# Configure Authentication

BillTracker supports local login, optional Authentik-compatible OIDC, and an optional single-user mode.

This page explains the local login flow, the OIDC integration shape, the unsafe-configuration guard rails, and the rate limits applied to login.

## How does local login work?

Local login is enabled by default. Password hashes use bcrypt. Successful login creates a server-side session with a 7-day expiry and sends the browser an HTTP-only `bt_session` cookie.

## How does OIDC login work?

OIDC uses the authorization code flow with PKCE, state and nonce checks, and openid-client token validation. See Authentik / OIDC.

## What unsafe configurations are blocked?

The Admin settings API prevents these unsafe configurations:

- Disabling both local and OIDC login
- Enabling OIDC before required provider settings exist
- Disabling local login before OIDC is configured and enabled
- Disabling local login before an OIDC admin group is configured
Keep local login enabled until a real OIDC login has succeeded.
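The four rules above, expressed as a settings validator. This is an added example, not BillTracker's own code: the setting names `localLoginEnabled`, `oidcEnabled`, the `oidc.*` provider fields and `oidc.adminGroup`, and the list of provider fields treated as required, are all assumptions.

```javascript
// Added example, not BillTracker's code: settings names and required fields are assumed.
const RULES = {
  NO_LOGIN_METHOD: "both local and OIDC login would be disabled",
  OIDC_PROVIDER_INCOMPLETE: "OIDC cannot be enabled until the provider settings are complete",
  OIDC_NOT_READY: "local login cannot be disabled until OIDC is configured and enabled",
  OIDC_ADMIN_GROUP_MISSING: "local login cannot be disabled until an OIDC admin group is configured",
};

// Provider settings assumed to be required before OIDC may be enabled.
const REQUIRED_OIDC_FIELDS = ["issuer", "clientId", "clientSecret", "redirectUri"];
const isSet = (v) => typeof v === "string" && v.trim() !== "";

function oidcProviderConfigured(oidc) {
  return REQUIRED_OIDC_FIELDS.every((field) => isSet(oidc[field]));
}

// Returns the identifiers of every rule the proposed settings violate; [] means safe.
function validateAuthSettings(proposed) {
  const oidc = proposed.oidc ?? {};
  const providerReady = oidcProviderConfigured(oidc);
  const violations = [];
  if (!proposed.localLoginEnabled && !proposed.oidcEnabled) {
    violations.push("NO_LOGIN_METHOD");
  }
  if (proposed.oidcEnabled && !providerReady) {
    violations.push("OIDC_PROVIDER_INCOMPLETE");
  }
  if (!proposed.localLoginEnabled) {
    // The local fallback may only go once OIDC is enabled with a complete provider
    // and an admin group, so at least one admin can still sign in afterwards.
    if (!(proposed.oidcEnabled && providerReady)) violations.push("OIDC_NOT_READY");
    if (!isSet(oidc.adminGroup)) violations.push("OIDC_ADMIN_GROUP_MISSING");
  }
  return violations;
}

// Merges a settings patch into the current settings and rejects the result if
// it is unsafe, so one bad update cannot lock every administrator out.
function applyAuthSettings(current, patch) {
  const proposed = {
    ...current,
    ...patch,
    oidc: { ...(current.oidc ?? {}), ...(patch.oidc ?? {}) },
  };
  const violations = validateAuthSettings(proposed);
  if (violations.length > 0) {
    throw new Error("Unsafe auth settings: " + violations.map((v) => RULES[v]).join("; "));
  }
  return proposed;
}
```

Running the validator on the merged result rather than on the patch alone is what catches the case where each of two updates looks harmless on its own.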
## What are the rate limits?

| Operation | Limit |
|---|---|
| Login | 10 requests per 15 minutes per IP |
| Password change | 5 requests per 15 minutes per IP |
| OIDC login and callback | 20 requests per 15 minutes per IP |
## Next steps

- Connect Authentik with the step-by-step guide in Connect Authentik / OIDC.
- Add users in Add Users and Roles.
- Review the security settings in Tune Security Settings.