This is an automated email from the ASF dual-hosted git repository.

massx1 pushed a commit to branch 4_1_X
in repository https://gitbox.apache.org/repos/asf/syncope.git

commit aa96a05a9472dbcc630551e629c4903b069c7b25
Author: Massimiliano Perrone <[email protected]>
AuthorDate: Mon Jun 15 13:12:59 2026 +0200

    [SYNCOPE-1973] Document authentication error detail properties
---
 src/main/asciidoc/reference-guide/usage/core.adoc | 33 +++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/src/main/asciidoc/reference-guide/usage/core.adoc 
b/src/main/asciidoc/reference-guide/usage/core.adoc
index 9ef8acd8e8..50b0dd0c68 100644
--- a/src/main/asciidoc/reference-guide/usage/core.adoc
+++ b/src/main/asciidoc/reference-guide/usage/core.adoc
@@ -107,6 +107,39 @@ 
https://docs.spring.io/spring-security/reference/6.5/servlet/authentication/anon
 <<entitlements,entitlements>>, handed over to users via <<roles,roles>>.
 ****
 
+[[authentication-error-details]]
+===== Authentication Error Details
+Since 4.1.2 version, by default, authentication failures return a generic 
error message in the `X-Syncope-Error-Info` response header.
+
+This avoids exposing details that could help distinguish between different 
authentication failure causes, such as an unknown user, invalid credentials, 
disabled account, invalid domain or invalid token.
+
+The behavior can be configured with the following properties:
+[cols="1,1,3",options="header"]
+|===
+|Property
+|Default
+|Description
+|`security.authenticationError.exposeDetails`
+|`false`
+|When `false`, authentication failures expose the configured generic message.  
When `true`, the original authentication exception message is exposed. Setting 
this to `true` restores the previous, more detailed behavior.
+|`security.authenticationError.genericMessage`
+|`Authentication failed`
+|Message returned for authentication failures when 
`security.authenticationError.exposeDetails` is `false`. If left empty, Syncope
+  falls back to `Authentication failed`.
+|===
+Example:
+[source,properties]
+----
+security.authenticationError.exposeDetails=false
+security.authenticationError.genericMessage=Authentication failed
+----
+
+For compatibility with previous behavior, administrators can enable detailed 
messages:
+[source,properties]
+----
+security.authenticationError.exposeDetails=true
+----
+
 ===== Authentication Throttling
 This functionality can throttle repeated failed username / password 
authentication attempts, to reduce the effectiveness of automated guessing 
attacks.
 

Reply via email to