Integration of Authentik into Yunohost platform

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.1.39 (stable)
How are you able to access your server: The webadmin, SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance?: Not yet

Describe your issue

I am looking for the best way to integrate Authentik into the YunoHost login flow. Basically, I have some external Docker apps that are being proxy-forwarded (using the redirect app) from YunoHost, and users have to manually log in to each application. I am looking to make it a seamless experience where users only need to log in once instead of multiple times across multiple applications. I have been researching Authentik and I see that it can function as an LDAP store as well as an LDAP IdP. The information surrounding this topic is scarce and not really specific to what I am trying to accomplish. So, I am looking for information on the feasibility of integrating YNH LDAP into Authentik, or whether there is a better way, such as nginx auth forwarding, or a way to integrate YNH LDAP into my apps as an additional SSO login option using YNH's existing credential store.

I just need a little direction here to simplify the process for my users, so that they do not have to authenticate so much to use the basic services I have integrated into the platform for them. Any help or information will be useful.

Share relevant logs or error messages

N/A

Auth Flow would be:

The user authenticates with Authentik, which redirects the user back to the YNH platform and logs them in without further login prompts. Then, when the user clicks on the proxied app tile, it takes them to the application and logs them in automatically based on the fact that they are already authenticated with Authentik/LDAP, and forwards the credential status to the app for seamless access.

Hello and welcome!

This is a difficult subject with a lot of implications. However, you can see in our dream map that it's planned to support Authelia.

I don’t think it’s easily feasible to integrate Authentik in the meantime.

I have already put some research into this, and it does look like if you set Authentik up as an LDAP provider and source for the YunoHost LDAP server and point it locally to ports 389 and 636 respectively, authentication is possible. The issue I am struggling with specifically is setting up the forwarding headers in nginx (attached to the Authentik Docker container) so that SSOwat issues the session cookie after accepting the headers as a logged-in user. I know that YunoHost uses very specific forwarding headers, and I am trying to figure out what those are. There is no documentation on this process, and I have not been able to locate any resources online about this specifically, including on Stack Overflow, which is why I am asking for some assistance from the author. My only other option is to move existing services to Docker containers, and I don't want to have to do that, as I find your platform very easy to use on a daily basis and my users love the simplicity it offers. Any advice, experience or suggestion would be helpful.

Hi @netzy-cloud

Here is a personal view:

I somehow tried with another IAM solution (lemonldap-ng), which I am quite familiar with and use on another self-hosted solution, and came to the conclusion that SSO/LDAP handling is intertwined with the YunoHost core, and I couldn't easily bind both SSOwat and lemonldap-ng.
I know that going further in that direction won't be lifted by the YunoHost core developers, so I changed my mind.
I then left this idea behind; I am waiting and will follow what will be done for Authelia, since it is where the YunoHost project will need an effort.
Once Authelia is in place it would perhaps be easier to interoperate with Authelia, in my case from lemonldap-ng.

It would be easier, yes. But access to the header information is still critical, as they have to be formatted a certain way in order for nginx to accept them as a logged-in user, due to the way the virtual host file is configured for SSOwat. I have already done a test run with Authentik, and it did successfully connect to the YunoHost LDAP service, authenticate, and send back a success message. So, it is possible to interoperate. I would like to see them implement an easier API login via a post process that doesn't involve having to write a separate script in Python (the current implementation) in order to authenticate users programmatically. But there is a lot happening at the moment with the platform. So, I may wait a little longer before renewing my request, to give them time to finalize the changes they are currently implementing before taking on new tasks.

@netzy-cloud For my curiosity, do you have some code to show about your prototype?

Here is the configuration I used to authenticate against the YunoHost LDAP directory. This code only authenticates against the YunoHost directory and synchronizes users to Authentik. It does not actually authenticate resources. That comes later.

```hcl
## LDAP Source in Authentik
resource "authentik_provider_ldap" "yunohost_ldap" {
  name                = "YunoHost LDAP"
  connection_url      = "ldap://<YunoHost_IP>:389"
  user_dn             = "cn=admin,dc=yunohost,dc=org"
  user_password       = "<admin_password>"
  base_dn             = "dc=yunohost,dc=org"
  user_search_base    = "ou=users,dc=yunohost,dc=org"
  user_object_class   = "posixAccount"
  user_name_attribute = "uid"
  user_email_attribute = "mail"
}
```

To actually authenticate apps you have to do it directly with Authentik (set up as an LDAP provider) after you have disabled SSOwat and updated the nginx configuration to accept auth headers from Authentik. You also have to update the nginx virtual host file configuration to forward every auth request to Authentik in order to keep the system secure. If the reverse proxy encounters an expired session, it automatically sends the user back to Authentik to reauthenticate and provide a new session.

NOTE: I wanted to do a direct auth while keeping SSOwat in place, but I didn't have the specific headers to program Authentik with for native inline authentication with SSOwat. So, my workaround was to completely disable the SSO system and rely entirely on Authentik's auth flow for auth management. It is not ideal for me, but it works.
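The forward-auth arrangement described in the post above (every request checked against Authentik, expired sessions redirected to re-authenticate), as an added example that is not the poster's own config or part of the thread. It follows Authentik's documented nginx `auth_request` pattern for a proxy provider; the app upstream `127.0.0.1:8080`, the hostname `app.example.com` and the embedded-outpost address `127.0.0.1:9000` are assumptions to be replaced with your own values, and the block would stand in for the SSOwat-protected `location` in the app's vhost once SSOwat is disabled for it.

```nginx
server {
    listen 443 ssl http2;
    server_name app.example.com;          # assumption: your app's FQDN

    # Authentik returns sizeable identity headers; give nginx room for them
    proxy_buffers 8 16k;
    proxy_buffer_size 32k;

    location / {
        proxy_pass http://127.0.0.1:8080;  # assumption: the proxied Docker app
        proxy_set_header Host $host;

        # Sub-request to the outpost on EVERY request: it returns 2xx when a
        # valid Authentik session cookie is present, 401 otherwise.
        auth_request     /outpost.goauthentik.io/auth/nginx;
        error_page       401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;

        # Copy identity headers from the auth sub-request to the app so it can
        # trust the user set by Authentik (the app must not accept these from
        # clients directly; only this proxy should be able to reach it).
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email    $upstream_http_x_authentik_email;
        auth_request_set $authentik_uid      $upstream_http_x_authentik_uid;
        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups   $authentik_groups;
        proxy_set_header X-authentik-email    $authentik_email;
        proxy_set_header X-authentik-uid      $authentik_uid;
    }

    # Outpost endpoints must be reachable WITHOUT authentication, otherwise
    # the login round-trip itself would be blocked.
    location /outpost.goauthentik.io {
        proxy_pass              http://127.0.0.1:9000/outpost.goauthentik.io;  # assumption: embedded outpost
        proxy_set_header        Host $host;
        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        add_header              Set-Cookie $auth_cookie;
        auth_request_set        $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
    }

    # Expired or missing session: start the SSO flow, then return to the
    # originally requested URL (the post's "send them back to Authentik").
    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}
```

Because the app only sees identity in the `X-authentik-*` headers, bind it to localhost (or a Docker network reachable solely from nginx) so a client cannot bypass the proxy and spoof those headers.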

@netzy-cloud

I guess you did some wizardry with YunoHost LDAP to open it on its IP and not on localhost only?
I was looking for this some minutes ago :wink:
You can see my comment and security recommendation here.

I did it this way because both are hosted on the same machine, and I used the loopback IP (172.0.X.X) and not the public IP, which is exposed to the internet. And I only use this to pull and synchronize users into Authentik's own LDAP directory, then use the internal LDAP directory to authenticate the user. This keeps everything updated, especially when you add or delete users using the webadmin, which pushes it to the LDAP directory, and when Authentik synchronizes it adds or removes the user from Authentik's internal LDAP directory. In effect, it denies access to accounts that have been removed from the system.

So that <YunoHost_IP> is loopback 127.0.X.X; then it explains why it is working, as the current slapd is listening only on the local system.

Correct. It is not smart to do it on a public interface anyway. So, I didn't even try that route.