Authentik — Open Source Identity Provider & SSO Platform
Authentik is a flexible open-source identity provider with SSO, MFA, user enrollment flows, and application proxy — the authentication glue for your self-hosted stack.
This asset is staged safely first. The copied command asks the agent to read the staged files and confirm before activating any scripts, MCP configuration, or global configuration.
npx -y tokrepo@latest install e890152d-34a9-11f1-9bc6-00163e2b0d79 --target codex
Stages the files first; read the staged README and the install plan before activating anything.
What it is
Authentik is a flexible open-source identity provider offering single sign-on (SSO), multi-factor authentication (MFA), user enrollment flows, and an application proxy. It serves as the authentication layer for self-hosted infrastructure, connecting all your applications behind one login system with support for SAML, OAuth2, OIDC, LDAP, and SCIM.
Authentik targets homelab operators and organizations running self-hosted services that need centralized authentication without paying for commercial identity providers such as Okta or Microsoft Entra ID (formerly Azure AD).
Why it saves time or tokens
Without a centralized identity provider, each self-hosted application manages its own user database, passwords, and MFA. Authentik consolidates this into one system. Users log in once and access all connected applications. Adding a new application takes minutes through the Authentik UI rather than implementing auth from scratch. For AI-managed infrastructure, Authentik provides a single API for user provisioning and access control.
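The "single API for user provisioning" point above, as an added example that is not code from the Authentik project: a minimal client that resolves a group by name and creates a user in it. The endpoint paths (`/api/v3/core/groups/?name=` and `/api/v3/core/users/`), the request and response shapes, and the Bearer token are assumptions taken from the shape of Authentik's v3 API and must be checked against the API browser of your own instance; the fake server, UUID, and user data are constructed so the example runs offline.

```python
"""Provision a user in Authentik over its REST API (added example, not project code).

Assumptions, to be verified against your instance's API browser at /api/v3/:
  GET  /api/v3/core/groups/?name=<name>  -> {"results": [{"pk": <uuid>, "name": <name>}]}
  POST /api/v3/core/users/               -> the created user object, including its "pk"
The token is an API token created in the admin interface and sent as a Bearer token.
"""
import json
import urllib.request
from urllib.parse import quote


class AuthentikClient:
    def __init__(self, base_url, token, opener=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        # The urllib opener is injectable so the demo below can run offline.
        self.opener = opener or urllib.request.build_opener()

    def _request(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"Authorization": "Bearer " + self.token,
                     "Accept": "application/json",
                     "Content-Type": "application/json"})
        with self.opener.open(req) as resp:
            return json.loads(resp.read())

    def group_pk(self, name):
        result = self._request("GET", "/api/v3/core/groups/?name=" + quote(name))
        # Match the name exactly on our side too, so a looser server-side
        # filter can never hand us a different group's primary key.
        for group in result.get("results", []):
            if group["name"] == name:
                return group["pk"]
        raise LookupError("group %r not found" % name)

    def create_user(self, username, name, email, groups=()):
        # Resolve every group before creating the user: a typo in a group name
        # fails loudly instead of silently creating a user with no groups.
        pks = [self.group_pk(g) for g in groups]
        return self._request("POST", "/api/v3/core/users/", {
            "username": username, "name": name, "email": email,
            "is_active": True, "groups": pks})


class FakeResponse:
    def __init__(self, payload):
        self.payload = json.dumps(payload).encode()
    def read(self):
        return self.payload
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Constructed stand-in for the Authentik server; records every request it sees."""
    GROUP_PK = "3f3b0c2e-0000-4000-8000-000000000001"  # constructed group UUID

    def __init__(self):
        self.requests = []

    def open(self, req):
        self.requests.append(req)
        if req.get_method() == "GET" and "/core/groups/" in req.full_url:
            return FakeResponse({"results": [{"pk": self.GROUP_PK, "name": "developers"}]})
        if req.get_method() == "POST" and req.full_url.endswith("/core/users/"):
            return FakeResponse(dict(json.loads(req.data), pk=42))
        raise AssertionError("unexpected request " + req.full_url)


def demo():
    """Create a constructed user 'alice' in the 'developers' group against the fake server."""
    opener = FakeOpener()
    client = AuthentikClient("https://authentik.example.com", "constructed-token", opener)
    user = client.create_user("alice", "Alice Example", "alice@example.com", groups=["developers"])
    return user, opener.requests
```

Keep the API token in an environment variable or secrets store rather than in the script or shell history, and scope it to the permissions the provisioning job actually needs.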
How to use
- Deploy Authentik with Docker Compose using the official compose file
- Access the admin interface and configure your identity sources and policies
- Add applications using SAML, OAuth2, OIDC, or the proxy provider
Example
# docker-compose.yml (simplified; follows the layout of the official compose file)
# Generate the secrets once and keep them in .env, never in the compose file:
#   echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
#   echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
services:
  postgresql:
    image: postgres:16
    environment:
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
    volumes:
      - database:/var/lib/postgresql/data
  redis:
    image: redis:7
  authentik-server:
    image: ghcr.io/goauthentik/server:latest   # pin to a release tag in production
    command: server
    environment: &authentik_env
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_REDIS__HOST: redis
    ports:
      - '9000:9000'
      - '9443:9443'
    depends_on: [postgresql, redis]
  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment: *authentik_env   # the worker needs the same database, Redis, and secret key settings
    depends_on: [postgresql, redis]
volumes:
  database:
| Protocol | Use Case |
|---|---|
| OAuth2/OIDC | Modern web apps |
| SAML | Enterprise apps |
| LDAP | Legacy systems |
| Proxy | Apps without auth support |
| SCIM | User provisioning |
Common pitfalls
- Authentik keeps all users, configuration, and sessions in PostgreSQL and Redis; back up PostgreSQL regularly, and store AUTHENTIK_SECRET_KEY alongside the backup, since changing the key invalidates every active session
- The proxy provider adds a hop, and therefore latency, to every request, and the protected backend must be reachable only through the outpost, otherwise the identity headers the outpost sets can be spoofed by anyone who connects directly; for applications that support OIDC natively, integrate them directly instead
- Enrollment flows are powerful but complex; test each flow end to end before exposing it to users, and bind a policy (or an invitation stage) to any flow reachable without authentication, otherwise anyone who can reach Authentik can register an account
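The proxy pitfall above in code: a backend that honours the outpost's identity headers only when the TCP peer is the outpost, as an added example that is not code from the Authentik project. The header names and the pipe-separated group list follow the proxy provider documentation; the trusted network (172.18.0.0/16), the two sample requests, and the group names are constructed and stand in for your deployment's outpost address.

```python
"""Accept Authentik proxy identity headers only from the outpost (added example, not project code)."""
import ipaddress

# Identity headers the proxy outpost adds to forwarded requests, lower-cased,
# mapped to the keys of the returned identity. Groups arrive pipe-separated.
IDENTITY_HEADERS = {
    "x-authentik-username": "username",
    "x-authentik-email": "email",
    "x-authentik-name": "name",
    "x-authentik-uid": "uid",
    "x-authentik-groups": "groups",
}


class ProxyIdentity:
    def __init__(self, trusted_proxies):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def from_outpost(self, remote_addr):
        addr = ipaddress.ip_address(remote_addr)
        return any(addr in net for net in self.trusted)

    def identify(self, headers, remote_addr):
        """Return the user identity, or None when the request is unauthenticated.

        The headers are honoured only when the TCP peer is the outpost; any client
        that can reach the backend directly could otherwise set them itself.
        """
        if not self.from_outpost(remote_addr):
            return None
        lowered = {k.lower(): v for k, v in headers.items()}
        if not lowered.get("x-authentik-username"):
            return None
        identity = {key: lowered.get(header, "") for header, key in IDENTITY_HEADERS.items()}
        identity["groups"] = [g for g in identity["groups"].split("|") if g]
        return identity

    def authorize(self, headers, remote_addr, required_group):
        identity = self.identify(headers, remote_addr)
        return identity is not None and required_group in identity["groups"]


# Constructed sample requests: (headers, address of the TCP peer as the backend sees it)
OUTPOST_REQUEST = ({
    "X-authentik-username": "alice",
    "X-authentik-email": "alice@example.com",
    "X-authentik-name": "Alice Example",
    "X-authentik-uid": "constructed-uid-0001",
    "X-authentik-groups": "developers|grafana-admins",
}, "172.18.0.5")                       # the outpost container on the compose network

SPOOFED_REQUEST = ({
    "X-authentik-username": "akadmin",
    "X-authentik-groups": "authentik Admins",
}, "203.0.113.7")                      # reaches the backend directly, bypassing the outpost


def demo():
    """Evaluate both constructed requests; returns the identity and authorization outcomes."""
    checker = ProxyIdentity(["172.18.0.0/16"])
    return {
        "legit": checker.identify(*OUTPOST_REQUEST),
        "spoofed": checker.identify(*SPOOFED_REQUEST),
        "legit_admin": checker.authorize(*OUTPOST_REQUEST, "grafana-admins"),
        "spoofed_admin": checker.authorize(*SPOOFED_REQUEST, "authentik Admins"),
    }
```

If another reverse proxy sits between the outpost and the backend, the peer address will be that proxy's, so the check has to be applied at the hop that actually talks to the outpost, or the backend should be placed on a network segment only the outpost can reach. A stronger check is to verify the signed X-authentik-jwt header the outpost also sends, which needs a JWT library and the outpost's JWKS and is not shown here.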
FAQ
Which protocols does Authentik support?
Authentik supports OAuth2, OpenID Connect (OIDC), SAML 2.0, LDAP, and SCIM. It can act as an identity provider for any application that supports these standards. The proxy provider adds authentication to applications that have no native auth support by sitting in front of them.
How does Authentik compare with Keycloak?
Both are open-source identity providers. Keycloak is Java-based, backed by Red Hat, and has the longer track record. Authentik is Python-based with a more modern UI and a stage-based flow system. Authentik's proxy provider is particularly useful for homelab setups. Choose based on your infrastructure preferences and community support needs.
Does Authentik support MFA?
Yes. Authentik supports TOTP (authenticator apps), WebAuthn (hardware keys like YubiKey), SMS, and email-based verification. You configure MFA requirements per application or user group through policy bindings. MFA can be required for all users or only when a policy decides the login is risky enough to warrant it.
Can Authentik protect an application that has no authentication of its own?
Yes. The proxy provider sits in front of any web application and requires authentication before forwarding a request. This works for dashboards, admin panels, and legacy apps that lack their own auth system. The proxy passes user identity headers (such as X-authentik-username and X-authentik-groups) to the backend, so the backend must accept traffic only from the outpost; a client that can reach the backend directly can set those headers itself.
What are enrollment flows?
Enrollment flows are customizable sequences of stages (forms, email verification, MFA setup, approval) that users go through when creating an account. You design flows visually in the admin interface. Different applications can use different enrollment flows with different requirements.
Sources and credits
- GitHub: goauthentik/authentik — 20.9K+ ⭐
- Website: goauthentik.io