What Authentik Does
- Single Sign-On (SSO): One login for all your apps via SAML, OAuth 2.0, and OIDC
- Application Proxy: Protect any web app with authentication, even apps without built-in auth
- Multi-Factor Auth: TOTP, WebAuthn/Passkeys, SMS, Email, and Duo
- User Enrollment: Self-service registration with customizable flows (invite, approval, self-signup)
- Social Login: Google, GitHub, Discord, Apple, Microsoft, and custom OIDC/OAuth providers
- LDAP Provider: Built-in LDAP server for legacy application compatibility
- SCIM: Automated user provisioning to downstream applications
- Flows & Stages: Visual flow designer for custom authentication and enrollment logic
Architecture
```
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Your Apps   │────▶│  Authentik   │────▶│  PostgreSQL  │
│ (OIDC/SAML)  │     │   Server     │     │   (Data)     │
└──────────────┘     │  (Django)    │     └──────────────┘
                     └──────┬───────┘
┌──────────────┐            │            ┌──────────────┐
│  Proxy Apps  │     ┌──────┴───────┐     │    Redis     │
│  (No auth)   │────▶│   Outpost    │     │   (Cache)    │
└──────────────┘     │ (Proxy/LDAP) │     └──────────────┘
                     └──────────────┘
```
Self-Hosting
Docker Compose
```yaml
services:
  server:
    image: ghcr.io/goauthentik/server:latest
    command: server
    environment:
      # Placeholder: generate a long random value and keep it out of version control
      AUTHENTIK_SECRET_KEY: your-secret-key
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      # Placeholder credentials; change them before exposing the instance
      AUTHENTIK_POSTGRESQL__PASSWORD: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment:
      # Must match the server's AUTHENTIK_SECRET_KEY
      AUTHENTIK_SECRET_KEY: your-secret-key
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
  postgresql:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: authentik
      POSTGRES_DB: authentik
    volumes:
      - pg-data:/var/lib/postgresql/data
  redis:
    image: redis:7-alpine
volumes:
  pg-data:
```
Key Features
Flow Designer
Authentik's visual flow designer lets you build custom authentication logic:
```
Login Flow:
  Stage 1: Identification (username/email)
  → Stage 2: Password
  → Stage 3: MFA (if enabled)
  → Stage 4: Consent (for OAuth apps)
  → Login Complete

Enrollment Flow:
  Stage 1: Invitation Check
  → Stage 2: User Details Form
  → Stage 3: Email Verification
  → Stage 4: Set Password
  → Account Created
```
Application Proxy (Outpost)
Protect any web application without modifying it:
```
# Authentik protects apps that have no built-in auth
# Example: protect a Grafana instance
Application: grafana.yourdomain.com
  → Authentik Proxy Outpost
  → Verify user is authenticated
  → Forward to Grafana (with user headers)
```
Supported Protocols
| Protocol | Use Case |
|---|---|
| OAuth 2.0 / OIDC | Modern web apps, SPAs |
| SAML 2.0 | Enterprise apps, legacy |
| LDAP | Traditional apps, Linux auth |
| Proxy | Apps without auth support |
| SCIM | User provisioning |
| RADIUS | Network equipment |
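The proxy outpost (see Application Proxy above, and the Proxy row in this table) hands the authenticated user to the app as plain request headers, so the app must only believe those headers when the request really came through the outpost. As an added example, not code from this page or from the authentik project, this Python snippet shows that check; the header names follow the authentik docs, while the outpost network and the sample requests are assumed values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header names the authentik proxy outpost sets on forwarded requests
# (from the authentik docs, not this page; treat them as an assumption).
HDR_USERNAME = "X-authentik-username"
HDR_EMAIL = "X-authentik-email"
HDR_GROUPS = "X-authentik-groups"  # pipe-separated group names
# Hypothetical network the outpost connects from: only requests arriving from
# here can have traversed the outpost, so only their headers may be believed.
TRUSTED_OUTPOST_NETS = [ipaddress.ip_network("10.0.0.0/24")]

@dataclass
class Identity:
    username: str
    email: str
    groups: List[str] = field(default_factory=list)

def resolve_identity(headers: Dict[str, str], remote_addr: str) -> Optional[Identity]:
    """Identity asserted by the outpost, or None if the request is anonymous.
    A client reaching the app directly can set these headers to anything, so
    the peer address is checked before any header is believed."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_OUTPOST_NETS):
        return None
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    username = lower.get(HDR_USERNAME.lower(), "").strip()
    if not username:
        return None  # came through the outpost, but no authenticated user
    groups = [g for g in lower.get(HDR_GROUPS.lower(), "").split("|") if g]
    return Identity(username, lower.get(HDR_EMAIL.lower(), "").strip(), groups)

# Constructed sample requests: (peer address, headers as received by the app).
SAMPLE_REQUESTS = [
    ("10.0.0.5", {HDR_USERNAME: "alice", HDR_EMAIL: "alice@example.com", HDR_GROUPS: "admins|devops"}),
    ("203.0.113.9", {HDR_USERNAME: "alice", HDR_EMAIL: "alice@example.com"}),  # direct hit, spoofed
    ("10.0.0.5", {}),  # via the outpost, but not logged in
]

def classify_samples() -> List[Optional[str]]:
    """Username accepted for each sample request, None where it was rejected."""
    results = []
    for addr, headers in SAMPLE_REQUESTS:
        ident = resolve_identity(headers, addr)
        results.append(ident.username if ident else None)
    return results
```

In a real deployment the same goal is usually met at the network layer as well, by making the app reachable only from the outpost.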
Authentik vs Alternatives
| Feature | Authentik | Keycloak | Authelia | Zitadel |
|---|---|---|---|---|
| SSO (SAML/OIDC) | Yes | Yes | OIDC only | Yes |
| App Proxy | Built-in | No | Built-in | No |
| LDAP Provider | Built-in | Yes | No | No |
| Flow Designer | Visual | Config files | YAML | Actions |
| MFA | Full | Full | TOTP/WebAuthn | Full |
| SCIM | Yes | Community | No | Yes |
| Language | Python | Java | Go | Go |
| RAM Usage | ~500MB | ~1GB+ | ~30MB | ~200MB |
FAQ
Q: How do I choose between Authentik and Authelia? A: Authelia is more lightweight and suits pure reverse-proxy authentication scenarios (protecting apps that have no built-in auth). Authentik is more full-featured, supports SAML/OIDC/LDAP/SCIM, and suits scenarios that need a complete IdP. If you only need to add authentication to Traefik/Nginx, Authelia is simpler. If you need SSO integration across multiple apps, choose Authentik.
Q: Can it replace Keycloak? A: In most scenarios, yes. Authentik's UI is more modern, its configuration is more intuitive, and it ships with an application proxy. Keycloak's advantages are its Java ecosystem integration and its track record in very large enterprise deployments.
Q: Is resource usage high? A: Server + Worker together use about 500MB RAM. That is lighter than Keycloak (1GB+) but heavier than Authelia (30MB). For a self-hosted environment managing 5-50 applications, this is reasonable resource usage.
Sources & Acknowledgments
- GitHub: goauthentik/authentik — 20.9K+ ⭐
- Official site: goauthentik.io