docker.recipes

Authentik Identity Provider

advanced

Open source identity provider with SSO, MFA, and user management.

Overview

Authentik is a modern, open-source identity provider designed to centralize authentication and authorization across your infrastructure. It supports multiple authentication protocols, including OIDC, OAuth2, SAML, and LDAP, so it can front virtually any application or service that needs user authentication, and it was built as a more flexible alternative to enterprise directories such as Active Directory and to cloud-hosted identity providers.

This Docker stack combines Authentik's server and worker components with PostgreSQL for data persistence and Redis for caching and messaging between the two. The two-container Authentik architecture separates the web interface and API (server) from background tasks such as directory synchronization and certificate management (worker), so each can be scaled and restarted independently. PostgreSQL provides ACID-compliant storage for user data, application configurations, and audit logs; Redis holds caches and short-lived state.

This configuration suits organizations seeking enterprise-grade identity management without vendor lock-in, homelab users wanting to secure self-hosted applications, and development teams requiring flexible authentication flows. Authentik's flow-based authentication system lets you customize login experiences, enforce MFA conditionally, and federate with existing LDAP directories or external identity providers, which makes it considerably more versatile than lighter, forward-auth-oriented solutions such as Authelia.

Key Features

  • Multi-protocol authentication support (OIDC, SAML, OAuth2, LDAP) for maximum application compatibility
  • Flow-based authentication system allowing custom login, registration, and recovery processes
  • Built-in application proxy with header-based authentication for legacy applications
  • Multi-factor authentication with TOTP, WebAuthn, and SMS support
  • SCIM provisioning for automated user lifecycle management
  • Comprehensive audit logging and user session management
  • Customizable branding and theming for white-label deployments
  • Policy engine for fine-grained access control and conditional authentication

Common Use Cases

  • Homelab single sign-on for Plex, Nextcloud, Grafana, and other self-hosted services
  • Small business identity management replacing Google Workspace or Azure AD dependency
  • Development team authentication for internal tools, CI/CD systems, and staging environments
  • Legacy application modernization using the built-in forward auth proxy
  • Multi-tenant SaaS applications requiring custom authentication flows per customer
  • Educational institutions needing flexible student and faculty authentication
  • Compliance-focused organizations requiring detailed audit trails and MFA enforcement

Prerequisites

  • Authentik's own install documentation asks for a host with at least 2 CPU cores and 2 GB of RAM; the full stack with PostgreSQL and Redis will start on 1 GB but leaves little headroom
  • Ports 9000 and 9443 available for HTTP and HTTPS access to Authentik interface
  • Valid domain name and TLS certificate for production deployment (OIDC and SAML relying parties, and browser cookie rules, expect the issuer to be reachable over HTTPS)
  • Basic understanding of identity protocols (OAuth2, SAML) for application integration
  • PostgreSQL knowledge for backup strategies and performance tuning
  • Network access planning for applications that will integrate with Authentik

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:latest   # pin to a release tag for production
    command: server
    ports:
      - "9000:9000"
      - "9443:9443"
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_started
    networks:
      - authentik-net
    restart: unless-stopped

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest   # must match the server tag
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
      - authentik_certs:/certs
    depends_on:
      - authentik-server
    networks:
      - authentik-net
    restart: unless-stopped

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - authentik-net
    restart: unless-stopped

  redis:
    image: redis:7-alpine
    volumes:
      - redis_data:/data
    networks:
      - authentik-net
    restart: unless-stopped

volumes:
  authentik_media:
  authentik_templates:
  authentik_certs:
  postgres_data:
  redis_data:

networks:
  authentik-net:
    driver: bridge

.env Template

.env
# PostgreSQL
POSTGRES_USER=authentik
# Placeholder: replace with a generated value, e.g. the output of
#   openssl rand -base64 48
POSTGRES_PASSWORD=secure_postgres_password
POSTGRES_DB=authentik

# Authentik
# docker compose reads a .env file literally; it does not run shell commands.
# Writing "$(openssl rand -hex 50)" here would make that literal string the
# secret key. Generate the key in your shell and append the result instead:
#   echo "AUTHENTIK_SECRET_KEY=$(openssl rand -hex 50)" >> .env
AUTHENTIK_SECRET_KEY=

Usage Notes

  1. Authentik at http://localhost:9000 (HTTPS on https://localhost:9443 with a self-signed certificate)
  2. Initial setup is done in the browser, not on the CLI: open http://localhost:9000/if/flow/initial-setup/ to set the password for the built-in akadmin account. Do this immediately after first start, because the flow is reachable without authentication until it has been completed
  3. Supports OAuth2/OIDC, SAML, and LDAP
  4. Built-in application proxy (forward auth) for applications without native SSO support
  5. Pin the image to a release tag instead of :latest, and keep server and worker on the same tag
  6. Put a reverse proxy that terminates TLS in front of port 9000; if the proxy runs on the same host, bind the ports to loopback ("127.0.0.1:9000:9000") so Authentik is not reachable directly
  7. AUTHENTIK_SECRET_KEY signs sessions and cookies: keep it stable, keep it out of version control, and back it up together with the database

Individual Services (4 services)

Copy individual services to mix and match with your existing compose files.

authentik-server
authentik-server:
  image: ghcr.io/goauthentik/server:latest
  command: server
  ports:
    - "9000:9000"
    - "9443:9443"
  environment:
    AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    AUTHENTIK_REDIS__HOST: redis
    AUTHENTIK_POSTGRESQL__HOST: postgres
    AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
    AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
  volumes:
    - authentik_media:/media
    - authentik_templates:/templates
  depends_on:
    postgres:
      condition: service_healthy
    redis:
      condition: service_started
  networks:
    - authentik-net
  restart: unless-stopped
authentik-worker
authentik-worker:
  image: ghcr.io/goauthentik/server:latest
  command: worker
  environment:
    AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    AUTHENTIK_REDIS__HOST: redis
    AUTHENTIK_POSTGRESQL__HOST: postgres
    AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
    AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
  volumes:
    - authentik_media:/media
    - authentik_templates:/templates
    - authentik_certs:/certs
  depends_on:
    - authentik-server
  networks:
    - authentik-net
  restart: unless-stopped
postgres
postgres:
  image: postgres:16-alpine
  environment:
    POSTGRES_USER: ${POSTGRES_USER}
    POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    POSTGRES_DB: ${POSTGRES_DB}
  volumes:
    - postgres_data:/var/lib/postgresql/data
  healthcheck:
    test:
      - CMD-SHELL
      - pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}
    interval: 10s
    timeout: 5s
    retries: 5
  networks:
    - authentik-net
  restart: unless-stopped
redis
redis:
  image: redis:7-alpine
  volumes:
    - redis_data:/data
  networks:
    - authentik-net
  restart: unless-stopped

Quick Start

terminal
# 1. Create the compose file (quoted heredoc: ${...} stays literal for compose to interpolate)
cat > docker-compose.yml << 'EOF'
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:latest   # pin to a release tag for production
    command: server
    ports:
      - "9000:9000"
      - "9443:9443"
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_started
    networks:
      - authentik-net
    restart: unless-stopped

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest   # must match the server tag
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
      - authentik_certs:/certs
    depends_on:
      - authentik-server
    networks:
      - authentik-net
    restart: unless-stopped

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - authentik-net
    restart: unless-stopped

  redis:
    image: redis:7-alpine
    volumes:
      - redis_data:/data
    networks:
      - authentik-net
    restart: unless-stopped

volumes:
  authentik_media:
  authentik_templates:
  authentik_certs:
  postgres_data:
  redis_data:

networks:
  authentik-net:
    driver: bridge
EOF

# 2. Create the .env file. This heredoc is deliberately NOT quoted, so the
#    $(openssl ...) substitutions run now and the file receives the generated
#    values. A quoted heredoc would write the literal text "$(openssl rand -hex 50)"
#    into the file, and that literal would become the secret key.
cat > .env << EOF
# PostgreSQL
POSTGRES_USER=authentik
POSTGRES_PASSWORD=$(openssl rand -base64 48 | tr -d '/+=\n')
POSTGRES_DB=authentik

# Authentik
AUTHENTIK_SECRET_KEY=$(openssl rand -hex 50)
EOF
chmod 600 .env

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

# 5. Complete the initial setup in a browser (sets the akadmin password)
#    http://localhost:9000/if/flow/initial-setup/
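The .env template and the Quick Start above both hinge on one detail: docker compose reads .env literally, so a command substitution written into the file never runs. The following is an added example, not code from docker.recipes or the authentik project, that generates the .env this recipe expects with real random values and then validates an existing file, catching a leftover literal `$(openssl ...)`, the placeholder Postgres password, a too-short secret key, and loose file permissions. It assumes a POSIX shell with `openssl` and `stat` available and the variable names this recipe uses.

```shell
#!/bin/sh
# Added example, not part of the docker.recipes page or the authentik project.
# Assumes: POSIX sh, openssl and stat in PATH, and this recipe's variable
# names (POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB, AUTHENTIK_SECRET_KEY).

# write_env FILE: create FILE with freshly generated secrets. The $(...)
# substitutions run here, in the shell, so the file receives literal random
# strings; docker compose never executes a .env file, so "$(openssl ...)"
# written *into* it would stay literal and become the actual secret key.
write_env() {
    out=$1
    pg_pass=$(openssl rand -base64 48 | tr -d '/+=\n')
    secret=$(openssl rand -hex 50)
    old_umask=$(umask)
    umask 077                        # create the file 0600 from the start
    cat > "$out" <<EOF
# PostgreSQL
POSTGRES_USER=authentik
POSTGRES_PASSWORD=$pg_pass
POSTGRES_DB=authentik

# Authentik
AUTHENTIK_SECRET_KEY=$secret
EOF
    umask "$old_umask"
    chmod 600 "$out"                 # in case the file already existed
}

# env_get FILE KEY: print KEY's value (first match, surrounding double
# quotes stripped, no other dotenv quoting rules handled).
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_env FILE: print one line per problem and return the problem count,
# so "check_env .env || exit 1" works as a pre-flight gate.
check_env() {
    f=$1
    problems=0
    for key in POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB AUTHENTIK_SECRET_KEY; do
        val=$(env_get "$f" "$key")
        if [ -z "$val" ]; then
            echo "$key: missing or empty"
            problems=$((problems + 1))
            continue
        fi
        case $val in
            *'$('*|*'`'*)
                # The template mistake: a command substitution that never ran.
                echo "$key: contains an unexpanded command substitution: $val"
                problems=$((problems + 1)) ;;
        esac
    done

    secret=$(env_get "$f" AUTHENTIK_SECRET_KEY)
    if [ -n "$secret" ] && [ "${#secret}" -lt 50 ]; then
        echo "AUTHENTIK_SECRET_KEY: only ${#secret} characters; use at least 50 random bytes"
        problems=$((problems + 1))
    fi

    case $(env_get "$f" POSTGRES_PASSWORD) in
        secure_postgres_password|password|postgres|changeme)
            echo "POSTGRES_PASSWORD: placeholder value, generate a real one"
            problems=$((problems + 1)) ;;
    esac

    # The file holds credentials: it must not be group- or world-readable.
    # stat -c is GNU/busybox, stat -f is BSD/macOS.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    case $mode in
        600|400) ;;
        *)  echo "$f: mode $mode, expected 600"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Usage:  write_env .env && check_env .env && docker compose up -d
```

Run `check_env .env` before every `docker compose up` on a new host; the return code doubles as the finding count, so a clean file returns 0 and the page's original template (literal `$(openssl rand -hex 50)`, placeholder password, mode 644) returns 4.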

One-Liner

Run this command to download and set up the recipe in one step. Piping a remote script into bash executes whatever the server sends; download it first (curl -fsSL <url> -o run.sh), read it, and only then run it:

terminal
curl -fsSL https://docker.recipes/api/recipes/authentik-sso/run | bash

Troubleshooting

  • Authentik server fails to start with a database connection error: check docker compose logs postgres and wait for 'database system is ready to accept connections'. The service_healthy condition already gates the server on pg_isready, so a persistent failure usually means the credentials no longer match: PostgreSQL applies POSTGRES_PASSWORD only when it initializes an empty data directory, so changing it in .env after the first start has no effect on the existing postgres_data volume
  • Worker container crashes with 'Redis connection refused': verify the redis container is running with docker compose ps and that both containers are on the same network. Compose prefixes the network with the project name (the directory name unless overridden), so find the real name with docker network ls before running docker network inspect
  • SAML applications show 'invalid signature' errors: the service provider must trust the exact certificate the provider signs with. Authentik generates a self-signed signing certificate on first start and lists all certificates under System > Certificates; ak create_admin_group creates an admin group and has nothing to do with certificates. To bring your own, place a PEM certificate/key pair in the authentik_certs volume (mounted at /certs), which the worker's certificate discovery imports, select it as the Signing Certificate on the SAML provider, and re-import the provider metadata on the SP side
  • Memory exhaustion causing container restarts: PostgreSQL and Authentik each need roughly 512MB minimum; confirm which container is affected with docker stats and docker inspect --format '{{.State.OOMKilled}}' <container>, then raise the memory limit or add swap
  • Session loss after container restart: Compose names the volume <project>_redis_data, so docker volume inspect authentik_redis_data only works when the project is called authentik; list volumes with docker volume ls to find the actual name. Note that the redis image's default RDB snapshotting is interval-based, so state written since the last snapshot is lost on an abrupt stop; the upstream authentik compose file passes command: --save 60 1 to tighten this
  • OIDC applications can't connect with 'invalid redirect URI': Authentik rejects the request when the redirect_uri the client sends does not match an entry in the provider's Redirect URIs list (exact match including scheme, host, port and trailing slash, unless the entry is configured as a regular expression). Compare the client's callback URL against that list. HTTPS does not cause this particular error, but the issuer URL configured in the client must match the one Authentik advertises in its discovery document
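For the SAML signature problem above, the first thing to establish is whether the certificate the SP trusts and the key Authentik signs with actually belong together. The following is an added example, not code from docker.recipes or the authentik project: it creates a self-signed signing pair in the `<name>.pem` / `<name>.key` layout that Authentik's certificate discovery picks up from `/certs` (check the documentation for the version you run), checks that a certificate and key match, and prints the SHA-256 fingerprint to compare with what the SP shows. It assumes `openssl` and `stat` are available.

```shell
#!/bin/sh
# Added example, not part of the docker.recipes page or the authentik project.
# Assumes: POSIX sh, openssl and stat in PATH. The /certs naming convention
# (<name>.pem + <name>.key) is taken from authentik's certificate discovery
# docs; verify it against the version you deploy.

# make_signing_cert NAME DIR [DAYS]: write DIR/NAME.pem and DIR/NAME.key.
make_signing_cert() {
    name=$1
    dir=$2
    days=${3:-730}
    mkdir -p "$dir"
    # umask applies only inside the subshell, so the private key is never
    # group- or world-readable, not even for an instant.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -days "$days" \
            -subj "/CN=authentik-saml-signing-$name" \
            -keyout "$dir/$name.key" \
            -out "$dir/$name.pem" 2>/dev/null
    )
    chmod 644 "$dir/$name.pem"   # the certificate is public; the key stays 0600
}

# verify_pair CERT KEY: succeed only if the key's public half equals the
# certificate's SubjectPublicKeyInfo. A mismatched pair is exactly what makes
# an SP report "invalid signature" while both files look fine on their own.
verify_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_fingerprint CERT: SHA-256 fingerprint to compare against the IdP
# certificate the service provider says it trusts.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Usage, with this recipe's authentik_certs volume mounted at /certs:
#   make_signing_cert saml-signing /certs
#   verify_pair /certs/saml-signing.pem /certs/saml-signing.key && echo "pair OK"
#   cert_fingerprint /certs/saml-signing.pem
```

Run the verify and fingerprint steps against whatever is in /certs on the worker (for example via docker compose exec authentik-worker sh) and against the certificate pasted into the SP; if the fingerprints differ, the SP is trusting a stale certificate and no amount of flow debugging will help.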
