The authentication glue you need.
| Category | Core Services |
|---|---|
| Platform | nixos |
| Version | 2025.10.12 |
| Site link | https://github.com/goauthentik/authentik |
| Nix Homelab Module | modules/features/authentik |
Migrated to Zitadel. I migrated from Authentik to Zitadel because I encountered a migration issue from version 2025.10 to 2026.02. I found it unacceptable not to be able to migrate from a version only 4 months old (see the issue → [https://github.com/goauthentik/authentik/issues/20634](https://github.com/goauthentik/authentik/issues/20634)). // https://github.com/badele/nix-homelab/docs/features/zitadel.md
Authentik is an open-source Identity Provider (IdP) focused on flexibility and versatility. It provides Single Sign-On (SSO), OAuth2, SAML, and LDAP authentication for self-hosted applications.
Authentik serves as the central authentication gateway for all homelab services, enabling unified user management and secure access control.
Unified authentication and identity management for all services
Key benefits:
- Single Sign-On: One login for all applications
- Multiple Protocols: OAuth2/OIDC, SAML, LDAP support
- Forward Auth: Protect legacy apps without OIDC support
- User Management: Centralized user and group administration, can replace LLDAP server.
- MFA Support: Multi-factor authentication options
- Flexible Flows: Customizable authentication workflows
Administration account
user: akadmin
pass: clan vars get houston authentik/envfile | grep AUTHENTIK_BOOTSTRAP_PASSWORD | cut -d= -f2
To protect services without native OIDC support, use forward authentication:
Step 1: Create a Proxy Provider
Navigate to Applications → Providers → Create:
- Type:
Proxy Provider - Mode:
Forward auth (single application) - External host:
https://service-name.ma-cabane.net - Authorization flow:
default-provider-authorization-implicit-consent
Step 2: Create Application
Navigate to Applications → Applications → Create:
- Link to the provider created above
- Configure access permissions
Step 3: Configure Embedded Outpost
Navigate to Applications → Outposts:
- Edit "authentik Embedded Outpost"
- Add your application to Selected Applications
- Set authentik_host:
https://douane.ma-cabane.net
Verification:
# Should return 204 No Content
curl -v http://127.0.0.1:9000/outpost.goauthentik.io/ping
# Should return 400 or 401 (NOT 404)
curl -v http://127.0.0.1:9000/outpost.goauthentik.io/auth/nginxSample datas :
- subDomain :
journaliste - appName:
miniflux - appDomain :
${subDomain}.ma-cabane.eu
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to
Applications => Applications (Create with provider)- Application: provide a descriptive name
- name:
${subDomain} - slug
${subDomain}-${appName} - Optional: Under UI Settings, set the Launch URL to
https://${appDomain}/oauth2/oidc/redirect. This will allow you to login directly to Miniflux from the authentik applications dashboard and skip the Miniflux OAuth Login button.
- name:
- Choose a Provider type: Select
OAuth2/OpenIDProvider as the provider type. - Configure the Provider: provide a name (or accept the auto-provided
name), the authorization flow to use for this provider (
implicit), and the following required configurations.- Define
ClientIDto${subDomaion}-${appName} - Update the
client secretwithclan vars get houston miniflux/oauth2-client-secret - Set a
Strictredirect URI tohttps://${appDomain}/oauth2/oidc/callback - Select any available signing key.
- Define
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.
- Application: provide a descriptive name
- Click Submit to save the new application and provider.
Source: https://integrations.goauthentik.io/media/miniflux/
Examples :
- subDomain :
encyclopedie - appName:
dokuwiki - appDomain :
${subDomain}.ma-cabane.eu
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to
Applications => Applications (Create with provider)- Application: provide a descriptive name
- name:
${subDomain} - slug
${subDomain}-${appName} - Optional: Under UI Settings, set the Launch URL to
https:/${appDomain}/start?oauthlogin=generic. This will allow you to login directly to DokuWiki from the authentik applications dashboard and skip the DokuWiki OAuth Login button.
- name:
- Choose a Provider type: Select
OAuth2/OpenIDProvider as the provider type. - Configure the Provider: provide a name (or accept the auto-provided
name), the authorization flow to use for this provider (
implicit), and the following required configurations.- Define
ClientIDto${subDomaion}-${appName} - Update the
client secretwithclan vars get houston dokuwiki/oauth2-client-secret - Set a
Strictredirect URI tohttps://${appDomain}/doku.php - Under Advanced protocol settings, add the following OAuth mapping
under Scopes:
authentik default OAuth Mapping:OpenID offline_access - Select any available signing key.
- Define
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.
- Application: provide a descriptive name
- Click Submit to save the new application and provider.
Source: https://integrations.goauthentik.io/documentation/dokuwiki/
Examples :
- subDomain :
bonnes-adresses - appName:
linkding - appDomain :
${subDomain}.ma-cabane.eu
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to
Applications => Applications (Create with provider)- Application: provide a descriptive name
- name:
${subDomain} - slug
${subDomain}-${appName} - Optional: Under UI Settings, set the Launch URL to
https://${appDomain}/oidc/authenticate/. This will allow you to login directly to Linkding from the authentik applications dashboard and skip the linkding OAuth Login button.
- name:
- Choose a Provider type: Select
OAuth2/OpenIDProvider as the provider type. - Configure the Provider: provide a name (or accept the auto-provided
name), the authorization flow to use for this provider (
implicit), and the following required configurations.- Define
ClientIDto${subDomaion}-${appName} - Update the
client secretwithclan vars get houston linkding/oauth2-client-secret - Set a
Strictredirect URI tohttps://${appDomain}/oidc/callback/ - Under Advanced protocol settings, add the following OAuth mapping
under Scopes:
authentik default OAuth Mapping:OpenID offline_access - Select any available signing key.
- Define
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.
- Application: provide a descriptive name
- Click Submit to save the new application and provider.
Enable password recovery flow:
- Navigate to Flows and Stages → Flows
- Import Recovery with email verification flow
- Go to System → Brands
- Enable
recoveryin Default flow section
Monitor email delivery:
Navigate to Events → Notification transports to check message status.
