Builtin password authentication

The builtin auth provider manages user accounts inside Sourcegraph. It supports user signup, login, and password reset. This is the simplest provider type to set up, and is the default auth provider on a fresh installation for the first user so they can create an account and become site admin.

Use this auth provider, if you have no organizational requirements to use a SSO provider.

When enabled, users will be able to login using username/password combinations from the login screen.

Signup can either be allowed to all users, the site admin can provision accounts, or new users can request an account.

Enabling this authentication provider

Add the following section to your site configuration:

JSON
{
  "auth.providers": [
    {
      "type": "builtin",
      "allowSignup": false
    }
  ]
}

Users can now login using their username/password credentials. See below for how users can get an account.

Allow all new users to sign up to your Sourcegraph instance

You can use the setting allowSignup to control if new users can create an account in your Sourcegraph instance.

If set to true, users will see a sign-up link under the login form and will have access to the sign-up page, where they can create their accounts.

If enabled, new users can create a new account through this form, and log in to Sourcegraph right away.

Allow new users to request an account

When allowSignup is not set, or set to false, users will see a request account link instead.

New users can submit a form and site admins will see the request in the navbar on the instance, where they can approve or reject the requests.

Disable account requests from users

The account request feature can be disabled by setting "auth.accessRequest": { "enabled": false }. When disabled, new user accounts can only be created by the site admin manually.

Creating builtin authentication users

Users can be created for builtin password authentication in several ways:

• through the site admin page /site-admin/users/new
• through users signing up
• through the createUser mutation in the GraphQL API
• through src users create

When SMTP is enabled, special behaviours apply to whether a builtin authentication user's email is marked as verified by default - refer to email verification for more details.

Account lockout

Password reset links expire after 4 hours by default - this can be configured in site configuration with the auth.passwordResetLinkExpiry field.

Account will be locked out for 30 minutes after 5 consecutive failed sign-in attempts within one hour for the builtin authentication provider. The threshold and duration of lockout and consecutive periods can be customized via "auth.lockout" in the site configuration:

JSON
{
  // ...
  "auth.lockout": {
    // The number of seconds to be considered as a consecutive period
    "consecutivePeriod": 3600,
    // The threshold of failed sign-in attempts in a consecutive period
    "failedAttemptThreshold": 5,
    // The number of seconds for the lockout period
    "lockoutPeriod": 1800
  }
}

To enabled self-serve account unlock through emails, add the following lines to your site configuration:

JSON
{
  // Validity expressed in minutes of the unlock account token
  "auth.unlockAccountLinkExpiry": 30,
  // Base64-encoded HMAC signing key to sign the JWT token for account unlock URLs
  "auth.unlockAccountLinkSigningKey": "your-signing-key",
}

The ssh-keygen command can be used to generate and encode the signing key, for example:

BASH
$ ssh-keygen -t ed25519 -a 128 -f auth.unlockAccountLinkSigningKey
$ base64 auth.unlockAccountLinkSigningKey | tr -d '\n'
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJu...

Paste the result of the base64 command as the value of "auth.unlockAccountLinkSigningKey".