Keycloak or alternative?

https://lemmy.world/u/reabsorbthelight posted on Mar 7, 2026 19:43

I have a Talos k8s setup now and I’m trying to add various services. I have discovered that my old htpasswd file won’t cut it for auth.

I want to host the following,

  1. WebDAV solution (currently sftpgo)
  2. Invidious
  3. *arr tools
  4. Bitwarden

Should I go with keycloak? Are there better auth services?

https://lemmy.world/post/43968686
https://lemmy.horwood.cloud/u/mhzawadi posted on Mar 7, 2026 20:00
In reply to: https://lemmy.world/post/43968686

Keycloak is amazing for no money, I use it connected to my Google workspace.

https://lemmy.horwood.cloud/comment/2007389
https://lm.boing.icu/u/huangrydude posted on Mar 7, 2026 20:06
In reply to: https://lemmy.world/post/43968686

I have been using Authentik for several years now, works great with k8s. Not sure about the difference between Keycloak and Authentik tho (feature-wise).

https://lm.boing.icu/comment/1890520
https://feddit.org/u/lwe posted on Mar 7, 2026 20:10
In reply to: https://lemmy.world/post/43968686

If you are not on the warpath with Webauthn I can highly recommend PocketID. It’s just so damn convenient. But note that the arrs don’t come with a good solution for oidc login. But you can use something like tinyauth or an auth forwarder in your reverse proxy.

https://feddit.org/comment/11898552
https://lemmy.world/u/folekaule posted on Mar 7, 2026 20:10
In reply to: https://lemmy.world/post/43968686

For very simple Kubernetes and Docker environments, I’ve used Dex IdP with good results. It’s low on features, but easy to set up.

https://lemmy.world/comment/22535100
https://piefed.social/u/0x0f posted on Mar 7, 2026 20:40
In reply to: https://lemmy.world/post/43968686

I used to love keycloak, but lately they’ve made changes that make client setup feel very complicated. I switched to authentik a while back and I feel it’s far easier to deal with. 

https://piefed.social/comment/10435966
https://lemmy.world/u/ccunix posted on Mar 7, 2026 20:55
In reply to: https://lemmy.world/post/43968686

I’ve been using Authentik for a while now and it works very well. There is also a Terraform provider to manage it as code. I do mostly OIDC, but also use it as a proxy for a few things that do not support that and just need to be locked down (ESPHome and Longhorn dashboards, for example).

The disadvantage is that it is not the lightest option. If that is important to you, look at Authelia.

https://lemmy.world/comment/22535639
https://slrpnk.net/u/poVoq posted on Mar 7, 2026 22:23
In reply to: https://lemmy.world/post/43968686

https://github.com/lldap/lldap is much simpler.

https://slrpnk.net/comment/21123462
https://quokk.au/u/hesh posted on Mar 8, 2026 00:29
In reply to: https://lemmy.world/post/43968686

I use Authelia and it’s worked perfectly to put auth in front of my services, including OAuth.

https://quokk.au/comment/3601382
https://piefed.blahaj.zone/u/irotsoma posted on Mar 8, 2026 06:09
In reply to: https://lemmy.world/post/43968686

Keycloak has some learning curve, but it’s the best OpenID Connect client and the most configurable and feature rich open source SSO system with the fewest major issues that I’ve used. And I use traefik for a reverse proxy, so for things that don’t support SSO directly thomseddon/traefik-forward-auth works flawlessly with Keycloak to provide an auth layer to those apps.

https://piefed.blahaj.zone/comment/3639637
https://lemmy.hogru.ch/u/JustTesting posted on Mar 8, 2026 09:03
In reply to: https://lm.boing.icu/comment/1890520

I feel Authentik is at the sweet spot between complexity/features (keycloak) and ease of setup (authelia)

https://lemmy.hogru.ch/comment/7803056
https://programming.dev/u/moonpiedumplings posted on Mar 8, 2026 10:37
In reply to: https://lemmy.world/post/43968686

Authentik is definitely the best of all I’ve tried. It has the most features, supporting both ldap and oauth, and also has an official helm chart.

https://programming.dev/comment/22596450
https://lemmy.world/u/reabsorbthelight posted on Mar 8, 2026 11:06
In reply to: https://programming.dev/comment/22596450

Yeah, I just set it up. Amazingly straightforward. I still have PTSD from keycloak, so I’m glad there’s an alternative.

https://lemmy.world/comment/22543799
https://lemmy.ml/u/nfreak posted on Mar 8, 2026 15:46
In reply to: https://programming.dev/comment/22596450

It’s kind of funny, I initially tried Authentik and ran into issues getting it working, so I went with Authelia instead, but eventually went back to try Authentik again because I wanted to customize the CSS and felt I was outgrowing Authelia, and it just worked. Not sure what I was doing wrong the first time, but oh well.

I will say though the latest release has a major bug where worker instances are eating up db connections to the point where the entire thing crashes, so while I’ve generally been happy with it, definitely need to do some careful research before blindly upgrading.

https://lemmy.ml/comment/24409018
https://programming.dev/u/moonpiedumplings posted on Mar 8, 2026 16:39
In reply to: https://lemmy.ml/comment/24409018

In addition to adding more worker instances, you can also increase the amount of threads each worker instance uses to vertically scale. It’s about equivalent to adding a worker instance.

https://programming.dev/comment/22600676
https://lemmy.world/u/RonnyZittledong posted on Mar 8, 2026 18:15
In reply to: https://lemmy.world/post/43968686

I chose Keycloak because it seemed the most battle tested and least likely to just stop receiving updates and die and that is worth a lot to me. The most annoying thing for me was their storing usernames in lower case but after I figured out how to create custom SPI plugins I got that sorted out.

https://lemmy.world/comment/22549073
https://feddit.org/u/silenium_dev posted on Mar 8, 2026 21:11
In reply to: https://lemmy.world/post/43968686

I’m on Keycloak + lldap for user provisioning and services that don’t support OIDC or SAML. I have yet to find an OAuth or SAML feature it doesn’t have. It does have a steep learning curve tho, so Authentik is maybe a better solution to get started with. I personally hit a wall with Authentik when I was trying to get different signature key algorithms for different services (some services have a different supported set of key algorithms than others) and custom plugins for custom JWT fields and user attributes. I believe Authentik has something for extensions as well, but Keycloak is just Java, which has a much better development and deployment experience than throwing a .py or .js file in some directory and hoping it works.

https://feddit.org/comment/11913811