Authelia
OpenID Certified SSO and MFA portal for securing self-hosted web applications behind reverse proxies.
Authelia is an open-source authentication and authorization server that provides multi-factor authentication (MFA) and single sign-on (SSO) for web applications via a reverse proxy. It supports the full suite of modern authentication standards including OpenID Connect 1.0, OAuth 2.0, WebAuthn passkeys, TOTP, and push-based approvals — acting as a gatekeeper that enforces identity policies without modifying the applications it protects.
Designed for DevOps teams, SREs, and home lab enthusiasts, Authelia integrates with popular reverse proxies including Traefik, Nginx, Caddy, and HAProxy. It authenticates users against LDAP directories, Active Directory, or a local file-based user database, and enforces granular authorization policies per domain, subdomain, user, or group.
Authelia deploys as a single binary or lightweight container, with a footprint under 20MB and memory usage under 30MB at idle. It supports horizontal scaling via shared session backends (Redis) and storage backends (PostgreSQL, MySQL, or SQLite for single-node deployments). An official Helm chart is available for Kubernetes deployments.
The project is OpenID Certified and participates in the OpenSSF Best Practices program, achieving SLSA Level 3 supply chain security. With over 28,000 GitHub stars, 1,400+ forks, and an active release cadence exceeding 20 versions per year, Authelia is one of the most mature and actively maintained identity solutions available for self-hosted infrastructure.
What You Get
- OpenID Connect 1.0 Provider (OpenID Certified) - Acts as a full OIDC provider so applications like Nextcloud, Grafana, Gitea, and Jellyfin can delegate authentication to Authelia using standard OAuth2/OIDC flows.
- WebAuthn and Passkey Support - Enables passwordless login using FIDO2 security keys (YubiKey, Google Titan) and platform authenticators (Touch ID, Windows Hello, Face ID) via the WebAuthn standard.
- Time-Based One-Time Password (TOTP) - RFC 6238-compliant TOTP integration works with any standard authenticator app including Authy, Google Authenticator, Bitwarden Authenticator, and hardware tokens.
- Mobile Push Notification MFA - Delivers one-tap MFA approval requests to mobile devices, with support for both Authelia’s native push service and Duo Security integration.
- Granular Per-Domain Authorization Policies - Define access rules based on domain, subdomain, URL path, HTTP method, user identity, group membership, network CIDR, and time-of-day in a declarative YAML policy file.
- LDAP and Active Directory Integration - Authenticate against OpenLDAP, Microsoft Active Directory, FreeIPA, and other directory services without syncing or storing passwords locally, including support for referral chasing and LDAP over TLS.
- Brute-Force Protection and Account Regulation - Detects and blocks brute-force login attempts by tracking failed authentication events and applying configurable account lockout policies with automatic unlock timers.
- Password Reset with Email Identity Validation - Self-service password reset workflow sends time-limited verification emails before allowing password changes, reducing helpdesk load while maintaining security.
- Redis-Backed Session Clustering - Supports high-availability and horizontal scaling by storing sessions in Redis or Redis Sentinel, allowing multiple Authelia instances to share state.
- Multi-Database Storage Backend - Stores authentication state and OIDC tokens in PostgreSQL, MySQL/MariaDB, or SQLite, with automated schema migrations between versions.
Common Use Cases
- Securing a home lab dashboard stack - A self-hoster uses Authelia with Traefik to put MFA in front of Grafana, Portainer, Home Assistant, and Nextcloud, replacing individual app logins with a single SSO portal that blocks public access without valid credentials.
- Enforcing zero-trust access to internal developer tools - A small engineering team deploys Authelia on Kubernetes with Nginx ingress to protect internal Backstage, Argo CD, and Prometheus instances, using LDAP group membership to restrict access per service and WebAuthn for passwordless login.
- Adding OAuth2 SSO to applications that lack it - An organization uses Authelia’s OIDC provider to give applications like Gitea and Nextcloud a centralized login, so users authenticate once and gain access to multiple services without re-entering credentials.
- Complying with security requirements in regulated environments - A healthcare organization uses Authelia’s LDAP integration, TOTP enforcement, and audit logging to enforce MFA for all web-accessible applications as part of HIPAA access control compliance.
- Replacing a commercial identity gateway - A startup migrates away from a paid auth proxy by deploying Authelia with Redis for session clustering and PostgreSQL for storage, getting equivalent MFA and SSO functionality without per-seat licensing fees.
Under The Hood
Architecture
Authelia follows a layered, domain-driven architecture that separates configuration, request routing, authentication logic, and authorization enforcement into distinct packages with well-defined interfaces. Execution flows from a fasthttp-based HTTP server through a middleware pipeline that resolves identity, validates sessions, applies regulation, and delegates to the appropriate authentication handler — all without tight coupling between layers. The Providers struct, injected throughout via context, gives every handler access to the authorizer, session provider, storage backend, OIDC provider, TOTP engine, and WebAuthn subsystem through interface types rather than concrete implementations. This pluggable architecture means storage backends (PostgreSQL, MySQL, SQLite) and user providers (LDAP, file-based) are swappable at configuration time. The authorization subsystem evaluates domain policies independently of the authentication flow, enabling per-domain rules that enforce different MFA levels, session durations, or network-based restrictions. The result is a cohesive system where each subsystem — authentication, authorization, session management, OIDC token issuance — is independently testable and replaceable.
Tech Stack The backend is written in Go using fasthttp as the HTTP server and router, chosen over net/http for its low-allocation, high-throughput request handling. Identity providers are backed by go-ldap for LDAP connectivity and sqlx for SQL access against PostgreSQL, MySQL, or SQLite. OIDC and OAuth 2.0 flows are handled by Authelia’s own fork of the Fosite library (published as authelia.com/provider/oauth2), giving full control over token issuance and validation. WebAuthn is implemented via the go-webauthn library; TOTP uses Authelia’s own authelia/otp fork of pquerna/otp. Session storage uses fasthttp/session with Redis or Redis Sentinel backends. The frontend is a React application using Material UI components, SimpleWebAuthn for browser-side WebAuthn, i18next for internationalization, and Vite as the build tool. Multi-architecture Docker images are built with goreleaser using static linking for glibc and musl targets.
Code Quality Authelia demonstrates exceptional code quality across its codebase. Extensive test coverage includes over 1,400 unit test functions using testify for assertions and gomock for interface mocking, complemented by a comprehensive integration test suite in the suites package. Error handling is explicit and contextual throughout — errors are wrapped with descriptive messages using fmt.Errorf with %w, logged at appropriate levels with logrus structured entries, and propagated up without silent swallowing. The codebase uses strong Go interface contracts for every pluggable subsystem, enabling straightforward mocking in tests. Naming conventions are consistent and self-documenting. A complete CI pipeline on Buildkite enforces linting, formatting, test coverage reporting via Codecov, and vulnerability scanning. The project participates in OpenSSF Best Practices and achieves SLSA Level 3 for supply chain security, reflecting an unusually high bar for an open-source authentication project.
What Makes It Unique Authelia’s most distinctive characteristic is its depth of proxy integration: rather than being a standalone identity provider that applications must be modified to use, it functions as an authentication layer injected into the HTTP request path of any reverse proxy — making it uniquely suited to securing third-party or legacy applications. Its authorization policy engine is unusually expressive for an OSS project, supporting per-domain MFA level requirements, group-based access, network CIDR whitelisting, and custom session durations in a single YAML configuration. The project is one of the few self-hosted solutions that carries OpenID Certification and SLSA Level 3 build attestation, making it suitable for regulated environments where vendor security posture documentation is required. The combination of WebAuthn passkeys, TOTP, push notifications, and OIDC SSO in a single lightweight binary with no runtime dependencies is rare among open-source alternatives.
Self-Hosting
Authelia is released under the Apache License 2.0, a permissive open-source license that allows commercial use, modification, distribution, and private use without restriction. There are no copyleft obligations — you are not required to open-source your own code or infrastructure configurations when deploying Authelia. This makes it safe to embed in commercial products or use in enterprise environments without legal exposure.
Running Authelia yourself means you own the entire authentication stack: configuration, secrets management, database maintenance, Redis clustering, TLS certificate rotation, and version upgrades are all your responsibility. A production deployment requires a working reverse proxy (Traefik, Nginx, Caddy, or HAProxy), a SQL database (PostgreSQL or MySQL for multi-node; SQLite for single-node), and Redis for session sharing if you need more than one instance. Authelia itself is stateless and scales horizontally, but the supporting infrastructure adds operational complexity. The project provides detailed documentation at www.authelia.com, an active Discord community, and a Matrix support room — but no paid support contracts or SLA guarantees.
Authelia has no commercial cloud or managed tier. There is no hosted version, enterprise edition, or paid add-on. Everything is in the open-source distribution. What you trade away compared to managed alternatives (Okta, Auth0, Zitadel Cloud) is primarily operational convenience and support: no managed uptime, no automated backups, no support ticket queue, and no dashboard for non-technical administrators. Configuration is YAML-only with no web-based admin UI for policy management. For teams with strong DevOps capabilities and a preference for full infrastructure control, Authelia is a compelling choice; for organizations needing a turnkey identity solution with vendor support, the operational overhead requires careful consideration.
Related Apps
Supabase
Developer Tools · Databases · Search
The open-source Postgres development platform that replaces Firebase with authentication, real-time APIs, edge functions, storage, and vector embeddings — all built on PostgreSQL.
Supabase
Apache 2.0Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Traefik
Devops · Automation · Security
A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.