Authelia is an open-source authentication and authorization server that offers 2FA and SSO for applications through a web portal. It works alongside reverse proxies to permit, deny, or redirect requests.
Authelia connects directly to the reverse proxy but never to the application backends. Therefore, payloads sent by clients of the protected API never reach Authelia—only the authentication components, such as the Authorization header, do. As a result, the protected APIs can be REST, GraphQL, or any other type of API over HTTP.
Authelia features
James Elliott, one of Authelia’s developers, outlined several features that are completely different from most other solutions in this space:
Declarative configuration. This feature is probably the one most users find as a differentiator. Because the configuration is entirely done without a UI and is a configuration file, it makes it incredibly easy to work with when considering deployment methodologies like Ansible (and other configuration managers), Helm; and subsequently GitOps Workflows.
Very low footprint. Authelia itself during normal operation uses between 20-25MB of RAM and often has a CPU utilization that is not visible with the exclusion of password hashing operations.
The development process for Authelia aims to forego implementations in instances where the security implications are questionable. We’d rather say no to a feature than introduce a feature that makes it easy for a misunderstanding to lead to users causing a negative security outcome. This is reflected by our efforts to improve our practices to meet more of the OpenSSF Security Best Practices. We are currently satisfied with the passing score but aim to get Gold, or at the very least Silver.
We started as a direct integration with popular reverse proxies in a way that augmented the security of applications served by the reverse proxy. This allows for an authentication flow transparent to the user and for the most part application agnostic. Even if the apps have zero support for an SSO implementation, this flow will likely work with it somehow.
Authelia works with nginx, Traefik, Caddy, Skipper, Envoy, or HAProxy.
The tool supports hardware-based second factors for additional security using FIDO2 WebAuthn-compatible security keys, such as YubiKeys.
Future plans and download
Elliott told us their focus is on OpenID Connect 1.0 and WebAuthn.
OpenID Connect 1.0
The next version of Authelia:
- Will pass 100% of the standard conformance profiles with the notable exception being Dynamic Client Registration.
- Will include the Device Code Flow.
- Will include support for the claims authorization parameter allowing Relying Parties to request only the claims relevant to them.
“We’re also looking to the future regarding security and privacy of our implementation by slowly adding the Financial-grade API aspects to Authelia such as RFC9126 Pushed Authorization Requests which is already implemented. The Financial-grade API appears in most situations to be a sensible set of security defaults and helpful features that improve security and privacy and fits well into the goals of Authelia,” Elliott said.
WebAuthn
The next version of Authelia will extend WebAuthn support by adding:
- Passkey registration and login.
- AAGUID filtering.
- More rigorous validation of the attestations via the MDS3 entries.
Authelia is available for free on GitHub.
Must read: