Authentik

TAS Score: S3/3 – D5/5 – A3 / T2

Brief Description

Open-source identity provider focused on flexibility and security. Supports SSO, MFA, LDAP, OAuth2, OIDC, and more — all without external dependencies.

Architectural Role

Identity layer: central authentication and authorization for your self-hosted services.

Technical Autonomy

  • Works without internet (after initial setup)
  • Stores data locally (PostgreSQL, Redis, files)
  • Does not require external accounts
  • Allows data export (database and config backups)
  • Provides offline updates (manual upgrade via packages or Docker)

Philosophical Assessment (whose.world criteria)

Criterion               Status  Comments
Pause                   Yes     Services can be stopped; authentication requests fail gracefully.
Exit                    Yes     All user data can be exported; you can migrate to another IdP.
Recoverability          Yes     Database and configuration can be backed up and restored.
Visibility              Yes     Open source, full documentation.
External Dependencies   Yes     None; runs entirely offline.

Configuration (Minimal)

Example docker-compose.yml snippet:

services:
  postgresql:
    image: postgres:15
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: change-me   # placeholder: replace with a generated secret before deploying

  redis:
    image: redis:alpine
    command: --save 60 1             # snapshot to disk so sessions survive a restart
    volumes:
      - ./redis-data:/data

  authentik:
    image: ghcr.io/goauthentik/server:latest   # pin a release tag in production
    command: server                  # the image needs an explicit role; background jobs need a second service running "worker"
    ports:
      - "9000:9000"                  # HTTP
      - "9443:9443"                  # HTTPS
    environment:
      AUTHENTIK_SECRET_KEY: change-me            # placeholder: signs sessions and cookies; use a long random value
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: change-me  # must match POSTGRES_PASSWORD above
      AUTHENTIK_REDIS__HOST: redis
    volumes:
      - ./authentik-media:/media
    depends_on:
      - postgresql
      - redis
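A pre-deploy check for the snippet above, added here as an example (not the Authentik project's own tooling): it refuses to run while the placeholder "change-me" secrets are still in the compose file, and otherwise writes a .env with random values for the compose file to reference as ${PG_PASS} and ${AUTHENTIK_SECRET_KEY}. Those two variable names are assumptions of this example; Docker Compose substitutes them from .env in the project directory.

```shell
#!/bin/sh
# Example pre-deploy check for the compose snippet above; not Authentik project tooling.
# Assumes POSIX sh with /dev/urandom and base64, and that placeholder secrets are the
# literal "change-me" as in the snippet. PG_PASS / AUTHENTIK_SECRET_KEY are assumed names.
set -eu

# Exit 0 when the compose file still sets a password or the secret key to "change-me",
# 1 otherwise. Only the three secret-bearing keys from the snippet are inspected.
has_placeholder_secret() {
    grep -Eq '^[[:space:]]*(POSTGRES_PASSWORD|AUTHENTIK_POSTGRESQL__PASSWORD|AUTHENTIK_SECRET_KEY):[[:space:]]*change-me[[:space:]]*(#.*)?$' "$1"
}

# Print a random secret: N bytes from /dev/urandom, base64 without newlines or padding.
gen_secret() {
    head -c "${1:-60}" /dev/urandom | base64 | tr -d '\n='
}

# Create the given .env file with fresh PG_PASS and AUTHENTIK_SECRET_KEY, mode 0600.
# An existing file is never overwritten, so a redeploy keeps the live secrets.
write_env() {
    if [ -e "$1" ]; then
        echo "$1 already exists, keeping it" >&2
        return 0
    fi
    (
        umask 077
        printf 'PG_PASS=%s\nAUTHENTIK_SECRET_KEY=%s\n' "$(gen_secret 36)" "$(gen_secret 60)" > "$1"
    )
}

# Usage: ./preflight.sh [docker-compose.yml]
main() {
    compose="${1:-docker-compose.yml}"
    if has_placeholder_secret "$compose"; then
        echo "refusing to deploy: $compose still contains 'change-me' secrets" >&2
        echo "reference \${PG_PASS} and \${AUTHENTIK_SECRET_KEY} in the compose file instead, then rerun" >&2
        return 1
    fi
    write_env .env
    echo "ok: no placeholder secrets; .env is ready for docker compose up -d"
}

# Run main only when executed as preflight.sh, not when the functions are sourced.
case "$0" in */preflight.sh|preflight.sh) main "$@" ;; esac
```

In the compose file, put ${PG_PASS} in place of both change-me passwords and ${AUTHENTIK_SECRET_KEY} in place of the secret key; the generated .env is picked up by docker compose automatically.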

Alternatives

  • Keycloak – more complex, heavier, still open source
  • Authelia – lightweight, but less feature-rich
  • Zitadel – cloud-native, requires external database

Sources

Trajectory

Mixed — commercial company, open core model.

Authentik is developed by Authentik Security Inc., a venture-backed company. The core product is open source (MIT), but the company generates revenue through enterprise features and support. This is the classic open-core model.

The tension: enterprise features may gradually pull the most useful capabilities behind a paywall. So far Authentik has kept the core generous. Watch for: features moving from community to enterprise tier, license changes, or acquisition. The MIT license is a strong protection — but it does not prevent forking pressure if the project closes.

Rate: stable, with commercial tension to monitor.
