I switched from Keycloak to authentik

Why I switched and what I learned!

Image showing the Keycloak and authentik logos. In the bottom right corner there's a sticker of my dragon standing next to a burning pot of fire. The facial expression shows a "what? how?!".
(Sticker by @Ikaika)

It's been over a year since I've set up my Keycloak instance. I thought it would be cool to only have SSO (single sign-on) for my services, so I searched for something self-hostable and found... Keycloak! Yeah, it looked a bit complicated, but surely, it can't be THAT complicated to set up, right? ... RIGHT?

A sticker of my dragon with a smug expression, leaning on a desk next to a computer - giving off a “You don’t say?” vibe.
I think you already know the answer. (Sticker by @Ikaika)

I had many plans with Keycloak - like setting up SSO for each service I'd need for my Discord team. Well, this didn't really happen. There was only one other person who helped me test this stuff, and not even that person used it a lot. I mean, we already had Nextcloud as an SSO provider. Also, needing to set up a new realm, including new user accounts, was annoying. And, well... in the end, Keycloak didn't support simple things that I definitely wanted to have - like WebAuthn.

Okay, Keycloak technically supports WebAuthn, but the only helpful guide I found was using an outdated version of Keycloak and I just wasn't able to enable it completely. I tried it anyway and it... kinda worked? But sadly not fully.

A sticker of my dragon standing next to a burning pot of fire. The facial expression shows a "what? how?!".
What did I do wrong?! (Sticker by @Ikaika)

So, after a lot of struggling, I complained on Mastodon:

Post by @SteffoSpieler@fellies.social

And luckily, I got a very helpful reply from arch, mentioning that he "would definitely recommend authentik or PocketID over Keycloak. Way easier". This not only showed me that I was right about Keycloak being difficult, but also gave me alternatives. I looked into both alternatives and found that authentik would be the one that fills my needs the best.

The Switch

As my current configuration in Keycloak wasn't the best, I planned to install authentik from scratch - meaning I didn't migrate any data from Keycloak. I mean, I don't know if that would've been possible anyway, but to be honest, that could have saved me some issues. I started with the recommended docker-compose.yml file, added some important things like secrets and email credentials to my .env file and set up my reverse proxy.

Setup was straightforward, even though I didn't see the link to the setup page at first... This could've saved me a few minutes.

At first, I didn't understand how to add services to authentik. It's definitely different from what I know from Keycloak. Apparently, you need to add a Provider for each Application... Huh! (I don't fully understand why, but... okay, sure...) At least the documentation was useful, and the user interface is easy to understand for someone who doesn't do this professionally. (Unlike how it is with Keycloak cough...)

After some configuration changes (like enabling "remember me") I can say: I'm quite happy with authentik. It works like a charm and now that I've set up some services with authentik SSO, I understand the world of SSO a bit more. I also prepared a group for the Discord team - if we ever decide to use this SSO.

One thing I don't like is the mobile UI of the user settings. It's cut off on the right side and makes it really difficult to set some things up. I hope this is getting better at some point!

I mean, I could still use some explanations for this, but at least it works!

Nice!

A sticker of my dragon being a bit chompy, but happy.
(Sticker by @Ikaika)
❤️
Thanks to Violet for proofreading this post.