# Authentik

Authentik is an open-source identity provider with support for OIDC, SAML, LDAP, and forward authentication.
## Docker Compose Setup

### docker-compose.yml

```yaml
services:
  postgresql:
    image: postgres:15-alpine
    container_name: authentik-db
    restart: unless-stopped
    volumes:
      - ./data/postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: ${PG_PASSWORD}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U authentik"]
      interval: 30s
      timeout: 5s
      retries: 5

  redis:
    image: redis:7-alpine
    container_name: authentik-redis
    restart: unless-stopped
    command: --save 60 1 --loglevel warning
    volumes:
      - ./data/redis:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 5s
      retries: 5

  server:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASSWORD}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - default
      - proxy

  worker:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASSWORD}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy

networks:
  proxy:
    external: true
```
### Environment Variables

### Initial Setup

```bash
# Create directories
mkdir -p data/postgres data/redis media custom-templates

# Start services
docker compose up -d

# Access setup at http://localhost:9000/if/flow/initial-setup/
```
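The compose file reads `PG_PASSWORD` and `AUTHENTIK_SECRET_KEY`, and the Traefik labels read `DOMAIN`, from a `.env` file next to `docker-compose.yml`. The helper below is an added example, not the page's or the authentik project's own script: it creates that file with random secrets and mode 0600, refuses to overwrite an existing one (a re-run must not silently rotate the secret key and invalidate every session), and checks the file before `docker compose up -d`. The function names and the 50-character minimum for the secret key are assumptions.

```shell
#!/usr/bin/env sh
# Added helper, not from the page or the authentik project. PG_PASSWORD,
# AUTHENTIK_SECRET_KEY and DOMAIN are the variables the compose file and the
# Traefik labels reference; function names and the 50-char minimum are assumptions.

# 48 bytes from the kernel CSPRNG, base64-encoded: 64 printable characters,
# no newline, safe as a .env value.
gen_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Create .env with fresh secrets. Refuses to clobber an existing file so a
# re-run cannot silently rotate AUTHENTIK_SECRET_KEY and break all sessions.
write_env() {
  env_file="$1"
  domain="$2"
  if [ -e "$env_file" ]; then
    echo "refusing to overwrite $env_file" >&2
    return 1
  fi
  # umask 077 in a subshell: the file is created 0600 (secrets must not be
  # world-readable) without changing the caller's umask.
  (
    umask 077
    {
      printf 'PG_PASSWORD=%s\n' "$(gen_secret)"
      printf 'AUTHENTIK_SECRET_KEY=%s\n' "$(gen_secret)"
      printf 'DOMAIN=%s\n' "$domain"
    } > "$env_file"
  )
}

# Value of KEY ($2) in FILE ($1); empty string if the key is absent.
env_value() {
  grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# Run before `docker compose up -d`: every referenced variable must be set
# and the secret key must not be a short placeholder.
check_env() {
  for key in PG_PASSWORD AUTHENTIK_SECRET_KEY DOMAIN; do
    if [ -z "$(env_value "$1" "$key")" ]; then
      echo "$key is missing or empty in $1" >&2
      return 1
    fi
  done
  secret=$(env_value "$1" AUTHENTIK_SECRET_KEY)
  [ "${#secret}" -ge 50 ] || { echo "AUTHENTIK_SECRET_KEY too short" >&2; return 1; }
}
```

Run `write_env .env auth.example.com` once, then `check_env .env` before every start; a failing check is cheaper than a server that comes up with an empty secret key.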
## Traefik Integration

### Authentik Labels

```yaml
# Add to authentik server service
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.authentik.rule=Host(`auth.${DOMAIN}`)"
  - "traefik.http.routers.authentik.entrypoints=https"
  - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
  - "traefik.http.services.authentik.loadbalancer.server.port=9000"
```
### Forward Auth Middleware

Create an Outpost in the Authentik UI, then configure Traefik:

```yaml
# In authentik docker-compose.yml, add to server labels
labels:
  # ... existing labels ...
  # Forward auth endpoint
  - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
  - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
  - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
```
### Protected Service

```yaml
services:
  myapp:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myapp.rule=Host(`myapp.${DOMAIN}`)"
      - "traefik.http.routers.myapp.entrypoints=https"
      - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"
      - "traefik.http.routers.myapp.middlewares=authentik@docker"
```
## Configure Applications

### Forward Auth Provider

- Go to Applications > Providers > Create
- Select Proxy Provider
- Configure:
  - Name: Forward Auth
  - Authorization flow: default
  - Mode: Forward auth (single application)
  - External host: https://myapp.domain.com
### OIDC Provider

- Go to Applications > Providers > Create
- Select OAuth2/OpenID Provider
- Configure:
  - Name: App name
  - Authorization flow: default
  - Client ID: auto-generated (save this)
  - Client Secret: auto-generated (save this)
  - Redirect URIs: https://app.domain.com/callback
### LDAP Provider

- Go to Applications > Providers > Create
- Select LDAP Provider
- Configure:
  - Name: LDAP
  - Bind DN: auto-generated
  - Search group: select user group
## Outpost Configuration

### Create Outpost

- Go to Applications > Outposts > Create
- Configure:
  - Name: Embedded Outpost
  - Type: Proxy
  - Integration: Select docker or kubernetes
  - Applications: Select your applications

### Embedded Outpost (Default)

The embedded outpost runs inside the server container. For forward auth:
## User Management

### Create Users

- Go to Directory > Users > Create
- Fill in user details
- Set password or send invitation email

### Groups

- Go to Directory > Groups > Create
- Name the group (e.g., admins, users)
- Add users to group

### Policies

Create policies to control access:

- Go to Flows & Stages > Policies > Create
- Policy types:
  - Expression Policy: Python expressions
  - Group Membership: Require group membership
  - Password: Password requirements
## Two-Factor Authentication

### Enable TOTP

- Go to Flows & Stages > Stages > Create
- Select Authenticator Validation Stage
- Configure device classes (TOTP, WebAuthn)
- Bind to authentication flow

### WebAuthn (Hardware Keys)

Supported by default when the TOTP stage is configured.
## Customization

### Custom Branding

- Go to System > Brands
- Configure:
  - Logo
  - Favicon
  - Custom CSS

### Custom Templates

Mount the templates directory and create custom HTML:
## Backup

### Database Backup

### Full Backup

```bash
# Stop services
docker compose stop

# Backup data directory
tar -czvf authentik-backup.tar.gz data/ media/

# Start services
docker compose start
```
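The full backup above needs downtime. As an added example that is not the page's or the authentik project's own script, the following takes an online logical backup of the compose stack's PostgreSQL through the running container, verifies the dump before trusting it (a failed `docker compose exec` still leaves gzip writing a valid but empty stream, which is caught), and prunes old dumps. The service, user and database names come from the compose file; function names and the `BACKUP_DIR` default are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the page or the authentik project: online logical
# backup of the compose stack's PostgreSQL (service "postgresql", user and
# database "authentik"). Function names and BACKUP_DIR are assumptions.

backup_dir="${BACKUP_DIR:-./backups}"

# A dump is only a backup if it reads back: check the gzip stream and the
# header line pg_dump writes at the top of every plain-format dump. An
# empty gzip stream (docker exec failed, gzip still ran) is rejected too.
verify_dump() {
  f="$1"
  [ -s "$f" ] || { echo "empty or missing dump: $f" >&2; return 1; }
  gzip -t "$f" 2>/dev/null || { echo "corrupt gzip: $f" >&2; return 1; }
  gzip -dc "$f" | head -n 20 | grep -q 'PostgreSQL database dump' \
    || { echo "not pg_dump output: $f" >&2; return 1; }
}

# Dump through the running container, no downtime. -T: no TTY, so the
# stream is byte-exact. umask 077: the dump holds every password hash and
# token, so it is created 0600.
dump_db() {
  mkdir -p "$backup_dir"
  out="$backup_dir/authentik-$(date -u +%Y%m%dT%H%M%SZ).sql.gz"
  (
    umask 077
    docker compose exec -T postgresql \
      pg_dump -U authentik --no-owner authentik | gzip -9 > "$out"
  )
  verify_dump "$out" || return 1
  echo "$out"
}

# Retention: keep the newest N dumps (default 14) so the backup directory
# cannot fill the disk the database lives on.
prune_dumps() {
  keep="${1:-14}"
  ls -1t "$backup_dir"/authentik-*.sql.gz 2>/dev/null \
    | tail -n +"$((keep + 1))" \
    | while IFS= read -r old; do rm -f -- "$old"; done
}
```

The dump covers the database only; `.env` (the secret key) and `media/` must be backed up alongside it, as the full backup above already does.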
## Troubleshooting

### Check Logs

### Common Issues

- 502 Bad Gateway
  - Check if server is healthy
  - Verify network connectivity
- Forward auth not working
  - Check outpost is running
  - Verify middleware URL is correct
- OIDC redirect issues
  - Check redirect URIs match exactly
  - Verify client ID/secret