Authentik: Self-Hosted SSO for Your Homelab

Centralize authentication for all your self-hosted services. Authentik gives you OAuth2, OIDC, and proxy authentication with one login. Here's how to set it up with Docker and Traefik.

• 7 min read
homelabssoauthentikoauth2oidcdockertraefiksecurity
Authentik: Self-Hosted SSO for Your Homelab
Table of Contents

Every service in your homelab has its own login. Grafana, Proxmox, Gitea, Jellyfin—that’s four passwords to remember, four accounts to secure, four places to reset when you forget. There’s a better way.

Authentik is a self-hosted identity provider that gives you single sign-on (SSO) for all your services. One login. One password. One place to manage access.

What Is Authentik?

Authentik is an open-source identity provider (IdP) that acts as your central authentication hub. It supports:

  • OAuth2/OpenID Connect (OIDC) — For modern apps like Grafana, Gitea, and Harbor
  • SAML — For enterprise apps like Nextcloud and old-school software
  • LDAP — For legacy systems that need directory access
  • Proxy Authentication — For apps with no SSO support, using forward auth with Traefik or Nginx

When a user tries to access a protected service, Authentik handles the login. Once authenticated, the user can access all connected services without logging in again.

Why Authentik Over Alternatives?

FeatureAuthentikAutheliaKeycloak
OAuth2/OIDC Provider
Proxy Auth
SAML
Visual Flow Builder
Ease of SetupMediumEasyHard
RAM Usage~2GB~100MB~1GB+
Modern UIBasicDated

Use Authentik if you want:

  • OAuth2/OIDC provider functionality (Authelia doesn’t have this)
  • A modern, actively developed project
  • Visual workflow customization
  • Proxy auth for apps without native SSO

Use Authelia if you want:

  • Minimal resource usage
  • Simple forward auth only
  • Quick setup for basic needs

Use Keycloak if you want:

  • Enterprise-grade features
  • Complex organizational structures
  • You don’t mind the dated UI and complexity

For a homelab that wants modern SSO plus proxy auth in one package, Authentik hits the sweet spot.

Architecture

Authentik runs as a stack of containers:

┌─────────────────────────────────────────────┐
│              Reverse Proxy (Traefik)        │
│                  :443                       │
└─────────────────┬───────────────────────────┘

┌─────────────────▼───────────────────────────┐
│           Authentik Server                   │
│         (Web UI + API + Embedded Outpost)   │
│              :9000 / :9443                   │
└─────────────────┬───────────────────────────┘

        ┌─────────┴─────────┐
        ▼                   ▼
┌───────────────┐   ┌───────────────┐
│   PostgreSQL  │   │     Redis     │
│   (Database)  │   │   (Caching)   │
└───────────────┘   └───────────────┘

┌───────▼───────┐
│    Worker     │
│ (Background   │
│    Tasks)     │
└───────────────┘

The server handles the web interface and API. The worker processes background tasks like sending emails and expiring sessions. PostgreSQL stores all data, and Redis handles caching.

Installation with Docker Compose

Requirements

  • 2 CPU cores minimum
  • 2GB RAM minimum (4GB recommended)
  • Docker Compose v2
  • A domain pointing to your server
  • Reverse proxy (Traefik recommended)

Step 1: Create Project Directory

mkdir ~/authentik && cd ~/authentik

Step 2: Download Compose File

wget https://docs.goauthentik.io/compose.yml

Step 3: Generate Secrets

# Generate PostgreSQL password
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env

# Generate secret key
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env

Step 4: Configure for Traefik

Create a .env file with Traefik labels:

cat >> .env << 'EOF'
# Port configuration
COMPOSE_PORT_HTTP=9000
COMPOSE_PORT_HTTPS=9443

# Email (optional but recommended)
AUTHENTIK_EMAIL__HOST=smtp.gmail.com
AUTHENTIK_EMAIL__PORT=587
[email protected]
AUTHENTIK_EMAIL__PASSWORD=your-app-password
AUTHENTIK_EMAIL__USE_TLS=true
[email protected]
EOF

Step 5: Start the Stack

docker compose pull
docker compose up -d

Step 6: Initial Setup

Navigate to: https://auth.yourdomain.com/if/flow/initial-setup/

Create your admin account (akadmin user). Make sure to include the trailing slash or you’ll get a “Not Found” error.

Traefik Integration

Add Authentik to Your Traefik Stack

Add these labels to your docker-compose.yml:

services:
  authentik-server:
    # ... existing config
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.rule=Host(`auth.yourdomain.com`)"
      - "traefik.http.routers.authentik.entrypoints=websecure"
      - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"

Forward Auth Middleware

Create a middleware for protecting other services:

# traefik-dynamic.yml or docker-compose labels
http:
  middlewares:
    authentik:
      forwardAuth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-email
          - X-authentik-groups
          - X-authentik-name
          - X-authentik-uid

Apply to a Service

services:
  grafana:
    image: grafana/grafana
    labels:
      - "traefik.http.routers.grafana.middlewares=authentik@file"

Now accessing Grafana requires Authentik authentication.

Creating Your First Application

OAuth2/OIDC Provider (For Apps with Native Support)

  1. Navigate to Applications → Applications
  2. Click Create with provider
  3. Select OAuth2/OpenID Connect
  4. Fill in details:
    • Name: grafana-provider
    • Client type: Confidential
    • Redirect URIs: https://grafana.yourdomain.com/login/generic_oauth
  5. Save and note the Client ID and Client Secret

Proxy Provider (For Apps Without SSO)

  1. Create a new provider
  2. Select Proxy
  3. Choose Forward auth (single application)
  4. Set External host: https://grafana.yourdomain.com
  5. Create an application and link it to this provider

Configuring Grafana with OIDC

Here’s a real example connecting Grafana to Authentik:

# grafana.ini
[auth.generic_oauth]
enabled = true
name = Authentik
client_id = <your-client-id>
client_secret = <your-client-secret>
scopes = openid email profile
auth_url = https://auth.yourdomain.com/application/o/authorize/
token_url = https://auth.yourdomain.com/application/o/token/
api_url = https://auth.yourdomain.com/application/o/userinfo/
login_attribute_path = preferred_username
email_attribute_path = email
name_attribute_path = name

[auth]
signout_redirect_url = https://auth.yourdomain.com/application/o/<app-slug>/end-session/

Restart Grafana and you’ll see “Sign in with Authentik” on the login page.

OAuth2 Endpoints Reference

When integrating apps, use these endpoint patterns:

EndpointURL
Authorization/application/o/authorize/
Token/application/o/token/
User Info/application/o/userinfo/
JWKS/application/o/<app-slug>/jwks/
OpenID Config/application/o/<app-slug>/.well-known/openid-configuration
Logout/application/o/<app-slug>/end-session/

Adding Multi-Factor Authentication

MFA is essential for a public-facing auth system. Authentik supports:

  • TOTP — Authenticator apps (Google Authenticator, Authy)
  • WebAuthn — Hardware keys (YubiKey)
  • Duo — Push notifications
  • SMS — Text codes (less secure, not recommended)

Add TOTP Stage to Login Flow

  1. Go to Customization → Flows
  2. Edit default-authentication-flow
  3. Add a new stage: Authenticator Validation Stage
  4. Configure TOTP device classes
  5. Bind the stage to the flow

Now users will be prompted to set up an authenticator app on first login.

Security Best Practices

1. Use Strong Secrets

The secret key protects tokens and sessions. Make it long:

# Generate a 60-character key
openssl rand -base64 60 | tr -d '\n'

2. Enable HTTPS Only

Never expose Authentik without TLS. Always use a reverse proxy with Let’s Encrypt.

3. Limit Token Lifetime

Shorter tokens = less risk if compromised. Go to Customization → Property Mappings and adjust:

  • Access token validity: 5 minutes
  • Refresh token validity: 30 days

4. Restrict Admin Access

Create a separate admin group and require MFA for admin actions:

  1. Create an admins group
  2. Add a policy requiring MFA
  3. Bind to admin-related flows

5. Regular Backups

Backup your PostgreSQL database regularly:

docker exec authentik-postgres pg_dump -U authentik authentik > authentik-backup.sql

Groups and Access Control

Organize users into groups for easier permission management:

# Example group structure
groups:
  - name: admins
    permissions: full access to all apps
  - name: family
    permissions: media apps (Jellyfin, Audiobookshelf)
  - name: friends
    permissions: read-only access to shared content

Create these groups in Directory → Groups, then bind them to applications:

  1. Open an application
  2. Click Policy/Group/Role Bindings
  3. Add a group binding
  4. Users in that group now have access

Troubleshooting

Can’t Access Initial Setup

Make sure you include the trailing slash:

✅ https://auth.yourdomain.com/if/flow/initial-setup/
❌ https://auth.yourdomain.com/if/flow/initial-setup

Also verify all containers are running:

docker compose ps

Invalid Redirect URI

If you see redirect URI errors, check that your regex is escaped properly. Dots in domains need escaping:

✅ https://grafana\.yourdomain\.com/.*
❌ https://grafana.yourdomain.com/.*

Proxy Provider Not Working

Check the outpost logs:

docker logs authentik-server-1 | grep <client-id>

Make sure the outpost is assigned:

  1. Go to Applications → Outposts
  2. Verify your outpost is running
  3. Check that it’s linked to your proxy provider

Token Errors

Common causes:

  • Client ID/secret mismatch
  • Clock skew between servers (use NTP)
  • Incorrect scopes requested

Resource Requirements

ScaleUsersRAMCPU
Small<502GB2 cores
Medium50-5004GB4 cores
Large500+8GB+4+ cores

For a typical homelab with family and friends, 2GB is sufficient.

What’s Next?

Once Authentik is running, start connecting your services:

  1. Grafana — Native OIDC support, easy integration
  2. Proxmox VE — Add as OIDC realm in Datacenter settings
  3. Gitea — Enable OpenID sign-in
  4. Portainer — OAuth integration
  5. Apps without SSO — Use proxy provider with forward auth

Each service you add reduces password fatigue and centralizes access control. When someone leaves the family or changes roles, one click in Authentik controls everything.

Authentik turns your scattered authentication into one unified system. One login, one dashboard, one place to manage who accesses what. For a homelab with more than a few services, it’s the authentication layer you didn’t know you needed.

Need help? Join the Authentik Discord or check the official docs.

Anthony Lattanzio

Anthony Lattanzio

Tech Enthusiast & Builder

I'm a tech enthusiast who loves building things with hardware and software. By night, I run a homelab that's grown way beyond what any reasonable person needs. Check out about me for more.

If you liked this, check out...

Building a Budget Intel N100 Homelab: The Ultimate 2024 Guide

Building a Budget Intel N100 Homelab: The Ultimate 2024 Guide

Build a powerful, energy-efficient homelab with Intel N100 mini PCs and Proxmox. Complete guide with parts list, setup steps, and real-world performance.

homelab

Comments

Powered by GitHub Discussions