homelab 2 April 2026

Deploying Authentik SSO across the homelab

Replacing per-service authentication with centralised SSO backed by Google OAuth. OIDC for Grafana, Immich, Portainer; forwardAuth for everything else.

Tags: authentik, sso, traefik, oauth

I wanted single sign-on across the homelab — log in once, access everything. Per-service auth (Grafana’s built-in login, Immich’s Google OAuth, Pi-hole’s password) was manageable but increasingly annoying, especially when accessing things remotely.

Target architecture

User → Authentik login → Google OAuth (upstream) → Authentik session → Service

Authentik acts as the identity provider. Google is the upstream social login — I already use it everywhere, so no new credentials to manage. Services either integrate natively via OIDC or sit behind Traefik’s forwardAuth middleware.

Service integration

Service            Method        Notes
Grafana            Native OIDC   First service migrated; lowest-risk test case
Immich             Native OIDC   Re-pointed from Google direct to Authentik
Portainer          Native OIDC   CE has limitations but works
Homepage           forwardAuth   Public at dashboard.gread.uk
Pi-hole            forwardAuth   No native OIDC, pure bouncer. Keeps its own password as LAN break-glass
Traefik dashboard  forwardAuth   Replaced basic auth
Prometheus         forwardAuth   Internal only

What took the most time

The checklist had 9 phases and looked straightforward. The actual work was considerably more involved:

  • Authentik’s OIDC configuration is flexible but has a lot of moving parts — providers, applications, outposts, property mappings, and authentication flows all need to line up
  • Immich family users (Rosie and family) needed their Google accounts to still work through the new Authentik layer without disruption
  • Public shared links on Immich needed to remain accessible without authentication — this required careful scoping of the forwardAuth rules
  • Session expiry needed to be tuned per-service: weeks for Immich (used daily by family), hours for admin tools
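The forwardAuth scoping and middleware ordering described above, as an added Traefik dynamic-configuration example (not the config from this homelab). It assumes Authentik's embedded outpost is reachable at authentik-server:9000, that a CrowdSec bouncer middleware named crowdsec-bouncer is defined elsewhere in the same file, and that the public share-link path prefix and the hostnames are placeholders to be checked against the real app:

```yaml
http:
  middlewares:
    # forwardAuth: Traefik asks the Authentik embedded outpost whether the
    # request carries a valid session; an unauthenticated user is redirected
    # to the Authentik login flow. The X-authentik-* headers are passed on to
    # the backend so it can identify the user.
    authentik:
      forwardAuth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid

    # Chain order matters: the bouncer runs before auth, so it sees the
    # original client IP on every request, including the ones that end in
    # a login redirect. (crowdsec-bouncer is assumed to be defined elsewhere.)
    protected:
      chain:
        middlewares:
          - crowdsec-bouncer
          - authentik

  routers:
    # Higher-priority router for public share links: bouncer only, no auth.
    # "/share/" is an assumed prefix; any API paths the share page calls
    # without a session must be listed here too, or the page breaks.
    immich-share:
      rule: "Host(`immich.example.lan`) && PathPrefix(`/share/`)"
      priority: 20
      middlewares:
        - crowdsec-bouncer
      service: immich

    # Catch-all for the same host goes through the full protected chain.
    immich:
      rule: "Host(`immich.example.lan`)"
      priority: 10
      middlewares:
        - protected
      service: immich

  services:
    immich:
      loadBalancer:
        servers:
          - url: http://immich-server:2283   # assumed backend address
```

A quick check after applying this: an unauthenticated request to the share prefix should return the page, while the same request to any other path on the host should answer with a redirect to Authentik.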

Break-glass paths

If Authentik goes down, forwardAuth-protected services become inaccessible from outside. Pi-hole keeps its own password for LAN access regardless. The NAS is always directly accessible on the LAN. The Authentik emergency recovery key is stored offline.

Result

Log in once via Google through Authentik, access Grafana, Immich, Portainer, Homepage, Pi-hole, and Traefik dashboard without re-authenticating. Single logout works. MFA enforced. CrowdSec still sees real client IPs through the middleware chain.