rk1ve

authentik

i have not made a page for authentik yet, so here we are, since i have been messing around with it for the past few days. i originally set it up way back when, but never really put much time into it. a few weeks back i installed it again and deployed it from a proxmox lxc script and it has been working well. i set up basic oidc sso for the web apps and services that support it.

i found that deploying it in different ways affects the way it functions, but if done correctly, it will obviously work. i just came across some hiccups as i was deploying it and, after following different guides, i have a better understanding. the way i did it was an easy solution and updating it is just a matter of running the same install script. the docker compose method is a bit more confusing as it is dealing with a more complex stack, but still manageable. you do have to follow the documentation closely and include the necessary environment variables for the database to function. as always, i upload the files to my github so you can go to the docker repo.

the main configuration of oidc was fairly simple and straightforward. authentik makes it really easy and has a documentation page for each integration. i put it on most of the services i am hosting that support oidc. the other method is the authentik proxy provider, which forwards requests to the authentik portal, and from there the user has to authenticate. it is an easy configuration so long as you understand how proxies function and which one you are using.

in my case i am using nginx proxy manager and the configuration of proxy providers and applications is straightforward. using the wizard you can assign a name for the service you want to proxy. the provider will be proxy and you configure the middle option ‘forward auth (single application)’. this is where you put the external url of the service being proxied. skip the binding and the provider and application are created. then go to outposts and ensure that the type is ‘proxy’ and below you can add your proxy applications. furthermore, in the advanced settings, ensure that ‘authentik_host’ is set to the url of authentik itself. now press update and click on your application under the providers tab. this will direct you to the provider page for your application and this is where you find the text blocks to paste into your desired reverse proxy. if you are using nginx proxy manager, copy the whole text block under its tab and paste it into the advanced tab of your proxy host. then change the ‘proxy_pass’ option to the ip address of authentik and the correct port. this configuration is now the standard one for all proxy applications in authentik, so save it.
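as an added example (not the text block authentik generates for you, though it follows the same shape), this is what the advanced config of a nginx proxy manager host looks like once the forward auth lines are in and ‘proxy_pass’ points at authentik. the address `192.168.1.50:9000` is an assumption standing in for your authentik ip and port, and `$forward_scheme`/`$server`/`$port` are the variables nginx proxy manager fills in for the proxied service.

```nginx
# bigger buffers: the auth subrequest returns several headers
proxy_buffers 8 16k;
proxy_buffer_size 32k;
port_in_redirect off;

location / {
    # the service being protected (filled in by nginx proxy manager)
    proxy_pass $forward_scheme://$server:$port;

    # every request is checked against the authentik outpost first
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # pass the authenticated identity on to the service
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email    $upstream_http_x_authentik_email;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups   $authentik_groups;
    proxy_set_header X-authentik-email    $authentik_email;
}

# the outpost endpoints must stay reachable without authentication,
# otherwise the login redirect loops. this is the proxy_pass you change.
location /outpost.goauthentik.io {
    proxy_pass              http://192.168.1.50:9000/outpost.goauthentik.io;  # assumed authentik ip:port
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# a 401 from the auth check sends the user to the authentik login flow
# and brings them back to the page they asked for
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```

a quick check after saving: loading the service url in a private window should answer with a 302 to `/outpost.goauthentik.io/start`, and only after login should the service itself render.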

now if you go to the url of your service, it will redirect you to authentik and prompt you to log in. then it will send you on to your service. this works wonders when your services do not support oidc, oauth, saml, or any type of sso. this helped secure my homepage web app, as it was open to anyone on my management network, but now it is secured behind the authentik proxy.

customization is an appealing option in authentik and you can change a lot: the logo, background, links, positioning of the login block, displaying the boxes one at a time or together, etc. i did have to do some looking around on the authentik server, as i had to find where the images were being stored. the ui gave me a nice directory path, but it did not ‘exist’ on the linux filesystem. so eventually, after some looking and testing, i came across this:
/opt/authentik/web/dist/assets/icons

this is where you can store your favicons, logos, and background images, so long as you keep referencing them with the original path, which is:
/static/dist/assets/icons/

be sure that when you change the background image, you do it across the different flows, as you will want it to stay the same and not change when going from identification to authentication.

the positioning of the login box is a nice and handy preference. i went with stacked, as i think it looks better when it is in the middle. i also kept the defaults of prompting for the email/user and then the password. inside the flows i checked the box for compatibility with password managers and mobile. it is more convenient to have the pop up from my password manager than to copy and paste.

as long as you follow some good videos and the official documentation you will be fine. there is an option to create different brands, which allows you to change the branding depending on which domain the service is being accessed from. great for managing many domains within one instance of authentik. it goes without saying that authentik is resource intensive, so be sure to give the service eight gigs or more of ram.

keep this in mind as you are configuring authentik, specifically for those who installed it through a proxmox ve script. the config file is located here:
/etc/authentik
this is where you will set the ‘environment’ variables that the docker compose install process puts in its .env file.

preserve the moment.