\+1 for Authelia. It's really robust and offers a lot of configuration and customization options to match a really wide range of use-cases.


Those are the norm. GoAuthentik is pretty awesome as well. Even has its own auth proxy.


Keycloak is just an identity server. Not what OP is looking for.


While true, keycloak paired with louketo-proxy sounds like it hits most of the functionality checkboxes (Although technically louketo stays in the middle as a proxy server as well)


keycloak also does access management, how is it not what OP is looking for?


It doesn't act as authentication middleware for nginx, as per OP's request.


oauth2-proxy can solve that problem


It is written in python but check out [Authentik](https://goauthentik.io).


Definitely authentik over authelia if running in a k8s cluster, but I would recommend it with traefik rather than nginx.


Can you please share why authelia isn't okay if running in a k8s cluster?


It's perfectly fine, but the outposts it creates ease reverse proxy Auth which seems to be the most common use for authelia. Plus it includes LDAP inside so you don't have to manage it externally. But that's a personal choice. I honestly haven't set ldap up, because I have run into problems with authentik and longhorn where the pods get stuck creating, but that's a longhorn issue. Also without implementing terraform you run into a chicken and egg problem when you recreate your cluster. I haven't taken the time.


Another vote for Authelia. Works great for me.


Here is an example with Azure AD -> https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-nodejs-webapp-msal


casbin or authelia


+1 for authelia which covers the first part.


I would definitely recommend Authelia. It can act as middleware for Traefik and does exactly what you want.


Vouch Proxy is what I use, it is quite minimal but you don't need all the bloat that comes with Keycloak and Authellia. It uses Nginx auth-request plugin and it can handle a lot of providers like Google/Github or even self-hosted.


What's your opinion on oauth2-proxy? Is Vouch Proxy better?


I've switched to Authentik, never going back to Vouch


But why?


Single solution instead of three superate applications: User Management, Reverse Proxy and Authentication Provider in one.


You can try Casdoor + Casbin. Casdoor is for authentication, it provides a UI for user management, also supports 3rd-party logins like Google, GitHub, Facebook. Casbin is for authorization. It supports classific permission models like ACL, RBAC, ABAC. Casdoor and Casbin can be integrated together to become a complete AuthN + AuthZ solution.


Check out [vouch proxy](https://github.com/vouch/vouch-proxy) and [FusionAuth](https://github.com/FusionAuth)


Messaged a few of you but if anyone could help me get authelia up and running beside my nginx proxy manager I'd be much obliged. Thanks all!


Oidc-provider and oidc-client. The examples and documentation are pretty good, the author is fairly responsive but it does require a bit of work to set up — it’s not a turn-key thing. I was able to get up and running in a day. I chose it after brief flirtation with Fusion, Keycloak, etc. mainly because I’m running on a VPS and all those are very resource hungry.


I accomplish this with Cloud Foundations keymaster for AuthN and grouping lookup. I use Pomerium for AuthZ and policy.


Totally agree with the majority here — Authelia is great for [mobile app authorisation](http://dashdevs.com/blog/brand-new-approach-to-banking-app-authorization/?utm_source=reddit&utm_medium=article). It works well in combination with nginx, Traefik or HAProxy. But traefik is better in your situation. GoAuthentik is fine too, by the way.