What is Authelia — Single Sign-On & 2FA for Your Homelab?

OpenID Connect certified SSO portal that sits in front of your reverse proxy and adds TOTP, WebAuthn, or passkey login to any self-hosted app.

Is Authelia — Single Sign-On & 2FA for Your Homelab free to use?

Yes. Authelia — Single Sign-On & 2FA for Your Homelab is freely available on TokRepo. Check the Source & Thanks section on the asset page for the specific open-source license.

How do I install Authelia — Single Sign-On & 2FA for Your Homelab?

Visit the asset page on TokRepo and click "Copy for agent" to get the installation instructions. Most assets can be installed with a single command.

Authelia — Single Sign-On & 2FA for Your Homelab

Introduction

Authelia is an open-source authentication and authorization server that turns any reverse proxy (Traefik, Nginx, HAProxy, Caddy, Envoy) into an SSO gateway. You define users, groups, and access policies in YAML; Authelia handles password checks, multi-factor, and session management.

What Authelia Does

Forward-auth endpoint that reverse proxies can call to gate every request.
Full OpenID Connect 1.0 OP, certified by the OpenID Foundation.
LDAP and file-based user backends with Argon2id password hashing.
WebAuthn (passkeys, YubiKey), TOTP, mobile push, and Duo for second factor.
Per-resource policies: bypass, one-factor, two-factor on URL patterns.

Architecture Overview

Authelia runs as a single Go binary. Sessions live in Redis (recommended) or in memory; persistent data (user prefs, WebAuthn keys, consents) is in SQLite, MySQL, or PostgreSQL. The auth portal is a small React app served by the same process. Reverse proxies make a ForwardAuth sub-request to /api/verify and honor the response headers.

Self-Hosting & Configuration

Put Authelia behind the same reverse proxy it protects, at auth.example.com.
Redis is mandatory when running multiple replicas for session affinity.
Issue HTTPS certs via your proxy — Authelia does not terminate TLS itself.
Back up configuration.yml plus the database; they hold WebAuthn credentials.
Use notifier.smtp or filesystem notifier for password reset emails.

Key Features

OpenID Certified™ OP — plug real apps (Grafana, GitLab, Nextcloud) into it.
Passwordless with passkeys or WebAuthn second factor without vendor lock-in.
Regex-based access control with network, resource, and subject filters.
Geo-IP banning and brute-force regulation out of the box.
Exposes metrics, traces, and structured logs for observability.

Comparison with Similar Tools

Keycloak — larger feature set (federation, admin UI), heavier Java footprint.
Zitadel — modern OIDC provider with multi-tenant SaaS features.
Dex — OIDC federator without its own user DB.
Authentik — similar scope, richer UI, Python stack.
Cloudflare Access — managed, no self-hosting, ties you to Cloudflare.

FAQ

Q: Do I need Redis? A: Only for HA. Single instance runs happily with the in-memory store.

Q: Can I use my existing LDAP/AD? A: Yes — Authelia speaks both and supports group filters and custom attribute maps.

Q: Is Authelia an IdP or a proxy? A: Both — it can be a forward-auth gateway and an OpenID Connect OP at the same time.

Q: Mobile app? A: Use any TOTP app, Duo Mobile for push, or a passkey-capable browser on iOS/Android.

Authelia — Single Sign-On & 2FA for Your Homelab

Introduction

What Authelia Does

Architecture Overview

Self-Hosting & Configuration

Key Features

Comparison with Similar Tools

FAQ

Sources

讨论

相关资产

Flagger — Progressive Delivery Operator for Kubernetes

Metrics Server — Lightweight Core Metrics for Kubernetes Autoscaling

ExternalDNS — Dynamic DNS Records from Kubernetes Resources