🔐 Authentication & login Open source Privacy ★★★★★
Authelia
Reverse-proxy authentication gateway
Overview
Authelia sits behind reverse proxies providing SSO, TOTP/WebAuthn 2FA, and access policies for self-hosted apps.
Not a direct replacement for Google Sign-In on public SaaS—but removes Google OAuth from your Nextcloud, Immich, Home Assistant stack.
Lighter Go alternative to Keycloak for personal homelabs.
Scores
Privacy 5/5
Ease of use 2/5
Features 4/5
Value 5/5
Google Sign-In / OAuth — comparison
Provides SSO/2FA for services you host—eliminates Google OAuth inside your infrastructure, not for random SaaS apps.
Pros
- ✓ Seamless Traefik/Nginx/Caddy integration
- ✓ 2FA, WebAuthn, SSO
- ✓ Lighter than Keycloak
- ✓ Unifies homelab authentication
Cons & caveats
- − Requires reverse proxy setup
- − Cannot replace Google login on third-party SaaS
- − Network configuration learning curve
Best for
- Homelab and self-hosted environments
- Traefik/Nginx users
- Unified auth for private services
Not ideal for
- Replacing Google on public websites
- Environments without reverse proxy
Specs
- Pricing
- Self-hosted — Completely free (OSS).
- Difficulty
- Advanced
- Data location
- Your self-hosted server.
- Platforms
- Self-hosted · Docker
SSO/2FA/WebAuthnTraefik/Nginx連携軽量Go製
Migration from Google Sign-In / OAuth
- 1 Deploy Authelia in Docker
- 2 Configure Traefik/Nginx Forward Auth middleware
- 3 Enable 2FA/WebAuthn for users
- 4 Point self-hosted apps from Google OAuth to Authelia
Setup steps
- 1 Run Authelia + Traefik via Docker Compose
- 2 Edit configuration.yml for users and 2FA
- 3 Attach Forward Auth middleware in Traefik
- 4 Verify protected access to each service
Related on Amazon
Books and devices that may help your migration. Verify specs and price before buying.
- Accessories
YubiKey 5 NFC
Hardware 2FA when moving away from “Sign in with Google”.
View on Amazon ↗