docker.recipes

Authentik + PostgreSQL + Redis

advanced

Identity provider with SSO, LDAP, and SCIM support.

Overview

Authentik is an open-source identity provider that focuses on flexibility and versatility, offering comprehensive authentication and authorization capabilities through multiple protocols including OIDC, SAML, OAuth2, and LDAP. Built with modern web technologies, Authentik provides flow-based authentication, multi-factor authentication, user management, and application proxy functionality, making it an excellent alternative to enterprise solutions like Okta or Azure AD for self-hosted environments.

This deployment creates a distributed Authentik infrastructure with four specialized services: authentik-server handles the web interface and API endpoints on ports 9000 (HTTP) and 9443 (HTTPS), authentik-worker manages background tasks and integrations with Docker socket access, postgres provides the primary database for storing users, applications, and configuration data, and redis serves as the cache layer and message broker for inter-service communication. The architecture separates concerns effectively, allowing the worker to handle intensive operations while the server focuses on user interactions.

This stack is ideal for organizations implementing single sign-on across multiple applications, development teams requiring centralized authentication for their services, and system administrators managing user access in hybrid environments. The combination provides enterprise-grade identity management capabilities with the flexibility to customize authentication flows, integrate with existing LDAP directories, and proxy legacy applications that lack modern authentication support.

Key Features

  • Multi-protocol authentication support including OIDC, SAML, OAuth2, and LDAP with custom flow configuration
  • Application proxy functionality for protecting legacy applications without built-in authentication
  • Comprehensive multi-factor authentication with TOTP, WebAuthn, SMS, and email verification methods
  • SCIM provisioning for automated user lifecycle management with external systems
  • Flow-based authentication designer for creating custom login, registration, and recovery processes
  • Distributed architecture with dedicated worker processes for background tasks and integrations
  • Built-in LDAP outpost for serving as an LDAP provider to legacy applications
  • Customizable branding and theming with template override support for white-label deployments

Common Use Cases

  • Enterprise SSO implementation replacing expensive cloud identity providers with a self-hosted solution
  • Development team authentication hub providing centralized access to GitLab, Jenkins, Grafana, and custom applications
  • Homelab identity management for securing self-hosted services like Nextcloud, Plex, and monitoring tools
  • Legacy application modernization by adding modern authentication without code changes
  • Multi-tenant SaaS platforms requiring isolated authentication flows for different customer organizations
  • Educational institutions needing LDAP compatibility for existing systems while adding modern SSO capabilities
  • Startup identity infrastructure providing scalable authentication from day one through enterprise growth

Prerequisites

  • Docker host with minimum 2GB RAM and 10GB storage for PostgreSQL data and media files
  • Available ports 9000 and 9443 for Authentik web interface and API access
  • Strong SECRET_KEY environment variable (minimum 32 characters) for cryptographic operations
  • PostgreSQL credentials configured via POSTGRES_USER and POSTGRES_PASSWORD environment variables
  • Basic understanding of OAuth2/OIDC flows for application integration configuration
  • SSL certificate management knowledge for production HTTPS deployment on port 9443

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

services:
  # Web interface and API endpoints
  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgres
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - authentik-media:/media
      - authentik-custom-templates:/templates
    ports:
      - "9000:9000"  # HTTP
      - "9443:9443"  # HTTPS
    depends_on:
      - postgres
      - redis
    networks:
      - authentik-network
    restart: unless-stopped

  # Background tasks and integrations
  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgres
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      # Docker socket access for the worker. The ":ro" flag makes the mount
      # read-only but does not restrict Docker API calls made over the socket.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - authentik-media:/media
      - authentik-certs:/certs
      - authentik-custom-templates:/templates
    depends_on:
      - postgres
      - redis
    networks:
      - authentik-network
    restart: unless-stopped

  # Primary database: users, applications, configuration
  postgres:
    image: postgres:15
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=authentik
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - authentik-network
    restart: unless-stopped

  # Cache layer and message broker (not published to the host)
  redis:
    image: redis:alpine
    volumes:
      - redis-data:/data
    networks:
      - authentik-network
    restart: unless-stopped

volumes:
  authentik-media:
  authentik-custom-templates:
  authentik-certs:
  postgres-data:
  redis-data:

networks:
  authentik-network:
    driver: bridge

.env Template

.env
# Authentik
POSTGRES_USER=authentik
POSTGRES_PASSWORD=secure_postgres_password
SECRET_KEY=your-very-long-secret-key-generate-with-openssl

# Generate secret (single line): openssl rand -base64 60 | tr -d '\n'
# Setup: docker exec -it authentik-server ak setup
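
A pre-flight check for the .env template above, added here as an example and not part of the recipe: it enforces the 32-character SECRET_KEY prerequisite, rejects the template placeholders, flags stray lines (openssl rand -base64 60 wraps its output at 64 characters, so a pasted secret can spill onto a second line), and checks that the file is owner-only. The function names check_env and env_value are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the recipe: pre-flight check for the .env file.
# check_env FILE prints one line per finding and returns the number of findings.

env_value() {   # env_value KEY FILE: value of the last KEY= line, if any
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

check_env() {
    file=$1
    findings=0
    note() { echo "$file: $1"; findings=$((findings + 1)); }

    secret=$(env_value SECRET_KEY "$file")
    pgpass=$(env_value POSTGRES_PASSWORD "$file")

    # Prerequisite from the page: SECRET_KEY of at least 32 characters.
    [ "${#secret}" -ge 32 ] || note "SECRET_KEY is shorter than 32 characters"

    # The template placeholder is 47 characters long, so a length check
    # alone would accept it.
    case $secret in
        your-very-long-secret-key*) note "SECRET_KEY is the template placeholder" ;;
    esac
    case $pgpass in
        ''|secure_postgres_password) note "POSTGRES_PASSWORD is empty or the template value" ;;
    esac

    # Anything that is not a comment, a blank line or KEY=value is suspicious,
    # typically the tail of a wrapped base64 secret.
    if grep -qvE '^(#.*|[A-Za-z_][A-Za-z0-9_]*=.*|[[:space:]]*)$' "$file"; then
        note "contains a line that is not KEY=value (wrapped secret?)"
    fi

    # The file holds the database password and the secret key: owner-only.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        *00) ;;
        *) note "mode $mode allows group or other access; use chmod 600" ;;
    esac

    return "$findings"
}

# When a path is given on the command line, check it; the exit status is
# the number of findings, so 0 means the file passed.
[ $# -eq 0 ] || check_env "$1"
```

Saved as check-env.sh (a hypothetical file name), it can gate the start command: sh check-env.sh .env && docker compose up -d.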

Usage Notes

  1. Web UI at http://localhost:9000
  2. Initial setup wizard
  3. LDAP outpost available
  4. Proxy provider for apps
  5. SAML and OAuth2/OIDC support

Individual Services (4 services)

Copy individual services to mix and match with your existing compose files.

authentik-server
authentik-server:
  image: ghcr.io/goauthentik/server:latest
  command: server
  environment:
    - AUTHENTIK_REDIS__HOST=redis
    - AUTHENTIK_POSTGRESQL__HOST=postgres
    - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
    - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
    - AUTHENTIK_POSTGRESQL__NAME=authentik
    - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
  volumes:
    - authentik-media:/media
    - authentik-custom-templates:/templates
  ports:
    - "9000:9000"
    - "9443:9443"
  depends_on:
    - postgres
    - redis
  networks:
    - authentik-network
  restart: unless-stopped
authentik-worker
authentik-worker:
  image: ghcr.io/goauthentik/server:latest
  command: worker
  environment:
    - AUTHENTIK_REDIS__HOST=redis
    - AUTHENTIK_POSTGRESQL__HOST=postgres
    - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
    - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
    - AUTHENTIK_POSTGRESQL__NAME=authentik
    - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - authentik-media:/media
    - authentik-certs:/certs
    - authentik-custom-templates:/templates
  depends_on:
    - postgres
    - redis
  networks:
    - authentik-network
  restart: unless-stopped
postgres
postgres:
  image: postgres:15
  environment:
    - POSTGRES_USER=${POSTGRES_USER}
    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    - POSTGRES_DB=authentik
  volumes:
    - postgres-data:/var/lib/postgresql/data
  networks:
    - authentik-network
  restart: unless-stopped
redis
redis:
  image: redis:alpine
  volumes:
    - redis-data:/data
  networks:
    - authentik-network
  restart: unless-stopped

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgres
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - authentik-media:/media
      - authentik-custom-templates:/templates
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgres
      - redis
    networks:
      - authentik-network
    restart: unless-stopped

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgres
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - authentik-media:/media
      - authentik-certs:/certs
      - authentik-custom-templates:/templates
    depends_on:
      - postgres
      - redis
    networks:
      - authentik-network
    restart: unless-stopped

  postgres:
    image: postgres:15
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=authentik
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - authentik-network
    restart: unless-stopped

  redis:
    image: redis:alpine
    volumes:
      - redis-data:/data
    networks:
      - authentik-network
    restart: unless-stopped

volumes:
  authentik-media:
  authentik-custom-templates:
  authentik-certs:
  postgres-data:
  redis-data:

networks:
  authentik-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Authentik
POSTGRES_USER=authentik
POSTGRES_PASSWORD=secure_postgres_password
SECRET_KEY=your-very-long-secret-key-generate-with-openssl

# Generate secret (single line): openssl rand -base64 60 | tr -d '\n'
# Setup: docker exec -it authentik-server ak setup
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

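Run this command to download and set up the recipe in one step. It pipes the downloaded script straight into bash, so the script runs without being reviewed first: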

terminal
curl -fsSL https://docker.recipes/api/recipes/authentik-complete/run | bash

Troubleshooting

  • authentik-server fails to start with database connection error: Verify postgres service is healthy and POSTGRES_* environment variables match between services
  • Worker tasks not processing with Redis connection timeout: Check redis service status and ensure AUTHENTIK_REDIS__HOST points to correct service name
  • Initial setup wizard shows 'Invalid SECRET_KEY' error: Generate new SECRET_KEY with at least 32 random characters and restart all authentik services
  • LDAP outpost connection refused: Ensure authentik-worker has proper Docker socket access and outpost configuration matches network settings
  • Application proxy returns 502 errors: Verify target application URLs are accessible from authentik-server container and proxy provider configuration is correct
  • User authentication flows fail silently: Check authentik-worker logs for background task errors and verify flow stage configuration in admin interface
