Authelia
Authelia is an open source authentication and authorization server providing multi-factor authentication and single sign-on for applications behind a reverse proxy. It supports OpenID Connect 1.0, OAuth 2.0, TOTP, WebAuthn, and Duo Push as authentication methods. Authelia exposes a REST API documented with an OpenAPI specification and integrates with nginx, Traefik, Caddy, and other reverse proxies.
APIs
Authelia REST API
The Authelia REST API provides endpoints for authentication flows including first-factor login, MFA challenges, password reset, session management, and authorization verificatio...
Authelia OpenID Connect 1.0 Provider
Authelia acts as an OpenID Certified OpenID Connect 1.0 Provider supporting Authorization Code, Implicit, and Hybrid flows with PKCE, PAR, and various token endpoint authenticat...
Features
Supports TOTP, WebAuthn/FIDO2, Duo Push, and mobile authenticator apps as second factors.
OpenID Certified identity provider supporting Authorization Code, Implicit, and Hybrid flows.
Session-based SSO across all applications behind the reverse proxy with configurable session lifetime.
User authentication against LDAP, Active Directory, and OpenLDAP directories with group-based access control.
Fine-grained access control policies based on domain, path, user, group, and network for precise authorization.
Native integration with nginx, Traefik, Caddy, HAProxy, Envoy, and Skipper via forward-auth and ExtAuthz endpoints.
Support for WebAuthn/FIDO2 passwordless login using hardware security keys and platform authenticators.
Use Cases
Deploy a self-hosted SSO solution for internal web applications and services without relying on cloud identity providers.
Protect self-hosted homelab applications with MFA and access control without exposing them to the internet unprotected.
Provide centralized authentication for small business web applications using LDAP and access control policies.
Act as an OpenID Connect provider for applications requiring OAuth 2.0 and OIDC-based authentication flows.
Integrations
Integration with nginx-based proxies including nginx, nginx-proxy-manager, and Swag via the auth_request module.
Native Traefik middleware integration via ForwardAuth for seamless authentication in Docker and Kubernetes environments.
Caddy forward-auth integration for protecting applications behind the Caddy web server.
User directory integration with LDAP, Active Directory, and FreeIPA for enterprise user management.
Official Helm chart available at the authelia/chartrepo GitHub repository for Kubernetes deployment.
Solutions
Complete self-hosted identity and access management solution for privacy-conscious deployments.
Enforce zero trust network access policies for internal applications with per-request authentication verification.