Authentik Identity Provider
Authentik for SSO, MFA, and identity management.
Overview
Authentik is an open-source identity provider that acts as a central authentication and authorization platform for modern applications. It positions itself as a flexible, self-hosted alternative to traditional IAM products and supports the common protocols (OIDC, OAuth2, SAML, LDAP) plus a flow-based authentication engine that lets administrators compose custom login sequences and enforce conditional security policies.

This deployment builds the stack from four containers: authentik-db runs a PostgreSQL 15 database holding user data and configuration, authentik-redis provides session storage and caching, authentik-server serves the web interface and API, and authentik-worker processes background tasks such as directory synchronization, outpost management and email delivery. The split keeps user-facing request handling separate from long-running background work; note that server and worker must be started with the same AUTHENTIK_SECRET_KEY, since that key signs session cookies and shared state.

The configuration suits organizations that want a self-hosted alternative to cloud identity providers such as Auth0 or Okta, in particular those that need to keep identity data on premises (for example for GDPR), want custom branding, or must integrate with an existing LDAP directory. Authentik provides multi-factor authentication with TOTP and WebAuthn, SCIM provisioning for automated user lifecycle management, and event logging that can be used for audit and compliance.
Key Features
- Multi-protocol authentication support (OIDC, SAML 2.0, OAuth2, LDAP) for universal application compatibility
- Flow-based authentication engine allowing custom login sequences and conditional security policies
- Built-in application proxy for protecting legacy applications without native SSO support
- WebAuthn and TOTP multi-factor authentication with passwordless login capabilities
- SCIM 2.0 provisioning for automated user lifecycle management across connected applications
- Customizable branding and theming with white-label support for customer-facing deployments
- Real-time audit logging and session management with detailed security event tracking
- LDAP source for synchronizing users and groups from Active Directory and other directories, plus an LDAP outpost that exposes Authentik itself as an LDAP server to legacy clients
Common Use Cases
1. Homelab SSO implementation for self-hosted services like Nextcloud, Grafana, and media servers
2. Small to medium business identity management replacing expensive SaaS solutions
3. Development team authentication for internal tools, CI/CD pipelines, and staging environments
4. Educational institutions managing student and faculty access across multiple platforms
5. Compliance-focused organizations requiring on-premises identity data storage
6. Multi-tenant SaaS platforms needing white-label authentication for customer portals
7. Legacy application modernization using the built-in proxy for SSO integration
Prerequisites
- Minimum 2GB RAM and 2 CPU cores for production workloads with moderate user base
- Available ports 9000 (HTTP) and 9443 (HTTPS) for Authentik web interface access
- Valid SSL certificates for production deployments to ensure secure authentication flows
- Basic understanding of OAuth2/OIDC concepts for application integration configuration
- SMTP server credentials for user registration, password reset, and notification emails
- Domain name with proper DNS configuration for production SSO functionality
For development and testing. Review the security settings, replace the placeholder credentials in the .env template, and test thoroughly before production use.
docker-compose.yml

```yaml
services:
  authentik-db:
    image: postgres:15-alpine
    container_name: authentik-db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=authentik
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=authentik
    volumes:
      - authentik_db_data:/var/lib/postgresql/data
    # no ports published: reachable only from the compose network

  authentik-redis:
    image: redis:7-alpine
    container_name: authentik-redis
    restart: unless-stopped
    # holds sessions and cache; also not published outside the compose network

  authentik-server:
    # consider pinning a release tag you have tested instead of :latest
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-server
    restart: unless-stopped
    command: server
    ports:
      - "${AUTHENTIK_PORT:-9000}:9000"
      - "${AUTHENTIK_SSL_PORT:-9443}:9443"
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DB_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - authentik_media:/media
    depends_on:
      - authentik-db
      - authentik-redis

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DB_PASSWORD}
      # must be identical to the server's SECRET_KEY
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - authentik_media:/media
    depends_on:
      - authentik-db
      - authentik-redis

volumes:
  authentik_db_data:
  authentik_media:
```

.env Template
.env

```env
# Authentik
AUTHENTIK_PORT=9000
AUTHENTIK_SSL_PORT=9443
DB_PASSWORD=authentik_password
SECRET_KEY=your-very-secret-key
```

Usage Notes
1. Web interface at http://localhost:9000 (HTTPS on port 9443)
2. Complete the initial setup at /if/flow/initial-setup/ immediately after first start; it sets the akadmin password and is reachable by anyone who can reach the port until it has been completed
3. Configure OAuth2/OIDC applications by creating a provider and an application, and register each client's redirect URIs exactly as the client will send them
4. Built-in MFA (TOTP, WebAuthn, static backup codes) is enforced through authenticator stages in the authentication flow
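The .env template above ships with placeholder secrets, and nothing in the stack will refuse to start with them. The following script is an added example (not part of the recipe or of the authentik project) that generates a .env with random secrets and lints an existing one against the template's placeholders. The variable names are the recipe's own; the minimum lengths are an assumption chosen here, not an authentik requirement.

```python
"""Generate a production-strength .env for the authentik stack, or lint an existing one.

Added example, not code from the docker.recipes page or the authentik project.
Variable names (DB_PASSWORD, SECRET_KEY, AUTHENTIK_PORT, AUTHENTIK_SSL_PORT) are the
ones the recipe's .env template and compose file use.
"""
import secrets

# Values shipped in the recipe's .env template; they must never reach production.
TEMPLATE_PLACEHOLDERS = {
    "DB_PASSWORD": "authentik_password",
    "SECRET_KEY": "your-very-secret-key",
}
# Minimum lengths are an assumption made for this example, not an authentik requirement.
MIN_LENGTH = {"DB_PASSWORD": 24, "SECRET_KEY": 50}


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; skips blank lines and '#' comments, strips simple quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env


def lint_env(text: str) -> list:
    """Return a list of problems; an empty list means the secrets are acceptable."""
    env = parse_env(text)
    problems = []
    for key, placeholder in TEMPLATE_PLACEHOLDERS.items():
        value = env.get(key)
        if not value:
            problems.append(f"{key}: missing or empty")
        elif value == placeholder:
            problems.append(f"{key}: still the template placeholder")
        elif len(value) < MIN_LENGTH[key]:
            problems.append(f"{key}: shorter than {MIN_LENGTH[key]} characters")
        elif "$" in value:
            # docker compose expands ${...} inside .env values, so a '$' in a secret gets mangled
            problems.append(f"{key}: contains '$', which docker compose interpolates")
    return problems


def generate_env(http_port: int = 9000, https_port: int = 9443) -> str:
    """Render a .env with fresh random secrets from the URL-safe alphabet (no quoting issues)."""
    # token_urlsafe(n) yields 4*n/3 characters from [A-Za-z0-9_-]
    db_password = secrets.token_urlsafe(36)  # 48 characters
    secret_key = secrets.token_urlsafe(60)   # 80 characters
    return (
        "# Authentik\n"
        f"AUTHENTIK_PORT={http_port}\n"
        f"AUTHENTIK_SSL_PORT={https_port}\n"
        f"DB_PASSWORD={db_password}\n"
        # SECRET_KEY signs session cookies: rotating it logs every user out, and
        # server and worker must be started with the same value.
        f"SECRET_KEY={secret_key}\n"
    )


if __name__ == "__main__":
    import sys
    from pathlib import Path

    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".env")
    if target.exists():
        for problem in lint_env(target.read_text()):
            print("WARN", problem)
    else:
        target.write_text(generate_env())
        target.chmod(0o600)  # the file holds the database password and signing key
        print(f"wrote {target}")
```

Run it once in the recipe directory before `docker compose up -d`; run it again later (with the file present) to lint. Changing DB_PASSWORD after the first start does not change the password stored in the PostgreSQL volume, so generate the secrets before the database is initialized.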
Individual Services (4 services)
Copy individual services to mix and match with your existing compose files.
authentik-db

```yaml
  authentik-db:
    image: postgres:15-alpine
    container_name: authentik-db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=authentik
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=authentik
    volumes:
      - authentik_db_data:/var/lib/postgresql/data
```

authentik-redis

```yaml
  authentik-redis:
    image: redis:7-alpine
    container_name: authentik-redis
    restart: unless-stopped
```

authentik-server

```yaml
  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-server
    restart: unless-stopped
    command: server
    ports:
      - "${AUTHENTIK_PORT:-9000}:9000"
      - "${AUTHENTIK_SSL_PORT:-9443}:9443"
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DB_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - authentik_media:/media
    depends_on:
      - authentik-db
      - authentik-redis
```

authentik-worker

```yaml
  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DB_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - authentik_media:/media
    depends_on:
      - authentik-db
      - authentik-redis
```
Quick Start
terminal

```bash
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  authentik-db:
    image: postgres:15-alpine
    container_name: authentik-db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=authentik
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=authentik
    volumes:
      - authentik_db_data:/var/lib/postgresql/data

  authentik-redis:
    image: redis:7-alpine
    container_name: authentik-redis
    restart: unless-stopped

  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-server
    restart: unless-stopped
    command: server
    ports:
      - "${AUTHENTIK_PORT:-9000}:9000"
      - "${AUTHENTIK_SSL_PORT:-9443}:9443"
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DB_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - authentik_media:/media
    depends_on:
      - authentik-db
      - authentik-redis

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DB_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${SECRET_KEY}
    volumes:
      - authentik_media:/media
    depends_on:
      - authentik-db
      - authentik-redis

volumes:
  authentik_db_data:
  authentik_media:
EOF

# 2. Create the .env file
#    Replace the two placeholder secrets before the first start, e.g. with
#    "$(openssl rand -base64 36 | tr -d '\n')"; the database password is baked
#    into the volume on first initialization.
cat > .env << 'EOF'
# Authentik
AUTHENTIK_PORT=9000
AUTHENTIK_SSL_PORT=9443
DB_PASSWORD=authentik_password
SECRET_KEY=your-very-secret-key
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
```

One-Liner
Run this command to download and set up the recipe in one step. It pipes a remotely fetched script into your shell, so fetch and read it first (for example with `curl -fsSL <url> | less`) before running it.
terminal

```bash
curl -fsSL https://docker.recipes/api/recipes/authentik-identity-stack/run | bash
```

Troubleshooting
- authentik-server fails to start with database connection errors: Verify that DB_PASSWORD is the same value for authentik-db and authentik-server, and that it was not changed after the database volume was first initialized (PostgreSQL only reads POSTGRES_PASSWORD when creating a new data directory). Check `docker compose logs authentik-db` as well.
- Initial setup page shows 'Redis connection failed': Ensure the authentik-redis container is running and check Docker network connectivity between the services.
- Applications can't connect to the OIDC endpoint: Confirm that authentik-server port 9000 (or 9443) is reachable from the application, that the application uses the same public URL that authentik advertises in its discovery document, and that the redirect URI registered on the provider matches the one the client sends exactly.
- Background tasks not processing (user sync, emails): Check the authentik-worker container logs and verify that it runs with the same SECRET_KEY as authentik-server.
- PostgreSQL data corruption after container restart: Ensure the authentik_db_data volume has proper permissions and sufficient disk space, and stop the stack with `docker compose down` rather than killing the database container.
- WebAuthn authentication fails in browsers: WebAuthn requires a secure context, so serve Authentik over HTTPS with a certificate the browser trusts; http://localhost is the only plain-HTTP origin browsers treat as secure. This applies to all WebAuthn authenticators, not only biometric ones.
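The redirect-URI and endpoint problems in the troubleshooting list, and the "Configure OAuth2/OIDC apps" usage note, come down to a client that builds the authorization request and checks the callback correctly. The following is an added example (not code from the docker.recipes page or the authentik project) of the authorization-code flow with PKCE against an authentik OIDC provider: it builds the authorize URL, validates the callback, and prepares the token exchange, all offline. The endpoint paths follow authentik's documented layout (/application/o/authorize/ and /application/o/token/); AUTHENTIK_URL, CLIENT_ID and REDIRECT_URI are placeholders, and REDIRECT_URI must match, character for character, the redirect URI registered on the provider in authentik.

```python
"""Authorization-code flow with PKCE against an authentik OIDC provider.

Added example, not code from the docker.recipes page or the authentik project.
Endpoint paths follow authentik's documented layout; the three constants below
are placeholders for your deployment.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHENTIK_URL = "https://auth.example.com"              # assumption: your authentik base URL
CLIENT_ID = "my-app-client-id"                          # assumption: client ID from the provider
REDIRECT_URI = "https://app.example.com/oidc/callback"  # assumption: registered redirect URI


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    # RFC 7636 allows 43-128 characters of [A-Za-z0-9-._~]; token_urlsafe(64) gives 86 of them.
    return secrets.token_urlsafe(64)


def build_authorize_url(state: str, nonce: str, code_challenge: str,
                        scope: str = "openid profile email") -> str:
    """Front-channel request the browser is redirected to. state and nonce must be
    stored in the user's session so they can be checked later."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                  # checked when the callback arrives (CSRF protection)
        "nonce": nonce,                  # echoed in the ID token; check it after the exchange
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHENTIK_URL}/application/o/authorize/?{urlencode(params)}"


def validate_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code, or raise if the callback is not one we requested."""
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a response to our request (possible CSRF)")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def build_token_request(code: str, code_verifier: str) -> tuple:
    """(url, form body) for the back-channel code exchange; the verifier proves
    that the party redeeming the code is the one that started the flow."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value sent in the authorize request
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }
    return f"{AUTHENTIK_URL}/application/o/token/", body


if __name__ == "__main__":
    verifier = new_pkce_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print("send browser to:", build_authorize_url(state, nonce, pkce_challenge(verifier)))
    # Constructed callback standing in for what the browser brings back:
    sample = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    code = validate_callback(sample, state)
    url, body = build_token_request(code, verifier)
    print("POST", url, body)
```

After the exchange, verify the ID token's signature against the provider's JWKS and compare its nonce claim with the stored nonce; the exact issuer, endpoints and JWKS URL for an application are published at `/application/o/<application-slug>/.well-known/openid-configuration` on your instance, which is the first thing to check when a client reports the endpoint as unreachable.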