# Authentik — Open Source Identity Provider & SSO Platform

> Authentik is a flexible open-source identity provider with SSO, MFA, user enrollment flows, and application proxy — the authentication glue for your self-hosted stack.

## Install

Save the Compose file in your project root (see Quick Use).

## Quick Use

```bash
wget https://goauthentik.io/docker-compose.yml
echo "PG_PASS=$(openssl rand -base64 36)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60)" >> .env
docker compose up -d
```

Open `http://localhost:9000/if/flow/initial-setup/` and set up your admin account.

## Intro

**Authentik** is a flexible, open-source identity provider that serves as the authentication layer for your entire self-hosted infrastructure. It provides single sign-on (SSO), multi-factor authentication (MFA), user self-service enrollment, and an application proxy, acting as a centralized identity platform for all your services.

With 20.9K+ GitHub stars, Authentik has become the go-to identity provider for homelab and self-hosted environments, providing enterprise-grade IAM features with a user-friendly configuration interface.
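The Quick Use steps above append two generated secrets to `.env` and nothing checks them before `docker compose up`. The following is an added example in Python, not Authentik's own tooling: it parses the file, requires both keys, rejects the placeholder values that appear in example configs, and flags values too short or too uniform to have come from `openssl rand`. The minimum lengths, the placeholder list and the sample files are this example's assumptions.

```python
"""Sanity-check the .env written by the Quick Use steps before starting Authentik.

Added example (not Authentik's own tooling). Thresholds below are assumptions.
"""
import os
import re
import stat

# Keys the Quick Use commands write into .env, with the minimum length each
# value should have. `openssl rand -base64 36` yields 48 characters and
# `openssl rand -base64 60` yields 80, so these minimums (an assumption of this
# example, not an Authentik requirement) catch hand-typed values while still
# accepting any reasonably generated secret.
REQUIRED = {"PG_PASS": 32, "AUTHENTIK_SECRET_KEY": 50}

# Values that only ever appear in examples or templates (constructed list).
PLACEHOLDERS = {"your-secret-key", "authentik", "changeme", "password", "secret"}

# KEY=VALUE with an optional leading `export`; trailing whitespace is dropped.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample files for demonstration (not real secrets).
GOOD_ENV = (
    "PG_PASS=k3Jd8sLq2Pz9XwV4nB7tYc1RmH6aGe5FuZo0QiWxTrKv\n"
    'AUTHENTIK_SECRET_KEY="Ab3dEf6hIj9kLm2nOp5qRs8tUv1wXy4zBc7dEf0gHi3jKl6mNo9pQr2sTu5vWx8yZa1b"\n'
)
BAD_ENV = (
    "# copied from a compose example without regenerating the secrets\n"
    "PG_PASS=authentik\n"
    "AUTHENTIK_SECRET_KEY=your-secret-key\n"
)


def parse_env(text):
    """Parse KEY=VALUE lines; comments and blanks are skipped and matching
    surrounding quotes are removed. A repeated key overwrites the earlier one."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def check_env(text):
    """Return a list of problems found in the .env text; empty means it looks usable."""
    problems = []
    values = parse_env(text)
    for key, min_len in REQUIRED.items():
        if key not in values:
            problems.append(f"{key} is missing")
            continue
        value = values[key]
        if value.lower() in PLACEHOLDERS:
            problems.append(f"{key} is a placeholder value")
        elif len(value) < min_len:
            problems.append(f"{key} has length {len(value)} (expected at least {min_len})")
        # A random base64 string of this size uses far more than 8 distinct characters.
        if len(set(value)) < 8:
            problems.append(f"{key} has too little variety to be random")
    return problems


def check_permissions(path):
    """The file holds secrets: flag it if group or others can access it."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is accessible by group/others; run: chmod 600 {path}"]
    return []


if __name__ == "__main__":
    for name, sample in (("good", GOOD_ENV), ("bad", BAD_ENV)):
        print(name, check_env(sample) or "ok")
    if os.path.exists(".env"):
        with open(".env") as fh:
            print(".env", check_env(fh.read()) + check_permissions(".env") or "ok")
```

Run it from the directory holding `.env`; a non-empty list means fix the file before bringing the stack up. The permission check matters because the Quick Use commands create `.env` with the shell's default umask, which usually leaves it world-readable.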
## What Authentik Does

- **Single Sign-On (SSO)**: One login for all your apps via SAML, OAuth 2.0, and OIDC
- **Application Proxy**: Protect any web app with authentication, even apps without built-in auth
- **Multi-Factor Auth**: TOTP, WebAuthn/Passkeys, SMS, Email, and Duo
- **User Enrollment**: Self-service registration with customizable flows (invite, approval, self-signup)
- **Social Login**: Google, GitHub, Discord, Apple, Microsoft, and custom OIDC/OAuth providers
- **LDAP Provider**: Built-in LDAP server for legacy application compatibility
- **SCIM**: Automated user provisioning to downstream applications
- **Flows & Stages**: Visual flow designer for custom authentication and enrollment logic

## Architecture

```
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Your Apps   │────▶│  Authentik   │────▶│  PostgreSQL  │
│ (OIDC/SAML)  │     │   Server     │     │    (Data)    │
└──────────────┘     │   (Django)   │     └──────────────┘
                     └──────┬───────┘
┌──────────────┐            │            ┌──────────────┐
│  Proxy Apps  │     ┌──────┴───────┐     │    Redis     │
│  (No auth)   │────▶│   Outpost    │     │   (Cache)    │
└──────────────┘     │ (Proxy/LDAP) │     └──────────────┘
                     └──────────────┘
```

## Self-Hosting

### Docker Compose

```yaml
services:
  server:
    image: ghcr.io/goauthentik/server:latest
    command: server
    environment:
      # Secrets come from the .env file written in Quick Use. The `:?` form makes
      # Compose refuse to start when the variable is unset instead of silently
      # running with a placeholder.
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?set PG_PASS in .env}
      AUTHENTIK_POSTGRESQL__NAME: authentik
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?set PG_PASS in .env}
      AUTHENTIK_POSTGRESQL__NAME: authentik
  postgresql:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: authentik
      # Must match AUTHENTIK_POSTGRESQL__PASSWORD above.
      POSTGRES_PASSWORD: ${PG_PASS:?set PG_PASS in .env}
      POSTGRES_DB: authentik
    volumes:
      - pg-data:/var/lib/postgresql/data
  redis:
    image: redis:7-alpine

volumes:
  pg-data:
```

## Key Features

### Flow Designer

Authentik's visual flow designer lets you build custom authentication logic:

```
Login Flow:
  Stage 1: Identification (username/email)
  → Stage 2: Password
  → Stage 3: MFA (if enabled)
  → Stage 4: Consent (for OAuth apps)
  → Login Complete

Enrollment Flow:
  Stage 1: Invitation Check
  → Stage 2: User Details Form
  → Stage 3: Email Verification
  → Stage 4: Set Password
  → Account Created
```

### Application Proxy (Outpost)

Protect any web application without modifying it:

```
# Authentik protects apps that have no built-in auth
# Example: Protect a Grafana instance
Application: grafana.yourdomain.com
  → Authentik Proxy Outpost
  → Verify user is authenticated
  → Forward to Grafana (with user headers)
```

### Supported Protocols

| Protocol | Use Case |
|----------|----------|
| OAuth 2.0 / OIDC | Modern web apps, SPAs |
| SAML 2.0 | Enterprise apps, legacy |
| LDAP | Traditional apps, Linux auth |
| Proxy | Apps without auth support |
| SCIM | User provisioning |
| RADIUS | Network equipment |

## Authentik vs Alternatives

| Feature | Authentik | Keycloak | Authelia | Zitadel |
|---------|-----------|----------|----------|---------|
| SSO (SAML/OIDC) | Yes | Yes | OIDC only | Yes |
| App Proxy | Built-in | No | Built-in | No |
| LDAP Provider | Built-in | Yes | No | No |
| Flow Designer | Visual | Config files | YAML | Actions |
| MFA | Full | Full | TOTP/WebAuthn | Full |
| SCIM | Yes | Community | No | Yes |
| Language | Python | Java | Go | Go |
| RAM Usage | ~500MB | ~1GB+ | ~30MB | ~200MB |

## FAQ

**Q: How do I choose between Authentik and Authelia?**

A: Authelia is lighter and suits pure reverse-proxy authentication (protecting applications that have no built-in auth). Authentik is more feature-complete, supporting SAML/OIDC/LDAP/SCIM, and suits scenarios that need full IdP functionality. If you only need to add authentication in front of Traefik/Nginx, Authelia is simpler. If you need SSO across multiple applications, choose Authentik.

**Q: Can it replace Keycloak?**

A: In most scenarios, yes. Authentik's UI is more modern, its configuration is more intuitive, and it ships with an application proxy. Keycloak's strengths are its Java ecosystem integration and its track record in very large enterprise deployments.

**Q: Is resource consumption high?**

A: Server + Worker together use about 500MB RAM. That is lighter than Keycloak (1GB+) but heavier than Authelia (30MB). For a self-hosted environment managing 5-50 applications, this is reasonable resource usage.

## Sources and Credits

- GitHub: [goauthentik/authentik](https://github.com/goauthentik/authentik) — 20.9K+ ⭐
- Website: [goauthentik.io](https://goauthentik.io)

---

Source: https://tokrepo.com/en/workflows/e890152d-34a9-11f1-9bc6-00163e2b0d79
Author: AI Open Source
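The Application Proxy section above ends with the outpost forwarding the request "with user headers". The upstream app must treat those headers as authoritative only when the request actually arrived from the outpost; any client that can reach the app directly could otherwise send the same headers itself. The following is an added Python example, not Authentik's or Grafana's code, showing how an upstream app can enforce that. The header names (`X-authentik-username`, `X-authentik-email`, pipe-separated `X-authentik-groups`) follow Authentik's proxy-provider documentation as recalled here and should be checked against the current docs; the trusted network, the request representation and the sample requests are assumptions constructed for this example.

```python
"""Accept identity headers from an Authentik proxy outpost only when the
connection comes from the outpost itself.

Added example (not Authentik's or Grafana's code). Header names are taken from
Authentik's proxy-provider docs as recalled; everything else is assumed.
"""
import ipaddress
from dataclasses import dataclass, field

# Networks the outpost connects from, e.g. the Docker network it shares with the
# app. Constructed for this example; use your own outpost addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("172.20.0.0/24")]

# Every identity header the outpost sets starts with this prefix. If such a
# header arrives from any other peer it is client-controlled and must be dropped.
IDENTITY_PREFIX = "x-authentik-"


@dataclass
class Identity:
    username: str
    email: str = ""
    groups: list = field(default_factory=list)


def from_trusted_proxy(peer_ip):
    """True if the TCP peer is one of the outpost's addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def sanitize_headers(headers, peer_ip):
    """Return a copy of the request headers. Identity headers survive only when
    the peer is the outpost; names are matched case-insensitively because HTTP
    header names are case-insensitive and a client may vary the case."""
    if from_trusted_proxy(peer_ip):
        return dict(headers)
    return {k: v for k, v in headers.items() if not k.lower().startswith(IDENTITY_PREFIX)}


def resolve_identity(headers, peer_ip):
    """Return the Identity asserted by the outpost, or None when the request did
    not come through the outpost or carries no username."""
    clean = {k.lower(): v for k, v in sanitize_headers(headers, peer_ip).items()}
    username = clean.get("x-authentik-username", "").strip()
    if not username:
        return None
    # X-authentik-groups is documented as a pipe-separated list (assumption noted above).
    groups = [g.strip() for g in clean.get("x-authentik-groups", "").split("|") if g.strip()]
    return Identity(username=username, email=clean.get("x-authentik-email", ""), groups=groups)


# Constructed sample requests: one relayed by the outpost, one sent directly by
# a client that forged the same headers.
FORWARDED = {
    "Host": "grafana.yourdomain.com",
    "X-authentik-username": "alice",
    "X-authentik-email": "alice@example.com",
    "X-authentik-groups": "admins|grafana-editors",
}
FORGED = {"Host": "grafana.yourdomain.com", "x-AUTHENTIK-username": "admin"}

if __name__ == "__main__":
    print("via outpost:", resolve_identity(FORWARDED, "172.20.0.5"))
    print("direct client:", resolve_identity(FORGED, "203.0.113.9"))
```

The check belongs in front of whatever the app does with the headers, and it only holds if the app's listener is reachable from nothing but the outpost (a private Docker network, or a firewall rule); an app exposed on a public port can still be reached with forged headers regardless of what it does once the request arrives. When the upstream app has its own header-based auth mode, give it the same restriction on the proxy's address rather than trusting the headers from any source.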