k8s-apps/authentik/README.md
2026-04-02 11:20:37 +00:00

# 🔐 authentik
## Description
authentik is a **modern identity provider (IdP) and access management platform** that enables Single Sign-On (SSO), user management, and fine-grained access control for applications.
It supports OAuth2, OpenID Connect (OIDC), and SAML, and can integrate with existing directories like LDAP.
authentik can also act as a **forward authentication gateway**: a proxy outpost sits in front of an application, authenticates the user through authentik's flows, and passes the resulting identity upstream in HTTP headers, so applications that do not natively support authentication (or OIDC/SAML) can still be protected.
## Why authentik (instead of Keycloak)
authentik was chosen over Keycloak for the following reasons:
- **Better suited for homelab / Kubernetes environments**
- **Simpler and more intuitive configuration model** (flow-based authentication)
- **Easier integration with ingress / reverse proxies** (forward auth)
- Built-in **policy engine** and flexible access rules
- Lighter operational overhead compared to Keycloak
- More convenient for protecting apps that **do not support OIDC/SAML**
Keycloak is a powerful enterprise IAM solution, but it introduces more complexity (realms, clients, roles) and has no built-in forward-auth mode for reverse proxies; protecting a non-OIDC application with it needs an extra component such as oauth2-proxy.
## Website
https://goauthentik.io
## Kubernetes Notes
- Requires **persistent storage** (database + media uploads such as application icons and avatars)
- Typically deployed with:
  - PostgreSQL (external or bundled; it holds all users, tokens and sessions, so back it up)
  - Redis (cache and task queue; check the release notes for your version, newer releases have reduced this dependency)
- Multiple components:
  - server (API + web UI, also runs the embedded outpost)
  - worker (background jobs: LDAP sync, outpost management, expired-token cleanup)
- Works best with **Ingress + forward auth integration**
- Configure **outposts** for proxy-based authentication (the embedded outpost covers apps in the same cluster; deploy a separate outpost when the protected app lives elsewhere)
- Integrates with LDAP as a **user backend (optional)**, via an LDAP source that syncs users and groups into authentik
- Use **OIDC for most applications** instead of LDAP: an OIDC client never sees the user's password and MFA is enforced by authentik's flow, whereas an application that binds to LDAP handles the password itself and bypasses the flow
- Enable **MFA (2FA)** for improved security: enrol TOTP or WebAuthn and bind an authenticator validation stage into the authentication flow so it is enforced, not merely available
- Important to configure:
  - external URL correctly (the `authentik_host` of each outpost and the URLs users are redirected to must match what browsers use, otherwise login redirects and callbacks break)
  - trusted proxies (when behind ingress): `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS` should list only the ingress/pod ranges, so client IPs in audit logs and IP-based policies are correct and cannot be spoofed through `X-Forwarded-For`
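The following manifests are an added example of the forward-auth wiring described above; they are not taken from this repo or from the authentik project. Assumptions: ingress-nginx as the ingress controller, the authentik Helm chart installed in namespace `authentik` with a `authentik-server` service on port 80 running the embedded outpost, a protected app reachable at `app.example.com`, a pod CIDR of `10.42.0.0/16`, and a "Forward auth (single application)" proxy provider with external host `https://app.example.com` already created in authentik and assigned to the embedded outpost. Service names, hostnames and the CIDR are placeholders to adapt.

```yaml
# Added example (not from this repo): forward-auth protection of one app.
# Assumed names: namespace "authentik", service "authentik-server" (port 80,
# embedded outpost), app host app.example.com, pod CIDR 10.42.0.0/16.
---
# 1. Server/worker environment (excerpt). The trusted proxy CIDRs must match
#    where ingress traffic really comes from: too narrow and every request is
#    logged with the ingress pod IP, too wide (0.0.0.0/0) and any client can
#    forge its address via X-Forwarded-For.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-env
  namespace: authentik
data:
  AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
  AUTHENTIK_POSTGRESQL__NAME: authentik
  AUTHENTIK_POSTGRESQL__USER: authentik
  AUTHENTIK_REDIS__HOST: authentik-redis-master
  AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: "10.42.0.0/16"   # assumed pod CIDR
  AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
  # AUTHENTIK_SECRET_KEY and AUTHENTIK_POSTGRESQL__PASSWORD belong in a
  # Secret referenced with envFrom/secretRef, never in a ConfigMap.
---
# 2. Ingress for the protected app. ingress-nginx issues a subrequest to
#    auth-url for every request: 2xx lets it through and copies the headers
#    named in auth-response-headers upstream, 401 sends the browser to
#    auth-signin, which starts the authentik flow and returns to the
#    original URL (rd=...).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: app
  annotations:
    nginx.ingress.kubernetes.io/auth-url: |-
      http://authentik-server.authentik.svc.cluster.local/outpost.goauthentik.io/auth/nginx
    nginx.ingress.kubernetes.io/auth-signin: |-
      https://app.example.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-response-headers: |-
      Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
---
# 3. Route the outpost's own paths on the app's host back to authentik, so
#    /outpost.goauthentik.io/start and /callback reach the embedded outpost.
#    An Ingress backend must live in its own namespace, hence "authentik".
#    This Ingress must NOT carry the auth-* annotations from above.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-authentik-outpost
  namespace: authentik
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /outpost.goauthentik.io
            pathType: Prefix
            backend:
              service:
                name: authentik-server
                port:
                  number: 80
```

Two caveats when applying this: `auth-snippet` is only honoured when the ingress-nginx controller has `allow-snippet-annotations` enabled (it is off by default in recent releases), and without the `X-Forwarded-Host` header the outpost cannot tell which application the request was for. Also verify the trusted-proxy setting after deployment by checking that a login event in authentik's event log shows the real client address rather than an ingress pod IP.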
## Improvements
- HA: replicated database (2x PostgreSQL) and 2x pods
- Force 2FA for admin accounts when the request comes from outside the local network
- Sync LDAP thumbnail pictures (user avatars)