Authentik app providers

How different apps hook into Authentik — and why SaxDocs uses Cloudflare Access instead of forward-auth.

Authentik runs at auth.saxobroko.com. Admin credentials live in Vaultwarden.

Integration patterns

| Pattern | How it works | Best for |
|---|---|---|
| Forward auth / proxy | Reverse proxy asks Authentik "is this session valid?" before forwarding to the app | Self-hosted apps on TrueNAS behind NPM or native proxy |
| Native OIDC / OAuth | App redirects to Authentik login; app validates tokens itself | Apps with built-in OIDC (some dashboards, custom apps) |
| Cloudflare Access + OIDC | Cloudflare sits at the edge; Access delegates login to Authentik as IdP | Static sites on Cloudflare Pages with no backend on LAN |

SaxDocs cannot use forward-auth on the NAS — it is static files on Pages. Access is the edge gate.

Apps today

| App | URL | Integration | Notes |
|---|---|---|---|
| Homepage | dash.saxobroko.com | Forward auth / proxy | User hits dash → Authentik login → dashboard tiles. See Homepage. |
| Vaultwarden | vault.saxobroko.com | fill in — forward auth and/or Bitwarden SSO | Bitwarden clients use server URL; web vault may sit behind Authentik. See Bitwarden. |
| SaxDocs | docs.saxobroko.com | Cloudflare Access → Authentik OIDC | Not forward-auth. Access app + matching OAuth2 provider in Authentik. Live. |
| Authentik | auth.saxobroko.com | | Must not be behind Access (login loop). |

Homepage / dash (forward auth)

Typical homelab flow:

Browser → dash.saxobroko.com
       → Cloudflare Tunnel → NPM or app proxy
       → Authentik forward auth (session check)
       → Homepage

Configure an Authentik Provider + Application for Homepage. Proxy (NPM or Traefik) sends auth headers or redirects unauthenticated users to Authentik.

Same username/password as other Authentik apps after first login.

Vaultwarden

Vaultwarden supports several auth modes. Common setup:

  • Clients (phone/desktop): server URL https://vault.saxobroko.com, master password + 2FA in Bitwarden apps
  • Web access: may use Authentik forward auth in front of the web vault, or Bitwarden SSO if configured

Fill in exact provider type and NPM/proxy config when documenting.

Do not store Vaultwarden admin or master passwords in SaxDocs.

SaxDocs (Cloudflare Access)

Different stack — no LAN proxy:

Browser → docs.saxobroko.com (Pages)
       → Cloudflare Access (Authentik IdP)
       → auth.saxobroko.com login
       → back to docs

Setup: Authentik — OAuth2 provider slug cloudflare-access, redirect URI https://saxobroko.cloudflareaccess.com/cdn-cgi/access/callback.

GitHub Actions deploy bypasses browser Access (API token to Pages). Readers need Access; CI does not.

WAF requirements

  • auth.saxobroko.com excluded from block no aus and not behind Access
  • Bot Fight Mode off — required for Access OIDC
  • See WAF and access rules
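The script below is an added example written for this page; it is not SaxDocs tooling and not part of Authentik or Cloudflare. It probes the OIDC discovery document of the cloudflare-access provider without following redirects, so the two failure modes described above become visible: a bounce to cloudflareaccess.com means Authentik itself is behind Access (the login loop), and a 403 or a non-JSON interstitial means a WAF rule or Bot Fight Mode is blocking the IdP. It also compares a provider redirect URI against the Access callback from the setup line. Assumptions: Authentik's per-provider discovery path `/application/o/<slug>/.well-known/openid-configuration`, the redirect URI is supplied by hand (the script does not call the Authentik API), and the user-agent string and any sample responses are constructed.

```python
"""Check that the Authentik IdP behind Cloudflare Access is reachable and sane.

Added example for this page; not SaxDocs' own script. Assumptions are marked.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

AUTHENTIK_HOST = "auth.saxobroko.com"   # from the page
PROVIDER_SLUG = "cloudflare-access"     # from the page
EXPECTED_REDIRECT = "https://saxobroko.cloudflareaccess.com/cdn-cgi/access/callback"  # from the page
# Assumption: Authentik serves per-provider OIDC discovery under this path.
DISCOVERY_URL = (
    f"https://{AUTHENTIK_HOST}/application/o/{PROVIDER_SLUG}/.well-known/openid-configuration"
)
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


@dataclass
class Probe:
    """Minimal view of one HTTP response: status, Location header, body."""
    status: int
    location: Optional[str]
    body: str


def classify(probe: Probe) -> List[str]:
    """Return the problems seen in a discovery probe; an empty list means healthy."""
    problems: List[str] = []
    loc = probe.location or ""
    if probe.status in (301, 302, 303, 307, 308) and "cloudflareaccess.com" in loc:
        # The IdP is itself gated by Access: Access -> Authentik -> Access -> ...
        problems.append("authentik is behind Cloudflare Access: login loop")
    elif probe.status == 403:
        problems.append("403 from edge: WAF rule or Bot Fight Mode is blocking the IdP")
    elif probe.status != 200:
        problems.append(f"unexpected status {probe.status}")
    else:
        try:
            doc = json.loads(probe.body)
        except json.JSONDecodeError:
            # A bot-challenge or block page comes back as HTML, not JSON.
            problems.append("discovery document is not JSON (interstitial page?)")
            return problems
        for key in REQUIRED_KEYS:
            if key not in doc:
                problems.append(f"discovery document missing {key}")
        issuer = doc.get("issuer", "")
        if not issuer.startswith(f"https://{AUTHENTIK_HOST}/"):
            problems.append(f"issuer {issuer!r} is not on {AUTHENTIK_HOST}")
    return problems


def check_redirect_uri(configured: str, expected: str = EXPECTED_REDIRECT) -> List[str]:
    """OIDC redirect URIs are matched exactly; flag the two most common near-misses."""
    if configured == expected:
        return []
    if configured.rstrip("/") == expected.rstrip("/"):
        return ["redirect URI differs only by trailing slash; make it exact"]
    if configured.replace("http://", "https://", 1) == expected:
        return ["redirect URI uses http; must be https"]
    return [f"redirect URI {configured!r} does not match expected Access callback"]


def probe_discovery(url: str = DISCOVERY_URL, timeout: float = 10.0) -> Probe:
    """Fetch the discovery document without following redirects so an Access bounce is visible."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # let 3xx surface as HTTPError instead of being followed

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "idp-check/1 (constructed)"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python idp_check.py [configured_redirect_uri]
    issues = classify(probe_discovery())
    if len(sys.argv) > 1:
        issues += check_redirect_uri(sys.argv[1])
    for issue in issues:
        print("FAIL:", issue)
    print("OK" if not issues else f"{len(issues)} problem(s)")
    sys.exit(1 if issues else 0)
```

Run it from outside the LAN (the same vantage point Cloudflare Access uses) after changing WAF rules or the Access application; a clean run is a 200 with a JSON body whose issuer is on auth.saxobroko.com, which is exactly what Access needs to complete the OIDC exchange.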

Adding a new Authentik-protected app

  1. Run app on TrueNAS; add tunnel hostname if public
  2. Forward auth path: create Provider + Application in Authentik; configure NPM/proxy outpost
  3. OIDC path: use app-native OIDC settings with Authentik client ID/secret
  4. Pages / static at edge: use Cloudflare Access pattern like SaxDocs
  5. Add hostname to WAF rules as appropriate (WAF doc)