authentik is a self-hosted Identity Provider (IdP) designed to replace proprietary solutions like Okta, Auth0, and Entra ID by providing a unified platform for authentication and authorization. It serves DevOps teams, security engineers, and IT administrators who need full control over identity data without vendor lock-in or cloud dependency. Built for environments ranging from small labs to large Kubernetes clusters, authentik enables organizations to implement Zero Trust security, manage customer identities, and integrate legacy systems with modern protocols.
The platform is built in Python with a Django backend and React frontend, offering deployment via Docker Compose, Helm charts for Kubernetes, AWS CloudFormation, and DigitalOcean Marketplace. It supports industry-standard protocols including SAML 2.0, OAuth2, OpenID Connect, LDAP, RADIUS, SCIM, and WebAuthn, with a policy engine for conditional access and API-driven automation for infrastructure-as-code workflows.
What You Get
- SAML 2.0 Identity Provider & Service Provider - Act as both IdP and SP to integrate with legacy and modern applications using SAML metadata exchange and attribute mapping.
- OpenID Connect (OIDC) & OAuth2 Server - Issue tokens and manage consent flows for web and mobile apps with full OAuth2 authorization code and client credentials support.
- WebAuthn / FIDO2 Passkey Support - Enable passwordless authentication using hardware keys or platform authenticators with phishing-resistant login flows.
- Conditional Access Policies - Enforce access rules based on user attributes, device status, time of day, IP geolocation, and impossible travel detection.
- Application Proxy with Reverse Proxy Integration - Securely expose internal applications (RDP, VNC, SSH) without a traditional VPN using reverse proxy routing and authentication.
- SCIM User Provisioning - Automate user lifecycle management by syncing identities with HR systems via SCIM 2.0 standard endpoints.
- LDAP & RADIUS Integration - Authenticate against existing directory services and network devices using LDAP bind or RADIUS protocols for legacy system compatibility.
- Multi-factor Authentication (MFA) Hub - Centralize TOTP, WebAuthn, and SMS-based MFA enforcement across all connected applications with customizable policies.
- FIPS Compliance Ready - Deploy in regulated environments with FIPS 140-2 compliant cryptographic modules and audit-ready logging.
- Self-Service User Portal - Allow users to reset passwords, manage MFA devices, and view application access without IT intervention.
Common Use Cases
- Running a Zero Trust network for remote teams - A cybersecurity team uses authentik to enforce device health checks and geolocation-based access before allowing SSH or RDP connections to internal servers.
- Replacing Okta for a mid-sized SaaS company - A product team deploys authentik to manage customer identities via SCIM and OIDC, eliminating monthly SaaS subscription costs and data exposure risks.
- Integrating legacy applications with modern SSO - An enterprise connects a 15-year-old internal HR system using SAML and RADIUS proxies, enabling single sign-on without code changes.
- Securing Kubernetes clusters with centralized auth - A DevOps team configures authentik as the OIDC provider for Kubernetes API server and Dex, enforcing MFA and role-based access across all clusters.
Under The Hood
Architecture
- Monolithic Django core whose components remain tightly coupled even with DRF and multi-tenancy extensions in use, so strict layer separation is limited
- Service layer implemented via lifecycle hooks and custom middleware, leveraging Django’s app registry for dependency injection without formal DI containers
- Asynchronous processing powered by Dramatiq and Channels, deeply integrated with Django ORM and signals for real-time event handling
- Rust microservices built with Axum and Tokio, sharing data models and configuration utilities via common crates to ensure cross-language consistency
- Modular plugin system enabled through PyPI-packaged extensions that extend functionality without modifying the core codebase
- Comprehensive build pipeline using UV, a Makefile, and GitHub Actions to coordinate Python, Rust, and TypeScript compilation with FIPS-compliant cryptography
Tech Stack
- Python 3.14 and Django 5.2.12 as the foundational backend, enhanced with DRF, Channels, and PostgreSQL extensions for real-time and high-concurrency capabilities
- Rust 1.94.1 services using Axum for routing and Tokio for async execution, with Clippy and rustfmt enforcing production-grade code quality
- PostgreSQL as the primary database, deeply integrated with advanced extensions for relational operations and event-driven workflows
- UV as the Python package manager, ensuring system-level library compatibility and FIPS compliance through strict source compilation
- OpenAPI 3.0.3 defining a unified API contract with automated documentation and type safety across frontend and backend
- TypeScript/Node.js 24+ frontend with ESLint, Prettier, and monorepo workspaces ensuring consistent, maintainable UI code
Code Quality
- Extensive test coverage spanning unit, integration, and end-to-end scenarios with realistic fixtures and mock data
- Clear component-based test organization with dedicated modules for sources, providers, tenants, and outposts
- Robust error handling with structured API responses and user-friendly messages, leveraging Django’s exception system
- Consistent naming and Django-conventional patterns across models, serializers, and test suites
- Strong data integrity enforced through ORM constraints, foreign keys, and explicit field validations
- Comprehensive linting and CI-integrated testing with reusable utilities and configuration patches for isolation and reproducibility
What Makes It Unique
- Native identity orchestration with dynamic policy engines enabling real-time, context-aware access decisions without external rule engines
- Unified event system with structured JSON context tracking for comprehensive audit trails across authentication and authorization events
- Extensible source abstraction layer that unifies SAML, OAuth, LDAP, and custom providers under a single API
- Client-side component library built with LitElement for framework-agnostic UI elements that directly sync with backend APIs
- Visual policy flow designer allowing non-developers to construct complex auth pipelines via drag-and-drop
- Built-in brand and theme engine that dynamically renders UI and emails per tenant without separate deployments or subdomains