How about zitadel as an option?
this post was submitted on 24 Jul 2025
60 points (98.4% liked)
Selfhosted
49847 readers
851 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
I do not consider Authelia secure from an architecture point of view.
That is because there is, by design, no authentication between authelia and the backend. That means that if anyone ever manages to directly access the backend services, they can impersonate anyone, including admin.
On paper I should love Authelia, I'm a sucker for y'all configured services, I can write a couple of files on my Ansible and boom, everything works... However I never had much luck setting Authelia up, Authentik on the other hand was very painless (albeit) manual (via UI) configuration. I don't do anything crazy, so any of them would work for me though, I just failed on setting Authelia and tried Authentik and had had no reason to change.
Authentik can be configured through terraform
You can try VoidAuth, it is kinda similar to Authelia+lldap. I am the developer and I created it because I wasn’t satisfied with Authelia’s user management. If you decide you want to try it and run into any issues or questions I will try to help :)
Thanks! I'll check it out
I like the motivation behind this, but have a allergy to running critical infrastructure like authentication on node.
To each their own, though, and good luck with the project. Diversity is life.
I'm using PocketID as it is super simple to set up. I've also paired it with TinyAuth for those services that don't support SSO.
I also use Swag as my reverse proxy, which just added native support for TinyAuth.
Seconding Pocket ID. Very lightweight and fast while also doing everything I need.
Take this with a grain of salt because I haven't started using this yet, but I am planning on using pocket id on my personal server
https://github.com/pocket-id/pocket-id
Seems to do what I want it to do
Keycloak all the way
Authelia + lldap(lightweight ldap) has been a really nice and powerful setup that negates the need for authentik for me. Authelia and authentik have diffrent goals tho, authelia is by design less powerfull and has a much smaller code base so that independent teams can audit the code themselves and a "set and forget" type configuration. Authentik is targeted at being an enterprise solution with all the bells and whistles. If you need those bells and whistles and dont want to use authentik try looking at keycloak (which also needs an ldap backend)
Keycloak user here! You don't need** LDAP to use keycloak, but you can use it (I do too). Afaik keycloak is not always the easiest (not always clear instructions) but it works flawlessly for me and those who I authenticate. I use it for almost all my self hosted services except those who don't support it (obviously).I can manage my users in LDAP and use keycloak for SSO etc. I would definitely recommend it!
I'm on my phone rn and can't write a longer post. This comment is to remind me to write an essay later. I've been using authentik heavily for my cybersecurity club and have a LOT of thoughts about it.
The tldr about authentik's risk of enshittification is that authentik follows a pattern I call "supportware". It's when extremely (intentionally/accidentally) complex software (intentionally/accidentally) lacks edge cases in their docs,because you are supposed to pay for support.
I think this is a sustainable business model, and I think keycloak has some similar patterns (and other Red Hat software).
The tldr about authentik itself is that it has a lot of features, but not all of them are relevant to your usecase, or worth the complexity. I picked up authentik for invites (which afaik are rare, also official docs about setting up invites were wrong, see supportware), but invites may not something you care about.
Anyway. Longer essay/rant later. Despite my problems, I still think authentik is the best for my usecase (cybersecurity club), and other options I've looked at like zitadel (seems to be more developer focused),or ldap + sso service (no invites afaik) are less than the best option.
Sidenote: Microsoft entra is offers similar features to what I want from authentik, but I wanted to self host everything.
I like the "supportware" term, I can apply that to a few other tools (airbyte, teleport). I ended up setting up authentik today and it went really smoothly. So far I like it a lot, so hopefully the full enshittification process doesn't happen soon. Even though right now I just want to use it for my own self-hosting purposes, I'm also interested in potentially using it for work. We have a few hundred thousand users and AWS cognito is getting pretty expensive.
Why don't you like LDAP? OpenLDAP is a PITA (necessarily, I guess, to be considered "enterprise"), but lldap has been pretty nice to me. I mean, it's the identity protocol, it's just that the server software has been complex until relatively recently.
What would you use instead? A SQL DB with some custom schema, that just re-invents LDAP?
LDAP and ldaps are not great from a security perspective. They pass password though the application which means a single compromised app will create a full breach.
Better to use OpenID which uses a single sign on portal that tells the underlying app when authentication is successful. It has a much smaller attack surface and allows for much more flexibility.
Yep, this is what I'm looking for
I am using authelia as well for some time. At some point I was looking into kanidm. It looked promising, but never got into actually using it. I never figured out though, whether they support forward header auth.
Authentik has done the opposite of enshittification. As they've gotten more successful, they've taken enterprise features and moved them into the community edition. I've been extremely happy with Authentik so far and the dev has been nothing short of fantastic every time I've seen them interacting with the community.
I just switched from Authelia to PocketID No good reason. Mainly because Authelia was a bit convoluted and I needed something very basic.
I very much enjoy authentik. Great tool. Lots of great documentation.
I doubt authentik will enshittify, i have been using it since 2 years and have been on their discord interacting with the team. They are very helpful and recently made some useful enterprise features available for self hosted users which is the opposite of enshittification.
There’s also Zitadel: https://zitadel.com/
I tried it before authelia, and it felt like an unfinished product. Nice looking, but there were weird issues, like you could create projects (or apps? i don't remember) through the UI, but then if you wanted to delete them you had to use the API. The hierarchy of resources also didn't really feel intuitive to me. But that's just personal preference. I've been testing out authentik today and I really like it. I like that the UI works great, but there's also a terraform provider to manage things declaratively.
I use authentik and like it. The learning curve isn’t that steep so not a lot of wasted investment if you decide to ditch it for something else. No password flow with webauthn is pretty cool.