This is an automated email from the ASF dual-hosted git repository. massx1 pushed a commit to branch 4_1_X in repository https://gitbox.apache.org/repos/asf/syncope.git
commit aa96a05a9472dbcc630551e629c4903b069c7b25 Author: Massimiliano Perrone <[email protected]> AuthorDate: Mon Jun 15 13:12:59 2026 +0200 [SYNCOPE-1973] Document authentication error detail properties --- src/main/asciidoc/reference-guide/usage/core.adoc | 33 +++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/src/main/asciidoc/reference-guide/usage/core.adoc b/src/main/asciidoc/reference-guide/usage/core.adoc index 9ef8acd8e8..50b0dd0c68 100644 --- a/src/main/asciidoc/reference-guide/usage/core.adoc +++ b/src/main/asciidoc/reference-guide/usage/core.adoc @@ -107,6 +107,39 @@ https://docs.spring.io/spring-security/reference/6.5/servlet/authentication/anon <<entitlements,entitlements>>, handed over to users via <<roles,roles>>. **** +[[authentication-error-details]] +===== Authentication Error Details +Since 4.1.2 version, by default, authentication failures return a generic error message in the `X-Syncope-Error-Info` response header. + +This avoids exposing details that could help distinguish between different authentication failure causes, such as an unknown user, invalid credentials, disabled account, invalid domain or invalid token. + +The behavior can be configured with the following properties: +[cols="1,1,3",options="header"] +|=== +|Property +|Default +|Description +|`security.authenticationError.exposeDetails` +|`false` +|When `false`, authentication failures expose the configured generic message. When `true`, the original authentication exception message is exposed. Setting this to `true` restores the previous, more detailed behavior. +|`security.authenticationError.genericMessage` +|`Authentication failed` +|Message returned for authentication failures when `security.authenticationError.exposeDetails` is `false`. If left empty, Syncope + falls back to `Authentication failed`. +|=== +Example: +[source,properties] +---- +security.authenticationError.exposeDetails=false +security.authenticationError.genericMessage=Authentication failed +---- + +For compatibility with previous behavior, administrators can enable detailed messages: +[source,properties] +---- +security.authenticationError.exposeDetails=true +---- + ===== Authentication Throttling This functionality can throttle repeated failed username / password authentication attempts, to reduce the effectiveness of automated guessing attacks.
