website/docs/users-sources/user/password_reset_on_login.mdx
You can require users to reset their password on their next login, using expression policies, custom stages, and a custom user attribute. This guide explains how to configure this with the default-authentication-flow; however, the same steps apply to any authentication flow.
Configuring forced password reset on next login involves the following steps:
1. Creating two expression policies.
2. Creating and binding two stages to the active authentication flow.
3. Binding the expression policies to the stages.
4. Setting a custom user attribute which triggers the password prompt.
You'll need to create two expression policies: one that checks the value of a custom user attribute on the user account attempting to log in, and another that resets the value of that custom user attribute once the password has been changed.
Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Customization > Policies and click Create to set up the first policy.
Select Expression Policy as the policy type, click Next, and configure the following settings:
Name: Provide a descriptive name for the policy (e.g. reset_password_check).
Expression:
```python
# Check if the "reset_password" attribute is set to true for the pending user
if request.context["pending_user"].attributes.get("reset_password") == True:
    return True
return False
```
Click Finish to save the first policy, then repeat the steps to create the second policy using the following settings:
Name: Provide a descriptive name for the policy (e.g. reset_password_update).
Expression:
```python
# Check if the "reset_password" attribute is set to true for the pending user
if request.context["pending_user"].attributes.get("reset_password") == True:
    # Reset the "reset_password" attribute to false to prevent forcing a password reset on next login
    request.context["pending_user"].attributes["reset_password"] = False
    return True
return False
```
Click Finish.
You'll need to create two stages: a Prompt stage to prompt the user to enter a new password, and a User Write stage to update the user's account with the new password. Both stages need to be bound to the active authentication flow, typically the default-authentication-flow.
1. Open the default-authentication-flow and create a new stage binding with a Prompt stage, configuring the following settings:
   - Name: Provide a descriptive name for the stage (e.g. Force Password Reset Prompt Stage).
   - Fields: Click the x icon between Available Fields and Selected Fields to clear the selections, then select default-password-change-field-password and default-password-change-field-password-repeat.
   - Validation Policies: Click the x icon between Available Policies and Selected Policies to clear the selections, then select default-password-change-policy.

   :::tip
   Optionally, you can create and add a text field to the prompt stage to inform users that they are required to reset their password. For more details on configuring this, refer to the Prompt Stage documentation.
   :::

2. Click Next to create the stage and then configure the following settings for the binding:
   - Order: 25 or any number higher than the default-authentication-password stage order and lower than the default-authentication-mfa-validation stage order.

3. Click Finish to create the binding and repeat the process for the second stage, a User Write stage, using the following settings:
   - Name: Provide a descriptive name for the stage (e.g. Force Password Reset User Write Stage).

4. Click Next to create the stage and then configure the following settings for the binding:
   - Order: 26 or any number higher than the Force Password Reset Prompt Stage stage order and lower than the default-authentication-mfa-validation stage order.

5. Click Finish to create the binding.
You will need to bind the previously created policies to the newly created stages. Specifically:
- The `reset_password_check` policy needs to be bound to the `Force Password Reset Prompt Stage`.
- The `reset_password_update` policy needs to be bound to the `Force Password Reset User Write Stage`.
1. Open the default-authentication-flow and go to its stage bindings.
2. Click Force Password Reset Prompt Stage to expand it, select reset_password_check as the policy to bind, and click Create.
3. Click Force Password Reset User Write Stage to expand it, select reset_password_update as the policy to bind, and click Create.

To require a user to reset their password on next login, you will need to set a custom user attribute on their account. Edit the user's attributes and add the following:
```yaml
reset_password: True
```
The next time the user logs in, they will be required to reset their password, and the reset_password attribute on their account will be set to False.
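The following harness is an added example, not code from the authentik documentation or the authentik project: it runs the two expression policies from this guide against constructed stand-ins for the pending user and the policy `request` object (`make_user`, `make_request` and `simulate_login` are assumed helpers), so you can verify the check-then-clear behaviour, including the cases where the attribute is absent or stored as a string, before binding the policies to a live flow.

```python
# Added example (not authentik's own code): evaluate the two expression policies
# from this guide against a constructed stand-in for request.context.
from types import SimpleNamespace

def make_user(username, **attributes):
    """Constructed stand-in for an authentik User with its attributes dict."""
    return SimpleNamespace(username=username, attributes=dict(attributes))

def make_request(pending_user):
    """Constructed stand-in for the `request` object a policy receives."""
    return SimpleNamespace(context={"pending_user": pending_user})

def reset_password_check(request):
    # Same expression as the reset_password_check policy, bound to the Prompt
    # stage: the stage runs only when the flag is the boolean True.
    if request.context["pending_user"].attributes.get("reset_password") == True:
        return True
    return False

def reset_password_update(request):
    # Same expression as the reset_password_update policy, bound to the User
    # Write stage: clears the flag in memory; the User Write stage then saves
    # the user, which is what persists the change.
    if request.context["pending_user"].attributes.get("reset_password") == True:
        request.context["pending_user"].attributes["reset_password"] = False
        return True
    return False

def simulate_login(user):
    """Evaluate the bindings in flow order; return (prompted, flag_after)."""
    req = make_request(user)
    prompted = reset_password_check(req)
    if prompted:
        # The User Write stage (and its policy) is only reached after the
        # Prompt stage has run.
        reset_password_update(req)
    return prompted, user.attributes.get("reset_password")

if __name__ == "__main__":
    alice = make_user("alice", reset_password=True)
    print(simulate_login(alice))  # (True, False): prompted, flag cleared
    print(simulate_login(alice))  # (False, False): not prompted again
    print(simulate_login(make_user("bob")))  # (False, None): flag never set
    # A quoted "True" is a string, not a boolean, and does not trigger a reset.
    print(simulate_login(make_user("carol", reset_password="True")))  # (False, 'True')
```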