1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
|
---
title: "File"
description: "File"
summary: "Authelia supports a file based first factor user provider. This section describes configuring this."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
weight: 102300
toc: true
aliases:
- /docs/configuration/authentication/file.html
seo:
title: "" # custom title (optional)
description: "" # custom description (recommended)
canonical: "" # custom canonical URL (optional)
noindex: false # false (default) or true
---
## Configuration
{{< config-alert-example >}}
```yaml {title="configuration.yml"}
authentication_backend:
file:
path: '/config/users.yml'
watch: false
search:
email: false
case_insensitive: false
extra_attributes:
extra_example:
multi_valued: false
value_type: 'string'
password:
algorithm: 'argon2'
argon2:
variant: 'argon2id'
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
scrypt:
iterations: 16
block_size: 8
parallelism: 1
key_length: 32
salt_length: 16
pbkdf2:
variant: 'sha512'
iterations: 310000
salt_length: 16
sha2crypt:
variant: 'sha512'
iterations: 50000
salt_length: 16
bcrypt:
variant: 'standard'
cost: 12
```
## Options
This section describes the individual configuration options.
### path
{{< confkey type="string" required="yes" >}}
The path to the file with the user details list. Supported file types are:
* [YAML File](../../reference/guides/passwords.md#yaml-format)
### watch
{{< confkey type="boolean" default="false" required="no" >}}
Enables reloading the database by watching it for changes.
### search {#config-search}
Username searching functionality options.
{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}}
This functionality is experimental.
{{< /callout >}}
#### email
{{< confkey type="boolean" default="false" required="no" >}}
{{< callout context="note" title="Note" icon="outline/info-circle" >}}
Emails are always checked using case-insensitive lookup.
{{< /callout >}}
Allows users to login using their email address. If enabled two users must not have the same emails and their usernames
must not be an email.
#### case_insensitive
{{< confkey type="boolean" default="false" required="no" >}}
{{< callout context="note" title="Note" icon="outline/info-circle" >}}
Emails are always checked using case-insensitive lookup.
{{< /callout >}}
Enabling this search option allows users to login with their username regardless of case. If enabled users must only
have lowercase usernames.
### extra_attributes
{{< confkey type="dictionary(object)" required="no" >}}
{{< callout context="note" title="Note" icon="outline/info-circle" >}}
In addition to the extra attributes, you can configure custom attributes based on the values of existing attributes.
This is done via the [Definitions](../definitions/user-attributes.md) section.
{{< /callout >}}
The extra attributes to load from the directory server. These extra attributes can be used in other areas of _Authelia_
such as [OpenID Connect 1.0](../identity-providers/openid-connect/provider.md). It's also recommended to check out the
[Attributes Reference Guide](../../reference/guides/attributes.md) for more information.
The key represents the backend attribute name. The database will be validated given the `multi_valued` and `value_type`
configuration.
In the example below, we load the directory server attribute `example_file_attribute` into the _Authelia_ attribute
`example_file_attribute`, treat it as a single valued attribute which has an underlying type of `integer`.
```yaml
authentication_backend:
file:
extra_attributes:
example_file_attribute:
multi_valued: false
value_type: 'integer'
```
#### value_type
{{< confkey type="string" required="yes" >}}
This defines the underlying type the attribute must be. This is required if an extra attribute is configured. The valid
values are `string`, `integer`, or `boolean`.
#### multi_valued
{{< confkey type="boolean" required="no" >}}
This indicates the underlying type can have multiple values.
## Password Options
A [reference guide](../../reference/guides/passwords.md) exists specifically for choosing password hashing values. This
section contains far more information than is practical to include in this configuration document. See the
[Passwords Reference Guide](../../reference/guides/passwords.md) for more information.
This guide contains examples such as the [User / Password File](../../reference/guides/passwords.md#user--password-file).
### algorithm
{{< confkey type="string" default="argon2" required="no" >}}
Controls the hashing algorithm used for hashing new passwords. Value must be one of:
* `argon2` for the [Argon2](#argon2) algorithm
* `scrypt` for the [Scrypt](#scrypt) algorithm
* `pbkdf2` for the [PBKDF2](#pbkdf2) algorithm
* `sha2crypt` for the [SHA2Crypt](#sha2crypt) algorithm
* `bcrypt` for the [Bcrypt](#bcrypt) algorithm
### argon2
The [Argon2] algorithm implementation. This is one of the only algorithms that was designed purely with password hashing
in mind and is subsequently one of the best algorithms to date for security.
#### variant
{{< confkey type="string" default="argon2id" required="no" >}}
Controls the variant when hashing passwords using [Argon2]. Recommended `argon2id`.
Permitted values `argon2id`, `argon2i`, `argon2d`.
#### iterations
{{< confkey type="integer" default="3" required="no" >}}
Controls the number of iterations when hashing passwords using [Argon2].
#### memory
{{< confkey type="integer" default="65536" required="no" >}}
Controls the amount of memory in kibibytes when hashing passwords using [Argon2].
#### parallelism
{{< confkey type="integer" default="4" required="no" >}}
Controls the parallelism factor when hashing passwords using [Argon2].
#### key_length
{{< confkey type="integer" default="32" required="no" >}}
Controls the output key length when hashing passwords using [Argon2].
#### salt_length
{{< confkey type="integer" default="16" required="no" >}}
Controls the output salt length when hashing passwords using [Argon2].
### scrypt
The [Scrypt] algorithm implementation.
#### iterations
{{< confkey type="integer" default="16" required="no" >}}
Controls the number of iterations when hashing passwords using [Scrypt].
#### block_size
{{< confkey type="integer" default="8" required="no" >}}
Controls the block size when hashing passwords using [Scrypt].
#### parallelism
{{< confkey type="integer" default="1" required="no" >}}
Controls the parallelism factor when hashing passwords using [Scrypt].
#### key_length
{{< confkey type="integer" default="32" required="no" >}}
Controls the output key length when hashing passwords using [Scrypt].
#### salt_length
{{< confkey type="integer" default="16" required="no" >}}
Controls the output salt length when hashing passwords using [Scrypt].
### pbkdf2
The [PBKDF2] algorithm implementation.
#### variant
{{< confkey type="string" default="sha512" required="no" >}}
Controls the variant when hashing passwords using [PBKDF2]. Recommended `sha512`.
Permitted values `sha1`, `sha224`, `sha256`, `sha384`, `sha512`.
#### iterations
{{< confkey type="integer" default="310000" required="no" >}}
Controls the number of iterations when hashing passwords using [PBKDF2].
#### salt_length
{{< confkey type="integer" default="16" required="no" >}}
Controls the output salt length when hashing passwords using [PBKDF2].
### sha2crypt
The [SHA2 Crypt] algorithm implementation.
#### variant
{{< confkey type="string" default="sha512" required="no" >}}
Controls the variant when hashing passwords using [SHA2 Crypt]. Recommended `sha512`.
Permitted values `sha256`, `sha512`.
#### iterations
{{< confkey type="integer" default="50000" required="no" >}}
Controls the number of iterations when hashing passwords using [SHA2 Crypt].
#### salt_length
{{< confkey type="integer" default="16" required="no" >}}
Controls the output salt length when hashing passwords using [SHA2 Crypt].
### bcrypt
The [Bcrypt] algorithm implementation.
#### variant
{{< confkey type="string" default="standard" required="no" >}}
Controls the variant when hashing passwords using [Bcrypt]. Recommended `standard`.
Permitted values `standard`, `sha256`.
{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}}
The `sha256` variant is a special variant designed by
[Passlib](https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt_sha256.html). This variant passes the
password through a SHA256 HMAC before passing it to the [Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) algorithm, effectively bypassing the 72 byte password
truncation that [Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) does. It is not supported by many other systems.
{{< /callout >}}
#### cost
{{< confkey type="integer" default="12" required="no" >}}
Controls the hashing cost when hashing passwords using [Bcrypt].
[Argon2]: https://datatracker.ietf.org/doc/html/rfc9106
[Scrypt]: https://en.wikipedia.org/wiki/Scrypt
[PBKDF2]: https://datatracker.ietf.org/doc/html/rfc2898
[SHA2 Crypt]: https://www.akkadia.org/drepper/SHA-crypt.txt
[Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt
|
