One login that knows every app
Authentik is the homelabβs central identity. Apps integrate in two ways: OIDC when they speak it natively, or ForwardAuth when the reverse proxy should gate them. High-value apps use both.
π«OIDC (Pattern A)
The app speaks OpenID Connect directly to Authentik: login redirect, token exchange, done. Includes user and group sync β roles can be derived from Authentik groups.
π‘οΈForwardAuth (Pattern B)
For apps with weak or no native login, Traefik checks with Authentik before every request. Only a valid session gets forwarded β otherwise a redirect to the login.
πBoth combined (Pattern C)
Defense in depth: ForwardAuth as the outer perimeter plus native OIDC for clean identity inside the app. An existing session passes through both β login feels like one click.
π₯Groups instead of per-app rights
Who may access what is decided by group membership in Authentik β one source of truth, no per-app user sprawl.