authentik/website/docs/policies/index.md

---
title: Overview
---

## Event-matcher policy

This policy is used by the events subsystem. You can use this policy to match events by multiple different criteria, to choose when you get notified.

## Expression Policy

See [Expression Policy](expression.mdx).

## Have I Been Pwned Policy

:::info
This policy is deprecated since authentik 2022.11.0, as this can be done with the password policy now.
:::
This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.

## Password-Expiry Policy

This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password.

## Password Policy

This policy allows you to specify password rules, such as length and required characters.
The following rules can be set:

-   Minimum amount of uppercase characters.
-   Minimum amount of lowercase characters.
-   Minimum amount of symbols characters.
-   Minimum length.
-   Symbol charset (define which characters are counted as symbols).

Starting with authentik 2022.11.0, the following checks can also be done with this policy:

-   Check the password hash against the database of [Have I Been Pwned](https://haveibeenpwned.com/). Only the first 5 characters of the hashed password are transmitted, the rest is compared in authentik
-   Check the password against the password complexity checker [zxcvbn](https://github.com/dropbox/zxcvbn), which detects weak password on various metrics.

## Reputation Policy

authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).

This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue.

To make sure this policy is executed correctly, set `Re-evaluate policies` when using it with a flow.
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`---`
website/docs: add azure ad docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-01 14:56:24 +00:00			`title: Overview`
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`---`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
outposts: set cookies for a domain to authenticate an entire domain (#971) * outposts: initial cookie domain implementation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add cookie domain setting Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: replace forward_auth_mode with general mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: rebuild proxy provider form Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: re-add forward_auth_mode for backwards compat Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix data.mode not being set Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * root: always set log level to debug when testing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: use new mode attribute Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: only ingress /akprox on forward_domain Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: fix lint error Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix error on ProxyProviderForm when not using proxy mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix default for outpost form's type missing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add additional desc for proxy modes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts: fix service account permissions not always being updated Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost/proxy: fix redirecting to incorrect host for domain mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: improve error handling for network errors Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost: fix image naming not matching main imaeg Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: fix redirects for domain mode and traefik Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: fix colour for paragraphs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix consent stage not showing permissions correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: add domain-level docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: fix broken links Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: remove dead code Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix missing id for #header-text Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-08 21:10:17 +00:00			`## Event-matcher policy`

			`This policy is used by the events subsystem. You can use this policy to match events by multiple different criteria, to choose when you get notified.`

outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			`## Expression Policy`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			`See [Expression Policy](expression.mdx).`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			`## Have I Been Pwned Policy`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
policies/password: merge hibp add zxcvbn (#4001) * initial zxcvbn Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api and port tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api diff Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-11-14 13:42:43 +00:00			`:::info`
			`This policy is deprecated since authentik 2022.11.0, as this can be done with the password policy now.`
			`:::`
outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			`This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			`## Password-Expiry Policy`

			`This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password.`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
website/docs: fix website build Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-29 20:00:47 +00:00			`## Password Policy`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
docs(terminology.md): clarity & capitalisation 2020-06-18 18:27:20 +00:00			`This policy allows you to specify password rules, such as length and required characters.`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00			`The following rules can be set:`

website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`- Minimum amount of uppercase characters.`
			`- Minimum amount of lowercase characters.`
			`- Minimum amount of symbols characters.`
			`- Minimum length.`
			`- Symbol charset (define which characters are counted as symbols).`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
policies/password: merge hibp add zxcvbn (#4001) * initial zxcvbn Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api and port tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api diff Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-11-14 13:42:43 +00:00			`Starting with authentik 2022.11.0, the following checks can also be done with this policy:`

			`- Check the password hash against the database of [Have I Been Pwned](https://haveibeenpwned.com/). Only the first 5 characters of the hashed password are transmitted, the rest is compared in authentik`
			`- Check the password against the password complexity checker [zxcvbn](https://github.com/dropbox/zxcvbn), which detects weak password on various metrics.`

outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			`## Reputation Policy`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			`authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).`
outposts: set cookies for a domain to authenticate an entire domain (#971) * outposts: initial cookie domain implementation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add cookie domain setting Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: replace forward_auth_mode with general mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: rebuild proxy provider form Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: re-add forward_auth_mode for backwards compat Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix data.mode not being set Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * root: always set log level to debug when testing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: use new mode attribute Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: only ingress /akprox on forward_domain Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: fix lint error Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix error on ProxyProviderForm when not using proxy mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix default for outpost form's type missing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add additional desc for proxy modes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts: fix service account permissions not always being updated Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost/proxy: fix redirecting to incorrect host for domain mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: improve error handling for network errors Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost: fix image naming not matching main imaeg Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: fix redirects for domain mode and traefik Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: fix colour for paragraphs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix consent stage not showing permissions correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: add domain-level docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: fix broken links Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: remove dead code Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix missing id for #header-text Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-08 21:10:17 +00:00
outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			`This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue.`
outposts: set cookies for a domain to authenticate an entire domain (#971) * outposts: initial cookie domain implementation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add cookie domain setting Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: replace forward_auth_mode with general mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: rebuild proxy provider form Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: re-add forward_auth_mode for backwards compat Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix data.mode not being set Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * root: always set log level to debug when testing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: use new mode attribute Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: only ingress /akprox on forward_domain Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: fix lint error Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix error on ProxyProviderForm when not using proxy mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix default for outpost form's type missing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: add additional desc for proxy modes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts: fix service account permissions not always being updated Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost/proxy: fix redirecting to incorrect host for domain mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: improve error handling for network errors Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost: fix image naming not matching main imaeg Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: fix redirects for domain mode and traefik Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: fix colour for paragraphs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix consent stage not showing permissions correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: add domain-level docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * website/docs: fix broken links Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts/proxy: remove dead code Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/flows: fix missing id for #header-text Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-08 21:10:17 +00:00
outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-19 13:24:51 +00:00			To make sure this policy is executed correctly, set `Re-evaluate policies` when using it with a flow.