🔐 authentik
Description
authentik is a modern identity provider (IdP) and access management platform that enables Single Sign-On (SSO), user management, and fine-grained access control for applications.
It supports OAuth2, OpenID Connect (OIDC), and SAML, and can integrate with existing directories like LDAP.
authentik can also act as a forward authentication gateway, allowing protection of applications even if they do not natively support authentication.
Why authentik (instead of Keycloak)
authentik was chosen over Keycloak for the following reasons:
- Better suited for homelab / Kubernetes environments
- Simpler and more intuitive configuration model (flow-based authentication)
- Easier integration with ingress / reverse proxies (forward auth)
- Built-in policy engine and flexible access rules
- Lighter operational overhead compared to Keycloak
- More convenient for protecting apps that do not support OIDC/SAML
Keycloak is a powerful enterprise IAM solution, but it introduces more complexity (realms, clients, roles) and is less flexible for reverse-proxy-based access control.
Website
Kubernetes Notes
- Requires persistent storage (database + media)
- Typically deployed with:
- PostgreSQL (external or bundled)
- Redis (for caching / background tasks)
- Multiple components:
- server (API + web UI)
- worker (background jobs)
- Works best with Ingress + forward auth integration
- Configure outposts for proxy-based authentication
- Integrates with LDAP as a user backend (optional)
- Use OIDC for most applications instead of LDAP
- Enable MFA (2FA) for improved security
- Important to configure:
- external URL correctly
- trusted proxies (when behind ingress)