website/docs: document the Password Uniqueness Policy

[verkaufer]

Relates to #10631

Details

Introduces public documentation for the Unique Password Policy feature added by #10631

Documentation changes were move into a separate PR to keep feedback conversations focused on the specific changes.

👉 This PR should not be merged before #10631.

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	ae05509
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/66c6b1bb2d094f0008db494b
😎 Deploy Preview	https://deploy-preview-11000--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	ae05509
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/66c6b1bb05be5a0008f7edfe
😎 Deploy Preview	https://deploy-preview-11000--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[kensternberg-authentik]

A few language changes to help people be aware of the mechanics. I feel a solid mental model helps people feel more confident about the reliability of a system.

[kensternberg-authentik]

I think this reads awkwardly. Suggestion: "This policy allows admins to specify how many previous password hashes should be kept to prevent re-use. By default, the password history depth is zero, permitting users to re-use any previous password."

[kensternberg-authentik]

(Correct me if the default is wrong. I took that number from https://github.com/goauthentik/authentik/pull/10631/files#diff-cbb45e894de9c1957d2289a8301eaecdcef3ecd580a35d4fefba93f50441b398R30)

[verkaufer]

I like that rephrasing a lot more and I'll get that changed!

The UI displays 1 as the default, which I can change to be 0 (I figured if you're setting up a the policy you want it to actually do something 😅 ). Is there a preference?

[tanberry]

Agree about defaulting to 1, from a usability perspective. Also zeros can be unnerving, lol.

[kensternberg-authentik]

Suggestion: "When the policy succeeds, the user's current password hash is copied into the password history. Passwords hashes are removed, oldest first, from the user's password history if it has more entries than the current depth setting."

[verkaufer]

👍 Much cleaner

We could note if more than one Password Uniqueness Policy is bound & active anywhere in authentik, then the system maintains a history depth equal to the greatest configured depth of all Password Uniqueness Policies.

e.g. I create 2 copies of a Password Uniqueness Policy. I configure one policy with a depth of 1, and another with a depth of 10. authentik will maintain 10 old password hashes.

It's a minor detail and probably only important for someone wanting to fully understand how many old hashes are stored. I'll leave it up to you & @tanberry whether we include that.

[tanberry]

Ah, I remember you telling me about this. Yes I think we should indeed include this info in the docs. I predict it will avoid a few GitHub Issues in the future, where people ask what-the-heck.

I think that will also help people understand that there can be multiple instances on a policy.

[tanberry]

Thanks @verkaufer for the docs! I agree with Ken's rewordings ( I almost always like them more than my own), and then I caught one typo, but looks great otherwise!

I'm pre-approving just so that I am not the blocker when you/we are ready to merge this.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.76%. Comparing base (b6cf889) to head (ae05509).
Report is 1528 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11000      +/-   ##
==========================================
+ Coverage   92.69%   92.76%   +0.07%     
==========================================
  Files         736      736              
  Lines       36360    36360              
==========================================
+ Hits        33703    33729      +26     
+ Misses       2657     2631      -26     

Flag	Coverage Δ
e2e	49.28% <ø> (+0.10%)	⬆️
integration	25.05% <ø> (ø)
unit	90.23% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[melizeche]

close for #13686