Single Sign On With OAuth2.0 - Authentik Is AWESOME!

  • Published on 28 Nov 2024

Comments • 106

  • @bluesquadron593
    @bluesquadron593 a year ago +17

    Awesome content and superb channel!

  • @monish05m
    @monish05m a year ago +3

    Using authentik for over a year now, I can say with confidence that it is awesome, functional, and logical. All with great support and pretty UI.

    • @Jims-Garage
      @Jims-Garage a year ago

      Awesome, I agree - it's a great tool!

  • @alisawongsawat3979
    @alisawongsawat3979 a year ago +6

    I am loving it. Thank you for pushing me to improve my home lab!

  • @bertocross
    @bertocross a year ago +7

    A big thank you for giving me loads of inspiration and lots of new projects to undertake in my homelab. I'm currently in the process of migrating from nginx proxy manager to traefik. Keep up the excellent work, I really enjoy your videos. I'm looking forward to the next authentik episode. 👍

    • @Jims-Garage
      @Jims-Garage a year ago

      Thanks for the feedback, really appreciate it.

  • @accesser
    @accesser a year ago +3

    Great job researching this and then presenting in a clear way, this looks like a fun thing to tinker with

  • @DarrylGibbs
    @DarrylGibbs a year ago +1

    Ah man!!!! Your guide is amazing! I just managed to get my Immich instance behind OAuth!! Dude, you're amazing!! Not to mention I've now learnt HOW to learn from Authentik's documentation.

    • @Jims-Garage
      @Jims-Garage a year ago

      You're most welcome, good job 👍

  • @hasanerken9604
    @hasanerken9604 a year ago +1

    Fantastic explanation, please continue with all capabilities of Authentik

    • @Jims-Garage
      @Jims-Garage a year ago

      Thanks. I did a follow up for web proxies.

    • @hasanerken9604
      @hasanerken9604 a year ago +1

      Now I am watching it. Awesome guidance. Thanks @@Jims-Garage

  • @skinwalker_
    @skinwalker_ 6 months ago +1

    Your videos are so good they deserve more likes and shares than they have. I guess we are a specialized group of people. Thank you for these videos, they are really helpful and appreciated.

    • @Jims-Garage
      @Jims-Garage 6 months ago

      Thanks, really appreciate the feedback

  • @chrisumali9841
    @chrisumali9841 a year ago +2

    Thanks for the demo and info, have a great day

  • @crc_code
    @crc_code a year ago +4

    Thank you so much for sharing this information with us..this is a great video as always ❤❤❤

  • @cybr774
    @cybr774 a year ago +8

    Now a video about Keycloak would be quite fitting + a video comparing Authelia, Authentik and Keycloak😁

    • @Jims-Garage
      @Jims-Garage a year ago +2

      Thanks, it's on the list! :D My goal is to start off with simpler things and move onto the more Enterprise stuff (hence Authelia -> Authentik -> Keycloak).

    • @cybr774
      @cybr774 a year ago +1

      @@Jims-Garage Awesome to hear, keep up the great work!

  • @MacJFitness
    @MacJFitness 6 months ago +1

    Thanks a lot for this guide! I set this up earlier watching another video and could not get the OAuth to work with Portainer. After I added the middleware you specified to the traefik config file and the labels to the compose file everything worked as expected!

    • @Jims-Garage
      @Jims-Garage 6 months ago

      Great, good to hear that

  • @PeterBatah
    @PeterBatah a year ago +2

    Clear and precise. Thank you for sharing your time and experience with us. I must be the only one having trouble logging into Portainer. After clicking on Login with OAuth I see the Portainer logo / Log in to your account / Welcome back! Please enter your details / Authentication in progress / Spinning gear / I am taken back to the login screen / Unable to login via OAuth. Running in a Docker Proxmox VM

    • @Jims-Garage
      @Jims-Garage a year ago +1

      Thanks. Be sure to check all of the URLs in the redirection journey. If you're still stuck hop onto Discord - lots of people to help.

    • @PeterBatah
      @PeterBatah a year ago +1

      Thanks so much for the prompt response. I created a new Debian 11 Proxmox container and went through the entire setup again. Everything is working as it should. I suspect that my versions of Docker and Portainer may well have been outdated. Have an awesome evening. @@Jims-Garage

    • @Jims-Garage
      @Jims-Garage a year ago +1

      @@PeterBatah great to hear. A strange issue!

  • @draukuxan1081
    @draukuxan1081 a year ago +2

    Thanks for another fantastic video! This and the next Authentik video on your channel are my projects for today. I've been using Auth0 for years, and have been wanting to switch to Authentik for a while now.
    One suggestion for your videos: please leave the pop-up/clarification text on the screen for a little bit longer than you did for the "workers" blurb at 4:10 as I had to back up and pause to read it.

  • @dmbrv
    @dmbrv a year ago +2

    Very nice explanation. Thanks a lot for the video.

    • @Jims-Garage
      @Jims-Garage a year ago

      Thanks, you're welcome 😁

  • @Iahmel.
    @Iahmel. a year ago +1

    Looking forward to more content on Authentik. It's an awesome product and very capable of many things, although finding good examples and guidance for someone who isn't a devops guy is difficult.

    • @Jims-Garage
      @Jims-Garage a year ago +1

      Thanks, make sure to check out my follow up with web proxies (like Authelia).

  • @BoKKeR111
    @BoKKeR111 a year ago +1

    Thanks for this great content! For me portainer created the user properly. No issues at all

  • @henrysowell
    @henrysowell 9 months ago +1

    Thanks Jim! Great video

    • @Jims-Garage
      @Jims-Garage 9 months ago

      Appreciate the feedback ☺️

  • @RealEstate3D
    @RealEstate3D 4 months ago +2

    Basically the outcome is that I have now either:
    1) a working Authentik on an unsecured IP connection on port 7000 .... OR ...
    2) a 504 Gateway Time-out error from openresty.
    First time I saw a video by Jim. Very likeable. To be fair ... Jim said in the video that he wouldn't recommend going with an IP himself. But that exactly is what he is doing here. My fault, I guess.

    • @Jims-Garage
      @Jims-Garage 4 months ago

      @@RealEstate3D I'll upload the compose with Traefik labels shortly to the same repo

    • @Jims-Garage
      @Jims-Garage 4 months ago +1

      Now added: I've just added a Traefik labels version to my Authentik repo. github.com/JamesTurland/JimsGarage/tree/main/Authentik

    • @RealEstate3D
      @RealEstate3D 4 months ago

      @@Jims-Garage That’s nice 🙂 Unfortunately I kicked out traefik and replaced it with node-proxy-manager 🤨🔫

  • @drbyte2009
    @drbyte2009 6 months ago +1

    Nice video Jim, I would love to see a video to secure selfhosting in the combination Authentik / Traefik

    • @Jims-Garage
      @Jims-Garage 6 months ago

      Thanks, can you explain what you mean? You can plug your apps into Authentik as demoed.

    • @drbyte2009
      @drbyte2009 6 months ago

      @@Jims-Garage I recently setup Traefik 3.0 in a demo environment, in combination with PiHole as a DNS server.
      I want to access some local hosted websites / apps with Authentik

  • 2 months ago

    Great Video! Would you please make a video on what to do with the combination nginx-proxy-manager (runs already) and authentik? Thanks!

  • @thieuson
    @thieuson a year ago +2

    Very useful, thank you

  • @javiesteban4510
    @javiesteban4510 a year ago +2

    One question: your docker machine is standalone or is installed on proxmox? All of your docker compose are in the same docker machine? If it's proxmox use all the hdd size in this docker machine? Best regards and thanks for all your videos

    • @Jims-Garage
      @Jims-Garage a year ago +1

      The machine I'm using in my videos is a standalone VM on Proxmox, it's a replica of what I used to use (hence why it's the homelab journey). I now use Kubernetes, which is what we'll get onto later in the series.
      For the docker host I used to have, there was a single 512GB nvme drive with a TrueNAS samba share mounted to it for media and backups.

    • @javiesteban4510
      @javiesteban4510 a year ago +1

      @@Jims-Garage Thanks, related to the TrueNAS server, which CPU and memory are you using? Thanks

    • @Jims-Garage
      @Jims-Garage a year ago +1

      @@javiesteban4510 I'm using a Pentium G4560 (yes, it's ancient), with 32GB of Samsung ECC memory

  • @mrtreehugger4259
    @mrtreehugger4259 a year ago +1

    Thank you very much! Maybe you could also take a look at Zitadel?

    • @Jims-Garage
      @Jims-Garage a year ago +1

      You're welcome 😁 Yes, it's on the list. It looks promising.

  • @fedefede843
    @fedefede843 a year ago +3

    Hi, so you need to do the same for each app right? And those apps need to support this (auth2), correct?

    • @Jims-Garage
      @Jims-Garage a year ago +1

      Correct, otherwise choose a proxy provider which will behave like Authelia instead.

  • @alfonce7613
    @alfonce7613 5 months ago +1

    Thanks Jim, loving this series. Question: are you able to change the internal listening ports of a container without exposing? I.e. if you're trying to route a container through a reverse proxy but you have a port conflict with another app, is there a way to tell the app to listen on another port without defining a "ports" section and exposing ports?

    • @Jims-Garage
      @Jims-Garage 5 months ago +1

      Yes, you can use the loadbalancer to change the port (e.g. grafana on port 443 loadbalanced to 3000).

    • @alfonce7613
      @alfonce7613 5 months ago

      @@Jims-Garage Cheers - yeah okay, what I didn't understand was that if I'm not exposing ports to the host I can for example use traefik to resolve multiple containers all listening on the same port because they are on their own individual IPs. I had an instance where portainer and authentik containers were both listening on the same port.. took me way too long to work out I can set the load balancer to the same port for both and traefik will just handle it XD

  • @HunterGeophysicsAustralia
    @HunterGeophysicsAustralia 4 months ago

    Another great video; thanks, Jim.
    Just FYI, at 16:30, upon logging out of Portainer, I was redirected to an Authentik page instead of the Portainer log-in screen. Logging out of Authentik at this point, and then logging back into Authentik again, and then logging in and logging out of Portainer seemed to fix it, even though the URL was set as you've done in your video.
    By the way, is there a way to fire off a test email to ensure the Authentik email settings are correct and all is working properly?
    Thanks again.

  • @johnackelley
    @johnackelley months ago

    I had set authentik up with single application forward auth proxies for the providers for each application to communicate with an nginx reverse proxy setup. I'm trying to switch to OAuth2 OIDC, but get a 404 if I use anything other than the local IP. I don't have my ports exposed on the public IP/domain since I'm using a reverse proxy instead. I can't seem to figure out how to get the proxy outpost in Authentik to work with the OAuth2 providers.

  • @larsskage5584
    @larsskage5584 7 months ago +1

    Great video!
    Exactly what I have been looking for. At 8:10 you mention using a proper domain. My initial setup was without port forwarding and only using pihole as my internal DNS with all FQDNs pointing to the nginx proxy manager. The issue is portainer cannot resolve the name. It will work if I add the auth FQDN and point it to my public IP and port forward to nginx, but I would rather keep it all internal. Is this setup impossible? TIA /lars

    • @Jims-Garage
      @Jims-Garage 7 months ago

      Ofc, follow my Traefik video. That uses a DNS challenge which doesn't require any port forwarding.

  • @senj3ru
    @senj3ru 5 months ago

    and in the future, if you need to update postgres to a newer version, what is the correct way to do this?

  • @andoniortiz4774
    @andoniortiz4774 a year ago +1

    Thanks for sharing!

  • @PeterBatah
    @PeterBatah a year ago +1

    Hello again Jim. At approximately 11:38 you state that you can have a single provider for many applications (one to many). Are you sure about that? I have attempted to do so and get the following error message: Application with this provider already exists.

    • @Jims-Garage
      @Jims-Garage a year ago +1

      Thanks, I should have been clearer. From the official docs: "Starting with authentik 2023.5, applications can use multiple providers, to augment the functionality of the main provider".

    • @PeterBatah
      @PeterBatah a year ago +1

      My apologies Jim. I should have mentioned that I was using Authentik version 2023.8.3 @@Jims-Garage

  • @fulesmackofule
    @fulesmackofule 11 months ago +1

    Awesome! But what happens after 16:52? No password asked? It just gets in Portainer?
    Too bad all other applications I run for my home lab need password through either pop-up or form...

    • @Jims-Garage
      @Jims-Garage 11 months ago +1

      It's because I'm using the same account as I'm currently logged into Authentik with.

  • @RiffyDevine
    @RiffyDevine 3 months ago +1

    I am already using a redis in my traefik container for traefik-kop. Can it share the redis or do I need to set them to different ones?

    • @Jims-Garage
      @Jims-Garage 3 months ago

      @@RiffyDevine I believe it can be shared but not sure about configuration

  • @planeetpaul
    @planeetpaul 7 months ago +1

    Hi Jim, I am looking for a solution which I can use for my homelab apps but also for my WordPress websites members area. Is it possible to integrate Authelia or Authentik into my WordPress site?

    • @Jims-Garage
      @Jims-Garage 7 months ago

      Yes, web proxy should do it.

  • @Dros34
    @Dros34 4 months ago +1

    For SAML based auth is there a mobile app you install that will push the SSO/SAML request to your phone? Much like the way DUO works for example.

    • @Jims-Garage
      @Jims-Garage 4 months ago

      @@Dros34 I think you're referring to MFA?

    • @Dros34
      @Dros34 4 months ago

      @@Jims-Garage yes, like an authentik MFA app. I’m just looking into this; authentik, doesn’t it do MFA? It’s basically like a free version of DUO, RSA, Okta etc. Btw great channel. Really like your videos.

  • @DesertCookie
    @DesertCookie 9 months ago +2

    I am stuck on the initial setup. It won't redirect me after I have entered my details. The logs don't show anything special either; just a regular API request is logged.
    Edit: I had to use the HTTPS port. The HTTP port does not work for this.
    Edit 2: Firefox doesn't work with parts of the UI. I recommend a Chromium-based browser.

    • @Jims-Garage
      @Jims-Garage 9 months ago +1

      Glad it's working. Likely because the Traefik proxy is set to redirect to HTTPS

  • @omerta3393
    @omerta3393 4 months ago +1

    I followed your instructions and it is now up and running, going forward to put Prometheus behind it

    • @Jims-Garage
      @Jims-Garage 4 months ago +1

      Great, good job.

  • @abessesmahi4888
    @abessesmahi4888 a year ago +2

    Thank you for this great content, and please mute the music during the tutorial because it's disturbing.

    • @Jims-Garage
      @Jims-Garage a year ago +1

      Thanks, will take that into consideration.

  • @HenricLilliehöök
    @HenricLilliehöök 9 months ago +1

    Your docker-compose file on github doesn't work with newer images it seems...

    • @Jims-Garage
      @Jims-Garage 9 months ago

      Thanks, I'll investigate when I have time. Please submit a pr if you have a working one.

  • @张伟平-m9q
    @张伟平-m9q 8 months ago

    how to install not by docker do it by bare install way?

  • @michaelventarola7100
    @michaelventarola7100 11 months ago +1

    What is better? This or Keycloak?

    • @Jims-Garage
      @Jims-Garage 11 months ago

      For homelab I would go for Authentik as it has a proxy. For enterprise and OAuth it's keycloak all the way

  • @cyberjohn44
    @cyberjohn44 a year ago +1

    Does it support 2FA with SSO?

  • @pmlstk
    @pmlstk a year ago +1

    how do i enable https for authentik?

    • @Jims-Garage
      @Jims-Garage a year ago

      Check my follow up video on Authentik, I've added the Traefik labels necessary.

  • @张伟平-m9q
    @张伟平-m9q 7 months ago

    How do I use the user's id as the unique key? How should this be configured?

  • @radhiyahwilliams829
    @radhiyahwilliams829 7 months ago

    Hi, has anyone managed to set up authentik with an Angular project?

  • @TechySpeaking
    @TechySpeaking months ago +1

    first

  • @bradfordjns
    @bradfordjns 9 months ago +1

    Great video! The files and video have gotten me set up with Authentik on my Docker server working great with openid and the proxy auth. I have also been migrating my services to my K3S cluster, have you managed to set this up in Kubernetes with a deployment.yaml and a traefik ingress.yaml?

    • @Jims-Garage
      @Jims-Garage 9 months ago +1

      Yes, I did a livestream that's available showing how (without Traefik but it's simple to do). I will do it in Kubernetes at a later time

    • @bradfordjns
      @bradfordjns 9 months ago +1

      Thanks @@Jims-Garage for the quick reply, I just found your video and I'm working through it now.