WHAT IS IT?
Authelia is an open source authentication and authorization server that sits in front of your web apps through a reverse proxy (nginx, Traefik, Caddy, HAProxy, Envoy). It exposes an SSO portal, 2FA and an OpenID Connect provider, so any self-hosted service can be protected, including those with no built-in user management.
WHY IS IT INTERESTING?
- Transparent to apps: authentication is enforced at the reverse proxy layer via forward-auth, so your services stay unaware of it.
- Serious 2FA: TOTP, WebAuthn/Passkeys (FIDO2) and Duo Push, not just SMS.
- Certified OpenID Connect: OIDC 1.0 / OAuth 2.0 provider certified for Basic, Implicit, Hybrid, Form Post and Config OP.
- Rule-based access control: fine-grained ACLs by subdomain, user, group, URI, HTTP method and source network.
- Production-ready: SQL backend (MySQL, PostgreSQL, SQLite), Redis sessions, Kubernetes integrations and HA support.
- Self-hosted and lean: a single Go binary and a Docker image, no third-party SaaS holding your identities.
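As an added example of the forward-auth wiring described above (not configuration from the Authelia project or this page), here is a Traefik dynamic configuration that sends every request for a protected host to Authelia first and only forwards it upstream on a 200. The hostnames, the container names `authelia` and `grafana`, and the `websecure` entry point are assumptions; the `/api/authz/forward-auth` endpoint is the one Authelia 4.38 and later expose for Traefik.

```yaml
# Traefik dynamic configuration (file provider), added example.
# Assumed: Authelia reachable at http://authelia:9091, Grafana at http://grafana:3000.
http:
  middlewares:
    authelia:
      forwardAuth:
        # Authelia answers 200 (allow) or 401/302 (send the user to the portal).
        address: "http://authelia:9091/api/authz/forward-auth"
        # Authelia needs X-Forwarded-Host/Proto/Uri to know which URL is being
        # requested, so the proxy must forward those headers.
        trustForwardHeader: true
        # Identity headers Authelia sets on success, passed on to the app.
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Email
          - Remote-Name

  routers:
    # The portal itself is routed without the middleware.
    authelia:
      rule: "Host(`auth.example.com`)"
      entryPoints: [websecure]
      service: authelia
      tls: {}
    # Any router that lists the middleware is protected; the app itself
    # has no idea Authelia exists.
    grafana:
      rule: "Host(`grafana.example.com`)"
      entryPoints: [websecure]
      middlewares: [authelia]
      service: grafana
      tls: {}

  services:
    authelia:
      loadBalancer:
        servers:
          - url: "http://authelia:9091"
    grafana:
      loadBalancer:
        servers:
          - url: "http://grafana:3000"
```

Two things to check after deploying this: the protected app must not be reachable on its own port from outside the proxy network, otherwise the middleware is trivially bypassed, and the app should be configured to trust the `Remote-*` headers only when they come from the proxy, since anything that can reach the app directly could set them.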
USE CASES
- Adding SSO and 2FA in front of a homelab full of self-hosted services (Jellyfin, Nextcloud, Grafana, etc.).
- Replacing Keycloak when it feels overkill for modest OIDC needs.
- Enforcing WebAuthn only on sensitive subdomains (admin, backups) while keeping plain login elsewhere.
- Centralizing authentication for a Kubernetes cluster behind nginx-ingress or Traefik.
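The rule-based access control and the "stronger login only on sensitive subdomains" use case, as an added example of Authelia's `access_control` section (not taken from the project's documentation or this page). The domains, groups and network ranges are assumptions. Note that the policy level Authelia enforces is `two_factor`; which second factor the user presents (TOTP, WebAuthn, Duo) depends on what that user has enrolled, not on the rule.

```yaml
# Authelia configuration.yml excerpt, added example.
# Rules are evaluated top to bottom; the first rule whose domain, resource,
# subject, method and network all match decides the policy.
access_control:
  # Anything no rule matches is refused.
  default_policy: deny

  networks:
    - name: lan
      networks:
        - 192.168.1.0/24   # assumed home LAN
        - 10.0.0.0/8       # assumed VPN range

  rules:
    # Static assets of a media server need no login at all.
    - domain: 'jellyfin.example.com'
      resources:
        - '^/web/assets/.*$'
      policy: bypass

    # Sensitive hosts: second factor, admins only, and only from the LAN.
    - domain:
        - 'admin.example.com'
        - 'backups.example.com'
      policy: two_factor
      subject: 'group:admins'
      networks:
        - lan

    # A non-admin (or an admin coming from the internet) does not match the
    # rule above and would otherwise fall through to the catch-all below,
    # so refuse explicitly.
    - domain:
        - 'admin.example.com'
        - 'backups.example.com'
      policy: deny

    # Grafana: anyone may read with a password, only ops may change things,
    # and changes require a second factor.
    - domain: 'grafana.example.com'
      methods: ['POST', 'PUT', 'PATCH', 'DELETE']
      policy: two_factor
      subject: 'group:ops'
    - domain: 'grafana.example.com'
      policy: one_factor

    # Every other service under the domain: plain login.
    - domain: '*.example.com'
      policy: one_factor
```

The explicit `deny` rule is the part people most often forget: a rule with a `subject` simply does not match users outside that subject, it does not deny them, so without it the wildcard `one_factor` rule would let any authenticated user into the admin hosts. Ordering matters for the same reason; put the most specific rules first and the wildcard last.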
