# Authentik app providers

How different apps hook into Authentik, and why SaxDocs uses Cloudflare Access instead of forward-auth.
Authentik runs at auth.saxobroko.com. Admin credentials live in Vaultwarden.
## Integration patterns
| Pattern | How it works | Best for |
|---|---|---|
| Forward auth / proxy | Reverse proxy asks Authentik "is this session valid?" before forwarding to the app | Self-hosted apps on TrueNAS behind NPM or native proxy |
| Native OIDC / OAuth | App redirects to Authentik login; app validates tokens itself | Apps with built-in OIDC (some dashboards, custom apps) |
| Cloudflare Access + OIDC | Cloudflare sits at the edge; Access delegates login to Authentik as IdP | Static sites on Cloudflare Pages with no backend on LAN |
SaxDocs cannot use forward-auth on the NAS — it is static files on Pages. Access is the edge gate.
## Apps today
| App | URL | Integration | Notes |
|---|---|---|---|
| Homepage | dash.saxobroko.com | Forward auth / proxy | User hits dash → Authentik login → dashboard tiles. See Homepage. |
| Vaultwarden | vault.saxobroko.com | fill in — forward auth and/or Bitwarden SSO | Bitwarden clients use server URL; web vault may sit behind Authentik. See Bitwarden. |
| SaxDocs | docs.saxobroko.com | Cloudflare Access → Authentik OIDC | Not forward-auth. Access app + matching OAuth2 provider in Authentik. Live. |
| Authentik | auth.saxobroko.com | — | Must not be behind Access (login loop). |
## Homepage / dash (forward auth)
Typical homelab flow:
```text
Browser → dash.saxobroko.com
  → Cloudflare Tunnel → NPM or app proxy
  → Authentik forward auth (session check)
  → Homepage
```
Configure an Authentik Provider + Application for Homepage. Proxy (NPM or Traefik) sends auth headers or redirects unauthenticated users to Authentik.
Same username/password as other Authentik apps after first login.
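The forward-auth flow above, written out as an nginx server block (an added example, not the page's or the NPM instance's actual config). The upstream names `homepage:3000` and `authentik-outpost:9000` and the plain-HTTP listener behind the tunnel are assumptions; the `/outpost.goauthentik.io` paths are Authentik's proxy-outpost endpoints.

```nginx
# Assumed upstreams: homepage:3000 (Homepage) and authentik-outpost:9000
# (Authentik proxy outpost). Assumes cloudflared reaches this proxy over
# plain HTTP on the LAN; TLS is terminated at Cloudflare.
server {
    listen 80;
    server_name dash.saxobroko.com;

    # Authentik session headers can be large; enlarge proxy buffers.
    proxy_buffers 8 16k;
    proxy_buffer_size 32k;

    location / {
        # Every request is first checked against the outpost; a 401 means
        # no valid Authentik session, so hand the user to the login flow.
        auth_request     /outpost.goauthentik.io/auth/nginx;
        error_page       401 = @goauthentik_proxy_signin;

        # Pass any session cookie set by the outpost back to the browser.
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;

        # Forward identity headers from the outpost to Homepage. Homepage
        # must only be reachable through this proxy, otherwise a client
        # could supply these X-authentik-* headers itself.
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email    $upstream_http_x_authentik_email;
        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups   $authentik_groups;
        proxy_set_header X-authentik-email    $authentik_email;

        proxy_pass http://homepage:3000;
    }

    # Subrequest target plus the login/callback endpoints served by the outpost.
    location /outpost.goauthentik.io {
        proxy_pass              http://authentik-outpost:9000/outpost.goauthentik.io;
        proxy_set_header        Host $host;
        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
    }

    # Send unauthenticated users to Authentik and return them afterwards.
    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}
```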
## Vaultwarden
Vaultwarden supports several auth modes. Common setup:
- Clients (phone/desktop): server URL https://vault.saxobroko.com, master password + 2FA in Bitwarden apps
- Web access: may use Authentik forward auth in front of the web vault, or Bitwarden SSO if configured
Fill in exact provider type and NPM/proxy config when documenting.
Do not store Vaultwarden admin or master passwords in SaxDocs.
## SaxDocs (Cloudflare Access)
Different stack — no LAN proxy:
```text
Browser → docs.saxobroko.com (Pages)
  → Cloudflare Access (Authentik IdP)
  → auth.saxobroko.com login
  → back to docs
```
Setup in Authentik: OAuth2 provider with slug `cloudflare-access` and redirect URI `https://saxobroko.cloudflareaccess.com/cdn-cgi/access/callback`.
GitHub Actions deploy bypasses browser Access (API token to Pages). Readers need Access; CI does not.
## WAF requirements
- auth.saxobroko.com excluded from the block-non-AUs rule and not behind Access
- Bot Fight Mode off (required for Access OIDC)
- See WAF and access rules
## Adding a new Authentik-protected app
- Run app on TrueNAS; add tunnel hostname if public
- Forward auth path: create Provider + Application in Authentik; configure NPM/proxy outpost
- OIDC path: use app-native OIDC settings with Authentik client ID/secret
- Pages / static at edge: use Cloudflare Access pattern like SaxDocs
- Add hostname to WAF rules as appropriate (WAF doc)
## Related
- Authentik — SaxDocs Access setup and troubleshooting
- Homepage — dash tiles
- Bitwarden — Vaultwarden
- This docs site — SaxDocs deploy