I’m currently using Authelia to authenticate for some of my self hosted services. It works fine, but the limited user backends (ldap or… yaml??) make me want to look for an alternative.
Authentik seems good, but after looking at their website I get the feeling of imminent enshitification, where they’re going to either pull the rug on the open source version, or basically gatekeep essential features behind an enterprise license.
So, for those using Authentik, how has your experience been so far?
How about zitadel as an option?
I do not consider Authelia secure from an architecture point of view.
That is because there is, by design, no authentication between authelia and the backend. That means that if anyone ever manages to directly access the backend services, they can impersonate anyone, including admin.
On paper I should love Authelia, I’m a sucker for y’all configured services, I can write a couple of files on my Ansible and boom, everything works… However I never had much luck setting Authelia up, Authentik on the other hand was very painless (albeit) manual (via UI) configuration. I don’t do anything crazy, so any of them would work for me though, I just failed on setting Authelia and tried Authentik and had had no reason to change.
Authentik can be configured through terraform
You can try VoidAuth, it is kinda similar to Authelia+lldap. I am the developer and I created it because I wasn’t satisfied with Authelia’s user management. If you decide you want to try it and run into any issues or questions I will try to help :)
Thanks! I’ll check it out
I like the motivation behind this, but have a allergy to running critical infrastructure like authentication on node.
To each their own, though, and good luck with the project. Diversity is life.
I’m using PocketID as it is super simple to set up. I’ve also paired it with TinyAuth for those services that don’t support SSO.
I also use Swag as my reverse proxy, which just added native support for TinyAuth.
Seconding Pocket ID. Very lightweight and fast while also doing everything I need.
Authelia + lldap(lightweight ldap) has been a really nice and powerful setup that negates the need for authentik for me. Authelia and authentik have diffrent goals tho, authelia is by design less powerfull and has a much smaller code base so that independent teams can audit the code themselves and a “set and forget” type configuration. Authentik is targeted at being an enterprise solution with all the bells and whistles. If you need those bells and whistles and dont want to use authentik try looking at keycloak (which also needs an ldap backend)
Keycloak user here! You don’t need** LDAP to use keycloak, but you can use it (I do too). Afaik keycloak is not always the easiest (not always clear instructions) but it works flawlessly for me and those who I authenticate. I use it for almost all my self hosted services except those who don’t support it (obviously).I can manage my users in LDAP and use keycloak for SSO etc. I would definitely recommend it!
Keycloak all the way
Take this with a grain of salt because I haven’t started using this yet, but I am planning on using pocket id on my personal server
https://github.com/pocket-id/pocket-id
Seems to do what I want it to do
I’m on my phone rn and can’t write a longer post. This comment is to remind me to write an essay later. I’ve been using authentik heavily for my cybersecurity club and have a LOT of thoughts about it.
The tldr about authentik’s risk of enshittification is that authentik follows a pattern I call “supportware”. It’s when extremely (intentionally/accidentally) complex software (intentionally/accidentally) lacks edge cases in their docs,because you are supposed to pay for support.
I think this is a sustainable business model, and I think keycloak has some similar patterns (and other Red Hat software).
The tldr about authentik itself is that it has a lot of features, but not all of them are relevant to your usecase, or worth the complexity. I picked up authentik for invites (which afaik are rare, also official docs about setting up invites were wrong, see supportware), but invites may not something you care about.
Anyway. Longer essay/rant later. Despite my problems, I still think authentik is the best for my usecase (cybersecurity club), and other options I’ve looked at like zitadel (seems to be more developer focused),or ldap + sso service (no invites afaik) are less than the best option.
Sidenote: Microsoft entra is offers similar features to what I want from authentik, but I wanted to self host everything.
I like the “supportware” term, I can apply that to a few other tools (airbyte, teleport). I ended up setting up authentik today and it went really smoothly. So far I like it a lot, so hopefully the full enshittification process doesn’t happen soon. Even though right now I just want to use it for my own self-hosting purposes, I’m also interested in potentially using it for work. We have a few hundred thousand users and AWS cognito is getting pretty expensive.
Why don’t you like LDAP? OpenLDAP is a PITA (necessarily, I guess, to be considered “enterprise”), but lldap has been pretty nice to me. I mean, it’s the identity protocol, it’s just that the server software has been complex until relatively recently.
What would you use instead? A SQL DB with some custom schema, that just re-invents LDAP?
LDAP and ldaps are not great from a security perspective. They pass password though the application which means a single compromised app will create a full breach.
Better to use OpenID which uses a single sign on portal that tells the underlying app when authentication is successful. It has a much smaller attack surface and allows for much more flexibility.
Yep, this is what I’m looking for
I am using authelia as well for some time. At some point I was looking into kanidm. It looked promising, but never got into actually using it. I never figured out though, whether they support forward header auth.
I just switched from Authelia to PocketID No good reason. Mainly because Authelia was a bit convoluted and I needed something very basic.
Authentik has done the opposite of enshittification. As they’ve gotten more successful, they’ve taken enterprise features and moved them into the community edition. I’ve been extremely happy with Authentik so far and the dev has been nothing short of fantastic every time I’ve seen them interacting with the community.
I very much enjoy authentik. Great tool. Lots of great documentation.
There’s also Zitadel: https://zitadel.com/
I tried it before authelia, and it felt like an unfinished product. Nice looking, but there were weird issues, like you could create projects (or apps? i don’t remember) through the UI, but then if you wanted to delete them you had to use the API. The hierarchy of resources also didn’t really feel intuitive to me. But that’s just personal preference. I’ve been testing out authentik today and I really like it. I like that the UI works great, but there’s also a terraform provider to manage things declaratively.
