Authentik was one of my very first projects when setting up my home lab, Beyond this now but one of the best configurations I had was OpenID with CloudFlare Zero & a bunch of application & firewall rules while messing around with FWaaS, Ofc the most tedious process was setting up OTP with Yubikeys, ill never forget the hours on end messing with policy and flows. Ive been in CyberSec professionally for a while since then, I stumbled across this channel last week & your vids have been background music since, but i must say This channel is without doubt the easiest to follow along, explanations are fantastic! Loving the content, breath of fresh air.

FINALLY a video that helped me set this up!! Now the only thing left is to figure out how to go from here to singel application ForwardAuth

As usual, videos are great. One suggestion I would like to make here is that it would be good if you show where you are getting some of these things from, for example, the forward auth configuration is available on Authentik's documentation; but you didn't mention/encourage/enable the viewers to that direction. If you can add that information as well, it would be a lot more helpful and people would then be able to go figure out problems on their own rather than the current spoon fed info. Another thing is that your videos are still fresh, and so are the configurations, but a year down the line, a lot of it might not be fresh; at that point, the official documentation would be really helpful to bridge the gaps.

10:25 ish, slightly confusing because you show creating a new Outpost, but the settings you use here only work if you select the embedded Outpost. Took me a few minutes of fumbling around to figure that out. You can have Authentik dynamically create the new outposts with the local docker connection, but you'll need to either remove the ports it's exposing, or change the external ones to something else, as the containers it spawns also listen on 9443. EDIT: after playing with this some more I definitely prefer manually deploying the outpost container, so I can set the name, dispense with the exposed ports, and connect it to the existing docker network.

Literally the first time in my life I needed to go through yt videos pausing to understand something. Authentik while powerful proved to be clusterf... for me, but man... Your explanations Jim are superb! //Few restarts later it works, lol 🤔

This is what I want to achieve proxy + Oauth, thanks for sharing

Great videos ! Keep it up ! I am actually doing the same thing as we speak :) Perfect timing

thanks for the demo and info, have a great day

You read multiple minds, had seen you post the Authentik video, and didn't get to watch it yet but a question I had was, are you using both or which replaces the other. Thanks Jim keep up the great work , it is much appreciated

Nice content! Congrats

Is it possible to disable the internal authentication in Portainer (non Business version)? It seems dangerous to use Oauth on Portainer if it exposes the weak internal auth mechanism. For now I've disabled Oauth and just put Portainer behind the Authentik proxy as that does not expose the internal auth to the public internet.

When logging out of authentik the proxy session is still kept have anyone solved this problem?

Great video. Quick question. With this setup, when you access Portainer, you are doing double authentication. You first hit the Domain Forward Auth and then the Portainer OAuth. In most cases you don't see this but in many cases it will break authentication. The Immich iOS app for instance won't work. Same with the Hoarder iOS app. I don't know what the correct work around is but I've successfully avoided the double auth by adding Portainer, Immich and any other apps I don't want to hit the Domain Forward auth to Unauthenticated URLs in the Domain Forward Auth Provider. How are you dealing with double auth?

I want to achieve push notification 2FA through a free provider/solution. Authelia uses Duo, which is not free. Is there an alternative way to configure it? Does Authentik support something like this? Unfortunately, the video only showed things up to the point that it is installed and no use cases have been presented. Thanks for any help!

Bit confusing setting up outpost as it starts out called "Domain Forward Auth Provider" but then magically becomes "authentik Embedded Outpost" ?

Hey, first of all thanks for your videos they are very inspiring (at least for me ☺). I have one question : I am running Truenas Scale (Bare metal) on Traefik and I wondering if i can get logged via Authentik ? If so how ?

I did this and it works great for web access, but can't access my nextcloud account via android app now. I have been looking for a fix but haven't figured it out. Is there a way to login to the android app with authentik? Thanks

from my point of view the current Version 2024.6.1 does not run very stable and its very hard to change things if the application is loosing the session all couple of minutes. I saw, that this is a very buggy version at the github forum. I will test the 2024.4.3 now because this was suggested from a user of the forum. Did you get similar issues?

Hey mate. In your Authentik videos, I’ve noticed that your compose yaml files don't have the authentik secret key entries to pull from your .env file. Is that on purpose or an oversight/not required?

I split my docker applications from one host to two hosts, one for admin stuff like pihole, authentik etc, the other for outbound applications. The formerly working configuration broke when authentik ended up on a different host than the traefik reversee proxy for the app - just some mistake on my side or do we need to change the traefik / authentik config when they don't share a (docker) host? Traefik is on both hosts - should it be only on one? Thanks for any hints!

How portainer and authentik not in conflict with port 9000, if they both use traefik ? did you change portainer's port? are they running in the same docker or server?

Currently using cloudflared tunnel…would this be better? Can this be used with tunnels?

Should I have watched a video before this one? I don't have the env file so not sure if it will work should I watch something else 1st?

Hi, thanks for this.... After i follow the steps exactly how you did, i try to access my app, but after authentification with authentik i will be fowarded to the authentik dashboard and not to the app.... Am i do something wrong?

Great video. Thank you. Do you recommend deploying this is a DMZ vlan and forward to server vlan from security stand point or just use an external network points to the DMZ as you pointed out in another video to secure other local services?

I had to separate the networks proxy on only the server and Authentik network for the rest for some reason there is a conflict I haven't been able to find but this fix it for now ... if I put every thing on the proxy network it goes haywire the web server wont server half the info and the log in blips in and out it was a horrid. maybe a port conflict whit Portainer port 9000, maybe some thing else ?

Please cover an mail server too tnx

Hmm, you are not really giving up on that background "noise"?

Problem with authentik that it requires an expensive enterprise license to integrate with google provider for oauth2.

It's got a good start. It's just a shame that LDAP authentication seems to be totally busted for a lot of people. Authentik will eventually just end up returning invalid access or invalid credentials with no change required from the user.