# Authentik — Open Source Identity Provider & SSO Platform

> Authentik is a flexible open-source identity provider with SSO, MFA, user enrollment flows, and application proxy — the authentication glue for your self-hosted stack.

## Quick Use

```bash
# Fetch the compose file published by the Authentik project
wget https://goauthentik.io/docker-compose.yml

# Generate the two secrets the compose file reads from .env. The newline is
# stripped so each value stays on one line; .env must never be committed.
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
chmod 600 .env

docker compose up -d
```

Open `http://localhost:9000/if/flow/initial-setup/` and set up the admin account (`akadmin`). Do this right after the first start: until the initial-setup flow has been completed, anyone who can reach port 9000 can complete it and claim the admin account.

## Intro

**Authentik** is a flexible, open-source identity provider that serves as the authentication layer for your entire self-hosted infrastructure. It provides single sign-on (SSO), multi-factor authentication (MFA), user self-service enrollment, and an application proxy, acting as a centralized identity platform for all your services.

With 20.9K+ GitHub stars, Authentik has become the go-to identity provider for homelab and self-hosted environments, providing enterprise-grade IAM features with a user-friendly configuration interface.
## What Authentik Does

- **Single Sign-On (SSO)**: One login for all your apps via SAML, OAuth 2.0, and OIDC
- **Application Proxy**: Protect any web app with authentication, even apps without built-in auth
- **Multi-Factor Auth**: TOTP, WebAuthn/Passkeys, SMS, Email, and Duo
- **User Enrollment**: Self-service registration with customizable flows (invite, approval, self-signup)
- **Social Login**: Google, GitHub, Discord, Apple, Microsoft, and custom OIDC/OAuth providers
- **LDAP Provider**: Built-in LDAP server for legacy application compatibility
- **SCIM**: Automated user provisioning to downstream applications
- **Flows & Stages**: Visual flow designer for custom authentication and enrollment logic

## Architecture

```
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Your Apps   │────▶│  Authentik   │────▶│  PostgreSQL  │
│ (OIDC/SAML)  │     │   Server     │     │   (Data)     │
└──────────────┘     │  (Django)    │     └──────────────┘
                     └──────┬───────┘
                            │             ┌──────────────┐
┌──────────────┐     ┌──────┴───────┐     │    Redis     │
│  Proxy Apps  │────▶│   Outpost    │     │   (Cache)    │
│  (No auth)   │     │ (Proxy/LDAP) │     └──────────────┘
└──────────────┘     └──────────────┘
```

## Self-Hosting

### Docker Compose

Secrets are read from `.env` (`PG_PASS`, `AUTHENTIK_SECRET_KEY`, as generated in Quick Use). The `${VAR:?message}` form makes Compose refuse to start with an empty value instead of silently running with a missing or placeholder secret. `AUTHENTIK_SECRET_KEY` must be identical for `server` and `worker` and must stay stable: it signs sessions and other server-issued tokens.

```yaml
services:
  postgresql:
    image: postgres:16-alpine
    restart: unless-stopped
    environment:
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_DB: authentik
    volumes:
      - pg-data:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine
    restart: unless-stopped

  server:
    image: ghcr.io/goauthentik/server:latest   # pin a release tag in production
    command: server
    restart: unless-stopped
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_POSTGRESQL__NAME: authentik
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis

  worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    restart: unless-stopped
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_POSTGRESQL__NAME: authentik
    depends_on:
      - postgresql
      - redis

volumes:
  pg-data:
```

## Key Features

### Flow Designer

Authentik's visual flow designer lets you build custom authentication logic. Each flow is an ordered sequence of stages; a stage can be made conditional by binding a policy to it, which is how "MFA (if enabled)" below is expressed:

```
Login Flow:
  Stage 1: Identification (username/email)
  → Stage 2: Password
  → Stage 3: MFA (if enabled)
  → Stage 4: Consent (for OAuth apps)
  → Login Complete

Enrollment Flow:
  Stage 1: Invitation Check
  → Stage 2: User Details Form
  → Stage 3: Email Verification
  → Stage 4: Set Password
  → Account Created
```

### Application Proxy (Outpost)

Protect any web application without modifying it:

```
# Authentik protects apps that have no built-in auth
# Example: protect a Grafana instance
Application: grafana.yourdomain.com
  → Authentik Proxy Outpost
  → Verify user is authenticated (redirect to the login flow if not)
  → Forward to Grafana (with X-authentik-* user headers)
```

The protected app trusts the identity headers the outpost adds, so it must be reachable only through the outpost (a private Docker network, firewall rule, or the app's own trusted-proxy allowlist). If a client can reach Grafana's port directly, it can forge those headers.

### Supported Protocols

| Protocol | Use Case |
|----------|----------|
| OAuth 2.0 / OIDC | Modern web apps, SPAs |
| SAML 2.0 | Enterprise apps, legacy |
| LDAP | Traditional apps, Linux auth |
| Proxy | Apps without auth support |
| SCIM | User provisioning |
| RADIUS | Network equipment |

## Authentik vs Alternatives

| Feature | Authentik | Keycloak | Authelia | Zitadel |
|---------|-----------|----------|----------|---------|
| SSO (SAML/OIDC) | Yes | Yes | OIDC only | Yes |
| App Proxy | Built-in | No | Built-in | No |
| LDAP Provider | Built-in | Yes | No | No |
| Flow Designer | Visual | Admin-console flows | YAML | Actions |
| MFA | Full | Full | TOTP/WebAuthn | Full |
| SCIM | Yes | Community | No | Yes |
| Language | Python | Java | Go | Go |
| RAM usage (approx.) | ~500MB | ~1GB+ | ~30MB | ~200MB |

## FAQ

**Q: Authentik or Authelia?**
A: Authelia is lighter, great for pure reverse-proxy auth (protecting apps that lack built-in auth). Authentik is more comprehensive with SAML/OIDC/LDAP/SCIM support, ideal when you need a full IdP. If you just need to add auth to Traefik/Nginx, Authelia is simpler. If you need SSO across many apps, pick Authentik.
**Q: Can it replace Keycloak?**
A: In most scenarios, yes. Authentik has a more modern UI, more intuitive configuration, and a built-in application proxy. Keycloak's edge lies in Java-ecosystem integration and very-large-scale enterprise deployments.

**Q: How resource-heavy is it?**
A: Server + Worker together use about 500MB RAM. Lighter than Keycloak (1GB+), heavier than Authelia (30MB). For a self-hosted environment managing 5–50 apps, this is a reasonable footprint.

## Source & Thanks

- GitHub: [goauthentik/authentik](https://github.com/goauthentik/authentik) — 20.9K+ ⭐
- Website: [goauthentik.io](https://goauthentik.io)

---

Source: https://tokrepo.com/en/workflows/authentik-open-source-identity-provider-sso-platform-e890152d
Author: AI Open Source