Password Authentication
Password authentication is the default auth_mode. Users provide a username and password on the login page, which Autentico validates before issuing an authorization code.
How it works
- The user is redirected to `/oauth2/authorize` with the standard OAuth2 parameters
- Autentico renders the login page
- The user submits their credentials via `POST /oauth2/login`
- Autentico validates the credentials, checks for account lockout, and either:
  - Issues an MFA challenge (if `mfa_enabled` is true), or
  - Issues an authorization code and redirects back to the client
Password storage
Passwords are hashed with bcrypt before storage. The plaintext password is never stored or logged.
Account lockout
After a configurable number of consecutive failed login attempts, the account is temporarily locked. See Account Lockout for configuration details.
Validation rules
Username and password validation rules are enforced at registration and can be configured via runtime settings:
| Setting | Default | Description |
|---|---|---|
| `validation_min_username_length` | 4 | Minimum username length |
| `validation_max_username_length` | 64 | Maximum username length |
| `validation_min_password_length` | 6 | Minimum password length |
| `validation_max_password_length` | 64 | Maximum password length |
| `validation_username_is_email` | false | Require username to be a valid email format |
| `validation_email_required` | false | Require email field at registration |
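The example below is added here and is not Autentico's own code: it models the validation rules from the table above (with their documented defaults) and the decision made in the last step of the login flow (lockout check, credential check, then MFA challenge or authorization code). The `Account` fields, `max_failed_attempts`, the error codes and the outcome strings are assumed names for illustration; `demo_hash`/`demo_verify` stand in for bcrypt only so the snippet runs without dependencies.

```python
import hashlib, hmac, re
from dataclasses import dataclass
# Runtime settings from the validation-rules table, at their documented defaults.
DEFAULTS = {
    "validation_min_username_length": 4, "validation_max_username_length": 64,
    "validation_min_password_length": 6, "validation_max_password_length": 64,
    "validation_username_is_email": False, "validation_email_required": False,
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified email-shape check

def validate_registration(username, password, email=None, settings=None):
    """Return the rules the input violates; an empty list means registration may proceed."""
    s = {**DEFAULTS, **(settings or {})}
    errors = []
    if not s["validation_min_username_length"] <= len(username) <= s["validation_max_username_length"]:
        errors.append("username_length")
    if not s["validation_min_password_length"] <= len(password) <= s["validation_max_password_length"]:
        errors.append("password_length")
    if s["validation_username_is_email"] and not EMAIL_RE.match(username):
        errors.append("username_not_email")
    if s["validation_email_required"] and not (email and EMAIL_RE.match(email)):
        errors.append("email_required")
    return errors

def demo_hash(password):
    # Stand-in for bcrypt so the example runs without dependencies; not a real password hash.
    return hashlib.sha256(password.encode()).hexdigest()

def demo_verify(password, stored_hash):
    return hmac.compare_digest(demo_hash(password), stored_hash)

@dataclass
class Account:
    password_hash: str          # only the hash is stored, never the plaintext
    mfa_enabled: bool = False
    failed_attempts: int = 0
    locked: bool = False

def login_outcome(account, password, max_failed_attempts=5, verify=demo_verify):
    """Step 4 of the flow: lockout check, credential check, then MFA challenge or code."""
    if account.locked:
        return "locked"
    if not verify(password, account.password_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= max_failed_attempts:
            account.locked = True        # temporary lock; expiry is not modelled here
            return "locked"
        return "invalid_credentials"
    account.failed_attempts = 0          # a successful login resets the consecutive-failure count
    return "mfa_challenge" if account.mfa_enabled else "authorization_code"
```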