knowledge/technology/applications/web/Authentik.md

---
obj: application
repo: https://github.com/goauthentik/authentik
website: https://goauthentik.io
---

# Authentik
Authentik is an open-source Identity Provider (IDP) that aims to unify your identity needs into a single platform. It can replace Okta, Active Directory, and Auth0, offering a comprehensive solution for managing user identities. Built with the public benefit in mind, Authentik Security Inc. has developed this product on top of the open-source project.

## Features
- **Self-host anywhere**: Authentik allows you to self-host your identity provider, giving you complete control over your data and infrastructure.
- **Multi-Factor Authentication (MFA)**: This feature helps ensure the security of your user accounts by requiring multiple forms of identification before granting access.
- **Conditional Access**: Authentik enables you to set conditions for accessing specific resources based on factors such as location, device, or time.
- **Open-source and source available**: The project is fully open-source, with its source code available for anyone to inspect and contribute to.
- **Application Proxy**: This feature allows you to securely connect your applications to Authentik without the need to modify them.
- **Enterprise support**: Authentik offers dedicated enterprise-level support to ensure smooth deployment and operation of the product within your organization.

### Supported Protocols
- **SAML 2.0**
- **OAuth 2.0 and OIDC**
- **SCIM**
- **LDAP**
- **RADIUS**

## Docker-Compose
`docker-compose.yml`:
```yml
---
services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - ./db:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - ./redis:/data
    deploy:
      resources:
        limits:
          memory: 512M

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.4}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
#      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
```

`.env`:
````
PG_PASS=<PASSWORD>
AUTHENTIK_SECRET_KEY=<SECRET>

# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=<HOST>
AUTHENTIK_EMAIL__PORT=465
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=<USER>
AUTHENTIK_EMAIL__PASSWORD=<PASS>
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=true
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=<FROM>

COMPOSE_PORT_HTTP=9020
COMPOSE_PORT_HTTPS=9021
```
update 2024-09-03 16:13:27 +00:00			`---`
			`obj: application`
			`repo: https://github.com/goauthentik/authentik`
			`website: https://goauthentik.io`
			`---`

			`# Authentik`
add authentik 2024-09-26 19:56:39 +00:00			`Authentik is an open-source Identity Provider (IDP) that aims to unify your identity needs into a single platform. It can replace Okta, Active Directory, and Auth0, offering a comprehensive solution for managing user identities. Built with the public benefit in mind, Authentik Security Inc. has developed this product on top of the open-source project.`

			`## Features`
			`- Self-host anywhere: Authentik allows you to self-host your identity provider, giving you complete control over your data and infrastructure.`
			`- Multi-Factor Authentication (MFA): This feature helps ensure the security of your user accounts by requiring multiple forms of identification before granting access.`
			`- Conditional Access: Authentik enables you to set conditions for accessing specific resources based on factors such as location, device, or time.`
			`- Open-source and source available: The project is fully open-source, with its source code available for anyone to inspect and contribute to.`
			`- Application Proxy: This feature allows you to securely connect your applications to Authentik without the need to modify them.`
			`- Enterprise support: Authentik offers dedicated enterprise-level support to ensure smooth deployment and operation of the product within your organization.`

			`### Supported Protocols`
			`- SAML 2.0`
			`- OAuth 2.0 and OIDC`
			`- SCIM`
			`- LDAP`
			`- RADIUS`

			`## Docker-Compose`
			`docker-compose.yml`:
			```yml
			`---`
			`services:`
			`postgresql:`
			`image: docker.io/library/postgres:16-alpine`
			`restart: unless-stopped`
			`healthcheck:`
			`test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]`
			`start_period: 20s`
			`interval: 30s`
			`retries: 5`
			`timeout: 5s`
			`volumes:`
			`- ./db:/var/lib/postgresql/data`
			`environment:`
			`POSTGRES_PASSWORD: ${PG_PASS:?database password required}`
			`POSTGRES_USER: ${PG_USER:-authentik}`
			`POSTGRES_DB: ${PG_DB:-authentik}`
			`env_file:`
			`- .env`
			`redis:`
			`image: docker.io/library/redis:alpine`
			`command: --save 60 1 --loglevel warning`
			`restart: unless-stopped`
			`healthcheck:`
			`test: ["CMD-SHELL", "redis-cli ping \| grep PONG"]`
			`start_period: 20s`
			`interval: 30s`
			`retries: 5`
			`timeout: 3s`
			`volumes:`
			`- ./redis:/data`
			`deploy:`
			`resources:`
			`limits:`
			`memory: 512M`

			`server:`
			`image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8}`
			`restart: unless-stopped`
			`command: server`
			`environment:`
			`AUTHENTIK_REDIS__HOST: redis`
			`AUTHENTIK_POSTGRESQL__HOST: postgresql`
			`AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}`
			`AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}`
			`AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}`
			`volumes:`
			`- ./media:/media`
			`- ./custom-templates:/templates`
			`env_file:`
			`- .env`
			`ports:`
			`- "${COMPOSE_PORT_HTTP:-9000}:9000"`
			`- "${COMPOSE_PORT_HTTPS:-9443}:9443"`
			`depends_on:`
			`- postgresql`
			`- redis`
			`worker:`
			`image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.4}`
			`restart: unless-stopped`
			`command: worker`
			`environment:`
			`AUTHENTIK_REDIS__HOST: redis`
			`AUTHENTIK_POSTGRESQL__HOST: postgresql`
			`AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}`
			`AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}`
			`AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}`
			# `user: root` and the docker socket volume are optional.
			`# See more for the docker socket integration here:`
			`# https://goauthentik.io/docs/outposts/integrations/docker`
			# Removing `user: root` also prevents the worker from fixing the permissions
			`# on the mounted folders, so when removing this make sure the folders have the correct UID/GID`
			`# (1000:1000 by default)`
			`user: root`
			`volumes:`
			`# - /var/run/docker.sock:/var/run/docker.sock`
			`- ./media:/media`
			`- ./certs:/certs`
			`- ./custom-templates:/templates`
			`env_file:`
			`- .env`
			`depends_on:`
			`- postgresql`
			`- redis`
			```

			`.env`:
			````
			`PG_PASS=<PASSWORD>`
			`AUTHENTIK_SECRET_KEY=<SECRET>`

			`# SMTP Host Emails are sent to`
			`AUTHENTIK_EMAIL__HOST=<HOST>`
			`AUTHENTIK_EMAIL__PORT=465`
			`# Optionally authenticate (don't add quotation marks to your password)`
			`AUTHENTIK_EMAIL__USERNAME=<USER>`
			`AUTHENTIK_EMAIL__PASSWORD=<PASS>`
			`# Use StartTLS`
			`AUTHENTIK_EMAIL__USE_TLS=false`
			`# Use SSL`
			`AUTHENTIK_EMAIL__USE_SSL=true`
			`AUTHENTIK_EMAIL__TIMEOUT=10`
			`# Email address authentik will send from, should have a correct @domain`
			`AUTHENTIK_EMAIL__FROM=<FROM>`

			`COMPOSE_PORT_HTTP=9020`
			`COMPOSE_PORT_HTTPS=9021`
			```