authentik
A self-hosted identity provider that bundles SSO, OAuth2/OIDC, SAML, LDAP, RADIUS, and SCIM behind one server and a visual flow editor.
- Category: Identity & Policy
- CNCF maturity: Independent (not a CNCF project)
- Language: Python (Django) core, Go outposts, TypeScript/Lit web UI
- License: MIT core, with
website/under CC BY-SA 4.0 andauthentik/enterprise/under a source-available Enterprise license - Repository: goauthentik/authentik
- Documented at commit:
9da4c56(code declares version2026.8.0-rc1; nearest stable tagversion/2026.5.3)
What it is
authentik is an identity provider you run yourself. A single server speaks the protocols an application is likely to need for login: OAuth2/OIDC, SAML, LDAP, RADIUS, and SCIM. It also acts as a forward-auth gateway for apps that have no native authentication, through a separate Go process called an outpost.
The distinguishing idea is the "Flow, Stage, Policy" model. Instead of a fixed login screen, an administrator composes an authentication flow from ordered stages (identification, password, MFA, consent) and gates each stage with policies. A policy can be a static user/group membership check or a user-defined Python expression. The flow planner evaluates these and produces a flat list of stages to execute.
It is built and run from a single repository that mixes three languages: a Python/Django core that owns the data model and protocol providers, Go outposts for proxy/LDAP/RADIUS/RAC, and a TypeScript/Lit frontend for the admin UI and the flow executor.
When to use it
- You want one self-hosted server to cover OIDC, SAML, LDAP, and forward-auth instead of stitching several tools together.
- You are replacing a hosted IdP (Okta, Auth0, Entra ID) and want identity to stay on infrastructure you control.
- You need custom login logic (conditional MFA, scripted access rules) expressed as composable flows and policies rather than code changes.
It is a weaker fit when you want a neutral-foundation governed project (authentik is single-vendor open core, see History), or when a lightweight forward-auth-only gate such as Authelia already covers your needs.
In this deep-dive
- History: origin, milestones, and why it exists.
- Architecture: components and how requests flow.
- Adoption & Ecosystem: who runs it and what surrounds it.
- Internals: the code paths that matter, read from source.
- Getting Started: install and a first working setup.
Sources
- goauthentik/authentik source, pinned at commit
9da4c56. - Happy Birthday to Us!, authentik blog on the project's origin and history.
- Install authentik via Docker Compose, official docs.
- Welcome to authentik, official documentation.
- CNCF Projects, confirming authentik is not a CNCF project.
- GitHub REST API: repos/goauthentik/authentik, observed 2026-06-22.
- Authentik: The Open Source Alternative to Okta & Auth0.
- Authentik vs Authelia vs Keycloak (2026).