
Authentik

Install | Docker Compose

Official Docs

Bash
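# Generate the database password and the authentik secret key into .env.
# The variable names must match what docker-compose.yml expands: the compose
# example reads ${POSTGRES_PASSWORD} and ${AUTHENTIK_SECRET_KEY}, so a key
# written as PG_PASS would never be picked up.
# Create .env owner-only first - from here on it holds secrets.
touch .env && chmod 600 .env
echo "POSTGRES_PASSWORD=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env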

To enable error reporting, run the following command:

Bash
# Opt in to error reporting by appending the flag to .env.
# The compose example further down sets AUTHENTIK_ERROR_REPORTING__ENABLED
# directly in each service's environment, so this .env entry only has an
# effect where the compose file references it.
printf 'AUTHENTIK_ERROR_REPORTING__ENABLED=true\n' >> .env

env example

Text Only
# Example .env consumed by docker-compose.yml via ${POSTGRES_USER},
# ${POSTGRES_DB}, ${POSTGRES_PASSWORD} and ${AUTHENTIK_SECRET_KEY}.
# POSTGRES_PASSWORD=password and the partially masked secret key are
# placeholders only: generate real values with the openssl commands above
# (the generated variable name must be the one the compose file expands,
# i.e. POSTGRES_PASSWORD), and keep this file out of version control.
POSTGRES_USER=authentik
POSTGRES_DB=authentik
POSTGRES_PASSWORD=password
AUTHENTIK_SECRET_KEY=pbrkUZxxxxxxxxxxxxxxxxxxxxxxxx+LjvUg

Compose example for setup with proxy webserver

  • docker-compose.yml
YAML
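---
services:

  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    container_name: authentik_postgres
    healthcheck:
      test:
        - CMD-SHELL
        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - ./database:/var/lib/postgresql/data
    environment:
      # ":?" makes `docker compose up` abort with the message if the variable
      # is missing from .env, instead of silently starting with an empty
      # password. ":-" supplies the defaults shown in the env example.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?database password required}
      POSTGRES_USER: ${POSTGRES_USER:-authentik}
      POSTGRES_DB: ${POSTGRES_DB:-authentik}

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    container_name: authentik_redis
    restart: unless-stopped
    healthcheck:
      test:
        - CMD-SHELL
        - redis-cli ping | grep PONG
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - ./redis:/data

  server:
    image: ghcr.io/goauthentik/server:2024.10.1
    restart: unless-stopped
    container_name: authentik_server
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD:?database password required}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      # SMTP host emails are sent to (replace the <placeholder>)
      AUTHENTIK_EMAIL__HOST: <mail.example.com>
      AUTHENTIK_EMAIL__PORT: <2525>  # usually 587
      # Optional SMTP authentication (don't add quotation marks to your
      # password). Prefer keeping the real password in .env and referencing
      # it as ${AUTHENTIK_EMAIL__PASSWORD} so it is not committed with this file.
      AUTHENTIK_EMAIL__USERNAME: username
      AUTHENTIK_EMAIL__PASSWORD: password
      # Use StartTLS (quoted so Compose passes the literal string, not a boolean)
      AUTHENTIK_EMAIL__USE_TLS: "false"
      # Use SSL
      AUTHENTIK_EMAIL__USE_SSL: "false"
      AUTHENTIK_EMAIL__TIMEOUT: 10
      # Email address authentik will send from; it should have a correct @domain.
      # (Placeholder - the original value was obfuscated on the source page.)
      AUTHENTIK_EMAIL__FROM: <authentik@example.com>
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    ports:
      # Port mappings are quoted so YAML never reads them as a number.
      - "9000:9000"
      # - "9443:9443"
    depends_on:
      - postgresql
      - redis

  worker:
    image: ghcr.io/goauthentik/server:2024.10.1
    restart: unless-stopped
    container_name: authentik_worker
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD:?database password required}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      # SMTP host emails are sent to (same placeholder as the server service)
      AUTHENTIK_EMAIL__HOST: <mail.example.com>
      AUTHENTIK_EMAIL__PORT: <2525>  # usually 587
      # Optional SMTP authentication (don't add quotation marks to your
      # password). Keep it identical to the server service.
      AUTHENTIK_EMAIL__USERNAME: username
      AUTHENTIK_EMAIL__PASSWORD: password
      # Use StartTLS
      AUTHENTIK_EMAIL__USE_TLS: "false"
      # Use SSL
      AUTHENTIK_EMAIL__USE_SSL: "false"
      AUTHENTIK_EMAIL__TIMEOUT: 10
      # Email address authentik will send from; it should have a correct @domain.
      AUTHENTIK_EMAIL__FROM: <authentik@example.com>
    # NOTE(review): `user: root` together with the Docker socket mount below
    # gives this container control of the host's Docker daemon, which is
    # effectively root on the host. Presumably it is here for Docker-managed
    # outposts; if you do not use those, drop both `user: root` and the
    # docker.sock volume.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    depends_on:
      - postgresql
      - redis

networks: {}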

To start the initial setup, navigate to http://<your-server>:9000/if/flow/initial-setup/, replacing <your-server> with the host name or IP of the machine running the compose stack.

There you are prompted to set a password for the akadmin user (the default user).

Integrations

Check Docs

warpgate setup

  • warpgate side

Edit warpgate.yaml

Bash
sudo nano data/warpgate.yaml
YAML
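---
external_host: warp.example.com

sso_providers:
  - name: authentik
    label: Authentik
    provider:
      type: custom
      # Client ID and secret from the authentik provider created below. Both
      # are quoted so an all-digit or leading-zero value is never re-typed as
      # a number. client_secret is a credential: keep this file readable only
      # by the warpgate user (e.g. chmod 600) and out of version control.
      client_id: "hBhsMBEE28UXXXXXXXXXXXXXXXXXXX"
      client_secret: "D3C7gNdXugltUKY4BQ1QxqJsd3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      # <authentik.example.com> is your authentik host and <warp-slug> the
      # application slug ("warp" in the example below).
      issuer_url: https://<authentik.example.com>/application/o/<warp-slug>/.well-known/openid-configuration
      scopes:
        - email
        - openid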
  • authentik side

Provider

Applications > Providers > Create - OAuth2/OpenID Provider

Name: warp (example)

Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)

Client type: Confidential

Copy the Client ID and Client Secret and store them somewhere safe; they are needed in warpgate.yaml.

Redirect URIs/Origins (RegEx): https://<warp.example.com>/@warpgate/api/sso/return (use the host set as external_host in warpgate.yaml)

Sign Key: authentik Self-signed Certificate.

Save

Application

Applications > Applications - Create

Name: warp (example)

Slug: warp

Provider: warp (choose the provider you created in the previous step)

Policy engine mode: any