Skip to main content

[Superseded] Authelia - Authentication & SSO

Supersedure notice

Authelia has been replaced by Authentik for use in the kasad.com web apps. Authentik provides more customization, as well as a web-based user interface for managing users, which was my main gripe when using Authelia.

Description

Authelia is an open-source authentication and authorization server and portal. It is used in the SWAG stack as an authentication agent and an SSO portal.

Service info

The Authelia container uses the ghcr.io/authelia/authelia Docker image, versionĀ 4.36.2.

Configuration

To-do: document Authelia's configuration.

Authelia is configured to use a YAML file to store users, since there are not enough users that switching to an SQL database is justified.

Access

Authelia is published at auth.kasad.com.

Because Authelia is used as the authentication backend for Cloudflare Access, it bypasses Access auth. Otherwise an infinite loop would occur, where Cloudflare tries to access Authelia as the auth backend and Authelia tries to redirect back to Cloudflare for pre-auth.

Deployment

Authelia runs in a single container. It's currently part of the SWAG stack. It can (and probably should) be separated into its own stack. The Docker Compose service configuration for it is:

services:
  # ...
  authelia:
    image: ghcr.io/authelia/authelia:4.36.4
    container_name: authelia
    user: '938:941' # swag:servlets
    environment:
      - TZ=America/Los_Angeles
    volumes:
      - /srv/swag/authelia_config:/config
    restart: unless-stopped

Usage

Authelia (auth.kasad.com) is used as an authentication backend for Cloudflare Zero Trust. It is also used as the authentication provider for the following web apps using the OpenID Connect specification:

  • Jellyfin
  • Portainer
  • BookStack
  • Vikunja
  • Guacamole

Currently, it does not appear to be possible to use Authelia for Paperless-NGX or Bitwarden.