Authelia

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies like nginx, Traefik or HAProxy to let them know whether requests should either be allowed or redirected to Authelia's portal for authentication.

The following is a simple diagram of the architecture:

Authelia can be installed as a standalone service from the AUR, APT, FreeBSD Ports, or using a Static binary, .deb package, Docker or Kubernetes either manually or via the Helm Chart (beta) leveraging ingress controllers and ingress configurations.

Here is what Authelia's portal looks like:

Features summary

This is a list of the key features of Authelia:

Several second factor methods: Security Key (U2F) with Yubikey. Time-based One-Time password with Google Authenticator. Mobile Push Notifications with Duo. Password reset with identity verification using email confirmation. Access restriction after too many invalid authentication attempts. Fine-grained access control using rules which match criteria like subdomain, user, user group membership, request uri, request method, and network. Choice between one-factor and two-factor policies per-rule. Support of basic authentication for endpoints protected by the one-factor policy. Highly available using a remote database and Redis as a highly available KV store. Compatible with Traefik out of the box using the ForwardAuth middleware. Curated configuration from LinuxServer via their Swag container as well as a guide. Kubernetes Support: Compatible with the ingress-nginx, the Traefik Kubernetes CRD, and the Traefik Kubernetes Ingress Kubernetes ingress controllers out of the box. Beta support for installing via Helm using our Charts. Beta support for OpenID Connect.