Authentik was one of my very first projects when setting up my home lab.
I'm beyond this now, but one of the best configurations I had was OpenID with CloudFlare Zero & a bunch of application & firewall rules while messing around with FWaaS.
Ofc the most tedious process was setting up OTP with Yubikeys; I'll never forget the hours on end messing with policy and flows.
I've been in CyberSec professionally for a while since then. I stumbled across this channel last week & your vids have been background music since,
but I must say
this channel is without doubt the easiest to follow along; explanations are fantastic!
Loving the content, breath of fresh air.
Thanks so much for the feedback and hello to a fellow cyber security professional 👋 you have an interesting setup, I'll likely move on to hardware tokens further down the road.
@@Jims-Garage I'd love to see a video on forcing 2FA on all applications using authentik, that would be a great benefit in my opinion
thanks for the demo and info, have a great day
Thanks, Chris.
10:25 ish, slightly confusing because you show creating a new Outpost, but the settings you use here only work if you select the embedded Outpost.
Took me a few minutes of fumbling around to figure that out.
You can have Authentik dynamically create the new outposts with the local docker connection, but you'll need to either remove the ports it's exposing, or change the external ones to something else, as the containers it spawns also listen on 9443.
EDIT: after playing with this some more I definitely prefer manually deploying the outpost container, so I can set the name, dispense with the exposed ports, and connect it to the existing docker network.
FINALLY a video that helped me set this up!! Now the only thing left is to figure out how to go from here to single application ForwardAuth
Glad it helped!
Great videos ! Keep it up !
I am actually doing the same thing as we speak :) Perfect timing
Thanks, stay tuned for keycloak...
Haha, same here. Did some stuff differently a bit though.
This is what I want to achieve proxy + Oauth, thanks for sharing
Glad it was helpful!
Literally the first time in my life I needed to go through yt videos pausing to understand something. Authentik while powerful proved to be clusterf... for me, but man... Your explanations Jim are superb!
//Few restarts later it works, lol 🤔
Glad I could help! I often find a restart of containers sorts things out.
As usual, videos are great. One suggestion I would like to make here is that it would be good if you show where you are getting some of these things from; for example, the forward auth configuration is available in Authentik's documentation, but you didn't mention/encourage/enable the viewers in that direction. If you can add that information as well, it would be a lot more helpful and people would then be able to go figure out problems on their own rather than the current spoon-fed info. Another thing is that your videos are still fresh, and so are the configurations, but a year down the line a lot of it might not be fresh; at that point, the official documentation would be really helpful to bridge the gaps.
Thanks for the feedback. I do endeavour to keep the configs up to date on GitHub. If there are significant changes I'll likely do another video.
Nice content! Congrats
Thanks!
When logging out of authentik the proxy session is still kept. Has anyone solved this problem?
Try to reduce session cache time
You read multiple minds. I had seen you post the Authentik video and didn't get to watch it yet, but a question I had was: are you using both, or which replaces the other? Thanks Jim, keep up the great work, it is much appreciated
You're welcome, glad you're enjoying the content. You have some choices to make now haha
@@Jims-Garage Yup, just have to set some time to review all the content and start building. Work is a little rough at the moment, so when things settle on my end
@@Jr-hv1ct one thing there's never enough of, time! Well at least the videos aren't going anywhere and if you need help/advice jump into the Discord and we can help you out.
@Jims-Garage yup, it's true. Noted and thanks again
Is it possible to disable the internal authentication in Portainer (non Business version)? It seems dangerous to use Oauth on Portainer if it exposes the weak internal auth mechanism. For now I've disabled Oauth and just put Portainer behind the Authentik proxy as that does not expose the internal auth to the public internet.
@@robflate you always want internal auth available for when you need to break glass. However, you definitely don't want to put the login internet facing. Put it on a VLAN and restrict access
Great video. Quick question. With this setup, when you access Portainer, you are doing double authentication. You first hit the Domain Forward Auth and then the Portainer OAuth. In most cases you don't see this, but in many cases it will break authentication. The Immich iOS app for instance won't work. Same with the Hoarder iOS app. I don't know what the correct workaround is, but I've successfully avoided the double auth by adding Portainer, Immich and any other apps I don't want to hit the Domain Forward Auth to Unauthenticated URLs in the Domain Forward Auth Provider. How are you dealing with double auth?
@@robflate not sure I follow. There's no double Auth, it's single sign in with oauth
If you open an Incognito browser and go to Portainer, Authentik will first trigger the Domain wide proxy provider. Once signed in, it will then trigger the Portainer OAuth provider. What I’m saying is there’s nothing in your setup that tells Authentik to exclude Portainer from the Domain wide proxy. Or am I missing something?
If for example you try to login to the Immich iOS app, Authentik will trigger the Domain wide proxy auth which will not provide Immich with the correct OAuth settings/URLs.
You are right. It seems like an issue with my setup but I can't for the life of me see where I'm going wrong.
@@robflate portainer isn't using the Authentik proxy, it supports oauth2. If an app doesn't support oauth2 use the proxy.
For example, you need the proxy for immich as it doesn't support oauth2. For portainer you don't use the proxy, you create a new provider using oauth2
@@Jims-Garage Managed to get it sorted. I had accidentally set Portainer, Immich etc to use the authentik middleware in Traefik so Traefik was first sending requests to the Authentik outpost which was triggering the proxy. Removed that and everything works. Thanks again for a great channel!
Bit confusing setting up outpost as it starts out called "Domain Forward Auth Provider" but then magically becomes "authentik Embedded Outpost" ?
I had an issue with this, too. What I think he did (and what ended up working for me) was to simply edit the existing outpost. Authentik automatically creates this embedded outpost. I couldn't get a new one to work/communicate. So I re-watched that part and noticed that instead of creating a new one, he was actually using the embedded outpost (but modified with the inputs he explained). And, boom - it finally worked for me.
The only app I can't get to work with this is Pihole. I think it has to do with the /admin requirement. Can't figure out how to strip it.
@@lsik231l That's been my experience too. Works with embedded outpost. Doesn't work with created one.
I've spent the last 10 hours trying to get it working with a created outpost (like he talks about in the video), and I just feel like putting my head through a wall.
I really need at least one other outpost though, so I can have two separate URLs for two separate traefik middlewares, and use groups to restrict access to admin-only apps.
Basically, to have a User Forward Auth middleware and an Admin Forward Auth middleware, to be applied to each application via traefik labels as needed.
Hey, first of all thanks for your videos, they are very inspiring (at least for me ☺). I have one question:
I am running Truenas Scale (bare metal) on Traefik and I'm wondering if I can get logged in via Authentik? If so, how?
I don't believe it's supported natively.
I want to achieve push notification 2FA through a free provider/solution. Authelia uses Duo, which is not free. Is there an alternative way to configure it? Does Authentik support something like this? Unfortunately, the video only showed things up to the point that it is installed and no use cases have been presented. Thanks for any help!
From my point of view the current version 2024.6.1 does not run very stably, and it's very hard to change things if the application is losing the session every couple of minutes. I saw on the GitHub forum that this is a very buggy version. I will test 2024.4.3 now because this was suggested by a user of the forum. Did you get similar issues?
I have also witnessed this behaviour, that's likely what was happening in my recent headscale video...
Currently using cloudflared tunnel…would this be better? Can this be used with tunnels?
I prefer to not use tunnels due to privacy. I like Authentik as I have full control. It's all personal preference though. Try it and see
@@Jims-Garage I will check it out…will I need to port forward ? 443, 80 or both? My current set up is docker on my synology.
Hey mate. In your Authentik videos, I’ve noticed that your compose yaml files don't have the authentik secret key entries to pull from your .env file. Is that on purpose or an oversight/not required?
How are portainer and authentik not in conflict on port 9000 if they both use traefik? Did you change portainer's port? Are they running in the same docker or server?
You can run many servers on the same port behind a reverse proxy, that's one of the main advantages. It routes traffic based on the container, not the IP:port
@@Jims-Garage You're right. Great work. I just realized that it was traefik that randomly picked a network when I had multiple networks inside a service. I had to explicitly name all my networks, even if I had "- traefik.docker.network=..." everywhere. Continue your good job ;)
Traefik has its own load balancer. You do not need to expose ports like how you would on nginx proxy manager.
I split my docker applications from one host to two hosts, one for admin stuff like pihole, authentik etc., the other for outbound applications. The formerly working configuration broke when authentik ended up on a different host than the traefik reverse proxy for the app - just some mistake on my side, or do we need to change the traefik / authentik config when they don't share a (docker) host? Traefik is on both hosts - should it be only on one? Thanks for any hints!
You're good with a single Traefik, be sure to use an external service.
Solved... (I lost the overview). Expose port 9443 or 9000 (https or http) in docker-compose.yaml for authentik (server). Modify traefik/data/config.yml and use the external authentik.mydomain/outpost.go... instead of the docker internal one authentik_server:9000/outpost...
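The Traefik side of what the two comments above describe, as an added example (not the video's config file and not from the thread): a file-provider `traefik/data/config.yml` declaring the Authentik forwardAuth middleware, the router that hands the outpost path to Authentik, and the two address choices (docker-internal for a single host, external hostname when Authentik lives on another host). Hostnames, entrypoint and middleware names are assumptions; `authentik.mydomain`, `authentik_server:9000` and the outpost path come from the thread and Authentik's Traefik integration, and the rule syntax is Traefik v2.

```yaml
# Added example, not the video's or the project's own file: traefik/data/config.yml
# for the Traefik file provider. Hostnames, entrypoints and middleware names are assumed.
http:
  middlewares:
    authentik:
      forwardAuth:
        # Single-host setup: Traefik reaches the Authentik server over the shared
        # docker network by service name, so nothing leaves the host.
        address: http://authentik_server:9000/outpost.goauthentik.io/auth/traefik
        # Cross-host setup (Authentik on another docker host): the service name no
        # longer resolves, so point at the public hostname instead, e.g.
        # address: https://authentik.mydomain/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        # Identity headers Authentik sets on the request once the check passes;
        # the upstream app sees these, so only list the ones it actually needs.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

  routers:
    # In single-application mode the login redirect lands on the protected host's
    # own /outpost.goauthentik.io/ path, so that path must be routed to the outpost
    # (one router per protected host). Domain-level mode serves it from the
    # Authentik host itself.
    app-outpost:
      rule: "Host(`app.mydomain`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints:
        - https
      service: authentik
      tls: {}

  services:
    authentik:
      loadBalancer:
        servers:
          # Single host: docker service name. Another host: that host's LAN address,
          # e.g. http://192.0.2.10:9000 (assumed documentation address), which is why
          # port 9000/9443 has to be exposed on the Authentik host in that layout.
          - url: http://authentik_server:9000
```

Attach the middleware per app with a label such as `traefik.http.routers.<app>.middlewares=authentik@file`, and only on apps that are published through an Authentik proxy provider. An app that already has its own Authentik OAuth2/OIDC provider (Portainer in this thread) gets no middleware label; adding one is exactly what produced the "double auth" described earlier, because Traefik then sends the request through the outpost before the app ever starts its own OAuth2 flow.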
I did this and it works great for web access, but can't access my nextcloud account via android app now. I have been looking for a fix but haven't figured it out. Is there a way to login to the android app with authentik? Thanks
Should I have watched a video before this one? I don't have the env file, so I'm not sure if it will work. Should I watch something else first?
Great video. Thank you. Do you recommend deploying this in a DMZ VLAN and forwarding to the server VLAN from a security standpoint, or just using an external network pointing to the DMZ as you pointed out in another video to secure other local services?
I don't think it matters too much, but from a security perspective micro segmentation is always better. Try it first and decide later.
Hi, thanks for this.... After I follow the steps exactly how you did, I try to access my app, but after authentication with authentik I get forwarded to the authentik dashboard and not to the app.... Am I doing something wrong?
Make sure the redirect URL is for the app and not Authentik (you will need to set the redirect in the App and the Authentik Provider).
@@Jims-Garage thanks for the answer. I have done everything exactly how you did it in this video. After I add the authentik middleware to my container (traefik label) and access my app URL, a login prompt from authentik appears, and after this there is only the authentik dashboard, but not the app.... Strange...... Is it a bug? Because I have followed you in every single step.....
@@Jims-Garage I didn't understand what you mean here. In your video you set the authentik URL in the config.yml, which I did too. And on the app the only thing is to add the middleware for authentik.... But I always end up on the authentik dashboard after selecting my app URL and authenticating with authentik.... ?!?!
@@kurt_hansen let me take a look at the video and replicate the steps. I'll come back to you.
@@Jims-Garage I have the same following this video. Is there any further response to this issue ?
I had to separate the networks: proxy on only the server, and the Authentik network for the rest. For some reason there is a conflict I haven't been able to find, but this fixes it for now... If I put everything on the proxy network it goes haywire: the web server won't serve half the info and the login blips in and out. It was horrid.
Maybe a port conflict with Portainer port 9000, maybe something else?
I had the same issue and was able to fix it. The issue was that I had other redis and databases on the same network, so all you have to do is rename redis to authentik-redis and postgresql to authentik-postgresql. And also give them the same container_name. And make sure you change that everywhere else it was mentioned, like the redis host variable.
Yes, I think having any database or Redis on your open docker network is just bad news for conflicts.. I have found out, all those times where I couldn't figure out why the database isn't working when all the settings are correct, look at the logs, and I think most of those issues were related to having them on the main docker proxy network. Now I segregate the apps in their own network if they need it, and then only have the main app on the proxy network. But I have had problems too where if you don't put other things on the network or some shared network it just won't work ...
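The compose layout the last two comments arrive at, written out as an added example (not the video's compose file): the datastores get unique service and container names, the Authentik server is told about those names through its `AUTHENTIK_REDIS__HOST` / `AUTHENTIK_POSTGRESQL__HOST` settings, only the server joins the shared `proxy` network, Traefik is pinned to that network with `traefik.docker.network` (the fix from the earlier comment about Traefik picking a random network), and `AUTHENTIK_SECRET_KEY` is pulled from `.env` as the earlier question asked about. Network and volume names, the `.env` variable names and the hostname are assumptions; the `AUTHENTIK_*` keys and the image are Authentik's own.

```yaml
# Added example, not the video's or the project's compose file. Network names,
# volume names, .env variable names and the hostname are assumptions.

# Shared block so server and worker cannot drift apart.
x-authentik-env: &authentik-env
  AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}
  # Point at the renamed containers. Authentik's defaults are "redis" and
  # "postgresql", which is exactly what collides when another stack on the
  # same network also calls its datastores redis/postgresql.
  AUTHENTIK_REDIS__HOST: authentik-redis
  AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
  AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
  AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
  AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?set PG_PASS in .env}

services:
  authentik-postgresql:
    image: docker.io/library/postgres:16-alpine
    container_name: authentik-postgresql   # same as the service name so DNS and logs agree
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${PG_DB:-authentik}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_PASSWORD: ${PG_PASS:?set PG_PASS in .env}
    volumes:
      - authentik-db:/var/lib/postgresql/data
    networks:
      - authentik-internal                 # never on the proxy network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 30s
      timeout: 5s
      retries: 5

  authentik-redis:
    image: docker.io/library/redis:alpine
    container_name: authentik-redis
    restart: unless-stopped
    command: --save 60 1 --loglevel warning
    volumes:
      - authentik-redis:/data
    networks:
      - authentik-internal

  authentik-server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:?set AUTHENTIK_TAG in .env}
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment: *authentik-env
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    networks:
      - authentik-internal
      - proxy                              # the only member of the shared proxy network
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy       # pin Traefik to this network, not a random one
      - traefik.http.routers.authentik.rule=Host(`authentik.mydomain`)
      - traefik.http.routers.authentik.entrypoints=https
      - traefik.http.routers.authentik.tls=true
      - traefik.http.services.authentik.loadbalancer.server.port=9000
    depends_on:
      - authentik-postgresql
      - authentik-redis

  authentik-worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:?set AUTHENTIK_TAG in .env}
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment: *authentik-env
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    networks:
      - authentik-internal                 # the worker never needs to be reachable from Traefik
    depends_on:
      - authentik-postgresql
      - authentik-redis

networks:
  authentik-internal:                      # private bridge for this stack only
  proxy:
    external: true                         # the network Traefik already lives on

volumes:
  authentik-db:
  authentik-redis:
```

With this layout nothing outside the stack can resolve or reach `authentik-postgresql` or `authentik-redis`, which removes both the name collision and the exposure of the datastores to every other container on the proxy network. No ports are published on the Authentik server either; Traefik reaches port 9000 over the `proxy` network, so Portainer's 9000 and Authentik's 9000 never meet on the host.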
Please cover a mail server too, tnx
I might do this later, but self-hosted email is generally not recommended due to the way domain trust is established. You'll likely have a high non-delivery rate with a home mail server.
Hmm, you are not really giving up on that background "noise"?
I've recorded my next one without any, just for you :)
I think the music is of a nice level. But maybe too similar to ibracorp
@@KeesFluitman we probably use the same stock music, I'll have to check. I'm actually a metal head but I don't think that would go down too well 😂
Problem with authentik is that it requires an expensive enterprise license to integrate with the Google provider for OAuth2.
It's got a good start. It's just a shame that LDAP authentication seems to be totally busted for a lot of people. Authentik will eventually just end up returning invalid access or invalid credentials with no change required from the user.
Interesting, I will look into this at a later date. I'd also like to cover zitadel.
I've been using authentik as an LDAP provider for a while now. Working fine with Jellyfin, Opnsense and Mealie