Traefik + Authentik - experiments in SSO

A DALL-E AI image "Create a vector image for my blog using the keywords traefik, authentik and sso"
A DALL-E AI vector image based on the keywords traefik, authentik and sso

A while ago I did some research and looked into various open source SSO (Single Sign On) options. Amongst those I considered were Gluu, Keycloak and Authentik. This is about Authentik, as you've probably guessed from the title.

First, lets start with the Traefik docker compose:


services:
  reverse-proxy:
    image: traefik:v3.2.2
    environment:
      AWS_ACCESS_KEY_ID: ""
      AWS_SECRET_ACCESS_KEY: ""
      DUCKDNS_TOKEN: ""
      NAMECHEAP_API_USER: "<your-namecheap-username>"
      NAMECHEAP_API_KEY: "<your-namecheap-api-key>"
      DO_AUTH_TOKEN: ""
      # TRACING
      TRAEFIK_TRACING: true                                                # Enable tracing
      #TRAEFIK_TRACING_JAEGER_SAMPLINGPARAM: 0                              # Set the Jaeger sampling parameter
      #TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME: X-Request-ID          # Set the header to use for the X-Request-ID
    command:
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.network=traefik_default
      - --providers.docker.exposedbydefault=false
      - --accesslog=true
      - --accesslog.filepath=access.log
      - --log.level=INFO
      - --log.filePath=traefik.log
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http3
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --certificatesresolvers.myresolver.acme.dnschallenge=true
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=namecheap
      - --certificatesresolvers.myresolver.acme.email=your+email@address.com
      - --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json
      - --global.checknewversion=false
      - --global.sendanonymoususage=false
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      # So that Traefik can listen to Docker events and auto-configure.
      # This has security implications.
      # See https://doc.traefik.io/traefik/providers/docker/#docker-api-access
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # For storing Let's Encrypt cert
      - /data/traefik/etc:/etc/traefik:rw
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard-https.entrypoints=websecure"
      - "traefik.http.routers.dashboard-https.rule=Host(`traefik-dashboard.example.domain`)"
      - "traefik.http.routers.dashboard-https.service=api@internal"
      - "traefik.http.routers.dashboard-https.tls.certresolver=myresolver"
      - "traefik.http.routers.dashboard-https.tls.domains[0].main=example.domain"
      - "traefik.http.routers.dashboard-https.tls.domains[0].sans=*.example.domain"
      - "traefik.http.routers.dashboard-https.middlewares=lan-only"
      - "traefik.http.middlewares.lan-only.ipallowlist.sourcerange=123.123.123.123/32"
      # pulled from https://github.com/brokenscripts/authentik_traefik
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.address=http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-username"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-groups"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-email"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-name"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-uid"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-jwt"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-meta-jwks"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-meta-outpost"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-meta-provider"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-meta-app"
      - "traefik.http.middlewares.middlewares-authentik.forwardAuth.authResponseHeaders=X-authentik-meta-version"
    restart: unless-stopped

Next, we'll need an Authentik docker compose:

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      - authentik
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
    networks:
      - authentik
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.1}
    restart: unless-stopped
    command: server
    container_name: authentik_server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.example.domain`)"
      - "traefik.http.routers.authentik-rtr.entrypoints=websecure"
      - "traefik.http.routers.authentik-rtr.tls=true"
      - "traefik.http.routers.nc-https.tls.certresolver=myresolver"
      ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
      - "traefik.http.routers.authentik-rtr-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.example.domain`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-rtr-outpost.entrypoints=websecure"
      - "traefik.http.routers.authentik-rtr-outpost.tls=true"
      - "traefik.http.routers.authentik-rtr-outpost.tls.certresolver=myresolver"
      ## HTTP Services
      - "traefik.http.routers.authentik-rtr.service=authentik-svc"
      - "traefik.http.services.authentik-svc.loadBalancer.server.port=9000"
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
    networks:
      - authentik
      - traefik_default
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.1}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
    networks:
      - authentik

volumes:
  database:
    driver: local
  redis:
    driver: local

networks:
  authentik:
    name: authentik
  traefik_default:
    external: true

You'll also need a .env file, here's a snippet of mine:

PG_PASS=<super-top-secret-postgres-password>
AUTHENTIK_SECRET_KEY=<really-really-really-secure-authentik-secret-key>
AUTHENTIK_ERROR_REPORTING__ENABLED=true
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=smtp.sendgrid.net
AUTHENTIK_EMAIL__PORT=587
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=apikey
AUTHENTIK_EMAIL__PASSWORD=<sendgrid-api-key-goes-here>
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=true
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=your+email@address.com