Secure authentication for EVERYTHING! // Authentik
Ғылым және технология
In this KZread video, we’ll cover authentik, an open-source identity provider that allows for secure login to administrative services and web applications. With this setup, users only need to sign in once and can access all their services without having to log in multiple times. This not only saves time, but also increases security with multi-factor authentication. I also demonstrate how to install and set up authentik in your own environment.
Wazuh, the open-source security platform: wazuh.com/?...
References:
- Install and deploy Authentik: goauthentik.io
- Authentik Docs: docs.goauthentik.io/docs/
- Docker Course: / 239867
- Traefik Tutorial: • Is this the BEST Rever...
________________
💜 Support me and become a Fan!
→ christianlempa.de/patreon
💬 Join our Community!
→ christianlempa.de/discord
________________
Read my Tech Documentation
christianlempa.de/docs
My Gear and Equipment-*
christianlempa.de/kit
________________
Timestamps:
00:00 Introduction
01:06 Advertisement
02:37 Authentik Overview
04:52 Install Authentik
15:02 Initial Setup
19:48 Connect OAuth Services
33:32 Protect any web app in Traefik
39:00 Final thoughts
________________
All links are and/or include affiliate links.
Пікірлер: 261
I love how you make building the compose file so simple. So many things I need to learn.
@christianlempa
Ай бұрын
Thank you so much :)
Have been waiting for a video like this for ages. Christian, you are my hero.
@christianlempa
Ай бұрын
Haha amazing :D Glad you liked it
I have no words, except the "Thank You!". Thank You!
@christianlempa
Ай бұрын
🫶😊
Christian, danke für deine tollen Videos! Informativ, nützlich und mit viel Enthusiasmus erklärt. Super tolle Arbeit 😊
@christianlempa
Ай бұрын
Vielen lieben Dank! ❤️
Thanks Christian. Just added nodes to Wazuh and can't stop smiling. Traefik and Authentik are next. Really appreciate your work!
@christianlempa
Ай бұрын
Nice! 👍
10/10 video! Legitimately has just about everything you would need to hit the ground running on authentik! Ive been using authelia for a while but have been wanting to play around with authentik to take advantage of OAUTH. Thanks for the awesome video!
@christianlempa
Ай бұрын
Haha thank you so much! :)
So cool, I deployed Authentik one week ago and was playing around a little and now you come with this great video. Thanks for the "compose cleaning", I was not very comfortable doing it in the first place.
@christianlempa
Ай бұрын
Thanks 🙏
I´ve been waiting for this soooooo long! Thank you!
@christianlempa
Ай бұрын
You’re welcome ☺️
Hey Christian, wie immer großartig ;) Ich habe Authentik direkt in meinem Homelab in Kubernetes deployed und nutze es global für mein Homelab und habe es auch mit meinem Traefik Ingress Controller verbunden. Einfach nur genial. Aber die Doku von Authentik ist auch echt gut. Mach weiter so. Du hast mir schon in so vielen Fällen mit Deinen Videos geholfen
@christianlempa
Ай бұрын
Vielen Dank! Freut mich dass meine Videos dir helfen 🙏☺️
I love it.... its tea time. You just coined a new phrase for the channel. I have been waiting for you to create an Authentik video for a while now. Great video!
@christianlempa
Ай бұрын
Thanks 😊
I want to add a comment that I hope you can see as being constructive since you mentioned in a previous video that English is not your first language and that you are sometimes concerned about your pronunciation or word choice. As an American who barely speaks a little bit of a couple of other languages, I have always appreciated when people helped guide me so hopefully I can do that this one time for you. The word realm is pronounced like helm. Thanks for the awesome video!
@NOBODY-oq1xr
Ай бұрын
you mean like "helm" but with an "r" :D just saying this to make sure nobody is wondering why the realm would be pronounced helm :D
@apricotcomputers3943
Ай бұрын
ok, thank you
@raular5513
23 күн бұрын
jelm?
This is the perfect amount of information for me, exactly what I need to get started and fast enough to not skip through things I already know. So good!
@christianlempa
Ай бұрын
Glad it was helpful!
Danke. Your videos are always welcomed, and so much to learn on a lot of topics.
@christianlempa
Ай бұрын
Sehr gerne 😉
absolutely love authentik, glad you are covering it, its such a great product, and gets constant support and updates
@christianlempa
Ай бұрын
It really is!
Thanks for this video, Christian. I'm not sure how you knew I had just installed Authentik, but I'm glad you did :)
@christianlempa
Ай бұрын
Haha nice 👍
I don't have any of this homelabs/infrastructures but definitively i'm into them 🤙🏼 Thank you so much for your videos they are so interesting and useful!
@christianlempa
Ай бұрын
Thank you! Glad you enjoy them 😊
Now this is super cool, just was thinking about it. Thanks!
@christianlempa
Ай бұрын
Glad it was helpful!
I really love Authentik. Its great and the only feature I can see it NEEDS is a mobile push MFA feature like Duo & MS Authenticator. I know there's a current workaround with Duo - but if Duo is needed I'd just do all of the auth there instead.
Boah! Super Video!! Genau auf den Punkt, vielen Dank !!!!
@christianlempa
Ай бұрын
Sehr gerne! Schön dass es dir gefällt ;)
Love your videos, just as I was looking for an authentication platform to use! Viel Dank Christian!
@christianlempa
Ай бұрын
Thank you so much! :)
learned a ton in this video. Thanks a lot. Have to try it myself now.
@christianlempa
Ай бұрын
Thank you! Glad it was useful :)
Great demo as always. Love your videos.
@christianlempa
Ай бұрын
Thanks so much!
This is a very good tutorial Christan !!!🙂
@christianlempa
Ай бұрын
Glad you think so!
This is just what i was searching for
@christianlempa
Ай бұрын
Glad it helped ;)
Amazing! I can have a Heimdall like dashboard, and auto login? Fantastic. Thanks for the great video!
@christianlempa
Ай бұрын
Thanks! :D
Thanks for the demo and info, have a great day
@christianlempa
Ай бұрын
Awesome! Thanks :)
De nuevo me sorprendes, gracias por tu dedicación!!!!!
Amazing Chris! Thanks for sharing
@christianlempa
Ай бұрын
Glad you enjoyed it!
Ziemlich cool. Danke für das tolle Video! Es fällt allerdings in die Kategorie: "Nice to have". Da (m)ein Home Lab dem ständigen Wandel unterlegen ist, weiß ich nicht, ob das für mich wirklich Sinn macht. Vieles an Software ist allenfalls ein paar Monate oder ein halbes Jahr an laufen, bis ich auf die Idee komme, Systeme wieder neu aufzusetzen, die Software neu einzurichten und dann muss ich trotzdem ein Passwort-Manager haben, der mir die Admin-User abgesichert. Es wird nur zusätzliche Arbeit verursacht durch die doppelte Nutzerverwaltung. Das hat sehr viel mehr Sinn in Unternehmensumgebungen, wo IT-Abteilungen auch von frustrierten Mitarbeitern besetzt sind, denen man im Fall des Falles immer auf die Finger schauen/klopfen muss. Oder um Mitarbeiter zentral zu verwalten, was wiederum durchweg Anwendungen voraussetzt, die die genannten Auth-Provider unterstützt. Und Authentik darf bloß nicht kompromittiert werden oder ausfallen. Dann wird's lustig
@timothypierce4602
Ай бұрын
Ay ay apoco si?
@christianlempa
Ай бұрын
Vielen Dank :) vielleicht macht es ja Sinn für System, die du nicht häufig änderst wie z.B. Proxmox?
@Voigt_Analytics
Ай бұрын
@@christianlempa Dieses System muss erst noch erfunden werden 😅 Nein, Proxmox nutze ich nicht. Versuche so stromsparend wie möglich mein Home Lab zu gestalten, daher kommen derzeit nur zwei Raspi‘s 400 und ein MacBook Air 2019 zur Anwendung. Das MBA für etwas performantere Aufgaben. Vielleicht wäre auch das Thema Energiemanagement, Shelly‘s, Grafana und Co was für die nächsten Videos? 😃👍
@Voigt_Analytics
Ай бұрын
@@christianlempa Habe meine Meinung geändert. Die Software ist echt genial. 🤩 Allerdings stehe ich noch vor einigen Problemen mit bestimmten Softwarelösungen.
Awesome Video, thank you. This takes the fear of Auth-Providers from a lot of people. Great solution, well implemented and like always awesome presentation of this lovely peace of tech :)
@christianlempa
Ай бұрын
Thanks for watching 🫶
great as always
@christianlempa
Ай бұрын
Thanks :)
Fantastic video as always 👍 Also, thats another service to add to my list...
@christianlempa
Ай бұрын
Thank you so much!
Cool. Thank you, Christian.
@christianlempa
Ай бұрын
Thank you !
Great quality video. Thanks!
@christianlempa
24 күн бұрын
Thanks!
Personally, I haven’t found anything easier to setup than Caddy + Authelia for my small homelab (plus custom Tailscale domain login). I will give this a go some other time! Thank you
@christianlempa
Ай бұрын
You’re welcome! Let’s us know if you like it
Thanks for sharing this presentation!
@christianlempa
Ай бұрын
Thanks for watching
WoW! Great Vid... nicely done!
@christianlempa
Ай бұрын
Thank you so much 😊
Super helpful, as always!!
@christianlempa
Ай бұрын
Thank you so much 😊
Nice video! Thank you for this job!
@christianlempa
Ай бұрын
Thanks!
Amazing video. Thank you!
@christianlempa
Ай бұрын
Glad you liked it!
Awesome video , thank you! Btw , when you have docker or docker compose env variables and you want to name your container env variables the same as you want them set in your shell , you don't need to say i.e. MY_SUPER_VAR=$MY_SUPER_VAR ... you can just have - MY_SUPER_VAR and docker will pick up your shell variable with the same name if it's set for example services: test: image: nginx environment: - MY_TEST_VAR instead of services: test: image: nginx environment: - MY_TEST_VAR=$MY_TEST_VAR
@christianlempa
27 күн бұрын
Thanks! :D Good tip
@alex.prodigy
26 күн бұрын
@@christianlempa it also works with .env file or other env_file
@christianlempa
26 күн бұрын
@@alex.prodigy one reason though I might keep using the scheme is interpolation of environment variables, to catch errors or apply default values. which makes it easier for the tutorials and boilerplates.
@alex.prodigy
26 күн бұрын
@@christianlempa yep , no worries ... just figured many people don't know that docker compose can pick up env vars without doing MY_ENV_VAR=$MY_ENV_VAR
Hello sir, thinking about your Netbird tutorial have you thought about the advanced installation that allows you to use Authentic as the IdP? I am still continuing that journey as I need to work on alternate ports to use as the one out of the box are already consumed.
Great video, as always!
@christianlempa
Ай бұрын
Thanks 😊
Great video again Christian.. I Also noticed the cool keyboard on your desk, wanna share which one it is?
@christianlempa
Ай бұрын
Nice :D I'm using a Keychron keyboard, however, I'm not all satisfied with it, ... maybe I'll switch to another one at some point :)
You can actually rename the default user, but you have to do so through the Directory interface, it's what I've done in my install. Other than that, great video and thank you!
@christianlempa
Ай бұрын
Thanks for the tip!
Didn't have a chance to watch yet, but it sounds like just the thing I need, wanted to migrate out of keycloak anyway. Thanks!
@christianlempa
Ай бұрын
Thank you! Hope you will find it useful
@wiadrovit
Ай бұрын
@@christianlempa So I did it and it was something I should have done long ago. I trusted your gut and replaced my good old nginx with traefik as well. I was a bit hesitant at first, but it is really cool and it gets even more awesome when you figure out how it works. As for authentitk, I still have a couple of apps to configure but those I already took care of are working just great. Thanks a ton Christian! Keep the great stuff up!
Nice video! A comparison against keycloak would be awesome.
@christianlempa
Ай бұрын
Thanks for the idea! Not sure if I will have the time soon to check out another IdP though :(
Please do a video with keycloak, if possible.
this is awesome. Nice share!
@christianlempa
Ай бұрын
Thank you! Cheers!
Hi, I don't know if it's just me or not, but I think you should explain what "frontend" and "backend" networks are. Because at the beginning (from you past videos) I thought they were some kind of docker built-in networks (due to having a very specific and standard name), but with time I realized that they are just two network you created. So maybe you should clarify what those networks are and why you use them the way you do. At least for beginners, it's not that obvious.
@utentepassivo
16 күн бұрын
I very much agree with this. For beginners like me it can be very confusing
I was also very confused by their documentation and trial and error with it so far. I've tried Jim's Garage and others but they seem to do things a bit different from what you do, which is more like my server setup as well. Appreciate your insight and guidiance
@christianlempa
Ай бұрын
Thank you :) glad you liked my video more
Great video. I know everyone's needs are different, but I'd love to get a copy of your modified docker compose file.
@christianlempa
Ай бұрын
You can find a good template on my boilerplates repo, check out my GitHub profile ;)
If you already have cloudlfare setup on your domain, it also gives you similar setup. Easy to configure as well.
Amazing explanation for this great app! I've already set it up on my Kubernetes cluster and it is working great so far and I'm satisfied with it, but there is some work to be done, and the documentation is patchy in places. I noticed one more drawback which is that it starts up slowly. Perhaps it is due to the fact that it was built with Python (Django?), but not 100% sure. I can live with that.
@christianlempa
Ай бұрын
Great to hear!Thank you :)
Hi there, great video. I recently saw your video on how you set up your vscode, but is there any chance you could share what theme/customizations you are using? I really like the transparent and clean look yours has but I didn't see it in that video.
@christianlempa
Ай бұрын
I'm using my own theme "The Digital Life", hope to give it an update at some point
Nice vid. I thought you would make a video about Zitadel, which you mentioned in a previous video. Authentik seems fine, but Zitadel appears more modern and supports passkeys.
@christianlempa
Ай бұрын
I had a couple of issues with Zitadel, and to me, authentik seems better. Maybe I'll take a look at some point
This is super useful - I've been trying to determine whether authentik is a good alternative to keycloak and I think the native proxy integration with traefik is invaluable - this was really good, thank you :)
@christianlempa
26 күн бұрын
Thank you so much! :D
Legend
@christianlempa
Ай бұрын
Thx :D
Great video! 😊. Also where did you get that hoody! ❤ Also any tips on migrating a docker image to a new vps server. I did it yesterday, but I couldn't access the services as expected post migration. Docker showed everything was running, but I couldn't access the ports?! Thanks!
@christianlempa
Ай бұрын
Thank you! 😊 it was a birthday present from my wife 🫶
@james.houlder
Ай бұрын
@@christianlempaepic 😊
This one is sick! +100
@christianlempa
Ай бұрын
Thx 🙏
Long time Okta/Auth0 user here.. Interesting how authentik say Okta doesn't support app proxy, LDAP or enrollment.. A few of the other vendor claims are questionable too... P.S - Great video
Just Great! FYI: You can remove default admin from authentik after you are admin and logged in.
@christianlempa
19 күн бұрын
Good tip! :D
Hey, awesome video!
@christianlempa
Ай бұрын
Hey, thanks!
Uau big thx for your work & for this ;-)
@christianlempa
Ай бұрын
You're welcome!
I had one more question. What are you using for your IDE in this video for ssh and development of the yaml?
@christianlempa
Ай бұрын
vscode
Unbelievable, I would not worry about his accent. He speaks multiple languages in some Americans are doing good just to speak English. Well, his accent doesn’t bother me whatsoever and I like the information he provides now and his blog that the detail instructions on how to for us sometimes technically challenge individuals.😂😂😅
Thanks!
@christianlempa
Ай бұрын
Thanks for your suppoer! :D
Hi Christian ! You are great and I have to say a big thanks to you... I just installed Authentik in my lab and setting up all the appliances and servers ... every night 'till 4 o'clock ... :D :D :D . But I have also a question ( or suggestion request for you ) : How did you managed the authentication on each node of a proxmox cluster ? Probably i'm too newbie on this but the right way should be : 1 provider ( with all the keys ) and more applications ( 1 x each node ) ... but is not possible , and is also not possible to have more tha one provider for the same Proxmox datacenter ... ( if i'm not wrong ! ). Do you already have the answer : have you already managed this ? Anyway : many thanks ! A lot !!! bye !
@christianlempa
5 күн бұрын
Haha, oh man that sounds like a hard job :D Actually, once I joined the additional node to the cluster it just synced the authentik config, so there was no additional config needed.
@MarcoActis
5 күн бұрын
@@christianlempa 👍👍👍
@christianlempa, is it possible to use authentik with mariadb? How i can see there is ldap provider and mariadb has ldap authentication support. Is there a posibility to use OAuth or only this option is available now?
Just wondering if you have some tips on how i can add authentik to the home page? the documentation is skinny on the process...... cant say this enough...you make sure informative videos!
@christianlempa
Ай бұрын
You can check my config on github.com/christianlempa/homelab, maybe that's what you're looking for :)
@shawndamon3055
Ай бұрын
@@christianlempa I did use your GitHub as a reference ... I think the generation of the authentik key .. it's not very clear on the steps to take
This looks great for a homelab, I just doubt it can fully compete with capabilities of the hybrid Active Directory I run at work.
Is it possible with authentik, to secure for example some services with and some without 2fa?
You did a video on Dockge at one point. Is there a reason you didn't use it in this tutorial? This isn't criticism, I'm genuinely curious. Do you yourself simply not need it or are you just lowering the barrier for entry with Authentik? Great video as always, sir! 🙂
@christianlempa
Ай бұрын
Actually, I'm not using it because I prefer using vscode for managing my containers. I also believe it's better for the tutorials to not rely on too many apps that some people might have, some others don't.
@ThatNateGuy
Ай бұрын
@@christianlempaThat makes sense. Thank you for taking the time!
Great Video!!!!!! Can you make a video on configuring MTLS in Authentik when also using Traefik? Pleeeeaaaaaase!!?? 😁
@christianlempa
Ай бұрын
I'm currently researching what else I can do with authentik, so I can't promise whether I'm going to make a video on this topic
@giingy
Ай бұрын
@@christianlempaFair enough. Thank you for the great content!
Hi, did you manage to setup login to Sophos with authentik? I tried using LDAP for a while but unfortunately couldn't do it. Maybe I can learn from your experiences later. :D
@christianlempa
Ай бұрын
Not yet, but I'm currently looking into it! There will be a follow up video at some point :)
how would you use this with Obsidian's docker container?
Hail Cooptonian!
Hi thats for this can you show how you set up visual studio code to be able to open it so easily against different servers without having to set up an sftp.json
@christianlempa
Ай бұрын
I've recently made a video about it, check it out: kzread.info/dash/bejne/mqmds8ZrgdLQiLw.html&
I tried to integrate proxmox. Created an OpenID provider, created an application, using this provider... Set the realm in proxmox, aaand... When i select my authentic realm for login in proxmox the OepnID redirect fails. "remote error: tls: unknown certificate authority" I guess it's something with the self signed authentik cert, but don't know how to avoid it.
nice work! Can you make a video about zerotier ?
@christianlempa
Ай бұрын
Hm, maybe, but not anywhere soon. I'll add it to my list ;)
i really should consolidate somehow my 4 docker instances in a single network so i can utilize cool stuff like this
@christianlempa
Ай бұрын
Oh yes :D
Hey Christian, how did you make your VSCode look that nice? Vid maybe?
@christianlempa
Ай бұрын
I've made a custom theme and added a background, however since I got so many problems with the background plugin, I probably won't use it anymore.
@emiellr
Ай бұрын
@@christianlempaIs it Vibrancy Continued by any chance? Also, any chance you'll make your theme public? looks sweet.
Hello and thx for this amazing job. I am working on authentik, but it is not working yet at home, the authentik server and worker say ... "Name or service not known" ideas ?
@nope6417
Ай бұрын
found the problem. But there is no middleware for authentik in Traefik ??
@christianlempa
Ай бұрын
Come on our discord :) Maybe we can help
@nope6417
Ай бұрын
@@christianlempa ok I am coming ..
Do you think it could be used to provide MFA to a Microsoft Remote Desktop Gateway?
@christianlempa
Ай бұрын
No idea,🤷♂️, I know that authentik enterprise does RDP but not tried it yet
I want to use this for Jellyfin but when i use this i can't access my jellyfin server via android or desktop Jellyfin client app. What can i do?
Is it possible to know if you have a github repo with these two docker compose files: 1. traefik 2. authentic?
@christianlempa
27 күн бұрын
yes, github.com/christianlempa/boilerplates
I've tried doing this but somehow can't get it to work. I'm trying to connect authentik and portainer. After adding a provider and a application I've tried to login to portainer using oauth. I get the portainer error "Failure Unauthorized" and a little "unable to login via oauth". I've also noticed that my user wasn't automatically created in portainer. But even after manually adding it (it states oauth in users) I get the same errors. Any idea?
What is the application you use to write this code? It makes life so much easier to do it the way you do instead of using a terminal.
@christianlempa
Ай бұрын
It's VSCode
Mal wieder ein super Video! Leider bekomme ich die Authentifizierung mittels OAuth einfach nicht zum Laufen. Habe Deine Anleitung genau befolgt aber weder Portainer noch Proxmox lassen die Authentifizierung durch (Fehler 500). Habe für Authentik sowie für Portainer und Proxmox extra gültige SSL Zertifikate mittels Letsencrypt bereitgestellt und alle intern über den Nginx Proxy Manager erreichbar gemacht. Es funktioniert aber weder per IP, noch per FQDN. Irgendwas muss ich hier wohl übersehen :(.
@heeelga
Ай бұрын
Habe die Lösung selbst gefunden :). Die DNS Einträge fehlten für die entsprechenden Hosts. Interne DNS Auflösung läuft bei mir über Pihole, habe es nachgetragen und es klappt!
@christianlempa
Ай бұрын
Nice, gut dass du es gefunden hast :D
I have been here on this channel for a few months now I watch the videos but i don't know what is going on. I feel like lost in space. I came here 2-3 months ago to learn traefik but i neither understand traefik nor any other related technologies, what could be the issue? I am working as fullstack developer (just for more context).
Great video, thanks. I also liked your compose file clean-up. One tiny, tiny, point......from 31:19 you mispronounce Realm several times. It is actually pronounced with a short vowel, as in RELM. ;-) My wife is German and she has problems with that word as as well ;-)
@christianlempa
Ай бұрын
Thank you, :D Yeah that's probably going to happen from time to time, thanks for sharing, I try to keep it in my head :D
Thanks
@christianlempa
Ай бұрын
Thank you so much for your support 🫶❤️
Hi Christian, sorry where is the documentation and links, can't find it anywhere in the description or your Github?
@christianlempa
Ай бұрын
Sry, added it to the description
Hi, what is the name of the application you use to manage your ssh connections?
@christianlempa
Ай бұрын
openssh :)
@carlosptf
Ай бұрын
I expressed myself wrong, sorry. I mean the application where your ssh sessions are open. and where you edit text files.
OK, so just spent two days setting this up. Having watched your livestream, i think actually in a single user homelab environment authentik has little value and actually adds an additional attack vector, as in addition to the OAuth authentication you still need to keep the traditional login method in place for fallback purposes.
@christianlempa
Ай бұрын
For educational purposes and convenience it’s still amazing
Wait: Azure AD marked as no conditional access available? Reallly? And if you use Intune for MDM you can get CA for compliant devices access
@lostinvasion
Ай бұрын
It's listed because Conditional Access is indeed a feature you need to pay for within Entra ID (Azure). It requires a higher license and is not available to you with the base tier
Strangely i'm getting this weird behavior where i can reach the login page, but when i enter my email and go to put the password, the whole page HTML outputs on the page and idk what to do.
How does a competitive to guacamole?
Do I understand correctly that it is now impossible to use this proxy having authentik and nginx on different servers?
@christianlempa
Ай бұрын
Of course you can do that! More about outposts in the follow up video :)
I've my homelab with Zitadel + passkeys, passwords and 2FA is so 1980's.