core: Expose password hashes in the user list API Endpoint

[josegomezr]

Details

Return the stored password hash in the user list API endpoint.

The field will only appear if:

• The query string include_password=true is provided in the request
• The current user has the authentik_core.view_password_hashes permission.

Closes #15569

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If applicable (not sure if it applies)

• The documentation has been updated

[netlify]

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	9ea8ba6
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/68764dafeec19700081545dd

[netlify]

✅ Deploy Preview for authentik-integrations canceled.

Name	Link
🔨 Latest commit	9ea8ba6
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/68764db02d25e000088d630d

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	9ea8ba6
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/68764daf50000300085e5dc3

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.16%. Comparing base (071305d) to head (9ea8ba6).
⚠️ Report is 543 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #15572      +/-   ##
==========================================
+ Coverage   93.15%   93.16%   +0.01%     
==========================================
  Files         831      831              
  Lines       44135    44185      +50     
==========================================
+ Hits        41115    41166      +51     
+ Misses       3020     3019       -1     

Flag	Coverage Δ
e2e	46.60% <15.68%> (-0.04%)	⬇️
integration	23.48% <3.92%> (-0.03%)	⬇️
unit	91.26% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[BeryJu]

I'd strongly prefer to not include something like this, even with the additional permission required, this still makes it quite easy to shoot yourself in the foot. We could add an endpoint that requires admin auth to validate an individual user's password instead?

[tacerus]

We could add an endpoint that requires admin auth to validate an individual user's password instead?

Whilst interesting too, the goal was rather for the other IDP to synchronize user data completely in order for it to operate independently of Authentik and merely connect occasionally to pull/push changed data.

[josegomezr]

How about shielding this "feature" behind a very explicit config:

• AUTHENTIK_I_KNOW_WHAT_IM_DOING_IS_GONNA_BE_DANGEROUS_YES_SHOW_ME_THE_PW_HASH=1

By default is deactivated, so it's harder to shoot yourself in the foot, and if you get to that point you must know what you're doing.

[fheisler]

the goal was rather for the other IDP to synchronize user data completely in order for it to operate independently of Authentik and merely connect occasionally to pull/push changed data.

Generally when talking about two-way synchronization across multiple IdPs, this would already be supported by various enterprise features (e.g. source stage) rather than as a typical homelab use case.

[tacerus]

We read https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/stages/source/ but it is by our understanding not suitable to sync complete user information (including passphrase hashes) out of Authentik to a secondary IDP.