
Authelia

Authentication and authorization server with SSO and 2FA

Open-source authentication and authorization server providing two-factor authentication and single sign-on for applications via a web portal, acting as a companion for reverse proxies.


Overview

Authelia is an authentication and authorization server that adds two-factor authentication and single sign-on capabilities to your applications through a web portal. It works as a companion to reverse proxies like nginx, Traefik, Caddy, Envoy, and HAProxy, allowing, denying, or redirecting requests based on fine-grained access control rules.

Key Capabilities

Authelia is OpenID Connect™ certified and supports multiple second-factor methods including FIDO2 WebAuthn security keys (YubiKey), time-based one-time passwords, and mobile push notifications via Duo. It offers passwordless authentication through WebAuthn passkeys and includes password reset with email verification. Access control rules can match criteria like subdomain, user, group membership, request URI, method, and network, with per-rule policies for one-factor or two-factor authentication.

Deployment

Authelia can be deployed as a standalone service via AUR, APT, FreeBSD Ports, or static binaries, or as a container on Docker and Kubernetes. Kubernetes deployments support multiple ingress controllers including ingress-nginx, Traefik, Istio, and Envoy Gateway, with beta Helm Chart support. High availability is achieved using remote databases and Redis as a key-value store.

Highlights

  • OpenID Connect 1.0 / OAuth 2.0 certified provider with comprehensive protocol support
  • Multiple 2FA methods: FIDO2 WebAuthn security keys, TOTP, mobile push, and passwordless passkeys
  • Fine-grained access control rules matching subdomain, user, group, URI, method, and network
  • Native integration with major reverse proxies and Kubernetes ingress controllers

Pros

  • OpenID Connect™ certified to multiple profiles ensuring standards compliance
  • Flexible deployment options from bare metal to Kubernetes with Helm support
  • Comprehensive 2FA support including modern WebAuthn and passwordless authentication
  • Works seamlessly with popular reverse proxies and ingress controllers out of the box

Considerations

  • Still under active development with potential breaking changes between versions
  • Lite configuration with file-based storage and SQLite does not scale well
  • Requires careful configuration and understanding of reverse proxy integration
  • Helm Chart support is currently in beta status

Managed products teams compare with

When teams consider Authelia, these hosted platforms usually appear on the same shortlist.

Amazon Cognito

Customer identity and access management service for adding user sign-up, sign-in, and authentication to apps

Auth0

Cloud-based identity management platform for adding user authentication and authorization to applications

Clerk

User authentication and identity APIs for web and mobile apps

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Organizations needing SSO and 2FA for self-hosted applications behind reverse proxies
  • Teams running Kubernetes clusters with ingress-nginx, Traefik, Istio, or Envoy Gateway
  • Infrastructure requiring OpenID Connect certified authentication provider
  • Environments needing fine-grained access control with flexible authentication policies

Not ideal when

  • High-scale deployments using file-based user storage and SQLite configuration
  • Teams requiring stable APIs without breaking changes across versions
  • Organizations needing direct Internet exposure without reverse proxy architecture
  • Projects requiring production-ready Helm deployments without beta limitations

How teams use it

Securing self-hosted applications with SSO

Users authenticate once through Authelia's portal and gain access to multiple internal applications with consistent 2FA enforcement across all services.

Kubernetes ingress authentication

Deploy Authelia alongside ingress-nginx or Traefik to add authentication and authorization to services without modifying application code.

OpenID Connect provider for internal apps

Applications integrate with Authelia as an OpenID Connect certified provider, enabling standards-based authentication with 2FA support.

Fine-grained access control by subdomain and user group

Define rules that grant different access levels based on subdomain, user group membership, request method, and network origin with flexible 1FA or 2FA policies.

Tech snapshot

Go: 88%
TypeScript: 10%
Shell: 1%
HTML: 1%
Lua: 1%
JavaScript: 1%

Tags

webauthn, kubernetes, yubikey, passkeys, openid-connect, sso-authentication, oauth2, sso, totp, multifactor, 2fa, push-notifications, ldap, two-factor-authentication, mfa, golang, two-factor, security, authentication, docker

Frequently asked questions

Which reverse proxies does Authelia support?

Authelia works with nginx, Traefik, Caddy, Skipper, Envoy, and HAProxy. It integrates with Traefik using ForwardAuth middleware and Caddy using the forward_auth directive.

Is Authelia certified for OpenID Connect?

Yes, Authelia is OpenID Connect™ certified to the Basic OP, Implicit OP, Hybrid OP, Form Post OP, and Config OP profiles, though this feature is still considered beta.

What second-factor authentication methods are supported?

Authelia supports FIDO2 WebAuthn security keys like YubiKey, time-based one-time passwords (TOTP), mobile push notifications via Duo, and passwordless authentication using WebAuthn passkeys.

Can Authelia be deployed on Kubernetes?

Yes, Authelia supports Kubernetes deployment with compatibility for ingress-nginx, Traefik CRD and Ingress, Istio, and Envoy Gateway. Beta Helm Chart support is available for orchestration.

How does Authelia achieve high availability?

High availability is achieved by using a remote database for persistent storage and Redis as a highly available key-value store, allowing multiple Authelia instances to run concurrently.

Project at a glance

Status: Active
Stars: 26,427
Watchers: 26,427
Forks: 1,320
License: Apache-2.0
Repo age: 9 years old
Last commit: 2 days ago
Self-hosting: Supported
Primary language: Go

Last synced 2 days ago