7 Authentication
Note
Authentik as a family identity provider — OIDC, LDAP outpost, forward auth proxy — for 5–25 users across 14 services.
7.1 What a family IDP needs to do
- Single sign-on across all services: log in once, access everything
- Three integration patterns: OIDC for apps that support it, LDAP for legacy apps, forward auth for apps with no auth support
- User enrollment simple enough to onboard a parent or in-law
- Session lifetime long enough that family members don’t hit login prompts daily
7.2 The evaluation
7.2.1 Authentik
- Authentik ships OIDC provider, LDAP outpost, and forward auth proxy in one deployment
- Customizable flows for enrollment, login, MFA
- Active upstream, frequent releases, responsive security process
- Django-based; resource-heavy but featureful
7.2.2 Zitadel
- Zitadel is strong on OIDC, built in Go, lighter footprint
- No LDAP outpost, no forward auth proxy — would need separate solutions for both
- Better fit for cloud-native orgs than for a homelab with legacy apps
7.2.3 Keycloak
- Keycloak is the most mature option; Red Hat-backed, huge ecosystem
- Java-based, heavy on resources, configuration complexity is high for a single-maintainer deployment
- No built-in forward auth proxy
7.2.4 Kanidm
- Kanidm is Rust-based, opinionated, designed for small deployments
- Promising but young; OIDC support is maturing, LDAP is read-only
- Worth watching
7.2.5 Authelia
- Authelia is excellent for forward auth, lightweight
- No OIDC provider, no LDAP — it’s an auth proxy, not an identity provider
- Good complement but not a standalone solution
7.2.6 Ory
- Ory (Kratos + Hydra + Oathkeeper) is modular and powerful
- Three separate services to deploy, configure, and maintain
- Designed for platform teams, not single maintainers
7.3 Why Authentik won
- Only project that covers all three integration patterns in a single deployment
- Flow customization handles the enrollment and session UX requirements
- LDAP outpost means legacy apps (Jellyfin, Navidrome) work without code changes
- Forward auth proxy means apps with no auth at all (vLLM, Mealie) get authentication for free
7.4 The LDAP outpost
- Authentik’s LDAP outpost presents a standard LDAP interface backed by the Authentik user directory
- Apps configured for LDAP bind against the outpost; Authentik handles password verification and group membership
- Used by: Jellyfin (via LDAP plugin)
7.5 Forward auth proxy
- Caddy’s forward_auth directive sends a subrequest to Authentik’s outpost endpoint
- Authentik checks the session cookie; if valid, returns 200 with user headers; if not, returns a redirect to login
- Used by: services that have no native auth or where OIDC isn’t worth configuring
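The forward-auth pattern above, as an added Caddyfile example that is not the book’s own configuration: one app with no authentication of its own (Mealie, which the chapter lists as a forward-auth service) sits behind Caddy, and every request is gated by a subrequest to the Authentik outpost. The hostnames mealie.dunn.dev, authentik-server:9000 (the outpost as reached inside the pod network) and mealie:9000 (the app upstream) are assumptions; the outpost path /outpost.goauthentik.io/auth/caddy and the X-Authentik-* headers are what the Authentik proxy outpost uses.

```caddyfile
# Added example (not the book's config). Assumed names: mealie.dunn.dev,
# authentik-server:9000 (Authentik outpost), mealie:9000 (the app upstream).
mealie.dunn.dev {
    # The outpost's own paths (login callback, sign-out, static assets) must be
    # reachable without authentication, otherwise the login redirect loops.
    route /outpost.goauthentik.io/* {
        reverse_proxy http://authentik-server:9000
    }

    # Every other request is gated. Caddy sends a subrequest carrying the
    # browser's cookies to the outpost. A 2xx answer means "authenticated":
    # the listed headers are copied onto the request, which then continues
    # to the app. Any other status (the outpost replies with a redirect to
    # the login flow) is returned to the browser as-is, so the app never
    # sees an unauthenticated request.
    route {
        forward_auth http://authentik-server:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid
            # Only accept X-Forwarded-* from this proxy's own address range.
            trusted_proxies private_ranges
        }
        reverse_proxy http://mealie:9000
    }
}
```

Two things to check after deploying this: an unauthenticated `curl -I https://mealie.dunn.dev/` should come back with a redirect into the Authentik login flow rather than a page from the app, and the app’s upstream port must be reachable only from the Caddy container (pod-internal network, no published port), because the app’s trust in the X-Authentik-* headers rests entirely on the fact that nothing but the proxy can set them.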
7.6 Choosing the right pattern per service
- OIDC: preferred when the app supports it natively — Immich, oCIS, GitLab, Grafana
- LDAP: for apps with LDAP plugins but no OIDC — Jellyfin
- Forward auth: for apps with no auth or where adding auth would be more maintenance than the proxy — vLLM, Mealie, Audiobookshelf
7.7 Deploying Authentik
- Runs as a pod: server + worker + PostgreSQL + Caddy sidecar
- ZFS dataset: /zfs/safe/authentication (NVMe pool for database performance)
- Secrets (secret key, PostgreSQL password, email credentials) managed via podman secret
- Pod publishes 127.0.0.1:8440→443; Envoy routes auth.dunn.dev to it via SNI
7.8 What Authentik gets wrong
- Resource usage is high for what it does (Django + Celery + PostgreSQL + Redis)
- Upgrade path is sometimes rocky; breaking changes in minor releases
- Flow designer UI is powerful but has a learning curve
- No built-in backup/export of flows and configuration as code (improving)