$docker.recipes
13 min read · Updated February 2026

Authentik: A Full Identity Provider for Your Self-Hosted Stack

Go beyond basic authentication. Authentik provides SSO, OIDC, SAML, and LDAP for your self-hosted services — with a visual flow designer and Docker Compose deployment.

Tags: authentik, sso, identity, security, docker-compose

01 Beyond Basic SSO

I started with Authelia — a simple forward-auth proxy that adds username/password authentication to services that don't have their own login. It worked well for about six months, protecting a dozen services behind my reverse proxy. Then I wanted more. I wanted single sign-on across all my services — log in once and access everything. I wanted to use my self-hosted identity for OAuth login on Gitea, Grafana, and Nextcloud instead of creating separate accounts on each. I wanted a user directory where I could manage accounts, groups, and permissions in one place.

Authelia doesn't do those things. It's an authentication middleware, not an identity provider. Authentik is. Authentik is a full identity provider — it supports OIDC (OpenID Connect), SAML 2.0, LDAP, and forward auth (proxy authentication). It has a visual flow designer for login, registration, and recovery processes. It supports MFA, social login, user enrollment, and fine-grained access policies.

The trade-off is resource usage: Authentik needs about 800MB-1.2GB of RAM compared to Authelia's 50MB. But if you need real SSO and identity management, there's no lightweight alternative that matches Authentik's feature set.

02 Docker Compose Setup

Authentik consists of a server (web UI and API), a worker (background tasks), PostgreSQL, and Redis. The official Compose file is well-maintained and production-ready.
[docker-compose.yml]
```yaml
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:2025.2
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    restart: unless-stopped

  authentik-worker:
    image: ghcr.io/goauthentik/server:2025.2
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
      - authentik-certs:/certs
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    restart: unless-stopped

  postgresql:
    image: postgres:16-alpine
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
    volumes:
      - postgres-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "authentik"]
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped

  redis:
    image: redis:7-alpine
    command: --save 60 1 --loglevel warning
    volumes:
      - redis-data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped

volumes:
  postgres-data:
  redis-data:
  authentik-media:
  authentik-templates:
  authentik-certs:
```

The AUTHENTIK_SECRET_KEY must be a long, random string (at least 50 characters). Generate it with openssl rand -base64 60 and store it securely. Changing this key after initial setup invalidates all sessions and tokens, effectively locking everyone out until they re-authenticate.

03 Initial Configuration and Admin Setup

After the first docker compose up, Authentik's setup wizard is available at http://localhost:9000/if/flow/initial-setup/. You'll create your admin account and configure the initial authentication flow.
[.env]
```dotenv
# Generate secrets:
# openssl rand -base64 60 | tr -d '\n'
AUTHENTIK_SECRET_KEY=your-very-long-random-secret-key-here

# PostgreSQL
PG_PASS=strong-database-password

# Initial admin bootstrap (optional — remove after first login)
AUTHENTIK_BOOTSTRAP_PASSWORD=initial-admin-password
AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com

# Email (for password recovery and notifications)
AUTHENTIK_EMAIL__HOST=smtp.example.com
AUTHENTIK_EMAIL__PORT=587
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USERNAME=authentik@example.com
AUTHENTIK_EMAIL__PASSWORD=email-password
AUTHENTIK_EMAIL__FROM=authentik@example.com
```

Set AUTHENTIK_BOOTSTRAP_PASSWORD to create an admin account automatically on first start. Remove this variable after initial login — it's only used when no admin account exists. This is useful for automated deployments and infrastructure-as-code setups where you can't run through the web wizard.
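A pre-flight check for the .env file above, added here as an example (it is not part of the docker.recipes post): it enforces the 50-character minimum for AUTHENTIK_SECRET_KEY, flags values still set to the template's placeholders, and reminds you to drop AUTHENTIK_BOOTSTRAP_PASSWORD once the first login is done. The placeholder strings are the ones from the file above; the `--after-first-login` flag and the script name are assumptions of this example.

```python
import sys

MIN_SECRET_LEN = 50  # the post's minimum length for AUTHENTIK_SECRET_KEY
# Placeholder values from the .env template above; any of these left in place is a finding.
PLACEHOLDERS = {
    "your-very-long-random-secret-key-here",
    "strong-database-password",
    "initial-admin-password",
    "email-password",
}
SECRET_KEYS = ("AUTHENTIK_SECRET_KEY", "PG_PASS",
               "AUTHENTIK_BOOTSTRAP_PASSWORD", "AUTHENTIK_EMAIL__PASSWORD")

def parse_env(text):
    """Parse KEY=VALUE lines; comments and blank lines are skipped, quotes are kept."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: base64 secrets may contain '='
        env[key.strip()] = value.strip()
    return env

def check_env(text, first_login_done=False):
    """Return a list of findings for a .env file; an empty list means it looks sane."""
    env = parse_env(text)
    findings = []
    secret = env.get("AUTHENTIK_SECRET_KEY", "")
    if len(secret) < MIN_SECRET_LEN:
        findings.append(f"AUTHENTIK_SECRET_KEY is {len(secret)} chars, need at least {MIN_SECRET_LEN}")
    if "PG_PASS" not in env:
        findings.append("PG_PASS is missing")
    for key in SECRET_KEYS:
        if env.get(key) in PLACEHOLDERS:
            findings.append(f"{key} still has the template placeholder value")
    # The post says to remove the bootstrap password once the admin account exists.
    if first_login_done and "AUTHENTIK_BOOTSTRAP_PASSWORD" in env:
        findings.append("AUTHENTIK_BOOTSTRAP_PASSWORD should be removed after the first login")
    return findings

if __name__ == "__main__":
    # Usage: python check_env.py [.env] [--after-first-login]
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    with open(paths[0] if paths else ".env") as fh:
        problems = check_env(fh.read(), first_login_done="--after-first-login" in sys.argv)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```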

04 Protecting Services with Proxy Provider

The proxy provider is the most common use case — add authentication to services that don't have their own login. This works with Traefik, Nginx, Caddy, or any reverse proxy that supports forward authentication. The setup involves creating a Provider (proxy type), an Application (linking the provider to a URL), and an Outpost (the component that actually handles the authentication). Authentik's embedded outpost handles forward auth without needing a separate container.

With Traefik, you add forward-auth middleware labels to your service. When a user visits the service, Traefik asks Authentik "is this user authenticated?" If not, Authentik redirects to the login page. After login, the user is redirected back to the original service.
[docker-compose.yml]
```yaml
# Traefik labels for forward auth with Authentik
services:
  my-service:
    image: myapp:latest
    labels:
      - traefik.enable=true
      - traefik.http.routers.myapp.rule=Host(`app.example.com`)
      - traefik.http.routers.myapp.entrypoints=websecure
      - traefik.http.routers.myapp.tls.certresolver=letsencrypt
      # Forward auth to Authentik
      - traefik.http.routers.myapp.middlewares=authentik@docker
      - traefik.http.middlewares.authentik.forwardAuth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
      - traefik.http.middlewares.authentik.forwardAuth.trustForwardHeader=true
      - traefik.http.middlewares.authentik.forwardAuth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email
```
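An added example (not code from the post) of how a backend behind the forward-auth middleware above should consume the three X-authentik-* headers it is handed: it only trusts them when the request arrives from the reverse proxy's network, and it uses X-authentik-groups for authorization. The proxy network 172.16.0.0/12 and the group names are assumptions; the '|' separator is how Authentik joins group names in that header.

```python
from ipaddress import ip_address, ip_network

# Assumption: Traefik reaches the app over this Docker network. Identity headers from
# any other source address are ignored, since a request that bypassed the proxy could
# carry arbitrary X-authentik-* values.
TRUSTED_PROXY_NETS = [ip_network("172.16.0.0/12")]


class Forbidden(Exception):
    """Raised when no trusted identity is present or authorization fails."""


def identity_from_headers(headers, remote_addr):
    """Return (username, email, groups) from X-authentik-* headers or raise Forbidden.

    `headers` uses lower-cased names, as WSGI/ASGI frameworks usually expose them.
    """
    if not any(ip_address(remote_addr) in net for net in TRUSTED_PROXY_NETS):
        raise Forbidden("identity headers are only trusted from the reverse proxy")
    username = headers.get("x-authentik-username")
    if not username:
        raise Forbidden("no authenticated user: is the forward-auth middleware applied?")
    email = headers.get("x-authentik-email", "")
    # Authentik joins group names with '|' in X-authentik-groups.
    groups = [g for g in headers.get("x-authentik-groups", "").split("|") if g]
    return username, email, groups


def require_group(headers, remote_addr, group):
    """Authorize a request for `group`; returns the username on success."""
    username, _email, groups = identity_from_headers(headers, remote_addr)
    if group not in groups:
        raise Forbidden(f"user {username!r} is not in group {group!r}")
    return username


if __name__ == "__main__":
    # Constructed request headers, as Traefik would forward them after a successful login.
    sample = {"x-authentik-username": "alice", "x-authentik-email": "alice@example.com",
              "x-authentik-groups": "admins|users"}
    print(require_group(sample, "172.18.0.5", "admins"))
```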

05 OIDC and SAML for Application Login

The real power of Authentik is providing OIDC (OpenID Connect) and SAML login to applications that support it. Instead of creating separate accounts on Gitea, Nextcloud, and Grafana, you log in with your Authentik identity. Setting this up for each application involves creating an OAuth2/OIDC Provider in Authentik with a client ID and secret, then configuring the application to use Authentik as its OAuth provider.

For Gitea: Go to Site Administration → Authentication Sources → Add OAuth2 Provider. Set the auto-discover URL to https://auth.example.com/application/o/gitea/.well-known/openid-configuration. Users can then log in with "Sign in with Authentik."

For Grafana: Set GF_AUTH_GENERIC_OAUTH_ENABLED=true and configure the OAuth endpoints pointing to your Authentik instance. Grafana supports automatic user creation from OAuth, so new team members just log in — no manual account setup.

For Nextcloud: Install the "Social Login" app and configure an OpenID Connect provider pointing to Authentik. Users can link their existing Nextcloud accounts or auto-create new ones on first login.

The single sign-on experience is seamless: log in to Authentik once, and every connected service recognizes you. Moving between Gitea, Grafana, and Nextcloud doesn't require re-entering credentials. This is the experience that makes self-hosting feel professional rather than cobbled together.
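The checks a relying party (Gitea, Grafana, Nextcloud) performs on the ID token it receives from Authentik, as an added example that is not code from the post or from any of those applications: the expected issuer is derived from the same per-application URL that the auto-discover address above is built from. The base URL https://auth.example.com, the slug `gitea`, the client ID and the sample claims are assumptions, and signature verification against the provider's JWKS is left out of scope.

```python
import time

def authentik_issuer(base_url, slug):
    """Authentik's issuer for one application: <base>/application/o/<slug>/."""
    return f"{base_url.rstrip('/')}/application/o/{slug}/"

def discovery_url(base_url, slug):
    """The auto-discover URL you enter into Gitea, Grafana or Nextcloud."""
    return authentik_issuer(base_url, slug) + ".well-known/openid-configuration"

def validate_id_token_claims(claims, base_url, slug, client_id, expected_nonce, now=None):
    """Return the problems found (empty list = accept), per OIDC Core 1.0 section 3.1.3.7.
    The signature must already have been verified against the provider's JWKS."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != authentik_issuer(base_url, slug):
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not contain our client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not our client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    if claims.get("iat", 0) > now + 60:  # allow a minute of clock skew
        problems.append("iat is in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if not claims.get("sub"):
        problems.append("missing sub")
    return problems

if __name__ == "__main__":
    # Constructed claims for the "gitea" application; not a real token.
    claims = {"iss": "https://auth.example.com/application/o/gitea/", "aud": "gitea-client",
              "sub": "3f2c", "exp": time.time() + 300, "iat": time.time(), "nonce": "n-123"}
    print(validate_id_token_claims(claims, "https://auth.example.com", "gitea",
                                   "gitea-client", "n-123"))
```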

06 LDAP Outpost for Legacy Applications

Some applications only support LDAP for external authentication — they don't speak OIDC or SAML. Authentik handles this with an LDAP Outpost that presents your Authentik user directory as an LDAP server. The LDAP outpost runs as a separate container and exposes ports 389 (LDAP) and 636 (LDAPS). Applications connect to it just like they would connect to any LDAP directory — they can search for users, verify passwords, and query group memberships.

I use this for older applications that predate modern authentication standards: some network equipment management interfaces, legacy monitoring tools, and a few internal tools that were written before OIDC existed. The LDAP outpost bridges the gap — these applications don't need modification, they just point at Authentik's LDAP interface.

User and group management stays in Authentik's web UI. When I add a user or change group membership, the change is immediately visible to LDAP-connected applications. No syncing scripts, no separate user databases.

The LDAP outpost adds about 100-150MB of RAM to your stack. Only deploy it if you have applications that genuinely need LDAP — if everything supports OIDC, skip it.

07 Authentik vs Authelia vs Keycloak

These three cover different points on the complexity-features spectrum:

Authelia: Forward auth only, no OIDC provider, no SAML, no LDAP. About 50MB RAM. Best for: simple password protection on services behind a reverse proxy. If you just need "put a login page in front of these 5 services," Authelia is the right choice. Setup takes 15 minutes.

Authentik: Full identity provider with OIDC, SAML, LDAP, and forward auth. About 800MB-1.2GB RAM (server + worker + PostgreSQL + Redis). Best for: self-hosters who want real SSO across 10+ services, user management, and integration with applications that support OAuth login. Setup takes 1-2 hours including application integration.

Keycloak: Enterprise-grade identity provider backed by Red Hat. About 1.5-2GB RAM. Supports everything Authentik does plus advanced enterprise features: fine-grained authorization, Kerberos, user federation from Active Directory. Best for: organizations with Active Directory, complex authorization requirements, or compliance needs. Setup takes several hours and the admin UI has a steep learning curve.

My recommendation: Start with Authelia if you're new to self-hosted authentication. When you outgrow it — usually when you want SSO login on Gitea, Grafana, or Nextcloud — migrate to Authentik. Consider Keycloak only if you have enterprise requirements that Authentik can't meet (which is rare for home and small-team setups).

Migration from Authelia to Authentik is straightforward since Authelia handles forward auth only — you switch the forward-auth endpoint in your reverse proxy config and add OIDC providers in Authentik. Your users create new accounts in Authentik, but since most services support both forward auth and OIDC, you can migrate one application at a time.

About the Author

Frank Pegasus

DevOps engineer and self-hosting enthusiast with over a decade of experience running containerized workloads in production. Creator of docker.recipes.