Skip to content

Authentik

Info

Authentik - self-hosted, open source identity provider

Authentik consolidates identity, SSO, and access policy controls behind a single pane of glass, making it easier to secure JD Edwards-adjacent services, homelab resources, and partner applications. It supports OAuth2/OIDC, SAML, LDAP, and proxy authentication flows, so one deployment can standardize logins, enforce MFA, and expose audited access for every downstream workload.

Authentik install

https://docs.goauthentik.io/docs/install-config/install/docker-compose

Click to expand - docker-compose.yml 
postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - ./postgresql/database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      proxy:

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - ./redis/data:/data
    networks:
      proxy:

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
    container_name: authentik
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./server/media:/media
      - ./server/custom-templates:/templates
    env_file:
      - .env
    # ports:
    #   - "9000:9000"
    #   - "9443:9443"      
    depends_on:
      - postgresql
      - redis
    networks:
      proxy:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=http"
      - "traefik.http.routers.authentik.rule=Host(`${NAME_CONTAINER_AUTHENTIK}.${NAME_DOMAIN}`)"
      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
      - "traefik.http.routers.authentik-secure.entrypoints=https"
      - "traefik.http.routers.authentik-secure.rule=Host(`${NAME_CONTAINER_AUTHENTIK}.${NAME_DOMAIN}`)"
      - "traefik.http.routers.authentik-secure.tls=true"
      - "traefik.http.routers.authentik-secure.service=authentik"
      - "traefik.http.services.authentik.loadbalancer.server.scheme=https" 
      - "traefik.http.services.authentik.loadbalancer.server.port=9443"
      - "traefik.docker.network=proxy"
    #   # Catch any subdomain using individual application forward authentication
    #   - "traefik.http.routers.authentik.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${NAME_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)"

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./worker/media:/media
      - ./worker/certs:/certs
      - ./worker/custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
    networks:
      proxy:

Authentik configuration

note

Authentik OAuth 2.0 provider

https://docs.goauthentik.io/docs/add-secure-apps/providers/oauth2/

Create OAuth Provider and Application with Wizard

Select Name, Slug and click Next

Select OAuth2/OpenID Provider and click Next

Select Name and Authorization Flow

Select Redirect URI (your portainer fully qualified domain name) adn click Next

Click Next

Click Submit