Configs · Apr 10, 2026 · 3 min read

Authentik — Open Source Identity Provider & SSO Platform

Authentik is a flexible open-source identity provider with SSO, MFA, user enrollment flows, and application proxy — the authentication glue for your self-hosted stack.

Introduction

Authentik is a flexible, open-source identity provider that serves as the authentication layer for your entire self-hosted infrastructure. It provides single sign-on (SSO), multi-factor authentication (MFA), user self-service enrollment, and an application proxy — acting as a centralized identity platform for all your services.

With 20.9K+ GitHub stars, Authentik has become the go-to identity provider for homelab and self-hosted environments, providing enterprise-grade IAM features with a user-friendly configuration interface.

What Authentik Does

  • Single Sign-On (SSO): One login for all your apps via SAML, OAuth 2.0, and OIDC
  • Application Proxy: Protect any web app with authentication, even apps without built-in auth
  • Multi-Factor Auth: TOTP, WebAuthn/Passkeys, SMS, Email, and Duo
  • User Enrollment: Self-service registration with customizable flows (invite, approval, self-signup)
  • Social Login: Google, GitHub, Discord, Apple, Microsoft, and custom OIDC/OAuth providers
  • LDAP Provider: Built-in LDAP server for legacy application compatibility
  • SCIM: Automated user provisioning to downstream applications
  • Flows & Stages: Visual flow designer for custom authentication and enrollment logic

Architecture

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Your Apps   │────▶│  Authentik   │────▶│  PostgreSQL  │
│  (OIDC/SAML) │     │  Server      │     │  (Data)      │
└──────────────┘     │  (Django)    │     └──────────────┘
                     └──────┬───────┘
┌──────────────┐            │         ┌──────────────┐
│  Proxy Apps  │     ┌──────┴───────┐ │  Redis       │
│  (No auth)   │────▶│  Outpost     │ │  (Cache)     │
└──────────────┘     │  (Proxy/LDAP)│ └──────────────┘
                     └──────────────┘

Self-Hosting

Docker Compose

services:
  server:
    image: ghcr.io/goauthentik/server:latest
    command: server
    environment:
      # Generate a long random value, e.g. `openssl rand -base64 60`,
      # and use the same value for the server and worker containers.
      AUTHENTIK_SECRET_KEY: your-secret-key
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      # Change this and keep it in sync with POSTGRES_PASSWORD below.
      AUTHENTIK_POSTGRESQL__PASSWORD: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis

  worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment:
      # Must match the server's AUTHENTIK_SECRET_KEY exactly.
      AUTHENTIK_SECRET_KEY: your-secret-key
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
    depends_on:
      - postgresql
      - redis

  postgresql:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: authentik
      # Same value as AUTHENTIK_POSTGRESQL__PASSWORD in server and worker.
      POSTGRES_PASSWORD: authentik
      POSTGRES_DB: authentik
    volumes:
      - pg-data:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine

volumes:
  pg-data:

Key Features

Flow Designer

Authentik's visual flow designer lets you build custom authentication logic:

Login Flow:
  Stage 1: Identification (username/email)
  → Stage 2: Password
  → Stage 3: MFA (if enabled)
  → Stage 4: Consent (for OAuth apps)
  → Login Complete

Enrollment Flow:
  Stage 1: Invitation Check
  → Stage 2: User Details Form
  → Stage 3: Email Verification
  → Stage 4: Set Password
  → Account Created

Application Proxy (Outpost)

Protect any web application without modifying it. The outpost sits in front of the app, checks that the browser session is authenticated with Authentik, and then forwards the request together with headers that identify the user. The app must therefore only be reachable through the outpost; if it is exposed directly, those headers can be supplied by anyone.

# Authentik protects apps that have no built-in auth
# Example: Protect a Grafana instance

Application: grafana.yourdomain.com
  → Authentik Proxy Outpost
    → Verify user is authenticated (redirect to the login flow if not)
    → Forward to Grafana (with X-authentik-* user headers)
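As an added illustration, not code from this page or from the Authentik project: how an application behind the proxy outpost should treat the forwarded user headers. The header names follow the outpost's X-authentik-* convention; the outpost network, the group names and the sample requests are constructed values.

```python
"""Trust X-authentik-* identity headers only when they come from the outpost."""
from ipaddress import ip_address, ip_network
from typing import Optional

# Network(s) the proxy outpost connects from (constructed value for this example).
OUTPOST_NETWORKS = [ip_network("10.0.0.0/24")]

# Headers the Authentik proxy outpost adds after a successful login.
USER_HEADER = "X-authentik-username"
GROUPS_HEADER = "X-authentik-groups"   # group names separated by "|"
EMAIL_HEADER = "X-authentik-email"


def identity_from_request(headers: dict, remote_addr: str) -> Optional[dict]:
    """Return the identity asserted by the outpost, or None if it cannot be trusted.

    The headers are plain text, so they are only honoured when the TCP peer is
    the outpost; a client that reaches the app directly could otherwise set
    them and impersonate any user.
    """
    peer = ip_address(remote_addr)
    if not any(peer in net for net in OUTPOST_NETWORKS):
        return None
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    username = lower.get(USER_HEADER.lower())
    if not username:
        return None
    groups = [g for g in lower.get(GROUPS_HEADER.lower(), "").split("|") if g]
    return {"username": username, "email": lower.get(EMAIL_HEADER.lower(), ""), "groups": groups}


def authorize(headers: dict, remote_addr: str, required_group: str):
    """Map a request to an HTTP status: 401 untrusted/unauthenticated, 403 wrong group, 200 ok."""
    ident = identity_from_request(headers, remote_addr)
    if ident is None:
        return 401, None
    if required_group not in ident["groups"]:
        return 403, ident["username"]
    return 200, ident["username"]


if __name__ == "__main__":
    # Constructed sample: the same headers arriving via the outpost and directly.
    hdrs = {"X-authentik-username": "alice", "X-authentik-groups": "admins|grafana-admins"}
    print(authorize(hdrs, "10.0.0.5", "grafana-admins"))     # (200, 'alice')
    print(authorize(hdrs, "203.0.113.9", "grafana-admins"))  # (401, None)
```

The same rule applies to any header-based login the downstream app offers (Grafana's auth.proxy, for instance): restrict the trusted source to the outpost, never to "any client".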

Supported Protocols

Protocol            Use Case
OAuth 2.0 / OIDC    Modern web apps, SPAs
SAML 2.0            Enterprise apps, legacy
LDAP                Traditional apps, Linux auth
Proxy               Apps without auth support
SCIM                User provisioning
RADIUS              Network equipment

Authentik vs Alternatives

Feature           Authentik   Keycloak       Authelia        Zitadel
SSO (SAML/OIDC)   Yes         Yes            OIDC only       Yes
App Proxy         Built-in    No             Built-in        No
LDAP Provider     Built-in    Yes            No              No
Flow Designer     Visual      Config files   YAML            Actions
MFA               Full        Full           TOTP/WebAuthn   Full
SCIM              Yes         Community      No              Yes
Language          Python      Java           Go              Go
RAM Usage         ~500MB      ~1GB+          ~30MB           ~200MB

FAQ

Q: Authentik or Authelia? A: Authelia is lighter, great for pure reverse-proxy auth (protecting apps that lack built-in auth). Authentik is more comprehensive with SAML/OIDC/LDAP/SCIM support — ideal when you need a full IdP. If you just need to add auth to Traefik/Nginx, Authelia is simpler. If you need SSO across many apps, pick Authentik.

Q: Can it replace Keycloak? A: In most scenarios, yes. Authentik has a more modern UI, more intuitive configuration, and a built-in application proxy. Keycloak's edge lies in Java-ecosystem integration and very-large-scale enterprise deployments.

Q: How resource-heavy is it? A: Server + Worker together use about 500MB RAM. Lighter than Keycloak (1GB+), heavier than Authelia (30MB). For a self-hosted environment managing 5–50 apps, this is a reasonable footprint.
