deddit.petersanchez.com

Authentik vs Authelia?
from keepee@lemmy.world to selfhosted@lemmy.world on 24 Jul 04:16
https://lemmy.world/post/33393066

I’m currently using Authelia to authenticate for some of my self hosted services. It works fine, but the limited user backends (ldap or… yaml??) make me want to look for an alternative.

Authentik seems good, but after looking at their website I get the feeling of imminent enshitification, where they’re going to either pull the rug on the open source version, or basically gatekeep essential features behind an enterprise license.

So, for those using Authentik, how has your experience been so far?

#selfhosted

threaded - newest

lilith267@lemmy.blahaj.zone on 24 Jul 05:27 next collapse

Authelia + lldap(lightweight ldap) has been a really nice and powerful setup that negates the need for authentik for me. Authelia and authentik have diffrent goals tho, authelia is by design less powerfull and has a much smaller code base so that independent teams can audit the code themselves and a “set and forget” type configuration. Authentik is targeted at being an enterprise solution with all the bells and whistles. If you need those bells and whistles and dont want to use authentik try looking at keycloak (which also needs an ldap backend)

AddiXz@feddit.nl on 24 Jul 06:23 collapse

Keycloak user here! You don’t need** LDAP to use keycloak, but you can use it (I do too). Afaik keycloak is not always the easiest (not always clear instructions) but it works flawlessly for me and those who I authenticate. I use it for almost all my self hosted services except those who don’t support it (obviously).I can manage my users in LDAP and use keycloak for SSO etc. I would definitely recommend it!

athes@lemmy.world on 24 Jul 05:56 next collapse

I just switched from Authelia to PocketID No good reason. Mainly because Authelia was a bit convoluted and I needed something very basic.

extrahazmat@lemmy.zip on 24 Jul 09:48 next collapse

I’m using PocketID as it is super simple to set up. I’ve also paired it with TinyAuth for those services that don’t support SSO.

I also use Swag as my reverse proxy, which just added native support for TinyAuth.

MoonRaven@feddit.nl on 24 Jul 12:05 collapse

Seconding Pocket ID. Very lightweight and fast while also doing everything I need.

sk@utsukta.org on 24 Jul 10:22 next collapse

I doubt authentik will enshittify, i have been using it since 2 years and have been on their discord interacting with the team. They are very helpful and recently made some useful enterprise features available for self hosted users which is the opposite of enshittification.

roofuskit@lemmy.world on 24 Jul 11:43 next collapse

I very much enjoy authentik. Great tool. Lots of great documentation.

notquitenothing@sh.itjust.works on 24 Jul 11:45 next collapse

You can try VoidAuth, it is kinda similar to Authelia+lldap. I am the developer and I created it because I wasn’t satisfied with Authelia’s user management. If you decide you want to try it and run into any issues or questions I will try to help :)

sxan@midwest.social on 24 Jul 13:18 next collapse

I like the motivation behind this, but have a allergy to running critical infrastructure like authentication on node.

To each their own, though, and good luck with the project. Diversity is life.

keepee@lemmy.world on 25 Jul 06:39 collapse

Thanks! I’ll check it out

johnwicksdog@aussie.zone on 24 Jul 12:03 next collapse

I use authentik and like it. The learning curve isn’t that steep so not a lot of wasted investment if you decide to ditch it for something else. No password flow with webauthn is pretty cool.

sxan@midwest.social on 24 Jul 13:22 next collapse

Why don’t you like LDAP? OpenLDAP is a PITA (necessarily, I guess, to be considered “enterprise”), but lldap has been pretty nice to me. I mean, it’s the identity protocol, it’s just that the server software has been complex until relatively recently.

What would you use instead? A SQL DB with some custom schema, that just re-invents LDAP?

possiblylinux127@lemmy.zip on 24 Jul 23:25 collapse

LDAP and ldaps are not great from a security perspective. They pass password though the application which means a single compromised app will create a full breach.

Better to use OpenID which uses a single sign on portal that tells the underlying app when authentication is successful. It has a much smaller attack surface and allows for much more flexibility.

keepee@lemmy.world on 25 Jul 06:30 collapse

Yep, this is what I’m looking for

markstos@lemmy.world on 24 Jul 13:23 next collapse

There’s also Zitadel: zitadel.com

keepee@lemmy.world on 25 Jul 06:36 collapse

I tried it before authelia, and it felt like an unfinished product. Nice looking, but there were weird issues, like you could create projects (or apps? i don’t remember) through the UI, but then if you wanted to delete them you had to use the API. The hierarchy of resources also didn’t really feel intuitive to me. But that’s just personal preference. I’ve been testing out authentik today and I really like it. I like that the UI works great, but there’s also a terraform provider to manage things declaratively.

bear@slrpnk.net on 24 Jul 16:43 next collapse

Authentik has done the opposite of enshittification. As they’ve gotten more successful, they’ve taken enterprise features and moved them into the community edition. I’ve been extremely happy with Authentik so far and the dev has been nothing short of fantastic every time I’ve seen them interacting with the community.

moonpiedumplings@programming.dev on 24 Jul 17:46 next collapse

I’m on my phone rn and can’t write a longer post. This comment is to remind me to write an essay later. I’ve been using authentik heavily for my cybersecurity club and have a LOT of thoughts about it.

The tldr about authentik’s risk of enshittification is that authentik follows a pattern I call “supportware”. It’s when extremely (intentionally/accidentally) complex software (intentionally/accidentally) lacks edge cases in their docs,because you are supposed to pay for support.

I think this is a sustainable business model, and I think keycloak has some similar patterns (and other Red Hat software).

The tldr about authentik itself is that it has a lot of features, but not all of them are relevant to your usecase, or worth the complexity. I picked up authentik for invites (which afaik are rare, also official docs about setting up invites were wrong, see supportware), but invites may not something you care about.

Anyway. Longer essay/rant later. Despite my problems, I still think authentik is the best for my usecase (cybersecurity club), and other options I’ve looked at like zitadel (seems to be more developer focused),or ldap + sso service (no invites afaik) are less than the best option.

Sidenote: Microsoft entra is offers similar features to what I want from authentik, but I wanted to self host everything.

keepee@lemmy.world on 25 Jul 06:28 collapse

I like the “supportware” term, I can apply that to a few other tools (airbyte, teleport). I ended up setting up authentik today and it went really smoothly. So far I like it a lot, so hopefully the full enshittification process doesn’t happen soon. Even though right now I just want to use it for my own self-hosting purposes, I’m also interested in potentially using it for work. We have a few hundred thousand users and AWS cognito is getting pretty expensive.

possiblylinux127@lemmy.zip on 24 Jul 23:25 next collapse

Keycloak all the way

justme@lemmy.dbzer0.com on 25 Jul 08:18 next collapse

I am using authelia as well for some time. At some point I was looking into kanidm. It looked promising, but never got into actually using it. I never figured out though, whether they support forward header auth.

Lyricism6055@lemmy.world on 25 Jul 08:27 collapse

Take this with a grain of salt because I haven’t started using this yet, but I am planning on using pocket id on my personal server

github.com/pocket-id/pocket-id

Seems to do what I want it to do