
Authentik Identity Provider

advanced

Authentik open-source identity provider with SSO, MFA, and user management.

Overview

Authentik is a modern, open-source identity provider that consolidates authentication, authorization, and user management into a single platform. Born from the need for a more flexible alternative to traditional identity solutions, Authentik supports multiple authentication protocols including OIDC, OAuth2, SAML, and LDAP, while providing advanced features like flow-based authentication, WebAuthn support, and application proxying. Its architecture emphasizes customization and developer-friendly configuration over rigid enterprise constraints.

This stack combines Authentik's server and worker components with PostgreSQL for robust data persistence and Redis for session management and caching. The server component handles web requests, user authentication flows, and the administration interface, while the worker processes background tasks like user provisioning, email notifications, and SCIM synchronization. PostgreSQL stores user data, application configurations, and audit logs with full ACID compliance, while Redis manages active sessions, caches frequently accessed data, and handles real-time features like WebSocket connections for the admin interface.

This configuration targets organizations seeking comprehensive identity management without vendor lock-in or enterprise licensing costs. Development teams building multiple applications benefit from centralized SSO, while system administrators gain detailed user lifecycle management and compliance reporting. The stack particularly excels in environments requiring custom authentication flows, such as multi-tenant SaaS applications, developer platforms with complex permission models, or organizations integrating legacy systems with modern OAuth-based applications.

Key Features

  • Multi-protocol authentication support including OIDC, OAuth2, SAML 2.0, and LDAP outbound authentication
  • Flow-based authentication system allowing custom multi-step verification processes and conditional logic
  • Built-in application proxy with automatic header injection for applications lacking native SSO support
  • WebAuthn and TOTP multi-factor authentication with conditional MFA based on user context
  • SCIM 2.0 provisioning for automated user lifecycle management across connected applications
  • Customizable branding and theming with support for per-application visual identity
  • Advanced user and group management with hierarchical permissions and custom attributes
  • Comprehensive audit logging with detailed authentication events and administrative actions

Common Use Cases

  • Centralizing authentication for multiple internal applications and services in development teams
  • Implementing SSO for legacy applications that lack modern authentication through the application proxy
  • Building multi-tenant SaaS platforms requiring customer-specific authentication flows and branding
  • Securing homelab environments with professional-grade authentication and MFA capabilities
  • Replacing expensive enterprise identity solutions while maintaining compliance and audit requirements
  • Integrating disparate systems through standardized OIDC/SAML protocols with custom attribute mapping
  • Providing self-service user management portals for organizations with distributed administration needs

Prerequisites

  • Minimum 1.5GB RAM available (512MB for Authentik server, 256MB for PostgreSQL, 128MB for Redis, plus worker overhead)
  • Ports 9000 and 9443 available for HTTP and HTTPS access to the Authentik interface
  • Domain name or static IP address for consistent callback URL configuration in OAuth applications
  • Understanding of OAuth2/OIDC concepts including client credentials, scopes, and redirect URIs
  • Docker socket access if using Authentik's Docker integration features for automatic service discovery
  • Valid SSL certificates if exposing Authentik publicly for production SSO implementations

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:2024.1
    container_name: authentik-server
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgres
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - authentik-network

  authentik-worker:
    image: ghcr.io/goauthentik/server:2024.1
    container_name: authentik-worker
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgres
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
      # Host Docker socket: only required for Authentik's Docker integration
      # features (see Prerequisites); it grants the worker control of the host daemon.
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - authentik-network

  postgres:
    image: postgres:16-alpine
    container_name: authentik-db
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=authentik
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      # ${POSTGRES_USER} is substituted by Compose from .env at parse time
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - authentik-network

  redis:
    image: redis:7-alpine
    command: --save 60 1 --loglevel warning
    container_name: authentik-redis
    volumes:
      - redis_data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - authentik-network

volumes:
  authentik_media:
  authentik_templates:
  postgres_data:
  redis_data:

networks:
  authentik-network:
    driver: bridge

.env Template

.env
# Authentik
POSTGRES_USER=authentik
POSTGRES_PASSWORD=authentik_password
AUTHENTIK_SECRET_KEY=your-secret-key-at-least-50-chars
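The .env template ships placeholder values, and the note above asks for default credentials to be changed before production use. The script below is an added example, not part of the docker.recipes page or the Authentik project: it writes a .env with a randomly generated PostgreSQL password and a 60-character AUTHENTIK_SECRET_KEY, checks an existing .env for the template's placeholder values and the 50-character minimum the template names, and flags the worker's Docker socket mount so an operator keeps it only when the Docker integration is actually in use. The file name env-check.sh, the function names, and the chosen secret lengths are assumptions.

```shell
#!/bin/sh
# env-check.sh (assumed name): generate and validate the .env for the Authentik stack.
# Added example; not code from docker.recipes or the Authentik project.

# Produce a random [A-Za-z0-9] string of the requested length from /dev/urandom.
gen_secret() {
  len="$1"
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Write a fresh .env to the path given as $1, using the template's keys
# but random secrets instead of the placeholder values.
write_env() {
  out="$1"
  cat > "$out" <<EOF
# Authentik
POSTGRES_USER=authentik
POSTGRES_PASSWORD=$(gen_secret 32)
AUTHENTIK_SECRET_KEY=$(gen_secret 60)
EOF
}

# Validate the .env at $1: returns 0 when no finding is reported, 1 otherwise.
# The placeholder strings compared against are the ones from the page's template.
check_env() {
  f="$1"
  rc=0
  pw=$(sed -n 's/^POSTGRES_PASSWORD=//p' "$f")
  key=$(sed -n 's/^AUTHENTIK_SECRET_KEY=//p' "$f")
  if [ -z "$pw" ] || [ "$pw" = "authentik_password" ]; then
    echo "POSTGRES_PASSWORD is missing or still the template default"
    rc=1
  fi
  if [ -z "$key" ] || [ "$key" = "your-secret-key-at-least-50-chars" ]; then
    echo "AUTHENTIK_SECRET_KEY is missing or still the template default"
    rc=1
  fi
  if [ "${#key}" -lt 50 ]; then
    echo "AUTHENTIK_SECRET_KEY is shorter than 50 characters"
    rc=1
  fi
  return "$rc"
}

# Report whether the compose file at $1 mounts the host Docker socket.
# Returns 1 (finding) when it does, so the operator confirms the mount is wanted.
check_compose() {
  f="$1"
  if grep -q '/var/run/docker.sock' "$f"; then
    echo "a service mounts /var/run/docker.sock; keep this only if Authentik's Docker integration is used"
    return 1
  fi
  return 0
}

# Usage: sh env-check.sh init   -> writes ./.env with random secrets
#        sh env-check.sh check  -> validates ./.env and ./docker-compose.yml
case "${1:-}" in
  init)  write_env ./.env ;;
  check) check_env ./.env; check_compose ./docker-compose.yml ;;
esac
```

Run `sh env-check.sh init` once before `docker compose up -d`, and `sh env-check.sh check` in CI or before each deploy; a non-zero exit from either check is the signal to stop and fix the file.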

Usage Notes

  1. Admin interface at http://localhost:9000/if/flow/initial-setup/
  2. Set up the initial admin user on first visit
  3. Supports OIDC, OAuth2, SAML, LDAP
  4. Built-in MFA support
  5. Application proxy for SSO

Individual Services (4 services)

Copy individual services to mix and match with your existing compose files.

authentik-server
authentik-server:
  image: ghcr.io/goauthentik/server:2024.1
  container_name: authentik-server
  command: server
  environment:
    - AUTHENTIK_REDIS__HOST=redis
    - AUTHENTIK_POSTGRESQL__HOST=postgres
    - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
    - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
    - AUTHENTIK_POSTGRESQL__NAME=authentik
    - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
  volumes:
    - authentik_media:/media
    - authentik_templates:/templates
  ports:
    - "9000:9000"
    - "9443:9443"
  depends_on:
    postgres:
      condition: service_healthy
    redis:
      condition: service_healthy
  networks:
    - authentik-network
authentik-worker
authentik-worker:
  image: ghcr.io/goauthentik/server:2024.1
  container_name: authentik-worker
  command: worker
  environment:
    - AUTHENTIK_REDIS__HOST=redis
    - AUTHENTIK_POSTGRESQL__HOST=postgres
    - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
    - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
    - AUTHENTIK_POSTGRESQL__NAME=authentik
    - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
  volumes:
    - authentik_media:/media
    - authentik_templates:/templates
    - /var/run/docker.sock:/var/run/docker.sock
  depends_on:
    postgres:
      condition: service_healthy
    redis:
      condition: service_healthy
  networks:
    - authentik-network
postgres
postgres:
  image: postgres:16-alpine
  container_name: authentik-db
  environment:
    - POSTGRES_USER=${POSTGRES_USER}
    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    - POSTGRES_DB=authentik
  volumes:
    - postgres_data:/var/lib/postgresql/data
  healthcheck:
    test:
      - CMD-SHELL
      - pg_isready -U ${POSTGRES_USER}
    interval: 10s
    timeout: 5s
    retries: 5
  networks:
    - authentik-network
redis
redis:
  image: redis:7-alpine
  container_name: authentik-redis
  command: "--save 60 1 --loglevel warning"
  volumes:
    - redis_data:/data
  healthcheck:
    test:
      - CMD
      - redis-cli
      - ping
    interval: 10s
    timeout: 5s
    retries: 5
  networks:
    - authentik-network

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:2024.1
    container_name: authentik-server
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgres
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - authentik-network

  authentik-worker:
    image: ghcr.io/goauthentik/server:2024.1
    container_name: authentik-worker
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgres
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
      # Host Docker socket: only required for Authentik's Docker integration features
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - authentik-network

  postgres:
    image: postgres:16-alpine
    container_name: authentik-db
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=authentik
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - authentik-network

  redis:
    image: redis:7-alpine
    container_name: authentik-redis
    command: --save 60 1 --loglevel warning
    volumes:
      - redis_data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - authentik-network

volumes:
  authentik_media:
  authentik_templates:
  postgres_data:
  redis_data:

networks:
  authentik-network:
    driver: bridge
EOF

# 2. Create the .env file (the quoted 'EOF' keeps ${...} literal in the compose file above)
cat > .env << 'EOF'
# Authentik
POSTGRES_USER=authentik
POSTGRES_PASSWORD=authentik_password
AUTHENTIK_SECRET_KEY=your-secret-key-at-least-50-chars
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/authentik-identity/run | bash

Troubleshooting

  • Authentik server fails to start with 'database connection failed': Ensure the PostgreSQL container is fully initialized before Authentik starts, and check the database credentials in the environment variables
  • OAuth applications show 'invalid_client' errors: Verify that the client ID and secret match exactly in both the Authentik provider configuration and the consuming application
  • Users cannot complete authentication flows: Check Redis connectivity, as session data may be lost; restart the Redis container and clear browser cookies
  • SAML assertions fail validation: Ensure clock synchronization between Authentik and the service provider, and check certificate validity and the metadata exchange
  • Background tasks not processing (password resets, emails): The Authentik worker container may be failing; check the worker logs for Celery connection issues to Redis
  • Performance degradation with many users: Increase the PostgreSQL shared_buffers and Redis maxmemory settings, and consider connection pooling for high-traffic scenarios
