mirror of
https://github.com/goauthentik/authentik
synced 2026-04-27 18:07:15 +02:00
website/docs: improve creds recovery docs (#18385)
* Updates doc * Fix links * Typo * Email link update * Update website/docs/users-sources/user/user_basic_operations.md Co-authored-by: Dominic R <dominic@sdko.org> Signed-off-by: Dewi Roberts <dewi@goauthentik.io> --------- Signed-off-by: Dewi Roberts <dewi@goauthentik.io> Co-authored-by: Dominic R <dominic@sdko.org>
This commit is contained in:
Dewi Roberts
@@ -10,7 +10,7 @@ The following topics are for the basic management of users: how to create, modif
|
||||
|
||||
> If you want to automate user creation, you can do that either by [invitations](./invitations.md), [`user_write` stage](../../add-secure-apps/flows-stages/stages/user_write.md), or [using the API](/api/reference/core-users-create).
|
||||
|
||||
1. In the Admin interface of your authentik instance, select **Directory > Users** in the left side menu.
|
||||
1. In the Admin interface of your authentik instance, select **Directory** > **Users** in the left side menu.
|
||||
2. Select the folder where you want to create a user.
|
||||
3. Click **Create** (for a default user).
|
||||
4. Fill in the required fields:
|
||||
@@ -57,7 +57,7 @@ You can create advanced queries to locate specific users within the list shown u
|
||||
|
||||
## View user details
|
||||
|
||||
In the **Directory > Users** menu of the Admin interface, you can browse all the users in your authentik instance.
|
||||
In the **Directory** > **Users** menu of the Admin interface, you can browse all the users in your authentik instance.
|
||||
|
||||
To view details about a specific user:
|
||||
|
||||
@@ -66,19 +66,18 @@ To view details about a specific user:
|
||||
This takes you to the **Overview** tab, with basic information about the user, and also quick access to perform basic actions to the user.
|
||||
|
||||
2. To see further details, click any of the other tabs:
|
||||
|
||||
- **Session** shows the active sessions established by the user. If there is any need, you can clean up the connected devices for a user by selecting the device(s) and then clicking **Delete**. This forces the user to authenticate again on the deleted devices.
|
||||
- **Groups** allows you to manage the group membership of the user. You can find more details on [groups](../groups/index.mdx).
|
||||
- **User events** displays all the events generated by the user during a session, such as login, logout, application authorisation, password reset, user info update, etc.
|
||||
- **Explicit consent** lists all the permissions the user has given explicitly to an application. Entries will only appear if the user is validating an [explicit consent flow in an OAuth2 provider](../../add-secure-apps/providers/oauth2/index.mdx). If you want to delete the explicit consent (because the application is requiring new permissions, or the user has explicitly asked to reset his consent on third-party apps), select the applications and click **Delete**. The user will be asked to again give explicit consent to share information with the application.
|
||||
- **OAuth Refresh Tokens** lists all the OAuth tokens currently distributed. You can remove the tokens by selecting the applications and then clicking **Delete**.
|
||||
- **MFA Authenticators** shows all the authentications that the user has registered to their user profile. You can remove the tokens if the user has lost their authenticator and want to enroll a new one.
|
||||
- **Session** shows the active sessions established by the user. If there is any need, you can clean up the connected devices for a user by selecting the device(s) and then clicking **Delete**. This forces the user to authenticate again on the deleted devices.
|
||||
- **Groups** allows you to manage the group membership of the user. You can find more details on [groups](../groups/index.mdx).
|
||||
- **User events** displays all the events generated by the user during a session, such as login, logout, application authorisation, password reset, user info update, etc.
|
||||
- **Explicit consent** lists all the permissions the user has given explicitly to an application. Entries will only appear if the user is validating an [explicit consent flow in an OAuth2 provider](../../add-secure-apps/providers/oauth2/index.mdx). If you want to delete the explicit consent (because the application is requiring new permissions, or the user has explicitly asked to reset his consent on third-party apps), select the applications and click **Delete**. The user will be asked to again give explicit consent to share information with the application.
|
||||
- **OAuth Refresh Tokens** lists all the OAuth tokens currently distributed. You can remove the tokens by selecting the applications and then clicking **Delete**.
|
||||
- **MFA Authenticators** shows all the authentications that the user has registered to their user profile. You can remove the tokens if the user has lost their authenticator and want to enroll a new one.
|
||||
|
||||
## Modify a user
|
||||
|
||||
After the creation of the user, you can edit any parameter defined during the creation.
|
||||
|
||||
To modify a user object, go to **Directory > Users**, and click the edit icon beside the name. You can also go into [user details](#view-user-details), and click **Edit**.
|
||||
To modify a user object, go to **Directory** > **Users**, and click the edit icon beside the name. You can also go into [user details](#view-user-details), and click **Edit**.
|
||||
|
||||
## Assign, modify, or remove permissions for a user
|
||||
|
||||
@@ -88,36 +87,53 @@ For more information, review ["Permissions"](../access-control/permissions.md).
|
||||
|
||||
## Add a user to a group
|
||||
|
||||
1. To add a user to a group, navigate to **Directory > Users** to display all users.
|
||||
1. To add a user to a group, navigate to **Directory** > **Users** to display all users.
|
||||
2. Click the name of the user to display the full user details page.
|
||||
3. Click the **Groups** tab, and then click either **Add to existing group** or **Add to new group**.
|
||||
|
||||
## User credentials recovery
|
||||
|
||||
If a user has lost their credentials, there are several options.
|
||||
If a user has lost their credentials and needs to recover their account, there are two available options:
|
||||
|
||||
### Generate a recovery link
|
||||
1. Create a recovery link and send it to the user
|
||||
2. Have authentik send the user a recovery email
|
||||
|
||||
:::info
|
||||
This option is only available if a default recovery flow was configured for the currently active brand.
|
||||
Both options require you to configure a recovery flow and set it as the **Default recovery flow** for the active brand.
|
||||
|
||||
### Configure a recovery flow
|
||||
|
||||
To get started, you can [import](../../add-secure-apps/flows-stages/flow/index.md#import-or-export-a-flow) this example flow: [Recovery with email verification flow](../../add-secure-apps/flows-stages/flow/examples/flows.md#recovery-with-email-verification)
|
||||
|
||||
Then, set this as the default recovery flow for the active brand:
|
||||
|
||||
1. In the Admin interface, navigate to **System** > **Brands**, and select the active brand.
|
||||
2. Under **Default flows**, set **Recovery flow** to the imported recovery flow: `default-recovery-flow`.
|
||||
3. Click **Update**.
|
||||
|
||||
Now that you've configured a recovery flow, you can select one of the following options:
|
||||
|
||||
### 1. Create a recovery link
|
||||
|
||||
:::info Email stage not required
|
||||
The example recovery flow includes an email stage. However, if you're manually sending the recovery link to the user, this email stage is not required and can be removed.
|
||||
:::
|
||||
|
||||
1. In the Admin interface, navigate to **Directory > Users** to display all users.
|
||||
2. Either click the name of the user to display the full User details page, or click the chevron (the › symbol) beside their name to expand the options.
|
||||
3. To generate a recovery link, which you can then copy and paste into an email, click **Create recovery link**.
|
||||
1. In the Admin interface, navigate to **Directory** > **Users** to display all users.
|
||||
2. Click the name of the user to display the full User details page.
|
||||
3. To generate a recovery link, which you can then send to the user, click **Create recovery link**.
|
||||
|
||||
A pop-up will appear on your browser with the link for you to copy and to send to the user.
|
||||
|
||||
### Email a recovery link
|
||||
### 2. Email a recovery link
|
||||
|
||||
:::info
|
||||
This option is only available if a default recovery flow was configured for the currently active brand and if the configured flow has an [Email Stage](../../add-secure-apps/flows-stages/stages/email/index.mdx) bound to it.
|
||||
:::info Email stage required
|
||||
This option is only available if the default recovery flow has an [Email Stage](../../add-secure-apps/flows-stages/stages/email/index.mdx) bound to it. The example recovery flow includes an email stage.
|
||||
:::
|
||||
|
||||
You can send a link with the URL for the user to reset their password via Email. This option will only work if you have properly [configured a SMTP server during the installation](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended) and set an email address for the user.
|
||||
You can send a link with the URL for the user to reset their password via Email. This option will only work if you have [configured email](../../install-config/email.mdx) and set an email address for the user.
|
||||
|
||||
1. In the Admin interface, navigate to **Directory > Users** to display all users.
|
||||
2. Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the options.
|
||||
1. In the Admin interface, navigate to **Directory** > **Users** to display all users.
|
||||
2. Click the name of the user to display the full User details page.
|
||||
3. To send the email to the user, click **Email recovery link**.
|
||||
|
||||
If the user does not receive the email, check if the mail server parameters [are properly configured](../../troubleshooting/emails.md).
|
||||
@@ -126,7 +142,7 @@ If the user does not receive the email, check if the mail server parameters [are
|
||||
|
||||
As an Admin, you can simply reset the password for the user.
|
||||
|
||||
1. In the Admin interface, navigate to **Directory > Users** to display all users.
|
||||
1. In the Admin interface, navigate to **Directory** > **Users** to display all users.
|
||||
2. Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the options.
|
||||
3. To reset the user's password, click **Reset password**, and then define the new value.
|
||||
|
||||
@@ -155,7 +171,7 @@ The user list refreshes and no longer displays the removed users.
|
||||
|
||||
With authentik, an Admin can impersonate a user, meaning that the Admin temporarily assumes the identity of the user.
|
||||
|
||||
1. In the Admin interface, navigate to **Directory > Users** to display all users.
|
||||
1. In the Admin interface, navigate to **Directory** > **Users** to display all users.
|
||||
2. Click the name of the user to display the full User details page.
|
||||
3. On the Overview tab, beneath **User Details**, in the **Actions** area, click **Impersonate**.
|
||||
4. At the prompt, provide a reason why you are impersonating this user, and then click **Impersonate**.
|
||||
|
||||
Reference in New Issue
Block a user