Authentik OIDC for Proxmox

Overview

This pattern demonstrates how to configure Proxmox VE to authenticate users through Authentik using OpenID Connect (OIDC), providing centralized identity management and single sign-on capabilities for the hypervisor infrastructure.

Context and Assumptions

  • Authentik identity provider is already deployed and configured
  • Proxmox VE 7.0+ cluster is operational
  • Network connectivity exists between Proxmox nodes and Authentik
  • Administrative access to both Authentik and Proxmox web interfaces
  • SSL/TLS certificates are properly configured

Architecture

The integration creates a trust relationship where Proxmox delegates authentication to Authentik using the OAuth 2.0/OIDC protocol. Users authenticate against Authentik and receive JWT tokens that Proxmox validates for access control.

Implementation Notes

Key configuration steps include creating an OIDC application in Authentik, configuring the Proxmox realm with the appropriate client credentials, and mapping user attributes between the systems. Pay attention to group mappings and permission structures.

Commands and Configuration

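# Example Proxmox realm configuration via CLI
# (a confidential client in Authentik also needs its secret passed with --client-key)
pveum realm add authentik-oidc --type openid --issuer-url https://auth.example.com/application/o/proxmox/ --client-id proxmox-client

# Pre-create a user in the new realm so permissions can be assigned to it;
# authentication itself is tested by logging in with this realm selected
pveum user add testuser@authentik-oidc --enable 1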

Operational Notes

  • Monitor authentication logs in both systems during initial deployment
  • Common pitfall: mismatched redirect URIs between Authentik and Proxmox
  • Consider session timeout alignment between systems
  • Test group membership propagation for role-based access
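
A pre-flight check for the issuer URL and redirect URI pitfalls noted above, as an added example that is not part of the original entry or of either project's code. The discovery document, hostnames and the function name check_realm are constructed for illustration, and exact-string matching of redirect URIs is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the discovery document an issuer serves under its
# issuer URL at .well-known/openid-configuration, trimmed to the checked fields.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://auth.example.com/application/o/proxmox/",
  "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
  "token_endpoint": "https://auth.example.com/application/o/token/",
  "jwks_uri": "https://auth.example.com/application/o/proxmox/jwks/"
}
""")

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_realm(issuer_url, discovery, registered_redirects, node_urls):
    """Return a list of problems; an empty list means the pre-flight passed."""
    problems = []
    # OIDC Discovery: the advertised issuer must equal the configured
    # issuer URL exactly, so a missing trailing slash is a mismatch.
    advertised = discovery.get("issuer")
    if advertised != issuer_url:
        problems.append(f"issuer mismatch: realm={issuer_url!r} idp={advertised!r}")
    # Tokens and signing keys must only travel over TLS.
    for key in REQUIRED_ENDPOINTS:
        value = discovery.get(key)
        if not value:
            problems.append(f"discovery document lacks {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    # Assumption: redirect URIs are compared as exact strings, so every node
    # URL users log in through needs its own entry on the Authentik side.
    registered = set(registered_redirects)
    for url in node_urls:
        if url not in registered:
            problems.append(f"redirect URI not registered: {url}")
    return problems


if __name__ == "__main__":
    issues = check_realm(
        "https://auth.example.com/application/o/proxmox",  # trailing slash dropped
        SAMPLE_DISCOVERY,
        ["https://pve1.example.com:8006"],
        ["https://pve1.example.com:8006", "https://pve2.example.com:8006"],
    )
    print("\n".join(issues) or "pre-flight passed")
```

Run it against the real discovery document and the redirect URI list copied from the Authentik provider before adding the realm on a production cluster.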

Related Entries

This pattern complements the broader identity architecture and integrates with network segmentation policies for administrative access control.