path: root/docs/content/configuration/identity-validation/reset-password.md
blob: 8f9b049704660ddfc5235acdd6e2ec73395d070b (plain)
---
title: "Reset Password"
description: "Reset Password Identity Validation Configuration"
summary: "Authelia uses multiple methods to verify the identity of users to prevent a malicious user from performing actions on behalf of them. This section describes Reset Password method."
date: 2024-03-04T20:29:11+11:00
draft: false
images: []
weight: 105200
toc: true
seo:
  title: "" # custom title (optional)
  description: "" # custom description (recommended)
  canonical: "" # custom canonical URL (optional)
  noindex: false # false (default) or true
---

The Reset Password Identity Validation implementation ensures that users cannot perform a reset password flow without
first ensuring the user is adequately identified. The settings below therefore can affect the level of security Authelia
provides to your users so they should be carefully considered.

Authelia performs this process by issuing an HMAC-signed JWT. The JWT is generated and serialized by Authelia itself; the administrator only needs to provide a secret random string known as the [jwt_secret](#jwt_secret).

## Configuration

{{< config-alert-example >}}

```yaml {title="configuration.yml"}
identity_validation:
  reset_password:
    jwt_secret: ''
    jwt_lifespan: '5 minutes'
    jwt_algorithm: 'HS256'
```

## Options

This section describes the individual configuration options.

### jwt_secret

{{< confkey type="string" required="yes" >}}

The secret used with the HMAC algorithm to sign the JWT. This value should be an arbitrary random string with printable ASCII characters.

It is __strongly recommended__ this is a
[Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
characters.

### jwt_lifespan

{{< confkey type="string,integer" syntax="duration" default="5 minutes" required="no" >}}

The lifespan of the JSON Web Token, counted from the moment it is generated; once this period has elapsed the token is considered invalid.

### jwt_algorithm

{{< confkey type="string" default="HS256" required="no" >}}

The JSON Web Token Algorithm used to sign the JWT. Must be HS256, HS384, or HS512.
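To make the three options above concrete, here is an added, stand-alone illustration (not Authelia's own code) of how an HMAC-signed JWT with a lifespan is issued and verified: the algorithm is pinned to the configured value rather than read from the token, the signature is compared in constant time, and a token past its `exp` is rejected. The function names, the sample secret and the fixed timestamps are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# jwt_algorithm -> HMAC hash function; any other value is rejected before use.
ALGORITHMS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret, subject, lifespan_s=300, algorithm="HS256", now=None):
    """Build a compact JWS (header.claims.signature) whose exp is iat + jwt_lifespan."""
    if algorithm not in ALGORITHMS:
        raise ValueError("jwt_algorithm must be HS256, HS384 or HS512")
    now = int(time.time()) if now is None else now
    def compact(obj):
        return _b64(json.dumps(obj, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": now, "exp": now + lifespan_s}
    signing_input = compact({"alg": algorithm, "typ": "JWT"}) + "." + compact(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), ALGORITHMS[algorithm]).digest()
    return signing_input + "." + _b64(sig)

def verify_token(secret, token, algorithm="HS256", now=None):
    """Return the claims if the signature and lifespan check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        signature = _unb64(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    # The expected algorithm comes from configuration, never from the token's own header.
    if algorithm not in ALGORITHMS or not isinstance(header, dict) or header.get("alg") != algorithm:
        raise ValueError("algorithm mismatch")
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(), ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("invalid signature")
    claims = json.loads(_unb64(claims_b64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def is_valid(secret, token, algorithm="HS256", now=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(secret, token, algorithm, now)
        return True
    except ValueError:
        return False
```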