, etc.)",[47,111,112],{},"Enter 6-digit code to confirm",[47,114,115],{},"Save recovery codes (in case phone lost)",[15,117,118],{},[40,119,120],{},"Login with 2FA:",[99,122,123,126,129,132,135],{},[47,124,125],{},"Enter email and password (or OAuth)",[47,127,128],{},"System prompts for 6-digit code",[47,130,131],{},"Open authenticator app",[47,133,134],{},"Enter current code (refreshes every 30 seconds)",[47,136,137],{},"Access granted",[15,139,140],{},[40,141,142],{},"Recovery Codes:",[44,144,145,148,151,154],{},[47,146,147],{},"10 one-time-use codes generated at 2FA setup",[47,149,150],{},"Store securely (password manager, printed copy)",[47,152,153],{},"Use if authenticator unavailable",[47,155,156],{},"Each code valid once",[15,158,159],{},[40,160,161],{},"Disabling 2FA:",[44,163,164,166,169,172],{},[47,165,103],{},[47,167,168],{},"Click \"Disable Two-Factor Authentication\"",[47,170,171],{},"Enter current 6-digit code (or recovery code)",[47,173,174],{},"Confirm disable",[19,176,178],{"id":177},"spotting-users-without-2fa","Spotting Users Without 2FA",[15,180,181],{},[40,182,183],{},"Admin View:",[99,185,186,189,192,195],{},[47,187,188],{},"Navigate to Admin → Users",[47,190,191],{},"Add column: \"2FA Enabled\" (boolean)",[47,193,194],{},"Filter: \"2FA Enabled = false\"",[47,196,197],{},"Export list for follow-up",[15,199,200,203],{},[40,201,202],{},"Enforcement:","\nApp Settings → 
Authentication → Require 2FA",[44,205,206,209,212],{},[47,207,208],{},"Enable to force all users to set up 2FA",[47,210,211],{},"Grace period configurable (e.g., 30 days)",[47,213,214],{},"After the grace period, users cannot log in without 2FA",[15,216,217],{},[40,218,219],{},"Notification Campaign:",[44,221,222,225,228,231],{},[47,223,224],{},"Bulk email users without 2FA",[47,226,227],{},"Include setup instructions",[47,229,230],{},"Emphasize security benefits",[47,232,233],{},"Set deadline for compliance",[19,235,237],{"id":236},"oauth-provider-setup","OAuth Provider Setup",[15,239,240,241,246],{},"OAuth providers (Google, GitHub, Microsoft, Keycloak) are configured by your system administrator. See the ",[242,243,245],"a",{"href":244},"/sysadmin/oauth-setup","OAuth Setup Guide"," for configuration details.",[19,248,250],{"id":249},"adding-oauth-to-user-account","Adding OAuth to User Account",[15,252,253],{},[40,254,255],{},"For Existing Username/Password Users:",[99,257,258,261,263,266,269,272],{},[47,259,260],{},"Login with email and password",[47,262,103],{},[47,264,265],{},"Click \"Link OAuth Account\"",[47,267,268],{},"Choose provider (GitHub or Google)",[47,270,271],{},"Authorize with provider",[47,273,274],{},"OAuth account linked (can now login with either method)",[15,276,277],{},[40,278,279],{},"For New Users:",[44,281,282,285,288,291],{},[47,283,284],{},"First login with OAuth creates account automatically",[47,286,287],{},"The email address returned by the OAuth provider must belong to one of the allowed domains",[47,289,290],{},"Account created with OAuth-only login (no password set)",[47,292,293],{},"A password can be added later from the user profile",[19,295,297],{"id":296},"email-validation","Email Validation",[15,299,300],{},[40,301,302],{},"New User Flow:",[99,304,305,308,311,314,317],{},[47,306,307],{},"User signs up (or admin creates account)",[47,309,310],{},"Validation email sent to user's email address",[47,312,313],{},"Email contains a validation link whose token expires after 10 minutes",[47,315,316],{},"User clicks link 
in email",[47,318,319],{},"Account validated (can now login)",[15,321,322],{},[40,323,324],{},"Validation Required:",[44,326,327,330],{},[47,328,329],{},"Cannot login (any method) until email validated",[47,331,332],{},"Includes OAuth users (email must be validated even if provider verified)",[15,334,335,338],{},[40,336,337],{},"Resend Validation Email:","\nAdmin can resend from user profile:",[99,340,341,343,346,349],{},[47,342,188],{},[47,344,345],{},"Open user profile",[47,347,348],{},"Click \"Resend Validation Email\"",[47,350,351],{},"New 10-minute token sent",[15,353,354,357,358,362],{},[40,355,356],{},"Manual Validation:","\nAdmin with ",[359,360,361],"code",{},"usersUpdate"," can manually validate:",[99,364,365,367,370],{},[47,366,103],{},[47,368,369],{},"Set \"Email Validated\" date to current date",[47,371,372],{},"Save (user can now login)",[19,374,376],{"id":375},"login-security","Login Security",[15,378,379],{},[40,380,381],{},"Max Login Attempts:",[44,383,384,387,390,393],{},[47,385,386],{},"Default: 5 failed attempts",[47,388,389],{},"Configurable in App Settings",[47,391,392],{},"After max attempts: account hard locked",[47,394,395,396,398],{},"Unlock requires admin with ",[359,397,361],{}," permission",[15,400,401],{},[40,402,403],{},"Hard Lock:",[44,405,406,409,412,415],{},[47,407,408],{},"Account cannot login (any method)",[47,410,411],{},"Visible in user profile: \"Hard Lock\" badge",[47,413,414],{},"Unlock: Admin clicks \"Unlock Account\" action",[47,416,417],{},"Reset: Failed attempt counter reset to 0",[15,419,420],{},[40,421,422],{},"Session Expiry:",[44,424,425,439,453],{},[47,426,427,430,431],{},[40,428,429],{},"Automatic Logout:"," Inactivity timeout (default 1 day)\n",[44,432,433,436],{},[47,434,435],{},"Reading or writing data resets countdown",[47,437,438],{},"Configurable per app settings",[47,440,441,444,445],{},[40,442,443],{},"Server Session Timeout:"," Server session timeout (default 1 
week)\n",[44,446,447,450],{},[47,448,449],{},"Forces re-login regardless of activity",[47,451,452],{},"Security measure for long-running sessions",[47,454,455,457,458],{},[40,456,422],{}," Absolute max session duration (default 1 week)\n",[44,459,460,463],{},[47,461,462],{},"Multiple devices may have different expirations",[47,464,465],{},"Prevents indefinite sessions",[19,467,469],{"id":468},"force-logout","Force Logout",[15,471,472],{},[40,473,474],{},"Admin Action:",[99,476,477,479,481,484,487],{},[47,478,188],{},[47,480,345],{},[47,482,483],{},"Actions → Force Logout",[47,485,486],{},"User's session terminated immediately",[47,488,489],{},"User must re-login",[15,491,492],{},[40,493,494],{},"Use Cases:",[44,496,497,500,503],{},[47,498,499],{},"Security incident (compromised account)",[47,501,502],{},"User left session open on public computer",[47,504,505],{},"Administrative lock (pending investigation)",[19,507,509],{"id":508},"troubleshooting-login","Troubleshooting Login",[511,512,514],"h3",{"id":513},"user-cant-find-account","User Can't Find Account",[15,516,517],{},[40,518,519],{},"Check:",[99,521,522,524,527,530,537],{},[47,523,188],{},[47,525,526],{},"Filter by email (case-sensitive)",[47,528,529],{},"If not found: Account may be deleted",[47,531,532,533,536],{},"Click \"See Deleted\" button (requires ",[359,534,535],{},"viewDeleted"," permission)",[47,538,539,540,536],{},"If found in deleted: Undelete (requires ",[359,541,542],{},"usersCreate",[511,544,546],{"id":545},"hard-lock","Hard Lock",[15,548,549],{},[40,550,519],{},[99,552,553,555,558,563],{},[47,554,103],{},[47,556,557],{},"Look for \"Hard Lock\" badge",[47,559,560,561,536],{},"If present: Click \"Unlock Account\" (requires ",[359,562,361],{},[47,564,565],{},"User can now login",[511,567,569],{"id":568},"email-not-validated","Email Not Validated",[15,571,572],{},[40,573,519],{},[99,575,576,578,581,584],{},[47,577,103],{},[47,579,580],{},"\"Email Validated\" field should have 
date",[47,582,583],{},"If blank: Resend validation email OR manually set date",[47,585,586],{},"User cannot login via any method without validation",[511,588,590],{"id":589},"bad-domain","Bad Domain",[15,592,593],{},[40,594,519],{},[99,596,597,600,603,606],{},[47,598,599],{},"Navigate to App Settings → Authentication",[47,601,602],{},"\"Allowed Domains\" list",[47,604,605],{},"Verify the user's email domain is included",[47,607,608],{},"If missing: Add domain OR create account manually (bypasses domain check)",[511,610,612],{"id":611},"oauth-not-working","OAuth Not Working",[15,614,615],{},[40,616,519],{},[99,618,619,622,625,633,636],{},[47,620,621],{},"Verify the environment variables are set (CLIENT_ID, CLIENT_SECRET)",[47,623,624],{},"Check that the callback URL matches the provider configuration",[47,626,627,628,632],{},"Test: Logout, click \"Sign in with ",[629,630,631],"span",{},"Provider","\"",[47,634,635],{},"Check the browser console for error messages",[47,637,638],{},"Check the provider dashboard for authentication attempts",[19,640,642],{"id":641},"password-reset","Password Reset",[15,644,645],{},[40,646,647],{},"User-Initiated:",[99,649,650,653,656,659,662,665],{},[47,651,652],{},"Click \"Forgot Password\" on login page",[47,654,655],{},"Enter email address",[47,657,658],{},"Reset email sent (the link token expires after 10 minutes)",[47,660,661],{},"Click link in email",[47,663,664],{},"Enter new password",[47,666,667],{},"Password reset (can now login)",[15,669,670,357,673,675],{},[40,671,672],{},"Admin-Initiated:",[359,674,361],{}," can reset:",[99,677,678,680,683,686,689],{},[47,679,103],{},[47,681,682],{},"Actions → Reset Password",[47,684,685],{},"Temporary password generated",[47,687,688],{},"Email sent to the user with the temporary password",[47,690,691],{},"User must change password on first login",[19,693,695],{"id":694},"best-practices","Best Practices",[15,697,698],{},[40,699,700],{},"Enable 2FA:",[44,702,703,706,709],{},[47,704,705],{},"Require for all admin accounts",[47,707,708],{},"Encourage for all 
users",[47,710,711],{},"Set compliance deadline",[15,713,714],{},[40,715,716],{},"Use OAuth When Possible:",[44,718,719,722,725],{},[47,720,721],{},"Reduces password fatigue",[47,723,724],{},"Leverages provider security",[47,726,727],{},"Easier account recovery",[15,729,730],{},[40,731,732],{},"Monitor Failed Logins:",[44,734,735,738,741],{},[47,736,737],{},"Review hard-locked accounts weekly",[47,739,740],{},"A pattern of locks across many accounts indicates a likely password-guessing attack",[47,742,743],{},"Enable 2FA enforcement",[15,745,746],{},[40,747,748],{},"Regular Session Expiry:",[44,750,751,754,757],{},[47,752,753],{},"Don't set the inactivity timeout too long (24 hours is reasonable)",[47,755,756],{},"CSRF token expiry prevents indefinite sessions",[47,758,759],{},"Balance security vs. user convenience",[15,761,762],{},[40,763,764],{},"Allowed Domains:",[44,766,767,770,773],{},[47,768,769],{},"Keep the list tight (only your organization's domains)",[47,771,772],{},"External contractors: create their accounts manually (this bypasses the domain check)",[47,774,775],{},"Review quarterly (remove unused domains)",{"title":777,"searchDepth":778,"depth":778,"links":779},"",2,[780,781,782,783,784,785,786,787,788,796,797],{"id":21,"depth":778,"text":22},{"id":91,"depth":778,"text":92},{"id":177,"depth":778,"text":178},{"id":236,"depth":778,"text":237},{"id":249,"depth":778,"text":250},{"id":296,"depth":778,"text":297},{"id":375,"depth":778,"text":376},{"id":468,"depth":778,"text":469},{"id":508,"depth":778,"text":509,"children":789},[790,792,793,794,795],{"id":513,"depth":791,"text":514},3,{"id":545,"depth":791,"text":546},{"id":568,"depth":791,"text":569},{"id":589,"depth":791,"text":590},{"id":611,"depth":791,"text":612},{"id":641,"depth":778,"text":642},{"id":694,"depth":778,"text":695},"Configure and use authentication in Aptli: username/password login, OAuth providers (Google, GitHub, Microsoft), two-factor authentication, email validation, and session 
security.","md",{},true,"/en/user/authentication",{"title":5,"description":798},"en/user/authentication/index","Yfl_g2tfhu__XYbFyQTdyS0vP1QSb9Sv0_1rwE5mWEg",1776295546620]