File
Authelia supports a file based first factor user provider. This section describes configuring this.
On this page
Configuration
authentication_backend:
file:
path: /config/users.yml
watch: false
search:
email: false
case_insensitive: false
password:
algorithm: argon2
argon2:
variant: argon2id
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
scrypt:
iterations: 16
block_size: 8
parallelism: 1
key_length: 32
salt_length: 16
pbkdf2:
variant: sha512
iterations: 310000
salt_length: 16
sha2crypt:
variant: sha512
iterations: 50000
salt_length: 16
bcrypt:
variant: standard
cost: 12
Options
This section describes the individual configuration options.
path
The path to the file with the user details list. Supported file types are:
watch
Enables reloading the database by watching it for changes.
search
Username searching functionality options.
Important Note: This functionality is experimental.
Allows users to login using their email address. If enabled two users must not have the same emails and their usernames must not be an email.
Note: Emails are always checked using case-insensitive lookup.
case_insensitive
Enabling this search option allows users to login with their username regardless of case. If enabled users must only have lowercase usernames.
Note: Emails are always checked using case-insensitive lookup.
Password Options
A reference guide exists specifically for choosing password hashing values. This section contains far more information than is practical to include in this configuration document. See the Passwords Reference Guide for more information.
This guide contains examples such as the User / Password File.
algorithm
Controls the hashing algorithm used for hashing new passwords. Value must be one of:
argon2
for the Argon2 algorithmscrypt
for the Scrypt algorithmpbkdf2
for the PBKDF2 algorithmsha2crypt
for the SHA2Crypt algorithmbcrypt
for the Bcrypt algorithm
argon2
The Argon2 algorithm implementation. This is one of the only algorithms that was designed purely with password hashing in mind and is subsequently one of the best algorithms to date for security.
variant
Controls the variant when hashing passwords using Argon2. Recommended argon2id
.
Permitted values argon2id
, argon2i
, argon2d
.
iterations
Controls the number of iterations when hashing passwords using Argon2.
memory
Controls the amount of memory in kibibytes when hashing passwords using Argon2.
parallelism
Controls the parallelism factor when hashing passwords using Argon2.
key_length
Controls the output key length when hashing passwords using Argon2.
salt_length
Controls the output salt length when hashing passwords using Argon2.
scrypt
The Scrypt algorithm implementation.
iterations
Controls the number of iterations when hashing passwords using Scrypt.
block_size
Controls the block size when hashing passwords using Scrypt.
parallelism
Controls the parallelism factor when hashing passwords using Scrypt.
key_length
Controls the output key length when hashing passwords using Scrypt.
salt_length
Controls the output salt length when hashing passwords using Scrypt.
pbkdf2
The PBKDF2 algorithm implementation.
variant
Controls the variant when hashing passwords using PBKDF2. Recommended sha512
.
Permitted values sha1
, sha224
, sha256
, sha384
, sha512
.
iterations
Controls the number of iterations when hashing passwords using PBKDF2.
salt_length
Controls the output salt length when hashing passwords using PBKDF2.
sha2crypt
The SHA2 Crypt algorithm implementation.
variant
Controls the variant when hashing passwords using SHA2 Crypt. Recommended sha512
.
Permitted values sha256
, sha512
.
iterations
Controls the number of iterations when hashing passwords using SHA2 Crypt.
salt_length
Controls the output salt length when hashing passwords using SHA2 Crypt.
bcrypt
The Bcrypt algorithm implementation.
variant
Controls the variant when hashing passwords using Bcrypt. Recommended standard
.
Permitted values standard
, sha256
.
Important Note: The sha256
variant is a special variant designed by
Passlib. This variant passes the
password through a SHA256 HMAC before passing it to the Bcrypt algorithm, effectively bypassing the 72 byte password
truncation that Bcrypt does. It is not supported by many other systems.
cost
Controls the hashing cost when hashing passwords using Bcrypt.