How about accessing your selfhosted applications that only you use only via VPN? Exposing your selfhosted applications to the world is only needed if, well, you need the whole or a part of the world to access it? Authentik works great for authentication, but that’s about it, and you are right, most apps don’t work anymore if you add an authentication layer that does not natively exist on it.
this post was submitted on 24 Oct 2023
1 points (100.0% liked)
Self-Hosted Main
511 readers
1 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
For Example
- Service: Dropbox - Alternative: Nextcloud
- Service: Google Reader - Alternative: Tiny Tiny RSS
- Service: Blogger - Alternative: WordPress
We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.
Useful Lists
- Awesome-Selfhosted List of Software
- Awesome-Sysadmin List of Software
founded 1 year ago
MODERATORS
From what I understand, those services would allow to only allow Traefik to redirect the user to the appropriate service if correctly authenticated, is that correct?
Exactly. In Traefik, this is often called a forwardAuth middleware. Only if you are authenticated against Authelia/Authentik, Traefik will obtain the go to proxy the user request to the actual proxy service.
Also, using either Authentik or Authelia, user can use SSO to register/login ? How can I control who can register?
Yes but it depends on the proxied application. Some do not support OAuth/OIDC/SAML and whatever. Then, you have to authenticate against Authelia/Authentik and a second time at the service via username and password usually. Some apps however support it. Then you can setup the app and Authelia/Authentik for SSO. If done, only a single login against Authelia/Authentik is required and you'll be automatically logged into the app. No second login necessary. Authelia/Authentik will handle it. Whether a user can register or not depends on the app and how it is setup. Portainer e.g. can allow SSO user registering but also deny it. If denied, you'd have to create the users first manually in Portainer with the same email address as in Authentik. Then the user can login.
For instance I use immich to backup my pictures, so in the immich mobile app server settings I have : immich.mydomain.com, how would that works out if I use either Authentik or Authelia?
Unfortunately, Immich does not support OAuth/OIDC/SAML yet. Therefore, you are left with authenticating against Authelia/Authentik and then as well against immich via your user credentials. As correctly assumed, this requires a web browser to obtain the Authelia/Authentik login screen. For the immich mobile app, this is not possible.
There is some discussion on GitHub here about this topic:
https://github.com/immich-app/immich/discussions/3118
I've also implemented Authentik with Traefik. May read here:
Unfortunately, Immich does not support OAuth/OIDC/SAML yet.
This is wrong. https://immich.app/docs/administration/oauth
True, it does.
However, the mobile does not work with it properly or? Just the web app.
Then, you have to authenticate against Authelia/Authentik and a second time at the service via username and password usually.
FYI that at least in Authentik you can avoid the second login. Check the instructions they have on setting up Sonarr for more details, but you can save the app credentials in Authentik, then if your identity is authorized for access Authentik will automatically attach the credentials for the app: https://goauthentik.io/integrations/services/sonarr/
Works for anything that has http basic auth
Nice thanks!