Authentication API

Last modified by Admin on 2024/05/29 17:39

cogAPIs used for and during authentication
Developed by

XWiki Development Team

0 Votes
LicenseGNU Lesser General Public License 2.1
Bundled With

XWiki Standard


Since 11.6RC1

Installable with the Extension Manager


This module provides API used for and during the authentication.
In particular this module provides APIs: 

  • to triggers additional security checks when a user failed to authenticate multiple times in a given time window
  • to allows users reset their password when they forgot it
  • to manage the dedicated /authenticate/ URL resource type.



The configuration of the module allows to setup three information:

  • the authentication failure strategies (default is CAPTCHA)
  • the maximum number of failing login attempts authorized before activating a strategy (default is 3)
  • the time window during which those attempts should occur (default is 5 minutes)

Setting no strategy or 0 to the maximum number of attempts, or to the time window will disable the feature.
This configuration is available in the Administration > Authentication page by default.

Starting with XWiki 11.10 it is now possible to enable or disable the authentication security mechanism. Note that disabling it will also clear out all information related to the login failures: this might unlock some users in case of problems.

Authentication Security Checks

Authentication Failure Manager

This component is responsible to record the authentication failures, and to trigger the strategies based on the given configuration.

Authentication Failure Strategies

Two strategies are currently implemented and available.


This is the default strategy. When a user reached the limit number of authentication attempts, a CAPTCHA is displayed in the login page, and the user have to solve it in order to be login.

Disable Account


This strategy will automatically disable the user account in case of repeated authentication failure. In that case he needs to contact an administrator of the wiki to enable it back.

Authenticate URL resource type


This module provides the component to handle the /authenticate/ URLs.
This URL allows to handle two actions with the following schemes:

  • /authenticate/resetpassword allows a user to reset her password
  • /authenticate/retrieveusername allows a user to retrieve her username

Reset password

A dedicated component is provided to allow a user who forgot her password to retrieve it. The process is using an intermediate code that needs to be sent to the user by a protected mean such as an email sent to her.

It's possible to configure the behaviour of the reset password email link, through a configuration in

XWiki 16.3.0+

#-# [Since 13.10.1]
#-# [Since 14.0RC1]
#-# Define the lifetime of the token used for resetting passwords in minutes.
#-# Default value is 60 meaning that users have 1 hour to access the link sent by email for performing password reset.
#-# Once the password is reset using the link, the token is revoked.
#-# Using 0 here means that the token has no expiration date, however it will be revoked at first wrong access.
#-# The value is in minutes. The default is:
# security.authentication.resetPasswordTokenLifetime = 60

XWiki <16.3.0

The configuration used to be slightly different with a default value set to 0:

#-# [Since 13.10.1]
#-# [Since 14.0RC1]
#-# Define the lifetime of the token used for resetting passwords in minutes. Note that this value is only used after
#-# first access.
#-# Default value is 0 meaning that the token is immediately revoked when first accessed.
#-# Use a different value if the reset password email link might be accessed several times (e.g. in case of using an
#-# email link verification system): in such case the user will have the defined lifetime to use again the email link.
#-# The default is:
# security.authentication.resetPasswordTokenLifetime = 0


List of provided events:

  • AuthenticationFailureEvent which is triggered whenever a user fails his authentication
  • AuthenticationFailureLimitReachedEvent which is triggered when the authentication failure manager detected that a user reached the limit of authentication failures.
  • XWiki 13.3+ Form and Basic authenticators trigger the new event UserAuthenticatedEvent whenever a user authenticates.

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager).

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.


Dependencies for this extension (org.xwiki.platform:xwiki-platform-security-authentication-api 16.4.0):

Get Connected