Once you have more than a few Docker containers running in your homelab, you’ll notice some applications have implemented their own authentication, requiring you to keep those credentials organized (hopefully in a password manager like 1Password). However, some applications don’t support authentication at all. What do you do? How do you make it less annoying to access your stuff?
Fortunately, a small cottage industry has developed around Single Sign-On (SSO) for homelab applications. Some of these are offered for free, with paid versions available for commercial use – a perfect use case for homelabs!
I started out with Authelia. Wherever possible, I disabled authentication for my apps, and chose to use Authelia instead. When I’d visit my app, my reverse proxy would check that I’m logged into Authelia, and if not, I’d be redirected there before I could access my application. I set it up with this guide from the LinuxServer team, and it worked well for quite a while.
However, I found that every update would include breaking changes, requiring me to comb through the config file (a massive YAML file) to make sure my settings still worked. Per the guide, I was also using a SQLite database to store my users (just myself and my wife), though Authelia’s documentation warns that I should set up a PostgreSQL database for production use.
Thanks to the r/selfhosted and r/homelab subreddits, I found Authentik. Authentik includes a GUI for configuration, which was a huge improvement over my experience with Authelia. It does require a PostgreSQL database and a Redis instance, but those didn’t take much effort to set up. Authentik’s interface can be very, very confusing if you’re not intimately familiar with SSO, so I found this guide to be instrumental in getting things working (I’m using SWAG instead of Traefik, but most of the guide is still applicable). My goal was to have most applications forward to Authentik without having to create them individually as separate entries in the admin interface.
Updating Authentik is harder than Authelia. For each update, you have to see if the dependencies have been changed – namely, PostgreSQL and Redis. Redis is easy to update (just modify the version number of the image and rebuild your container), but PostgreSQL is a real hassle. You have to export your database, stop the container, delete your data, bump the version of the image you’re using, rebuild your container, then import your database dump. Recently, an Authentik update set the session length to ~24 hours, which annoyed me a whole lot. Unable to figure out why that changed or how to configure that, I became motivated to try something else. I even considered going back to Authelia.
Then, I found a replacement I think I’ll stick with for a while – Tinyauth. Tinyauth is all I ever wanted in an authentication backend: it’s lightweight and incredibly easy to configure. Although it supports the creation of local accounts, I’ve disabled that and outsourced the whole thing to Google. Thanks to this pull request, it’s available in SWAG, and it wasn’t difficult to add to my reverse proxy configurations. Now, when I access an application via SSO, my reverse proxy passes my request to Tinyauth. If I’m not logged into my Google account, I’m passed to Google, where I can log in with my passkey. Super simple. I highly recommend Tinyauth if you’ve found other SSO methods to be too complex.
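Here is the forward-auth hand-off described above, written out as an nginx server block in the style SWAG uses. This is an added illustration, not the proxy-conf from the pull request; the Tinyauth hostname and port, its verification path (/api/auth/nginx), its login page path and the app upstream are assumptions to check against the Tinyauth docs.

```nginx
# Added example: gate an app behind Tinyauth with nginx auth_request.
# Assumptions (verify against the Tinyauth docs): Tinyauth listens on
# tinyauth:3000, answers auth checks at /api/auth/nginx, and serves its
# login page at https://auth.example.com/login?redirect_uri=...
server {
    listen 443 ssl;
    server_name app.example.com;   # the app whose built-in auth is disabled

    # Every request is first handed to Tinyauth: 200 = proceed, 401 = not logged in.
    location / {
        auth_request /tinyauth;
        # Not logged in: send the browser to Tinyauth (and on to Google), then back here.
        error_page 401 =302 https://auth.example.com/login?redirect_uri=$scheme://$http_host$request_uri;

        # Hand the identity Tinyauth established to the app, if it wants it.
        auth_request_set $auth_user $upstream_http_remote_user;
        proxy_set_header Remote-User $auth_user;

        proxy_pass http://app:8080;
    }

    # The auth check itself; `internal` stops clients from calling it directly.
    location = /tinyauth {
        internal;
        proxy_pass http://tinyauth:3000/api/auth/nginx;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Tinyauth needs the original scheme/host/URI to decide and to build the redirect.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

With the app’s own login disabled, this block is the only gate: any location without auth_request is reachable without signing in, so keep the check on the catch-all location rather than on individual paths.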