[{"data":1,"prerenderedAt":812},["ShallowReactive",2],{"guide:zh:authentication":3},{"id":4,"title":5,"body":6,"description":804,"extension":805,"meta":806,"navigation":807,"path":808,"seo":809,"stem":810,"__hash__":811},"guide_zh/zh/user/authentication/index.md","身份验证 — 登录方式与账户安全",{"type":7,"value":8,"toc":782},"minimark",[9,13,17,21,32,35,41,54,59,70,76,87,91,96,114,119,136,141,155,160,174,177,182,196,202,213,218,232,236,245,249,254,273,278,292,295,300,317,322,330,336,349,360,370,373,378,395,400,414,419,459,464,478,481,486,503,508,519,522,526,531,554,557,561,576,579,583,596,599,604,618,622,627,649,652,657,677,685,701,704,708,718,723,734,739,750,755,766,771],[10,11,12],"h1",{"id":12},"身份验证",[14,15,16],"p",{},"身份验证会在授予访问 Aptli 权限前确认您的身份。Aptli 支持用户名/密码登录、OAuth 单点登录（Google、GitHub、Microsoft、Keycloak）和双因素认证。本节介绍如何使用和配置每种方式、管理账户锁定以及处理密码重置。",[18,19,20],"h2",{"id":20},"当前登录方式",[14,22,23,28],{},[24,25],"img",{"alt":26,"src":27},"登录页面","/guide/authentication/login-page.png",[29,30,31],"em",{},"登录页面展示可用的认证方式，包括 OAuth 提供商",[14,33,34],{},"可配置的身份验证方式：",[14,36,37],{},[38,39,40],"strong",{},"用户名/密码（默认）：",[42,43,44,48,51],"ul",{},[45,46,47],"li",{},"电子邮件 + 密码组合",[45,49,50],{},"密码要求：至少 8 个字符，满足复杂度规则",[45,52,53],{},"闲置后自动注销（可配置，默认 1 天）",[14,55,56],{},[38,57,58],{},"OAuth 提供商：",[42,60,61,64,67],{},[45,62,63],{},"GitHub OAuth",[45,65,66],{},"Google OAuth",[45,68,69],{},"可配置其他提供商（联系支持团队）",[14,71,72,75],{},[38,73,74],{},"配置："," 导航至应用设置 → 身份验证 → 有效登录方式",[42,77,78,81,84],{},[45,79,80],{},"至少需启用一种方式",[45,82,83],{},"多种方式可同时激活",[45,85,86],{},"用户可在登录界面选择首选方式",[18,88,90],{"id":89},"双因素认证2fa","双因素认证（2FA）",[14,92,93],{},[38,94,95],{},"启用双因素认证：",[97,98,99,102,105,108,111],"ol",{},[45,100,101],{},"导航至用户个人资料页面",[45,103,104],{},"点击\"启用双因素认证\"",[45,106,107],{},"使用验证器应用（如 Google Authenticator、Authy 等）扫描 QR 码",[45,109,110],{},"输入 6 位验证码确认",[45,112,113],{},"保存恢复码（以防手机丢失）",[14,115,116],{},[38,117,118],{},"使用双因素认证登录：",[97,120,121,124,127,130,133],{},[45,122,123],{},"输入电子邮件和密码（或 OAuth）",[45,125,126],{},"系统提示输入 6 位验证码",[45,128,129],{},"打开身份验证器应用",[45,131,132],{},"输入当前验证码（每 30 秒刷新一次）",[45,134,135],{},"访问权限授予",[14,137,138],{},[38,139,140],{},"恢复码：",[42,142,143,146,149,152],{},[45,144,145],{},"双因素认证设置时生成 10 个一次性代码",[45,147,148],{},"安全存储（密码管理器、打印副本）",[45,150,151],{},"当验证器不可用时使用",[45,153,154],{},"每个代码仅限使用一次",[14,156,157],{},[38,158,159],{},"禁用双因素认证：",[42,161,162,165,168,171],{},[45,163,164],{},"导航至用户个人资料",[45,166,167],{},"点击\"禁用双因素认证\"",[45,169,170],{},"输入当前 6 位验证码（或恢复码）",[45,172,173],{},"确认禁用",[18,175,176],{"id":176},"识别未启用双因素认证的用户",[14,178,179],{},[38,180,181],{},"管理员视图：",[97,183,184,187,190,193],{},[45,185,186],{},"导航至管理员 → 用户",[45,188,189],{},"添加列：\"2FA 已启用\"（布尔型）",[45,191,192],{},"筛选条件：\"2FA 已启用 = false\"",[45,194,195],{},"导出列表以便后续跟进",[14,197,198,201],{},[38,199,200],{},"强制执行："," 应用设置 → 身份验证 → 要求使用双因素认证",[42,203,204,207,210],{},[45,205,206],{},"启用后强制所有用户设置双因素认证",[45,208,209],{},"宽限期可配置（例如 30 天）",[45,211,212],{},"宽限期结束后，用户必须启用双因素认证才能登录",[14,214,215],{},[38,216,217],{},"通知活动：",[42,219,220,223,226,229],{},[45,221,222],{},"向未启用双因素认证的用户群发邮件",[45,224,225],{},"附上设置说明",[45,227,228],{},"强调安全优势",[45,230,231],{},"设定合规截止日期",[18,233,235],{"id":234},"oauth-提供商设置","OAuth 提供商设置",[14,237,238,239,244],{},"OAuth 提供商（Google、GitHub、Microsoft、Keycloak）由系统管理员配置。配置详情请参阅 ",[240,241,243],"a",{"href":242},"/sysadmin/oauth-setup/","OAuth 配置指南","。",[18,246,248],{"id":247},"为用户账户添加-oauth","为用户账户添加 OAuth",[14,250,251],{},[38,252,253],{},"现有用户名/密码用户操作指南：",[97,255,256,259,261,264,267,270],{},[45,257,258],{},"使用电子邮件和密码登录",[45,260,101],{},[45,262,263],{},"点击\"关联 OAuth 账户\"",[45,265,266],{},"选择提供商（GitHub 或 Google）",[45,268,269],{},"通过提供商授权",[45,271,272],{},"OAuth 账户关联成功（现可通过任一方式登录）",[14,274,275],{},[38,276,277],{},"新用户须知：",[42,279,280,283,286,289],{},[45,281,282],{},"首次通过 OAuth 登录将自动创建账户",[45,284,285],{},"OAuth 提供商的电子邮件必须属于允许的域名范围",[45,287,288],{},"账户仅通过 OAuth 登录创建（不设置密码）",[45,290,291],{},"后续可从个人资料中添加密码",[18,293,294],{"id":294},"电子邮件验证",[14,296,297],{},[38,298,299],{},"新用户流程：",[97,301,302,305,308,311,314],{},[45,303,304],{},"用户注册（或管理员创建账户）",[45,306,307],{},"向用户电子邮件发送验证邮件",[45,309,310],{},"邮件内含 10 分钟有效期的验证令牌",[45,312,313],{},"用户点击邮件中的链接",[45,315,316],{},"账户验证成功（现可登录）",[14,318,319],{},[38,320,321],{},"验证要求：",[42,323,324,327],{},[45,325,326],{},"电子邮件未验证前无法登录（任何方式）",[45,328,329],{},"包含 OAuth 用户（即使提供商已验证，电子邮件仍需验证）",[14,331,332,335],{},[38,333,334],{},"重新发送验证邮件："," 管理员可从用户资料页重新发送：",[97,337,338,340,343,346],{},[45,339,186],{},[45,341,342],{},"打开用户资料页",[45,344,345],{},"点击\"重新发送验证邮件\"",[45,347,348],{},"系统发送新的 10 分钟有效令牌",[14,350,351,354,355,359],{},[38,352,353],{},"手动验证："," 拥有 ",[356,357,358],"code",{},"usersUpdate"," 权限的管理员可手动验证：",[97,361,362,364,367],{},[45,363,164],{},[45,365,366],{},"将\"电子邮件验证\"日期设置为当前日期",[45,368,369],{},"保存（用户现可登录）",[18,371,372],{"id":372},"登录安全",[14,374,375],{},[38,376,377],{},"最大登录尝试次数：",[42,379,380,383,386,389],{},[45,381,382],{},"默认值：5 次失败尝试",[45,384,385],{},"可在应用设置中配置",[45,387,388],{},"超出最大尝试次数后：账户强制锁定",[45,390,391,392,394],{},"解锁需具备 ",[356,393,358],{}," 权限的管理员操作",[14,396,397],{},[38,398,399],{},"强制锁定：",[42,401,402,405,408,411],{},[45,403,404],{},"账户无法登录（任何方式）",[45,406,407],{},"用户资料页显示\"强制锁定\"标识",[45,409,410],{},"解锁：管理员点击\"解锁账户\"操作",[45,412,413],{},"重置：失败尝试计数器重置为 0",[14,415,416],{},[38,417,418],{},"会话过期：",[42,420,421,435,449],{},[45,422,423,426,427],{},[38,424,425],{},"自动注销："," 闲置超时（默认 1 天）\n",[42,428,429,432],{},[45,430,431],{},"读写数据将重置倒计时",[45,433,434],{},"可通过应用设置单独配置",[45,436,437,440,441],{},[38,438,439],{},"服务器会话超时："," 服务器端会话超时（默认 1 周）\n",[42,442,443,446],{},[45,444,445],{},"强制重新登录（无论是否有活动）",[45,447,448],{},"长时会话的安全防护措施",[45,450,451,453,454],{},[38,452,418],{}," 绝对最大会话时长（默认 1 周）\n",[42,455,456],{},[45,457,458],{},"防止无限期会话",[14,460,461],{},[38,462,463],{},"单一活动会话：",[42,465,466,469,472,475],{},[45,467,468],{},"Aptli 每个账户同一时间仅允许一个活动会话",[45,470,471],{},"在新设备上登录会使其他设备退出登录",[45,473,474],{},"在已被退出的设备上会看到提示，并需要重新登录",[45,476,477],{},"同一浏览器配置内的多个标签页或窗口共享一个会话——它们不会互相退出",[18,479,480],{"id":480},"强制注销",[14,482,483],{},[38,484,485],{},"管理员操作：",[97,487,488,491,494,497,500],{},[45,489,490],{},"导航至管理 → 用户",[45,492,493],{},"打开用户个人资料",[45,495,496],{},"操作 → 强制注销",[45,498,499],{},"用户会话立即终止",[45,501,502],{},"用户必须重新登录",[14,504,505],{},[38,506,507],{},"使用场景：",[42,509,510,513,516],{},[45,511,512],{},"安全事件（账户遭入侵）",[45,514,515],{},"用户在公共电脑上未关闭会话",[45,517,518],{},"管理员锁定（待调查处理）",[18,520,521],{"id":521},"登录故障排除",[523,524,525],"h3",{"id":525},"用户无法找到账户",[14,527,528],{},[38,529,530],{},"检查步骤：",[97,532,533,535,538,541,548],{},[45,534,490],{},[45,536,537],{},"按电子邮件筛选（区分大小写）",[45,539,540],{},"若未找到：账户可能已被删除",[45,542,543,544,547],{},"点击\"查看已删除\"按钮（需 ",[356,545,546],{},"viewDeleted"," 权限）",[45,549,550,551,547],{},"若在已删除列表中找到：恢复账户（需 ",[356,552,553],{},"usersCreate",[523,555,556],{"id":556},"强制锁定",[14,558,559],{},[38,560,530],{},[97,562,563,565,568,573],{},[45,564,164],{},[45,566,567],{},"查找\"强制锁定\"标识",[45,569,570,571,547],{},"若存在：点击\"解锁账户\"（需 ",[356,572,358],{},[45,574,575],{},"用户现可登录",[523,577,578],{"id":578},"电子邮件未验证",[14,580,581],{},[38,582,530],{},[97,584,585,587,590,593],{},[45,586,101],{},[45,588,589],{},"\"电子邮件验证\"字段应显示日期",[45,591,592],{},"若为空白：重新发送验证邮件 或 手动设置日期",[45,594,595],{},"未验证用户无法通过任何方式登录",[523,597,598],{"id":598},"域名验证失败",[14,600,601],{},[38,602,603],{},"处理：",[97,605,606,609,612,615],{},[45,607,608],{},"导航至应用设置 → 身份验证",[45,610,611],{},"检查\"允许的域名\"列表",[45,613,614],{},"确认用户电子邮件域名是否包含在内",[45,616,617],{},"若缺失：添加域名 或 手动创建账户（绕过域名验证）",[523,619,621],{"id":620},"oauth-无法正常工作","OAuth 无法正常工作",[14,623,624],{},[38,625,626],{},"检查事项：",[97,628,629,632,635,643,646],{},[45,630,631],{},"验证环境变量设置（CLIENT_ID、CLIENT_SECRET）",[45,633,634],{},"检查回调 URL 是否与提供商配置匹配",[45,636,637,638,642],{},"测试：注销后点击\"使用",[639,640,641],"span",{},"提供商","登录\"",[45,644,645],{},"查看浏览器控制台中的错误信息",[45,647,648],{},"在提供商控制台中检查认证尝试记录",[18,650,651],{"id":651},"密码重置",[14,653,654],{},[38,655,656],{},"用户主动操作：",[97,658,659,662,665,668,671,674],{},[45,660,661],{},"在登录页面点击\"忘记密码\"",[45,663,664],{},"输入电子邮件地址",[45,666,667],{},"重置邮件发送（含 10 分钟有效令牌）",[45,669,670],{},"点击邮件中的链接",[45,672,673],{},"输入新密码",[45,675,676],{},"密码重置完成（现可登录）",[14,678,679,681,682,684],{},[38,680,485],{}," 具备 ",[356,683,358],{}," 权限的管理员可执行重置：",[97,686,687,689,692,695,698],{},[45,688,101],{},[45,690,691],{},"操作 → 重置密码",[45,693,694],{},"生成临时密码",[45,696,697],{},"向用户发送含临时密码的邮件",[45,699,700],{},"用户首次登录时必须修改密码",[18,702,703],{"id":703},"最佳实践",[14,705,706],{},[38,707,95],{},[42,709,710,713,716],{},[45,711,712],{},"所有管理员账户必须启用",[45,714,715],{},"鼓励所有用户启用",[45,717,231],{},[14,719,720],{},[38,721,722],{},"尽可能使用 OAuth：",[42,724,725,728,731],{},[45,726,727],{},"减轻密码负担",[45,729,730],{},"借助提供商的安全性",[45,732,733],{},"简化账户恢复流程",[14,735,736],{},[38,737,738],{},"监控失败登录：",[42,740,741,744,747],{},[45,742,743],{},"每周审查强制锁定账户",[45,745,746],{},"锁定模式表明存在密码猜测攻击",[45,748,749],{},"启用双因素认证强制执行",[14,751,752],{},[38,753,754],{},"常规会话过期：",[42,756,757,760,763],{},[45,758,759],{},"勿将闲置超时时间设得太长（24 小时为宜）",[45,761,762],{},"服务器会话超时可防止无限期会话",[45,764,765],{},"在安全性与用户便利性间取得平衡",[14,767,768],{},[38,769,770],{},"允许的域名：",[42,772,773,776,779],{},[45,774,775],{},"严格控制列表（仅限组织域名）",[45,777,778],{},"外部承包商 = 手动创建（绕过域名检查）",[45,780,781],{},"每季度审核（移除未使用域名）",{"title":783,"searchDepth":784,"depth":784,"links":785},"",2,[786,787,788,789,790,791,792,793,794,802,803],{"id":20,"depth":784,"text":20},{"id":89,"depth":784,"text":90},{"id":176,"depth":784,"text":176},{"id":234,"depth":784,"text":235},{"id":247,"depth":784,"text":248},{"id":294,"depth":784,"text":294},{"id":372,"depth":784,"text":372},{"id":480,"depth":784,"text":480},{"id":521,"depth":784,"text":521,"children":795},[796,798,799,800,801],{"id":525,"depth":797,"text":525},3,{"id":556,"depth":797,"text":556},{"id":578,"depth":797,"text":578},{"id":598,"depth":797,"text":598},{"id":620,"depth":797,"text":621},{"id":651,"depth":784,"text":651},{"id":703,"depth":784,"text":703},"配置和使用 Aptli 中的身份验证：用户名/密码登录、OAuth 提供商（Google、GitHub、Microsoft）、双因素认证、电子邮件验证和会话安全。","md",{},true,"/zh/user/authentication",{"title":5,"description":804},"zh/user/authentication/index","ObnXzLNLuLCmL7Fl2QynpD399bRvf_R7YL27Bea2QkI",1780539281486]