docker-authentik

Docker container for use as Identity Provider and authentication portal in front of a Traefik reverse-proxy.

1. Docker Setup

Initialize config by running init.sh: ./init.sh
Input personal information into .env
Generate postgresql password and authentik secret key, by using e.g. openssl rand 56 | base64, and input into .env
Make sure that Docker network traefik exists, docker network ls
Run docker compose up and check logs

2. Authentik Setup

Updated for version 2025.6.3

2.1. Set up your first user

Open browser and go to auth.YOURDOMAIN.COM and verify that you reach the Authentik login screen
Add /if/flow/initial-setup/ at the end of the URL to reach the dialogue for setting up the initial admin account
Input the email and password you want to use for the default akadmin account and press Continue
Log into the default admin account using either usename akadmin or the email you entered in the previous step
Click the Admin interface button on the top-right
Go to Directory->Users in the menu on the left side and click Create
Input Username and Name, select User type: Internal, input Email, finally click Create
Click on your recently created user and go to the Groups tab and click Add to existing group
Click on the plus sign, select authentik Admins and press Add, then press Add again
Go back to the Overview tab and click Set password under the Recovery section
Log out of the current session and log in with your new user account instead
Go back to Directory->Users and click on the akadmin user
In the User Info pane scroll down to the Actions section and press the Deactivate button, then press Update in the popup prompt

You have now logged in for the first time, created your own user account and disabled the default admin account.

2.2. Configuring Authentik Embedded Outpost

In the Admin interface, go to Applications->Outposts, locate the authentik Embedded Outpost and verify that is says Loggin in via https://auth.YOURDOMAIN.COM in green below the name
Go to Applications->Providers and click Create
Select Proxy Provider and click Next
Input a Name, e.g. Traefik Provider and select Authorization flow with either implicit or explicit consent (determines if you are presented with an explicit prompt when being forwarded after logging in or not, prefer implicit)
Click Forward auth (domain level), check that Authentication URL is https://auth.YOURDOMAIN.COM and set Cookie domain simply as YOURDOMAIN.COM
Change Token validity to your taste and click Finish
Go to Applications->Applications and click Create
Input Name and Slug, e.g. Traefik//traefik
Click the Provider field and select Traefik Provider (or whatever you named it in the previous step) and finally click Create
Go back to Applications->Providers and verify that Traefik Provider has a green checkmark and the text Assigned to application Traefik under the Application column
Go back to Applications->Outposts and click the Edit button for the authentik Embedded Outpost (under the Actions column)
In the Applications section click on Traefik and press the > button to add it to Selected Applications, then press Update

You have now set up Authentik to be ready to be used with Traefik reverse-proxy with domain level forward auth.

2.3. Configuring Traefik

Go to your Traefik dir and open dynamic_config.yml

Add an Authentik middleware:

middlewares:
    authentik-auth:
        forwardAuth:
        # Match base url to authentik server container name
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
            - X-authentik-username
            - X-authentik-groups
            - X-authentik-email
            - X-authentik-name
            - X-authentik-uid
            - X-authentik-jwt
            - X-authentik-meta-jwks
            - X-authentik-meta-outpost
            - X-authentik-meta-provider
            - X-authentik-meta-app
            - X-authentik-meta-version

Optionally create a middleware chain that includes default security headers:

middlewares:
    authentik:
        chain:
            middlewares:
            - authentik-auth
            - default-security-headers

Now you can use Authentik together with Traefik by including the authentik middleware in container labels, e.g.: traefik.http.routers.APP_NAME.middlewares=authentik@file.

3. Autentik configuration

3.1. Check if email config is correct

To verify that the email settings in .env are correct run docker compose exec worker ak test_email RECIPIENT_EMAIL to send a test email to RECIPIENT_EMAIL.

3.2. Showing both username and password prompt at once on login screen

Certain password managers will have an easier time auto-typing your login info if the username and password fields are both presented at once.

Go to Flows and Stages->Stages and click Edit for the default-authentication-identification stage
Under Password stage select default-authentication-password
(Optional) Enable Enable "Remember me on this device"
Click Update
Go to Flows and Stages->Flows and click the default-authentication-flow stage
Go to the Stage Bindings tab and delete the default-authentication-password stage

3.3. Password complexity policy

It's a good idea to enforce some kind of password policy.

Go to Customisation->Policies and click Create
Select Password Policyand click Next
Set a suitable Name, e.g. password-complexity
Expand the Static rules section
Input your choice of rules and enter an Error message that reflects the requirements, e.g. Please enter a minimum of 12 characters with at least 1 uppercase, 1 lowercase, 1 digit and 1 symbol character.
Click Finish
Go to Flows and Stages->Stages, click Edit for the default-source-enrollment-prompt stage
Scroll down to Validation Policies, select the password policy created previously under Available Policies and click > to add it to `Selected Policies.
Make sure to remove any other default policies and click Update
Repeat above for the default-password-change-prompt stage while also removing the default-password-change-password-policy if present

3.4. MFA forced on login

It's a good idea to enforce MFA for something that provides such powerful means of access. Here's how to force setup of MFA using TOTP using e.g. Google Authenticator app.

Go to Flows and Stages->Stages, click Edit for default-authentication-mfa-validation
Under Stage-specific settings->Device classes select the MFA types you want to allow, in this case only TOTP Authenticators for Google Authenticator app
Set Not configured action to Force the user to configure an authenticator
Under Configuration stages select only default-authenticator-totp-setup, click Update
Go to Flows and Stages->Flows and click on default-source-enrollment
Go to the Stage Bindings tab, click Bind existing stage and input:
- Stage: default-authentication-mfa-validation
- Order: 2
Update the order of the default-source-enrollment-login stage to 3, the resulting list should be:

Order Name

0 default-source-enrollment-prompt

1 default-source-enrollment-write

2 default-authentication-mfa-validation

3 default-source-enrollment-login

3.5. Password recovery

If users forget their password it's nice if they're able to reset their passwords on their own.

Go to Flows and Stages->Stages and click Create
Select Identification Stage and click Next
Set a suitable name, e.g. recovery-authentication-identification, under User fields select Username and Email and click Finish
Click Create again and select Email Stage, click Next
Set a suitable Name, e.g. recovery-email
Set Subject to e.g. Authentik password recovery, click Finish
Go to Flows and Stages->Flows and click Create
Set Name/Title/Slug as Recovery/Recovery/recovery
Set Designation as Recovery
Click Create
Click on the recovery flow we just created and go to the Stage Bindings tab

Add bindings by clicking Bind existing stage and setting up according to the table below:

Order	Stage	Type
10	recovery-authentication-identification	Identification Stage
20	recovery-email	Email Stage
30	default-password-change-prompt	Prompt Stage
40	default-password-change-write	User Write Stage

Go to Flows and Stages->Stages and click Edit for the default-authentication-identification stage
Under Flow settings->Recovery flow select recovery (Recovery) and click Update

3.6. Invitation

It's a bad idea to allow anyone visiting the login page to register for an account. Invitation link with a set expiration time is a better solution.

Go to Directory->Groups and click Create
Set a suitable name, e.g. authentik Users
Make sure Is superuser is switched OFF, click Create
Click on your recently created group, go to the Users tab and click on Add existing user
Click on the plus sign, select your currently existing normal user accounts, press Add and then press Add again
Go to Flows and Stages->Stages and click Create
Select User Write Stage and click Next
Set a suitable name, e.g. enrollment-invitation-write
Under Stage-specific settings make sure Create users when required is selected and uncheck Create users as inactive
Under User type make sure Internal is selected
Under Group select the recently created authentik Users group
Click Finish
Click Create again and select Invitation Stage, click Next
Set a suitable name, e.g. enrollment-invitation
Make sure Continue flow without invitation is OFF and click Finish
Click Create again and select Email Stage
Set Name to enrollment-invitation-email, Subject to Account Confirmation and Template to Account Confirmation, finally click Finish
Go to Flows and Stages->Flows and click Create
Set Name and Titleto Enrollment Invitation
Set Designation to Enrollment
Under Behavior settings check Compatibility mode and click Create
Click the recently created enrollment-invitation flow and go to the Stage Bindings tab

Add bindings by clicking Bind existing stage and setting up according to the table below:

Order	Stage	Type
10	enrollment-invitation	Invitation Stage
20	default-source-enrollment-prompt	Prompt Stage
30	enrollment-invitation-write	User Write Stage
40	enrollment-invitation-email	Email Stage
50	default-source-enrollment-login	User Login Stage

Click on Edit Stage for the default-source-enrollment-prompt stage
Under Stage-specific settings->Fields select the following entries:
- default-user-settings-field-username
- default-user-settings-field-name
- default-user-settings-field-email
- initial-setup-field-password
- initial-setup-field-password-repeat
Check under Validation Policies that password-complexity is selected, click Update

You can now go to Directory->Invitations and click Create to create an invitation link. Set a suitable name and expiration time. Make sure to select the enrollment-invitation flow and make sure Single use is checked.

Expand the recently created invite and Link to use the invitation will contain the link to be distributed.

4. Applications setup

4.1. API calls bypassing authentication

If you want to allow API calls to a certain application to bypass authentication simply add ^\/api\/.* to Advanced protocol settings->Unauthenticated Paths under the relevant Provider.

4.2. Servarr

Authentik can be set up to contain the user//pass for the HTTP logins for the various Servarr apps and to forward credentials to the respective app after authentication via Authentik. This way you can keep authentication activated for each app but still only have to log in once when going through Authentik.

4.2.1. Traefik changes

Go to your Traefik dir and open your dynamic_config.yml

Create a middleware similar to the one in the general Traefik setup above but including the authorization header (this is required for Authentik to be able to forward the credentials):

middlewares:
    authentik-auth-http:
        forwardAuth:
            # Match base url to authentik server container name
            address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
            trustForwardHeader: true
            authResponseHeaders:
                - X-authentik-username
                - X-authentik-groups
                - X-authentik-email
                - X-authentik-name
                - X-authentik-uid
                - X-authentik-jwt
                - X-authentik-meta-jwks
                - X-authentik-meta-outpost
                - X-authentik-meta-provider
                - X-authentik-meta-app
                - X-authentik-meta-version
                - authorization

Optionally create a middleware chain similar to above:

middlewares:
    authentik-http:
        chain:
            middlewares:
                - authentik-auth-http
                - default-security-headers

For the services where you want to use the HTTP-Basic authentication forwarding via Authentik you need to replace the default authentik middleware chain with the authentik-http created above instead.

4.2.2. Authentik settings

Open the Authentik Admin Interface
Go to Directory->Groups and click Create
Set a suitable name, e.g. Servarr Users
Under Attributes input a list of usernames//passwords for the different Servarr apps, e.g.:
- prowlarr_user: PROWLARR_USERNAME
- prowlarr_password: PROWLARR_PASSWORD
- sonarr_user: SONARR_USERNAME
- sonarr_password: SONARR_PASSWORD
- etc...
Click Create
Click on the recently created group, go to the Users tab and click Add existing user
Click the plus sign, select the users you want to be able to access the Servarr apps, click Add and then Add again
Go to Applications->Providers and click Create
Select Proxy Provider and click Next
Set a suitable name, e.g. Prowlarr Provider and select implicit-concent under Authorization flow
Click Forward auth (single application)
Set External host to the externally accessible address for the app, e.g. https://prowlarr.DOMAIN.COM
Expand Authntication settings and make sure that both Intercept header authentication and Send HTTP-Basic Authentication are ON
Set HTTP-Basic Username Key and HTTP-Basic Password Key to prowlarr_user and prowlarr_password respectively (matching the keys in the list set up above)
Click Finish
Repeat Provider creation for each individual app in your stack
Go to Applications->Applications and click Create
Set a suitable name, e.g. Prowlarr and the slug similarly to prowlarr
Under Provider select the Prowlarr Provider created previously and click Create
Repeat Application creation for each individual app in your stack
Go to Applications->Outposts and open authentik Embedded Outpost for editing
Under Applications select each application created previously and click > to add them to `Selected Applications
Click Update
The previously created providers should now be listed in the Providers tab for authentik Embedded Outpost

4.3. Nextcloud

Authentik has a community integration for Nextcloud to allow user login and provisioning via Authentik.

4.3.1. Authentik settings

Make sure usernames are immutable by going to System->Settings in the Admin Interface and checking that Allow users to change username is OFF.

Open the Authentik Admin Interface
Go to Directory->Groups and click Create
Create a group called nextcloud Admins, this will control which users are given admin permissions in Nextcloud
Create a group called nextcloud Users, this will control which users are allowed to access Nextcloud (to prevent Nextcloud accounts from being provisioned for users who aren't supposed to have access)
Go to Customization->Property Mappings and click Create
Select Scope Mapping and click Next
Set Name to Nextcloud Profile and Scope name to profile

In Expression enter the following:

 # Extract all groups the user is a member of
 groups = [group.name for group in user.ak_groups.all()]

 # Nextcloud admins must be members of a group called "admin".
 # This is static and cannot be changed.
 # We append a fictional "admin" group to the user's groups if they are a member of "nextcloud Admins" in authentik.
 # This group would only be visible in Nextcloud and does not exist in authentik.
 if "nextcloud Admins" in groups:
     groups = ["admin"]
 else:
     groups = []

 return {
     # Display name
     "name": request.user.name,
     "groups": groups,
     # To set a quota set the "nextcloud_quota" property in the user's attributes
     "quota": user.group_attributes().get("nextcloud_quota", None),
     # To connect an already existing user, set the "nextcloud_user_id" property in the
     # user's attributes to the username of the corresponding user on Nextcloud.
     # Uses the Authentik username if attribute is not set.
     "user_id": user.attributes.get("nextcloud_user_id", str(user.username)),
 }

Click Finish
Go to Applications->Providers and click Create
Select OAuth2/OpenID Provider and click Next
Enter the following:
- Name: Nextcloud Provider
- Authorization flow: implicit-consent
- Client type: Confidential
- Redirect URIs/Origins (RegEx): https://nc.DOMAIN.COM/apps/user_oidc/code (make sure you're using the correct path prefix)
Under Advanced protocol settings->Scopes select:
- authentik default OAuth Mapping: OpenID 'email'
- authentik default OAuth Mapping: OpenID 'openid'
- authentik default OAuth Mapping: OpenID 'profile'
- Nextcloud Profile
Make sure that Advanced protocol settings->Subject mode: Based on the User's username is selected
Make sure that Include claims in id_token at the bottom is ON
Take note of your Client ID and Client Secret, you will use this in the Nextcloud stage
Go to Applications->Applications and click Create
Enter the following:
- Name: Nextcloud
- Slug: nextcloud
- Provider: Nextcloud Provider
Click Create
Click on the recently created application and go to the Policy / Group/ User Bindings tab
Click Bind existing Policy / Group / User, select the Group option and then select the nextcloud Users group

To map an Authentik user to an existing Nextcloud account give the user an attribute like nextcloud_user_id: NEXTCLOUD_ACCOUNT_NAME. To give a user a quota limit give it an atrtibute like nextcloud_quota: 10 GB.

4.3.2. Nextcloud settings

Log into the web UI using an admin account, click on the profile icon in the top-right and then click on Apps
Select the Integration category to the left and look for OpenID Connect user backend, enable it
Go to the top-right menu again and this time click Administration Settings
In the left-side menu list click on OpenID Connect
Click the plus sign under Registered Providers and enter the following:
- Identifier: Authentik
- Client ID: See the Authentik section
- Client secret: See the Authentik section
- Discovery endpoint: https://auth.DOMAIN.COM/application/o/nextcloud/.well-known/openid-configuration
- Scope: openid email profile
- User ID mapping: user_id
- Quota mapping: quota
- Groups mapping: groups (Requires Use group provisioning to be checked further down)
- Display name mapping: name (Under Extra attributes mapping)
- Email mapping: email (Under Extra attributes mapping)
- Use unique user id: Turn this OFF

To make Authentik the default login method for Nextcloud go to your Nextcloud docker directory and run docker compose exec -u www-data nextcloud php occ config:app:set --value=0 user_oidc allow_multiple_user_backends.

4.4. Synology NAS

Authentik has a community integration for Synology DSM to allow user login via Authentik.

4.4.1. Authentik settings

Open the Authentik Admin Interface
Go to Applications->Providers and click Create
Select OAuth2/OpenID Provider and click Next
Enter the following:
- Name: Synology Provider
- Authorization flow: implicit-consent
- Client type: Confidential
- Redirect URIs/Origins (RegEx): https://nas.DOMAIN.COM/#/signin (use whatever subdomain you set up in your Traefik dynamic_config.yml)
- Subject mode: Based on the User's username
Click Finish
Go to Applications->Applications and click Create
Enter Name//Slug as NAS//nas and select the recently created provider, click Create

4.4.2. Synology DSM settings

Log in to DSM with an admin account
Go to Control Panel->Domain/LDAP and click on the SSO Client tab
Check the Enable OpenID Connect SSO service box and click the OpenID Connect SSO Settings button below it
Enter the following:
- Name: Authentik
- Wellknown URL: https://auth.DOMAIN.COM/application/o/nas/.well-known/openid-configuration
- Application ID: Client ID from the Synology Provider
- Application Key: Client Secret from the Synology Provider
- Redirect URL: https://nas.DOMAIN.COM/#/signin
- Authorization scope: openid profile email
- Username claim: preferred_username

Currently doesn't work properly with DSM <7.2 so TBC...

4.5 Immich

Authentik has a community integration for Immich to allow user login and provisioning via Authentik.

4.5.1 Authentik settings

Open the Authentik Admin Interface
Go to Applications->Providers and click Create
Select OAuth2/OpenID Provider and click Next
Enter the following:
- Name: Immich Provider
- Authorization flow: implicit-consent
- Client type: Confidential
- Redirect URIs/Origins (RegEx):
  - https://immich.DOMAIN.COM/auth/login
  - https://immich.DOMAIN.COM/user-settings
  - app.immich://oauth-callback
Take note of the Client ID and Client Secret, we will need these in the Immich setup
Click Finish
Go to Applications->Applications and click Create
Enter the following:
- Name: Immich
- Slug: immich
- Provider: Immich Provider
Click Create

4.5.2 Immich settings

Log in with the admin account initially set up for Immich
Click the top-right circle icon and select Administration
From the left-side menu select Settings and then Authentication Settings->OAuth
Enable Login with OAuth and fill out:
- ISSUER_URL: https://auth.DOMAIN.COM/application/o/immich/
- CLIENT_ID: Use value from Authentik Provider setup
- CLIENT_SECRET: Use value from Authentik Provider setup
- AUTO LAUNCH: Set to ON
Click Save at the bottom of the form

4.6 Inventree

Authentik doesn't have an outright integration for Inventree but Inventree supports general OIDC.

4.6.1 Authentik settings

Go to Applications->Providers and click Create
Select OAuth2/OpenID Provider and click Next
Enter the following:
- Name: Inventree Provider
- Authorization flow:: implicit-consent
- Client type: Confidential
- Redirect URIs/Origins (RegEx): ("authentik" refers to the provider id set in Inventree)
  - https://parts.DOMAIN.COM/accounts/authentik/login/callback/
  - https://inventree.DOMAIN.COM/accounts/authentik/login/callback/
Take note of the Client ID and Client Secret, we will need these in the Inventree setup
Click Finish
Go to Applications->Applications and click Create
Enter the following:
- Name: Inventree
- Slug: inventree
- Provider: Inventree Provider
Click Create

4.6.2 Inventree settings

Log in as superuser/admin and go to Admin Center
Under Operations->Users / Access, expand the Groups section and add groups called Admins and Users
Go to System Settings
Make sure that the following options are ON:
- Enable SSO
- Enable SSO registration
- Auto-fill SSO users
- Enable SSO group sync
- Remove groups outside of SSO
Make sure that the following option is OFF:
- Enable registration
Set SSO group map to {"inventree Users": "Users", "inventree Admins": "Admins"}
Set Group on signup to Users
Go to the Django admin panel by entering https://inventree.DOMAIN.COM/admin/, scroll down to SOCIAL ACCOUNTS and click on Social applications
Click ADD SOCIAL APPLICATION + and enter:
- Provider: OpenID Connect
- Provider ID: authentik
- Name: Authentik
- Client id: As per the Authentik Provider
- Secret key: As per the Authentik Provider
- Settings: {"server_url": "https://auth.DOMAIN.COM/application/o/inventree/"}
Click SAVE

Name		Name	Last commit message	Last commit date
Latest commit History 24 Commits
files		files
.gitignore		.gitignore
README.md		README.md
docker-compose.yml		docker-compose.yml
init.sh		init.sh

Order	Name
0	default-source-enrollment-prompt
1	default-source-enrollment-write
2	default-authentication-mfa-validation
3	default-source-enrollment-login

znibb/docker-authentik

Folders and files

Latest commit

History

Repository files navigation