← Back to overview
πŸ”‘ Reference Β· Identity & SSO

One login that knows every app

Authentik is the homelab’s central identity. Apps integrate in two ways: OIDC when they speak it natively, or ForwardAuth when the reverse proxy should gate them. High-value apps use both.

How apps sign in to the SSO
AOIDC
πŸ§‘Browser
↓
πŸ“¦App
↓
πŸ”‘Authentik Β· login
↓
🎫token β†’ app session
BForwardAuth
πŸ§‘Browser
↓
πŸ”€Traefik
↓
πŸ”‘Authentik Β· session check?
↓
πŸ“¦App (only if ok)
C = both combined β€” OIDC for identity, ForwardAuth as an extra perimeter

🎫OIDC (Pattern A)

The app speaks OpenID Connect directly to Authentik: login redirect, token exchange, done. Includes user and group sync β€” roles can be derived from Authentik groups.

OpenID Connectgroups β†’ rolesForgejo Β· Immich

πŸ›‘οΈForwardAuth (Pattern B)

For apps with weak or no native login, Traefik checks with Authentik before every request. Only a valid session gets forwarded β€” otherwise a redirect to the login.

TraefikperimeterPrometheus Β· Kuma

πŸ”Both combined (Pattern C)

Defense in depth: ForwardAuth as the outer perimeter plus native OIDC for clean identity inside the app. An existing session passes through both β€” login feels like one click.

Wiki.jsNextcloudGrafana

πŸ‘₯Groups instead of per-app rights

Who may access what is decided by group membership in Authentik β€” one source of truth, no per-app user sprawl.

groupsrole mappingcentral
Stack in use
AuthentikOIDCForwardAuthTraefikEmbedded Outpost