Secure authentication for EVERYTHING! // Authentik

Video Overview & Insights

In this YouTube video, we'll cover authentik, an open-source identity provider that allows for secure login to administrative services and web applications. With this setup, users only need to sign in once and can access all their services without having to log in multiple times. This not only saves time, but also increases security with multi-factor authentication. I also demonstrate how to install and set up authentik in your own environment.

Wazuh, the open-source security platform: https://wazuh.com/?utm_source=referral&utm_medium=YT&utm_campaign=ChristianLempa

References:
- Install and deploy Authentik: https://goauthentik.io
- Authentik Docs: https://docs.goauthentik.io/docs/
- Docker Course: https://www.patreon.com/collection/239867
- Traefik Tutorial: https://www.youtube.com/watch?v=wLrmmh1eI94

________________
💜 Support me and become a Fan!
→ https://christianlempa.de/patreon
💬 Join our Community!
→ https://christianlempa.de/discord
________________
Read my Tech Documentation
https://christianlempa.de/docs
My Gear and Equipment
https://christianlempa.de/kit
________________
Timestamps:
00:00 Introduction
01:06 Advertisement
02:37 Authentik Overview
04:52 Install Authentik
15:02 Initial Setup
19:48 Connect OAuth Services
33:32 Protect any web app in Traefik
39:00 Final thoughts
________________
All links are and/or include affiliate links.

Great tool, master tutor. As always, thanks :)

Best sweater!

Two things always come to mind for me any time I'm looking at an SSO solution like Authentik. 1) Using it for your most security-focused things isn't always a good idea; bringing them up to an improved security level may be a good idea, but be aware that the more things are secured with it, the more likely it is to be found and have people try to gain access to it, thus potentially lowering the security overall and risking a breach. 2) The other thing I always like to keep in mind is disaster recovery: if the chain required to provide auth is broken, and it's secured behind the SSO solution, can I still get into every element of the chain to troubleshoot, diagnose and repair it?
My view on the first one is that if it has 2FA and there are no known vulnerabilities, keep it off SSO (I've had arguments about this at employers before and lost to higher-ups because of convenience, but I will stand on the security side in this). As for the second, to me there's no question: if you can't get into something in the auth chain (hypervisor if one is involved, proxy service, etc.) without the SSO, then don't put it behind SSO, because if it goes down, you then can't get into what you need to fix it. Even if it's a pain in the ass to do it, it's not worth it; as long as the default auth is decent, leave it be to prevent headaches in the event of an issue.

I had never thought that you could open a server in VS Code; my mind is officially blown. No more fiddling around with vim/nano 🤯

Wow, great, man, thanks Chris for your efforts... Would it be possible to also show us something with LDAP / MS ADS?

Thanks for all of your content. You're one of my first sources when it comes to the configuration of new services for my own home server. Your channel is extremely helpful!

Thanks Christian. I also wanted to ask if it's possible to sync the password with TrueNAS/any other NAS. I've already tried but was unable to set up SMB auth with Authentik....

Nice! I will have to check this out. Maybe one day I'll try Traefik. I'd like to, but my whole homelab is set up and working with Nginx Proxy Manager and it works so well lol

Are you running this behind Cloudflare? I am stumped on it not working when the proxy is enabled on Cloudflare; it works fine (no 403 error) when the proxy is turned off in DNS.

Your final chapter on setting up auth for dumb web apps behind a Traefik proxy was fantastic. It helped me out of a deep rabbit hole in 15 minutes. But then I repeated the same steps for a second app and it did not work. If I run a test using curl, I get the same initial content back from Traefik for both apps, with content showing it knows about Authentik. But the second app connection is not redirected to Authentik (testing in a private browser window where I'm not yet signed in to Authentik). So I'm in a new rabbit hole :-(.
As a side note, I use Docker Swarm in my homelab, and few Docker examples on the net show anything about the slight differences between a single Docker engine and a swarm.

How can I integrate Authentik into lucky's third-party authentication using OIDC?

How is Portainer able to reach authentik.domain? In my setup this communication does not work; it seems Portainer cannot reach Authentik via Traefik, like a hairpin connection, and this is not allowed by the Docker engine natively. I wonder what you did to solve this?

Thank you! Can the backend network be of type bridge, or does it need to be host? I cannot find it in your boilerplates.

8:43: you manage the environment variables in a slightly different way. Question: when upgrading Authentik as described on their page, you download their new docker-compose file. You will have to redo all this "slightly different" way again then, right? Isn't it more convenient to just keep it as it is?
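The "Protect any web app in Traefik" chapter and the forward-auth comment above both concern the same piece of configuration: a Traefik forwardAuth middleware pointing at Authentik's embedded proxy outpost, attached to each router that should require a login. The Traefik dynamic configuration below is an added example written for this page; it is not the video's boilerplate nor Authentik's own files, and it follows the pattern from the Authentik Traefik documentation as I understand it. The host name app.example.com, the container names authentik-server and app, the app port 8080, the entry point websecure and the use of the file provider are all assumptions.

```yaml
# Traefik dynamic configuration (file provider), added example, assumed names throughout.
http:
  middlewares:
    authentik:
      forwardAuth:
        # Internal address of the Authentik server container on a Docker network shared
        # with Traefik. Traefik talks to Authentik directly here, not through its public
        # hostname, so no hairpin back through the proxy is needed for this check.
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        # Headers the outpost returns for an authenticated user; the upstream app can
        # consume these (for example X-authentik-groups) instead of doing its own login.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

  routers:
    # The outpost callback path on the protected host must reach Authentik WITHOUT the
    # middleware, otherwise the login redirect loops back into the auth check.
    authentik-outpost:
      rule: "Host(`app.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints:
        - websecure
      service: authentik
      tls: {}

    # The protected application: every router that should require a login lists the
    # middleware explicitly. A second app needs its own router with the same line.
    app:
      rule: "Host(`app.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - authentik
      service: app
      tls: {}

  services:
    authentik:
      loadBalancer:
        servers:
          - url: http://authentik-server:9000
    app:
      loadBalancer:
        servers:
          - url: http://app:8080
```

Two checks worth doing after applying this: confirm in the Traefik dashboard that the app's router actually shows the middleware attached (a router without it serves the app unauthenticated, which is easy to miss when only the middleware definition was copied), and confirm that the Authentik server container and Traefik share a Docker network so the forwardAuth address resolves. If the middleware is defined via Docker labels rather than this file, routers must reference it as authentik@docker (or authentik@file for the file provider) when crossing providers.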
More User Perspectives
Thanks for the video. Cool tool, but a serious question: in my homelab I can also host a password manager (Bitwarden) and handle the login at the push of a button. Yes, completely different technology and topic, but the effort to set it up would be considerably lower.
Is there a reason for you that nevertheless speaks for using authentik instead?
Great video
@masterofdisaster7070: What are the characteristics of both the frontend and backend networks you're using? I'm trying to set mine up the same way. Thanks!

@mohandhamadouche6780: Hello, can you do a video on how to enable and configure SAML in Zabbix using Authentik?

@KASSAMBARAMouhamed: How should I configure my Authentik domain in my Traefik config.yml? Any docs on that? Great video, I'm just stuck on that.

@shotbyschwank: Fab overview, Christian. I did mine a bit differently, using k8s instead of docker compose, but found your walkthrough invaluable (particularly when working out endpoints, as the docs can be a bit general in parts).
Caddy is a lot simpler to configure than Traefik (I think this is why it's more popular with homelabbers) but obviously doesn't have the extended features of Traefik (it's billed as the world's most advanced reverse proxy, after all).
I use both, but if you're already familiar with Traefik you're certainly not missing out; keep using Traefik.
You are my hero, Chris!

@ZüriVeloSchüümli: Holy smokes... I'm going to be honest. Watching some of the videos I wasn't too interested because I saw 45 minutes... and I bowed out.
But I decided to look into Grafana Alloy and Authentik and Prometheus and OMG... I'm so glad I took the time out to watch these videos. Freaking awesome!
Lempa is the GOAT. Respect
This is great, so informative. I definitely have a headache now. Lol, this will be a fun project for this weekend though. Thanks so much for sharing.

@jig1056: If I wanted to expose self-hosted services via Cloudflare Tunnel, how would I ensure Authentik is authenticating the users? Also, am I correct in assuming I need to create the user in Authentik first?

@elcidtricky: Epic, I still adore Keycloak though.

@byteafterlife: Awesome video! I currently have mine set up with pfSense HAProxy as the frontend for it to take care of the SSL Let's Encrypt certs. All the apps still go through HAProxy via internal DNS, which Authentik has had no issues with so far. Not entirely sure if this is the correct way of doing it, but it seems to be working fine. I have a few apps that don't have any authentication or lack SAML / OpenID Connect support, so I may use Caddy for them and let Authentik connect to it.

@Darkk6969: If you know how to copy-paste a docker-compose file, type docker compose up -d, and you are not interested in his personal reverse proxy stuff, the actual content starts at 15:02.
You are welcome.

Will this work with something like Jellyfin? The main problem I'm having is that apps like and similar to Jellyfin, which don't have good built-in security, also don't work with redirects in the apps on one's phone.

@gb1365: Just deployed it to my k8s cluster. After I've gotten the hang of this I'll probably be doing the whole provisioning of providers etc. using OpenTofu. There's a pretty nice provider for it 😊

@Gilgwathir: You mentioned that you need to set the administrator right for Portainer or Proxmox through the interface. Actually it is possible to do it through Authentik by creating a group (admin) and then adding the users to it. When you connect via OAuth, Portainer will retrieve the group information (here it will be admin) from the SSO information when logging in and assign the user to the administrators. You also need to activate team membership in Portainer for it to work.
This is quite useful, as you only need to maintain the groups in Authentik and thus can have users with different access rights in different applications.
Dear Christian!!!!
Thank you so much for this video! It really helped me a lot, especially the last part for apps without auth! Many heartfelt thanks. 🙌🏽🙌🏽🙌🏽

Thank you.

@technikfuzzie: One year later, I'm grateful for this video, but I challenge you, good sir, to remake it and use Nginx Proxy Manager in front of both Authentik and some apps like Portainer. I will hit the like button 3, 5, 7, 9 times in appreciation.

@wylde780: Regarding your sponsor: I just noticed Wazuh uses Kibana as its interface. What does it add to ELK?

@hans_kruse: Isn't it bad to use the same user/password for any service? This is what it does in the end, no? Or am I misunderstanding something about Authentik?

@kingmatqc: Is Authentik broken? Can't initialize: "Request has been Denied. Flow does not apply to current user."
EDIT: their PG_PASS bug remains. Putting a basic password works. However, the actual authentication doesn't work hahaha, learning is fun.. ref image: 2025.2.2
Realm = relm. Great video!
@BAPZR: Great video!! Thanks!

@ignaciosplenda2913: Warning: if your username for Portainer and Authentik is the same (i.e. 'admin'), you may get an authorisation failure when attempting to log in via OAuth. One way to resolve this is to edit the username in Portainer/your service to be different, then log in via OAuth again, which will now be able to create the user.

@Ryzza5: Hello, I tried to configure Authentik with Proxmox by following your instructions; it keeps returning a 401 error on Proxmox. I already matched the Client ID and secret.
Could the redirect URL be wrong? I set it to my Proxmox domain without the slash.
Thanks!

@KINGCAIMAN: Authentik is nice but needs development. As an enterprise solution, I prefer Keycloak. If you haven't used it yet, I hardly recommend you to use it.

@TehSingularity: Thank you, this was so useful! I can already think of dozens of use cases for Authentik.

@MonospaceMentor: Brrrrrr, tried to take a look at it. Very great, but impossible to import groups from Synology LDAP. Really bad interface for LDAP... tried it with Keycloak, OK also...

@anthonycoppet8788: This is awesome. Is there any chance you could post a video installing Authentik on TrueNAS Scale? I'm completely lost there.

@RafaBecerraRuiz: Cool, I was afraid to expose Jellyfin and Frigate to the internet, but this will do the job.

@JoaoVictor-wf7pk: Can you tell me, if I constantly see a "Not available" notification under Applications > Outposts in "Health and Version", what could this mean?

@BlinCT: @Christian, do you have exactly these files available somewhere? I do not see the exact same work in your boilerplate repo.

@paracha3: This was amazing, especially the last Nginx part, which is what I wanted to get out of this video. I wanted to protect my web apps using centralized auth. Great work!!