Authentik Identity Provider
Relevant source files
- infrastructure/terraform/authentik/applications.tf
- infrastructure/terraform/authentik/customization+mapping+scope.tf
- infrastructure/terraform/authentik/directory.tf
- infrastructure/terraform/authentik/expressions/openid-scope-nextcloud.py
- infrastructure/terraform/authentik/expressions/openid-scope-profile.py
- infrastructure/terraform/authentik/expressions/user-settings-authorization.py
- infrastructure/terraform/authentik/expressions/user-settings-avatar-authorization.py
- infrastructure/terraform/authentik/flows.tf
- infrastructure/terraform/authentik/main.tf
- infrastructure/terraform/authentik/oauth2_application/main.tf
- infrastructure/terraform/authentik/oauth2_application/variables.tf
- infrastructure/terraform/authentik/proxy_application/main.tf
- infrastructure/terraform/authentik/proxy_application/outputs.tf
- infrastructure/terraform/authentik/stages-prompt_fields.tf
- infrastructure/terraform/authentik/stages.tf
- infrastructure/terraform/authentik/system.tf
- infrastructure/terraform/authentik/variables.tf
- kubernetes/apps/database/dragonfly-operator/cluster/cluster.yaml
- kubernetes/apps/media/romm/app/helmrelease.yaml
- kubernetes/apps/network/echo-server/app/helmrelease.yaml
- kubernetes/apps/network/echo-server/ks.yaml
- kubernetes/apps/security/authentik/app/helmrelease.yaml
- kubernetes/apps/security/authentik/app/kustomization.yaml
- kubernetes/apps/security/authentik/app/referencegrant.yaml
- kubernetes/apps/security/tetragon/app/kustomization.yaml
- kubernetes/apps/security/tetragon/app/tracingpolicies.yaml
- kubernetes/components/ext-auth/kustomization.yaml
- kubernetes/components/ext-auth/readme.md
- kubernetes/components/ext-auth/securitypolicy.yaml
- kubernetes/components/ext-auth/two/kustomization.yaml
- kubernetes/components/ext-auth/two/securitypolicy.yaml
The Authentik Identity Provider serves as the central authentication and authorization engine for the home-ops cluster. It provides Single Sign-On (SSO) via OAuth2/OIDC and protects legacy or simple applications through an External Authentication (ext-auth) pattern integrated with the Envoy Gateway.
Deployment Architecture
Authentik is deployed in the security namespace using the official Helm chart, managed via Flux CD. It uses a DragonflyDB (Redis-compatible) cache and a dedicated PostgreSQL database (managed by CloudNativePG) for state persistence.
Kubernetes Components
- HelmRelease: Deploys the Authentik server and worker components (kubernetes/apps/security/authentik/app/helmrelease.yaml:16-22)
- DragonflyDB Cache: Authentik is configured to use a DragonflyDB instance (Redis-compatible) for caching, located at dragonfly.database.svc.cluster.local/4 (kubernetes/apps/security/authentik/app/helmrelease.yaml:57-58)
- Database: Uses a PostgreSQL backend. An init-db container ensures the database is provisioned before the server starts (kubernetes/apps/security/authentik/app/helmrelease.yaml:32-35)
- Observability: A ServiceMonitor is enabled to export metrics to Prometheus (kubernetes/apps/security/authentik/app/helmrelease.yaml:36-41)
Data Flow: Authentication Request
The following diagram illustrates the flow of an authentication request from a user to a protected application.
Request Flow for Protected Routes
[Flowchart Diagram]
Sources: kubernetes/components/ext-auth/securitypolicy.yaml:2-17, kubernetes/apps/security/authentik/app/helmrelease.yaml:57-58, infrastructure/terraform/authentik/system.tf:90-113
Terraform Configuration
The entire Authentik configuration, including applications, flows, stages, and groups, is managed as Infrastructure-as-Code using the Authentik Terraform provider. The state is stored in a Cloudflare R2 bucket (infrastructure/terraform/authentik/main.tf:12-27).
Group Hierarchy and Directory
Authentik manages users and permissions through a structured group system. Groups are defined in directory.tf and used for policy bindings to applications (infrastructure/terraform/authentik/directory.tf:2-13).
| Group Name | Slug | Purpose |
|---|---|---|
| authentik Admins | admins | Full administrative access (infrastructure/terraform/authentik/directory.tf:26-28) |
| superusers | superusers | Cluster-wide superuser permissions (infrastructure/terraform/authentik/directory.tf:12) |
| users | users | Default group for all enrolled users (infrastructure/terraform/authentik/directory.tf:11) |
| Public | public | Access to public-facing authenticated proxies (infrastructure/terraform/authentik/directory.tf:6) |
Identity Sources
Authentik is configured with Google as a federated identity provider.
- Google OAuth: Configured as an OAuth2 source using email_link matching mode (infrastructure/terraform/authentik/directory.tf:82-87)
- Authentication Flow: Uses the default-source-authentication flow (infrastructure/terraform/authentik/directory.tf:85)
Sources: infrastructure/terraform/authentik/directory.tf:1-60, infrastructure/terraform/authentik/variables.tf:178-188
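As an added example (not the repository's own directory.tf), here is the group hierarchy from the table above together with the Google OAuth source in email_link matching mode, written against the goauthentik/authentik Terraform provider. The variable names, the enrollment flow slug and the Google client credentials are assumptions; the built-in authentik Admins group is looked up rather than created, since authentik ships it.

```hcl
terraform {
  required_providers {
    authentik = { source = "goauthentik/authentik" }
  }
}

# Assumed variables: the Google OAuth client credentials come from outside the config.
variable "google_client_id" {
  type = string
}

variable "google_client_secret" {
  type      = string
  sensitive = true # keeps the secret out of plan and apply output
}

# "authentik Admins" is created by authentik itself, so it is read, not managed.
data "authentik_group" "admins" {
  name = "authentik Admins"
}

# Only "superusers" sets is_superuser; membership bypasses every policy check,
# so this group should stay as small as possible.
resource "authentik_group" "superusers" {
  name         = "superusers"
  is_superuser = true
}

resource "authentik_group" "users" {
  name         = "users"
  is_superuser = false
}

resource "authentik_group" "public" {
  name         = "public"
  is_superuser = false
}

data "authentik_flow" "source_authentication" {
  slug = "default-source-authentication"
}

# Assumed: the default enrollment flow handles first-time Google logins.
data "authentik_flow" "source_enrollment" {
  slug = "default-source-enrollment"
}

resource "authentik_source_oauth" "google" {
  name                = "Google"
  slug                = "google"
  provider_type       = "google"
  consumer_key        = var.google_client_id
  consumer_secret     = var.google_client_secret
  authentication_flow = data.authentik_flow.source_authentication.id
  enrollment_flow     = data.authentik_flow.source_enrollment.id
  # email_link: a Google login whose e-mail matches an existing account is
  # linked to that account instead of creating a duplicate. This trusts the
  # source to have verified the address, so enable it only for identity
  # providers that do (Google does); "email_deny" is the safe choice otherwise.
  user_matching_mode = "email_link"
}
```

The email_link choice is the one setting in this block worth reviewing whenever a new source is added: linking on an unverified e-mail claim would let an account at a weaker provider take over an existing local account.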
Application Security Patterns
The cluster utilizes two primary patterns for securing applications: Native OIDC and Envoy External Auth.
1. Native OIDC/OAuth2 Applications
Applications that natively support OIDC are configured as authentik_application resources. Examples include Grafana, Forgejo, and Romm (infrastructure/terraform/authentik/applications.tf:106-167).
Example: Romm OIDC Integration
Romm is configured with OIDC enabled, pointing to the Authentik provider URL (kubernetes/apps/media/romm/app/helmrelease.yaml:50-53). In Terraform, the application is mapped to the users group (infrastructure/terraform/authentik/applications.tf:134-142).
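The same pattern written out as an added example (not the repository's oauth2_application module): an OAuth2 provider, the application that fronts it, and a policy binding that restricts authorization to the users group. The hostname, the callback path, the secret variable and the flow slugs are assumptions, and allowed_redirect_uris follows the attribute shape of recent provider releases.

```hcl
terraform {
  required_providers {
    authentik = { source = "goauthentik/authentik" }
  }
}

# Assumed: the client secret is supplied from a secret store, never hard-coded.
variable "romm_client_secret" {
  type      = string
  sensitive = true
}

data "authentik_flow" "authorization" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "invalidation" {
  slug = "default-provider-invalidation-flow"
}

data "authentik_group" "users" {
  name = "users"
}

resource "authentik_provider_oauth2" "romm" {
  name               = "romm"
  client_id          = "romm"
  client_secret      = var.romm_client_secret
  client_type        = "confidential" # the app can keep a secret, so require one
  authorization_flow = data.authentik_flow.authorization.id
  invalidation_flow  = data.authentik_flow.invalidation.id
  # Strict matching: the callback URL must match exactly. A regex or prefix
  # match here is the classic route to authorization-code leakage.
  allowed_redirect_uris = [
    {
      matching_mode = "strict"
      url           = "https://romm.example.invalid/api/oauth/openid" # assumed
    },
  ]
}

resource "authentik_application" "romm" {
  name              = "Romm"
  slug              = "romm"
  protocol_provider = authentik_provider_oauth2.romm.id
  meta_launch_url   = "https://romm.example.invalid" # assumed
  # "all" requires every binding below to pass, which stays correct as more
  # bindings (for example an expression policy) are added later.
  policy_engine_mode = "all"
}

# Without any binding the application is reachable by every authenticated
# user; this binding limits it to members of "users".
resource "authentik_policy_binding" "romm_users" {
  target = authentik_application.romm.uuid
  group  = data.authentik_group.users.id
  order  = 0
}
```

The binding is the access-control decision for the whole application: authentik evaluates it before issuing an authorization code, so an account outside the users group never receives a token for Romm even if it can reach the login page.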
2. Envoy External Authentication (ext-auth)
For applications lacking native auth, the ext-auth Kustomize component is used. This component creates an Envoy SecurityPolicy that intercepts requests and validates them against an Authentik Outpost (kubernetes/components/ext-auth/securitypolicy.yaml:2-30).
SecurityPolicy Mapping
[Class Diagram]
Sources: kubernetes/components/ext-auth/securitypolicy.yaml:2-30, kubernetes/apps/network/echo-server/ks.yaml:14-21
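For the ext-auth side, an added example (not the repository's proxy_application module) of the authentik objects that the Envoy SecurityPolicy talks to: a proxy provider in forward_single mode, its application, a binding to the public group, and the outpost that serves the authorization endpoint. Hostnames and names are assumptions; where the embedded outpost is used, it is normally imported into the authentik_outpost resource rather than created fresh.

```hcl
terraform {
  required_providers {
    authentik = { source = "goauthentik/authentik" }
  }
}

data "authentik_flow" "authorization" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "invalidation" {
  slug = "default-provider-invalidation-flow"
}

data "authentik_group" "public" {
  name = "public"
}

# forward_single: the outpost never proxies the app's traffic. Envoy sends
# each request to the outpost's auth endpoint and only forwards it upstream
# when the outpost answers 200, passing along the X-authentik-* headers.
resource "authentik_provider_proxy" "echo_server" {
  name               = "echo-server"
  mode               = "forward_single"
  external_host      = "https://echo.example.invalid" # assumed hostname
  authorization_flow = data.authentik_flow.authorization.id
  invalidation_flow  = data.authentik_flow.invalidation.id
  # Lifetime of the session the outpost issues; a shorter value bounds how
  # long a stolen session cookie stays usable after the user is deactivated.
  access_token_validity = "hours=1"
}

resource "authentik_application" "echo_server" {
  name              = "Echo Server"
  slug              = "echo-server"
  protocol_provider = authentik_provider_proxy.echo_server.id
}

# The ext-auth check is only as strict as this binding: members of "public"
# pass, everyone else is denied by the outpost before reaching the app.
resource "authentik_policy_binding" "echo_server_public" {
  target = authentik_application.echo_server.uuid
  group  = data.authentik_group.public.id
  order  = 0
}

# The outpost that answers Envoy. The SecurityPolicy's backendRef points at
# this outpost's Service (in the security namespace, hence the ReferenceGrant
# listed among the sources) with path /outpost.goauthentik.io/auth/envoy.
resource "authentik_outpost" "envoy" {
  name               = "envoy-ext-auth"
  type               = "proxy"
  protocol_providers = [authentik_provider_proxy.echo_server.id]
}
```

On the Envoy side, the SecurityPolicy's extAuth.http.headersToBackend list decides which X-authentik-* headers (username, groups, email) reach the application; anything not listed is dropped. The application must trust those headers only when they arrive through the gateway, so its Service should not be reachable by clients directly, otherwise a caller could set the same headers itself.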
Authentication Flows and MFA
Authentik uses complex flows to handle multi-stage authentication, including Passkeys and MFA.
- Identification Stage: Allows login via username, email, or Google SSO (infrastructure/terraform/authentik/stages.tf:25-35)
- MFA Validation: Supports TOTP and email-based OTP. If no authenticator is configured, the user is prompted to set one up (infrastructure/terraform/authentik/stages.tf:43-53)
- Passkey Validation: Uses WebAuthn for passwordless authentication with "required" user verification (infrastructure/terraform/authentik/stages.tf:55-63)
- Password Complexity: Enforced via authentik_policy_password during password change or enrollment prompts (infrastructure/terraform/authentik/stages.tf:98-101)
Sources: infrastructure/terraform/authentik/stages.tf:1-165, infrastructure/terraform/authentik/system.tf:115-119
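The stages listed above as an added example (not the repository's stages.tf): the two validation stages with the setup stages they fall back to, and a password policy attached to a prompt stage. Stage names, the complexity thresholds and the e-mail authenticator resource (which needs a recent provider release) are assumptions.

```hcl
terraform {
  required_providers {
    authentik = { source = "goauthentik/authentik" }
  }
}

# Setup stages: where a user without a device of the required class is sent.
resource "authentik_stage_authenticator_totp" "setup" {
  name = "totp-setup"
}

# Assumed: e-mail OTP setup stage, available in recent authentik releases.
resource "authentik_stage_authenticator_email" "setup" {
  name                = "email-otp-setup"
  use_global_settings = true # send through the server's configured SMTP
}

resource "authentik_stage_authenticator_webauthn" "setup" {
  name = "passkey-setup"
  # Require a PIN/biometric on the authenticator and a discoverable credential;
  # together these make the registered device a real passkey.
  user_verification        = "required"
  resident_key_requirement = "required"
}

# MFA validation: TOTP or e-mail OTP. "configure" sends users who have neither
# into the setup stages instead of silently skipping the second factor.
resource "authentik_stage_authenticator_validate" "mfa" {
  name                  = "mfa-validation"
  device_classes        = ["totp", "email"]
  not_configured_action = "configure"
  configuration_stages = [
    authentik_stage_authenticator_totp.setup.id,
    authentik_stage_authenticator_email.setup.id,
  ]
  # seconds=0: never reuse a recent second-factor check across logins.
  last_auth_threshold = "seconds=0"
}

# Passkey validation: WebAuthn only, with user verification enforced at
# assertion time so possession of the authenticator alone is not enough.
resource "authentik_stage_authenticator_validate" "passkey" {
  name                       = "passkey-validation"
  device_classes             = ["webauthn"]
  webauthn_user_verification = "required"
  not_configured_action      = "configure"
  configuration_stages       = [authentik_stage_authenticator_webauthn.setup.id]
}

# Password policy; the thresholds are assumed values, not the repository's.
resource "authentik_policy_password" "complexity" {
  name                    = "password-complexity"
  length_min              = 12
  amount_uppercase        = 1
  amount_lowercase        = 1
  amount_digits           = 1
  amount_symbols          = 1
  check_static_rules      = true
  check_have_i_been_pwned = true # reject passwords seen in known breaches
  hibp_allowed_count      = 0
  check_zxcvbn            = true
  zxcvbn_score_threshold  = 3
  error_message           = "Password does not meet the complexity requirements."
}

resource "authentik_stage_prompt_field" "password" {
  name      = "password"
  field_key = "password"
  label     = "Password"
  type      = "password"
  required  = true
  order     = 0
}

# The policy runs when the prompt is submitted, so a weak password is
# rejected before it is ever written to the user.
resource "authentik_stage_prompt" "password_change" {
  name                = "password-change-prompt"
  fields              = [authentik_stage_prompt_field.password.id]
  validation_policies = [authentik_policy_password.complexity.id]
}
```

The not_configured_action setting is the one to audit: "skip" would let an account that never enrolled a second factor log in with only a password, which quietly defeats the MFA requirement for exactly the users who have not set it up.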