Builtin password authentication
The builtin auth provider manages user accounts inside Sourcegraph. It supports user signup, login, and password reset. This is the simplest provider type to set up, and it is the default auth provider on a fresh installation so that the first user can create an account and become site admin.
Use this auth provider if you have no organizational requirement to use an SSO provider.
When enabled, users will be able to log in with a username/password combination from the login screen.
Signup can be allowed for all users, the site admin can provision accounts, or new users can request an account.
If Sourcegraph is running on a free license, all users will be created as site admins. Learn more about license settings on our pricing page.
Enabling this authentication provider
Add the following section to your site configuration:
```json
{
  "auth.providers": [
    {
      "type": "builtin",
      "allowSignup": false
    }
  ]
}
```
Users can now log in using their username/password credentials. See below for how users can get an account.
Allow all new users to sign up to your Sourcegraph instance
You can use the `allowSignup` setting to control whether new users can create an account in your Sourcegraph instance.
If set to `true`, users will see a sign-up link under the login form and will have access to the sign-up page, where they can create their accounts.
If enabled, new users can create an account through this form and log in to Sourcegraph right away.
Allow new users to request an account
When `allowSignup` is not set, or is set to `false`, users will see a request account link instead.
If you block sign-ups using the `allowSignup` flag, note that this applies only to the builtin auth provider. Other auth providers you configure (e.g., GitHub OAuth or GitLab OAuth) may still allow new user accounts to be created, depending on the `allowSignup` flag in those auth provider configurations.
New users can submit a form, and site admins will see the request in the navbar on the instance, where they can approve or reject it.
Disable account requests from users
The account request feature can be disabled by setting `"auth.accessRequest": { "enabled": false }`. When disabled, new user accounts can only be created manually by the site admin.
Creating builtin authentication users
Users can be created for builtin password authentication in several ways:
- through the site admin page `/site-admin/users/new`
- through users signing up
- through the `createUser` mutation in the GraphQL API
- through `src users create`
When SMTP is enabled, special behaviour applies to whether a builtin authentication user's email is marked as verified by default; refer to email verification for more details.
Account lockout
Password reset links expire after 4 hours by default; this can be configured in site configuration with the `auth.passwordResetLinkExpiry` field.
For the builtin authentication provider, an account will be locked out for 30 minutes after 5 consecutive failed sign-in attempts within one hour. The threshold, the lockout duration and the consecutive period can be customized via `"auth.lockout"` in the site configuration:
```json
{
  // ...
  "auth.lockout": {
    // The number of seconds to be considered as a consecutive period
    "consecutivePeriod": 3600,
    // The threshold of failed sign-in attempts in a consecutive period
    "failedAttemptThreshold": 5,
    // The number of seconds for the lockout period
    "lockoutPeriod": 1800
  }
}
```
To enable self-serve account unlock through email, add the following lines to your site configuration:
```json
{
  // Validity, in minutes, of the unlock account token
  "auth.unlockAccountLinkExpiry": 30,
  // Base64-encoded HMAC signing key used to sign the JWT in account unlock URLs
  "auth.unlockAccountLinkSigningKey": "your-signing-key"
}
```
The `ssh-keygen` command can be used to generate and encode the signing key, for example:
```bash
$ ssh-keygen -t ed25519 -a 128 -f auth.unlockAccountLinkSigningKey
$ base64 auth.unlockAccountLinkSigningKey | tr -d '\n'
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJu...
```
Paste the result of the `base64` command as the value of `"auth.unlockAccountLinkSigningKey"`.