Authelia vs Authentik: Choosing a Self-Hosted SSO You Won't Regret

Two ways to put a single front door on your whole homelab

There comes a moment in every homelab’s life when you realise you have a dozen logins. Grafana wants a password. So does Sonarr, and Radarr, and that Nextcloud instance, and the thing you spun up at 2am and have already forgotten the credentials for. Each one is its own little island of authentication, half of them reusing the same password because you’re only human, and exactly none of them have multi-factor authentication because configuring it twelve times sounded like a Tuesday you’d rather not have.

The fix is single sign-on (SSO): one login, sitting in front of everything, that the rest of your services trust. Log in once, and a session cookie carries you everywhere. Two open-source projects dominate this space for self-hosters: Authelia and Authentik. They solve the same problem from opposite ends, and picking the wrong one means either fighting YAML you didn’t need or babysitting a database you didn’t want.


Most homelab services already sit behind a reverse proxy: Traefik, nginx, or Caddy. Forward-auth (Traefik calls it ForwardAuth, nginx calls it auth_request, Caddy calls it forward_auth) is a neat trick where, before the proxy serves a request, it phones a friend with a sub-request: "is this person allowed in?" That friend is your SSO server. The sub-request carries the original request's host, path and cookies, and the answer is an HTTP status: a 2xx means "serve it", anything else is handed back to the client instead of the app. If there's no valid session, the user gets bounced to a login page; once they're authenticated, the proxy lets the request through and the session cookie carries them everywhere.

The beauty is that the protected app needs no changes whatsoever. Sonarr doesn't know or care that something is guarding its front door. This is how you put MFA in front of an application that has never heard of MFA. The one rule you must not break is that the app has to be reachable only through the proxy: if Sonarr's port is also published on the host, or the app accepts identity headers from anyone who can connect, the front door can simply be walked around. Keep the container on the proxy's Docker network and don't publish its port.

Authelia is a single Go binary with a small memory footprint; it'll happily run in well under 100MB of RAM. Everything is configured through a configuration.yml file. Users live in a flat file or an LDAP backend; sessions can be kept in memory (single instance only, and gone on restart) or in Redis; a storage backend, SQLite by default or MySQL/PostgreSQL, holds what must survive a restart, such as TOTP secrets and WebAuthn credentials; and access control is a list of rules you write by hand.

It does TOTP and WebAuthn for second factors, and its killer feature is per-rule policy. You decide which paths need one factor, two factors, or are public:

access_control:
  default_policy: deny
  rules:
    - domain: 'grafana.example.com'
      policy: one_factor
    - domain: 'sonarr.example.com'
      policy: two_factor
      subject: 'group:media'
    - domain: 'public.example.com'
      policy: bypass

Wiring it into Traefik is a forward-auth middleware applied as a label. The address below uses Authelia's legacy /api/verify endpoint, which only redirects an unauthenticated browser to the portal when the address also carries rd=https://auth.example.com/ (your portal URL); Authelia 4.38 and later add /api/authz/forward-auth, built for Traefik and Caddy, so check the docs for the version you run:

labels:
  - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rfc2616=true"
  - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
  - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email"
  - "traefik.http.routers.sonarr.middlewares=authelia@docker"
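To make the exchange concrete, here is a toy forward-auth server in Go, added here as an illustration; it is not Authelia's code and takes liberties with its semantics. It evaluates the three rules from the access_control block above with first-match semantics, resolves a session cookie to a constructed session, and answers the proxy's sub-request the way the middleware expects: 200 with Remote-User and Remote-Groups, 302 to the portal with rd= pointing back, or 403. The session store, the cookie name authelia_session, the users alice and bob, and the portal URL https://auth.example.com/ are all made up for the example, and treating an anonymous caller as matching a group rule (so they get a login prompt rather than a 403) is this example's choice.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Policy uses Authelia's access_control names; levelOf is the authentication
// level each policy demands (deny and bypass demand none).
type Policy string

const Deny, Bypass, OneFactor, TwoFactor Policy = "deny", "bypass", "one_factor", "two_factor"

var levelOf = map[Policy]int{OneFactor: 1, TwoFactor: 2}

// Rule is one access_control entry; Group "" means the rule applies to anyone.
type Rule struct {
	Domain, Group string
	Policy        Policy
}

// Session is what the cookie resolves to. Level 0 is anonymous, 1 is password
// only, 2 is password plus TOTP/WebAuthn. All sessions here are constructed.
type Session struct {
	User   string
	Groups []string
	Level  int
}

// groupMatches treats an anonymous caller as matching a group rule, so the
// verdict becomes "go and log in" rather than a bare 403 (this example's
// choice); once the caller is identified, membership has to be real.
func groupMatches(group string, s Session) bool {
	if group == "" || s.User == "" {
		return true
	}
	for _, g := range s.Groups {
		if g == group {
			return true
		}
	}
	return false
}

// Evaluate is first-match: the first rule whose domain and group both match
// decides, otherwise default_policy applies. Rule order therefore matters.
func Evaluate(rules []Rule, def Policy, host string, s Session) Policy {
	for _, r := range rules {
		if r.Domain == host && groupMatches(r.Group, s) {
			return r.Policy
		}
	}
	return def
}

// verifyHandler answers the proxy's sub-request: 200 plus Remote-* headers lets
// the original request through, 302 sends the browser to the portal with rd=
// pointing back, 403 means the policy is deny. Everything it decides on comes
// from X-Forwarded-* headers and a cookie the proxy forwarded, which is why the
// auth server must be reachable only through that proxy.
func verifyHandler(rules []Rule, def Policy, sessions map[string]Session, portal string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, path := r.Header.Get("X-Forwarded-Host"), r.Header.Get("X-Forwarded-Uri")
		var sess Session // stays anonymous unless the cookie names a live session
		if c, err := r.Cookie("authelia_session"); err == nil {
			sess = sessions[c.Value]
		}
		switch p := Evaluate(rules, def, host, sess); {
		case p == Bypass:
			w.WriteHeader(http.StatusOK)
		case p == Deny:
			http.Error(w, "forbidden", http.StatusForbidden)
		case sess.Level < levelOf[p]:
			http.Redirect(w, r, portal+"?rd="+url.QueryEscape("https://"+host+path), http.StatusFound)
		default:
			w.Header().Set("Remote-User", sess.User)
			w.Header().Set("Remote-Groups", strings.Join(sess.Groups, ","))
			w.WriteHeader(http.StatusOK)
		}
	})
}

// ForwardAuth plays the proxy: one sub-request carrying the original request's
// host, path and session cookie; it returns the status and headers the proxy acts on.
func ForwardAuth(h http.Handler, host, path, cookie string) (int, http.Header) {
	req := httptest.NewRequest("GET", "http://authelia:9091/api/verify?rfc2616=true", nil)
	req.Header.Set("X-Forwarded-Proto", "https")
	req.Header.Set("X-Forwarded-Host", host)
	req.Header.Set("X-Forwarded-Uri", path)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "authelia_session", Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header()
}

// DemoHandler wires the article's three rules to two constructed sessions:
// alice is in "media" with a second factor, bob is not in "media" and has
// only a password.
func DemoHandler() http.Handler {
	rules := []Rule{
		{Domain: "grafana.example.com", Policy: OneFactor},
		{Domain: "sonarr.example.com", Group: "media", Policy: TwoFactor},
		{Domain: "public.example.com", Policy: Bypass},
	}
	sessions := map[string]Session{
		"s-alice": {User: "alice", Groups: []string{"media"}, Level: 2},
		"s-bob":   {User: "bob", Groups: []string{"admins"}, Level: 1},
	}
	return verifyHandler(rules, Deny, sessions, "https://auth.example.com/")
}

func main() {
	code, hdr := ForwardAuth(DemoHandler(), "grafana.example.com", "/", "")
	fmt.Println(code, hdr.Get("Location")) // anonymous visitor: 302 to the portal, rd= pointing back at Grafana
}
```

Run it and an anonymous hit on Grafana comes back as a 302 to the portal; hand it the s-bob cookie and you get a 200 with Remote-User: bob, send bob at Sonarr and the default deny turns into a 403 because he is not in media, and alice, who has a second factor, gets through. The thing to notice is that every input to the decision (host, path, cookie) arrived in the sub-request the proxy built, so the whole scheme is only as trustworthy as the path between proxy and auth server.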

Two of those labels deserve a second look. trustForwardHeader=true tells the middleware to believe X-Forwarded-* headers already present on the request rather than rebuild them from what Traefik itself saw; that is what you want when Traefik sits behind another proxy you control, but when Traefik is the edge, make sure the entrypoint's forwardedHeaders settings (trustedIPs) only accept those headers from addresses you own, or a client can describe a different host or path to Authelia than the one it is really requesting. authResponseHeaders is what lets the app learn who logged in: Traefik deletes the listed headers from the incoming request and sets them from Authelia's reply, so an app that trusts Remote-User is safe behind the proxy and wide open if it can be reached any other way.

What you don't get is a pretty admin UI. There isn't one. You edit YAML, restart, and move on. For people who keep their infrastructure in Git, that's a feature: your entire auth policy is reviewable, version-controlled, and reproducible. For people who want to click buttons, it's friction.

Authentik is a different animal. It’s a Python/Django application with a worker process, a PostgreSQL database, and a Redis cache — so you’re looking at four or five containers and a few hundred megabytes of RAM minimum before you’ve authenticated anyone. In exchange, you get a full web admin UI and a genuine identity provider.

Where Authelia is mostly forward-auth, Authentik speaks the whole alphabet: OAuth2, OIDC, SAML, a proxy provider for the forward-auth use case, and an LDAP outpost so legacy apps can bind against it. If you want to log into a third-party SaaS app, or a self-hosted app that natively supports “Sign in with OIDC,” Authentik is built for exactly that. Authelia can do OIDC too, but Authentik makes it the centrepiece.

Its configuration model is flows and stages: a login flow is a sequence of steps (identification, password, MFA, consent) that you assemble and reorder in the UI. It’s powerful and flexible, and it has a learning curve. There’s a lot of UI to learn, and “where on earth is that setting” is a normal Tuesday for the first week.

  • Footprint: Authelia sips resources; Authentik needs Postgres and Redis and won’t apologise for it.
  • Config style: Authelia is YAML-in-Git; Authentik is point-and-click with an API underneath.
  • Protocols: Both do forward-auth and OIDC. Authentik adds first-class SAML and an LDAP outpost.
  • Maintenance: Authelia upgrades are “pull a new binary, mind the changelog.” Authentik upgrades carry a database, which means migrations, backups, and the occasional held breath.

If your goal is to slap MFA and one login in front of a stack of self-hosted apps behind a reverse proxy, and you like your config in version control, pick Authelia. It’s the lower-maintenance, lower-footprint choice, and for the classic homelab it’s the right answer roughly nine times out of ten. I run it, I rarely think about it, and that’s the highest praise I can give a piece of authentication software.

If you need to be a real identity provider — SAML for some app that demands it, OIDC for half a dozen things, an LDAP outpost for the awkward legacy box, and you genuinely want a GUI to manage users and groups — pick Authentik. It does more because it is more, and on the day you need that breadth you’ll be glad you paid the resource tax.

Pick the smallest tool that solves your actual problem. Then enjoy logging in once and never seeing twelve login screens again.

Written by Smarc

Founder and editor of vo.rs. A lifelong tinkerer who self-hosts far more than is sensible, hardens Linux boxes for fun, and prods the latest AI tools to see what they can really do. The how-to guides here are the notes Smarc wishes had existed the first time round.