Add maxLength to passwordcomplexity policy #7927

Closed
2 tasks done
Yberion opened this issue May 7, 2024 · 1 comment


Yberion commented May 7, 2024

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

Hello,

Checking https://zitadel.com/docs/apis/resources/user_service/user-service-set-password, we can see that there's a maxLength on the password of 200 chars.

However, there's no maxLength in the passwordcomplexity policy:

So if we want to properly create "validators" when we create our own UI for a reset password for example, we'll need to hardcode that maxLength of 200 chars if we use v2 api.

I don't know where that limit comes from, it seems not to be there for v1 api (https://zitadel.com/docs/apis/resources/auth/auth-service-update-my-password), it seems that all string fields when using new APIs are limited to 200 chars.

I did not test, but if we're allowed to set a password > 200 chars in the console, we won't be able to use the new APIs, for example change password on v2 api, because the current password will be limited to 200 chars and therefore doesn't match (https://zitadel.com/docs/apis/resources/user_service/user-service-set-password).

Describe your ideal solution

Add maxLength (same as minLength) for the passwordcomplexity policy as it will anyway be limited by the API.

Version

2.51.1

Environment

Self-hosted

Additional Context

No response

livio-a (Member) commented May 22, 2024

Since there can be further restrictions depending on the hashing algorithm, e.g. bcrypt is only able to handle 72 bytes, we'll close this issue in favor of: #4993

@livio-a livio-a closed this as completed May 22, 2024
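
The two limits raised in this thread (200 characters on the v2 API, 72 bytes for bcrypt) are counted in different units, so a custom UI validator has to check both. The sketch below is an added example, not part of the issue or of ZITADEL's code; `CheckLength` and `CollideAfterTruncation` are hypothetical names, and treating the 200 limit as a character count is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Limits quoted in the thread; how each one is counted is an assumption here.
const (
	apiMaxChars    = 200 // v2 API maxLength, assumed to count Unicode characters
	bcryptMaxBytes = 72  // bcrypt uses at most 72 bytes of its input
)

var (
	ErrInvalidUTF8 = errors.New("password is not valid UTF-8")
	ErrTooShort    = errors.New("password shorter than policy minLength")
	ErrTooLongAPI  = errors.New("password longer than API maxLength")
	ErrTooLongHash = errors.New("password exceeds hasher byte limit")
)

// CheckLength (hypothetical) validates a password against the policy minimum,
// the API character limit and, when hasherMaxBytes > 0, the hasher byte limit.
func CheckLength(pw string, minLength, hasherMaxBytes int) error {
	if !utf8.ValidString(pw) {
		return ErrInvalidUTF8
	}
	chars := utf8.RuneCountInString(pw) // characters, not bytes
	switch {
	case chars < minLength:
		return ErrTooShort
	case chars > apiMaxChars:
		return ErrTooLongAPI
	case hasherMaxBytes > 0 && len(pw) > hasherMaxBytes: // len() is UTF-8 bytes
		return ErrTooLongHash
	}
	return nil
}

// CollideAfterTruncation reports whether two different passwords become
// identical once only their first limit bytes are used.
func CollideAfterTruncation(a, b string, limit int) bool {
	return a != b && len(a) >= limit && len(b) >= limit && a[:limit] == b[:limit]
}

func main() {
	pw := strings.Repeat("é", 40) // constructed sample: 40 characters, 80 bytes
	fmt.Println(CheckLength(pw, 8, bcryptMaxBytes))
}
```
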