Authelia is an open-source authentication and authorization server designed to provide Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for web applications protected by reverse proxies like Nginx, Traefik, or Caddy. It acts as a gateway that intercepts unauthenticated requests and presents users with a unified login portal supporting modern authentication standards including OpenID Connect 1.0, OAuth 2.0, WebAuthn (FIDO2), TOTP, and mobile push notifications. Built in Go and designed for containerized environments, Authelia integrates seamlessly with existing infrastructure using configuration files and is compatible with LDAP, Redis, PostgreSQL, MySQL, and SQLite for user storage. It’s ideal for organizations seeking to enforce strong authentication across internal tools without modifying application code.
Authelia is widely adopted by DevOps teams and infrastructure engineers managing microservices, SaaS platforms, or internal dashboards where centralized authentication is critical. With OpenID Connect certification and high security scores (SLSA Level 3, OpenSSF Best Practices), it provides enterprise-grade authentication without vendor lock-in. The project supports deployment via Docker, Kubernetes (via Helm), static binaries, and package managers like APT and AUR.
What You Get
- OpenID Connect 1.0 & OAuth 2.0 Support - Authelia implements the OpenID Connect certification standard, enabling seamless SSO integration with any OpenID-compatible client such as Keycloak, Dex, or custom web apps. It supports authorization code flow with PKCE and refresh tokens.
- Multi-Factor Authentication (MFA) Methods - Offers three MFA options: WebAuthn/FIDO2 security keys (YubiKey, Titan), Time-Based One-Time Passwords (TOTP) via Google Authenticator or Authy, and mobile push notifications using the Authelia mobile app for Android/iOS.
- Reverse Proxy Integration - Works with Nginx, Traefik, Caddy, and other reverse proxies using standard headers (e.g., X-Forwarded-User) to pass authenticated identity without modifying backend apps.
- Flexible User Storage - Supports LDAP, PostgreSQL, MySQL, SQLite, and Redis for user directory integration. Configure users via YAML configuration files or sync with existing enterprise directories.
- Docker and Kubernetes Ready - Official Docker image available on Docker Hub with Helm charts for Kubernetes deployments. Supports ingress controllers like nginx-ingress and Traefik via annotated configurations.
- Role-Based Access Control (RBAC) - Define access policies per URL path, HTTP method, and user group. Enforce MFA requirements conditionally based on IP address, device trust level, or sensitivity of the resource.
Common Use Cases
- Building a secure internal dashboard with multiple microservices - A DevOps team uses Authelia to protect Grafana, Prometheus, and Portainer behind a Traefik reverse proxy. Users authenticate once via SSO with TOTP, and all services inherit identity via X-Forwarded-User headers without requiring individual login flows.
- Enforcing MFA for remote access to admin tools - A company requires all employees to use WebAuthn (YubiKey) when accessing their internal Jenkins CI server. Authelia is deployed as a sidecar to Nginx, intercepting requests and enforcing FIDO2 authentication before proxying to Jenkins.
- Replacing legacy SSO with open-source MFA - An organization migrates from proprietary SAML solutions to Authelia to reduce costs and increase auditability. They configure LDAP sync for user management and enforce TOTP for all external-facing applications.
- DevOps teams managing microservices across multiple cloud providers - Teams deploy Authelia as a Kubernetes sidecar using Helm charts to provide consistent authentication across AWS, GCP, and on-prem clusters. Policies restrict access to /admin paths unless MFA is verified.
Under The Hood
Authelia is a robust identity and access management solution built as a monolithic Go application, offering comprehensive authentication and authorization capabilities with a modern web interface. It supports multiple authentication protocols and integrates seamlessly into complex infrastructures through modular design and extensive tooling.
Architecture
Authelia follows a layered architecture that promotes clear separation of concerns and maintainable code organization.
- The system is structured into distinct modules for authentication, configuration, and API handling, enabling focused development and testing
- Command-line interfaces and internal automation tools reflect a strong emphasis on developer experience and operational efficiency
- Integration with various authentication providers and extensive customization options highlight its flexible and extensible design patterns
- The web frontend utilizes well-defined interfaces and context providers to manage state and component interactions effectively
Tech Stack
The project leverages a combination of Go for backend services and React for the frontend, supported by modern development practices.
- Built primarily in Go with a React-based web interface and extensive use of TypeScript for type safety
- Relies on MUI, React Router, i18next, and Bootstrap for a consistent and feature-rich UI
- Employs Vite for frontend builds, Hugo for documentation, and Node.js tooling to support modern workflows
- Combines Go-based unit and integration tests with frontend testing libraries like React Testing Library for comprehensive coverage
Code Quality
The codebase reflects a mature approach to quality assurance with consistent practices and structured error handling.
- Comprehensive test suites and linting configurations support maintainability and code consistency across modules
- Error handling is generally well-structured, though some inconsistencies are present in specific areas
- The project enforces clear naming conventions and follows established Go idioms for readability and scalability
- Documentation and tooling support contribute to overall code quality, though some areas lack depth in explanation
What Makes It Unique
Authelia distinguishes itself through a unique blend of authentication protocols, extensibility, and developer-centric tooling.
- Offers seamless support for both OpenID Connect and SAML 2.0, making it a versatile choice for enterprises with mixed authentication needs
- Features a modular architecture that allows custom validators and storage backends, enabling granular configuration without compromising security
- Includes extensive internal tooling for generating documentation and configuration schemas, significantly lowering the barrier to contribution and maintenance
- Combines a powerful RESTful API with a fully functional web-based admin interface, providing dual control mechanisms for authentication policies and session management