Managing the plethora of accounts and the associated credentials is annoying at the best of times. With the number of services I'm self-hosting, there is more to manage whilst aligning with security best practices as much as possible. Before, I was using Authelia briefly. It was simple to integrate into Traefik Proxy, but Authentik has a good management GUI and plenty of tutorials for integrating services.
I will be using applications (apps) and services interchangeably because each service has its own term, but they essentially mean the same thing – a thing you want to use.
Internet traffic is routed via Cloudflare using their Cloudflare Tunnel technology. Cloudflare Zero Trust will have applications set up where authentication is required.
Traffic is routed down the tunnel, where Traefik routes each request to the services (apps) based on rules.
Apps with security configured were usually set up that way because they had no authentication, had (perceived) weak security, or should not be exposed to the Internet without protection, such as DNS.
With support for various authentication protocols, from JSON Web Token (JWT) to OAuth2, Authentik allows identity and authentication to happen in the middleware and passes the result on to the service, which handles the pass or fail.
This greatly simplifies the credentials people need.
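As an added illustration (not the configuration used in this setup), this is how the Traefik-to-Authentik handoff described above is commonly wired with Traefik's `forwardAuth` middleware and Authentik's proxy outpost. The hostname `app.example.com`, the backend `whoami`, the container name `authentik-server` and the entry point `websecure` are assumptions.

```yaml
# Traefik dynamic configuration (file provider). Added example.
# Assumed names: app.example.com, whoami, authentik-server, websecure.
http:
  middlewares:
    authentik:
      forwardAuth:
        # Traefik asks the Authentik outpost to approve every request first.
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        # Trust X-Forwarded-* set by the hop in front of Traefik (the tunnel).
        # Only safe when Traefik is unreachable except through that hop.
        trustForwardHeader: true
        # Headers copied from Authentik's answer onto the request to the app.
        # Traefik replaces any client-supplied copies of these headers, so the
        # app sees identity values that came from Authentik, not the browser.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt

  routers:
    app:
      rule: "Host(`app.example.com`)"
      entryPoints: [websecure]
      priority: 10
      middlewares: [authentik]   # pass or fail is decided before the app
      service: app
    # Login redirect and callback endpoints on the app's hostname go straight
    # to Authentik, without the middleware, or the login flow would loop.
    app-outpost:
      rule: "Host(`app.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints: [websecure]
      priority: 15
      service: authentik

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://whoami:80"
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000"
```

An app that trusts the `X-authentik-*` headers must only be reachable through Traefik; if it is also published directly on the network, anyone who can reach it can set those headers themselves.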
Some applications I use that support Authentik in addition to their own authentication include:
I hope this is one less point of friction to overcome when the household uses the apps more.