Jim, your videos are top notch. Keep them coming. Looking forward to advanced zitadel videos from you with more explaining on different type of integrations ❤
Thanks 👍
Nice video on not only the installation but also the setup, some concepts, and actual demo. It would be really great if you could create another video to explain in more details the setup and the use cases of roles/grants on a per app-basis as you mentioned.
Thanks, I plan to revisit at a later time. I'm still learning some of the concepts and how best to use them. Some of the joys of a new product.
@@Jims-Garage Great Video! Loving it! But still stuck at the same topic as jp_baril.
Any hints on how to get the statically assigned teams based on Zitadel roles working? I have been stuck on this topic for hours ^^
Great Video Jim and Thanks for sharing! Zitadel was launched a few years back but had gone quiet, but it seems they have been busy with the cloud feature, so I would love more in-depth videos on how Zitadel removes the heavy lifting when implementing Roles in Multi-Tenancy SaaS Apps (Next.js, tRPC, Tailwind, Drizzle, Postgres stack). We have struggled implementing this!
Awesome 👍 I'm planning to come back and revisit soon!
Another great video Jim, keep ‘em coming. I will definitely be playing with this in the HL, curious to compare it to keycloak and authentik.
Thanks 👍 it's a tough one, depends if all your apps are OAuth/OIDC compliant. I suspect Authentik ticks most boxes for homelabbing.
For those who get a "network proxy declared as external, but could not be found" error.
Just run the command "sudo docker network create proxy"
Thanks for the video. Really cool! I think Zitadel is more "homelabby" whereas Keycloak is more "enterprisy". Keycloak has too much Red Hat fluff added which I personally don't like as much in homelabs.
I'm a bit confused though. You said you were using docker volume mounts, when in your docker compose file only 1 volume mount (in service zitadel) is a docker volume mount, and the other 3 are bind mounts. So it's a mix of both. I guess your explanation was focused on "as their recommendation", which makes total sense. That bit before still might be confusing for beginners.
Hi Jim
Thank you very much for this great video 👍
It’s interesting to see how zitadel is used and how we can further improve
Glad you enjoyed it
jim, you are the best! :)
Haha, thanks 👍
Hey Jim, awesome video as always. Question: can I use Zitadel for apps that don't offer OAuth / OIDC natively? I was holding off on doing Authentik until this video of yours was out, as Zitadel seems to be newer and more feature rich. Do you know if Zitadel offers a proxy? I couldn't find anything in the documentation regarding it. Ideally I would want to use Traefik middleware to secure apps that don't support OAuth or OIDC by forcing sign-in via a proxy page before allowing access to my apps, similar to how Authelia works.
Thanks. I don't believe so. To my knowledge Authentik is the only one-stop shop for homelabbers.
I know what I'll be doing this weekend :D
It's really impressive
Hi Jim, another cool security approach is the open source application freeipa - a central user management for Linux with extended possibilities for the restrictive use of sudo commands and system services such as RDP, SSH etc.
Thanks, I'll take a look at that.
Hey, great tutorial, but is there any chance you could provide a docker compose.yml file with nginx configurations as opposed to Traefik? That would be greatly appreciated!
Just got comfortable with Authentik. Although there are things I still can't make work, BUT should I switch over to Zitadel? Or are there not many more upsides to it in a homelab environment?
Authentik is probably the best solution at the moment as it does both OAuth and proxying.
Great video tutorial :)
Smooth install and login, but I had an issue with Portainer where it wouldn't let me log in. Had to create the Zitadel username manually with the default admin account.
Thanks, that issue is odd. During testing I had to do the same, and then another time I didn't...
@@Jims-Garage no big issue. Hopefully it doesn't do the same with the other apps. Only tried the portainer one for now. Looking forward to the followup for zitadel you mentioned
I'm not sure this is of any help, but I've heard of this issue before. It seems that this might be related to Portainer's auto user provisioning, as the issue can occur when using Authentik as well...
Love your content! What’s your take on Authentik vs Zitadel?
I'd go with Authentik for a homelab. Does it all
Ty for the share Jim.
However, I'm confused how exactly you get this to work with Traefik. I saw that you covered how to do it for Portainer. But what about other docker containers? How do you go about getting those containers to use Zitadel for authentication using Traefik (forward auth is the term, I believe)?
Do I have to add Traefik labels? Any examples :} ??
*update
I noticed that DudeItsDallyBoy has a similar question as me.
This is only for apps that support OAuth2/OIDC. For apps that don't, you'll need to use a proxy like Authentik or Authelia.
@@Jims-Garage Ty for the reply Jim. Yeah, I scrolled all the way to the bottom and found your reply on that. So now I've moved on to your Authentik video setup xd. Now I'm trying to troubleshoot to get that to work ^-^;
Hey, I want to set up an authentication server on any open source mail server on my Ubuntu local machine, so please help me.
Does it support external authentication?
Jim, would you recommend Zitadel over Authentik?
@@ltonchis1245 not for a homelab, many homelab apps don't support oauth2
Hello Jim, thanks for the great videos, keep it up. Please, I have a question related to the reverse proxy "Traefik": how can I use it without a domain name in a local environment?
Thanks 👍 you'll need to follow the localhost guide. Everything else in my video should be valid. zitadel.com/docs/self-hosting/deploy/compose
@@Jims-Garage I mean in general, not with Zitadel: how do I configure Traefik to work with the server IP as its test env? I don't want to use the port for every app, I want to use serverip/app. Is it possible?
@@subzizo091 typically you would simply specify ports in the compose app, and then you would access it by doing dockerIP:appPort
@@Jims-Garage OK, thanks Jim for your efforts.
Really slick looking project! I'll be giving this a shot in my homelab. Have you found a way to integrate the authentication with Proxmox? If it's in the documentation, I'm still watching this vid, so haven't delved into the docs for Zitadel yet, but will.
Thanks, sadly I haven't managed to integrate Proxmox yet. Hoping we can have a community effort, try by numbers approach ha. I have a feeling it's an issue on the Proxmox side... But Proxmox does work with Keycloak and Authentik.
@@Jims-Garage arf :) reading this comment now after finalizing the installation :D which one do you recommend between keycloak and authentik based on your experience ? Like which one do you use yourself in your homelab ?
@@loicdupond7550 Authentik. It does both OAuth and proxy for non-OAuth apps.
@@Jims-Garage Thanks for the blazing fast answer and great content !
Spent 3 hours trying to log in to the thing using the external domain. For some reason it wouldn't work with the admin-zitadel account if the externaldomain had 4 parts; it worked only when adding a new user through an env variable, and even then the webpage would error out just after logging in, I think it was missing an email address.
If first logging in is this convoluted I'm too young and beautiful to waste time figuring out the rest.
Can you do a demo what to do with the grant?
I've yet to figure out which is the best, but Authentik supports SCIM which the others seem to be missing. I actually think this is an important feature long term. So the user can be created in Authentik and then automatically added with the right group/role in Portainer in this case (sadly Portainer does not support this I believe).
I think Authentik is probably the best homelab solution as it covers all bases. It is, however, community made so it comes with usual possible issues.
@@Jims-Garage what do you mean with community made in this case ?
@@autohmae My understanding is that Authentik is community driven, which means it's community supported, patched, updated etc. This could leave you with security vulnerabilities and issues that there is no typical SLA in place to fix. Very unlikely to be an issue, and you can migrate, risk control etc, but something to think about.
@@Jims-Garage There is a company built around it, which is also why they have pricing for a hosted solution and "Enterprise Self-Hosted" on their website. 🙂 Is that different from the offerings for Zitadel? Maybe this is a problem with the language barrier, English isn't my first language, but as far as I can see, I see no difference between these 2 in that category.
@@autohmae okay, you're right. I wasn't aware of the enterprise subscription. My last post is likely invalid
Very nice! Another phenomenal option for authentication.
Can I make a request? Since you mentioned in this video the plain passwords in the compose files: it is a flaw we all do have. It would be really nice to explore solutions like HashiCorp's Vault, for instance, and create some content around it.
Thanks!
Thanks 👍 it's not really too much to worry about in a homelab, but in production you'll want to secure your secrets. Kubernetes makes it pretty simple with things like sealed-secrets
@@Jims-Garage Yes, but I use most of the Homelab to learn (and play for fun too) and then many times end up adding these tools, products, solutions, etc at work. Vault is something I am currently testing, that's why the request ;)
Is it possible to use a tool like Vaultwarden/Bitwarden for this purpose?
You could just add environment variables for passwords in Portainer. In this case, add the env var "secret", and place it in the compose file as "$secret"
@@olsenlid Hi. Yes, that is correct. I like that approach a bit better, since you are not exposing the secrets in the compose file, and it also lets you define your secrets in a more organised (and centralised?) fashion. Nevertheless, from the security perspective, it is just moving the issue somewhere else.
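The exchange above moves secrets out of the compose file into environment variables ("$secret"). The check below is an added example, not code from the video, Portainer or Zitadel: it scans a compose file for secret-looking keys (password, secret, masterkey, token, *_key is a heuristic assumption) whose values are still literals rather than $VAR / ${VAR} references, so you can confirm nothing was left behind after the move. The sample compose content is constructed for the demo; ZITADEL_MASTERKEY is a real Zitadel setting, the other key names are illustrative.

```shell
#!/bin/sh
# Added example: detect plaintext secret-like values in a compose file.
# Constructed sample; key names besides ZITADEL_MASTERKEY are illustrative.

# Writes a constructed sample compose file to a temp path and prints the path.
write_sample_compose() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
services:
  zitadel:
    image: ghcr.io/zitadel/zitadel:latest
    environment:
      ZITADEL_MASTERKEY: "MasterkeyNeedsToHave32Characters"
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: ${ZITADEL_DB_PASSWORD:?set it in .env}
  db:
    image: postgres:16
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
EOF
  printf '%s\n' "$f"
}

# Regex for "key looks like a secret": optional list dash, a word containing one
# of the keywords, then ':' (map form) or '=' (list form).
SECRET_KEY_RE='^[[:space:]]*-?[[:space:]]*[A-Za-z0-9_]*(password|secret|masterkey|token|_key)[A-Za-z0-9_]*[[:space:]]*[:=]'
# Values that start with $ (e.g. $secret, ${VAR:?}) are references, not literals.
REFERENCE_RE='[:=][[:space:]]*"?\$'

# Prints how many secret-like keys carry a literal value (0 if clean).
count_plaintext_secrets() {
  grep -Ei "$SECRET_KEY_RE" "$1" | grep -vcE "$REFERENCE_RE" || true
}

# Prints the offending lines with line numbers so they can be moved into .env
# (or a Portainer env var) and replaced by a ${VAR} reference.
list_plaintext_secrets() {
  grep -nEi "$SECRET_KEY_RE" "$1" | grep -vE "$REFERENCE_RE" || true
}

sample=$(write_sample_compose)
echo "secret-like keys with literal values: $(count_plaintext_secrets "$sample")"
list_plaintext_secrets "$sample"
rm -f "$sample"
```

Run it against your real file with list_plaintext_secrets docker-compose.yml. Note the commenter's caveat still applies: the values now live in .env or in Portainer's database, so restrict that file (chmod 600 .env) and keep it out of version control; the check only tells you the compose file itself is clean.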
Nice video, any more Zitadel videos coming?
Yes, soon (no timelines). I want to do it when it makes sense with major releases.
Is there a way to set this up with proxmox?
Yea, should support OAuth2
@@Jims-Garage I’ve seen your messages in their discord asking for support about setting up proxmox but can’t find the definitive answer to those questions
Is it open source?
I don't believe so
Yes it is
@@swish6143 thanks for clarifying
Have you also tried Zitadel as realm for Proxmox? What was your experience?
At the time I struggled to get it to work. I should revisit (albeit Authentik has been working well)
Having to manually add users defeats the purpose of this overall. I can't add this to a website to allow users to authenticate since I'd have to manually add them. I'll probably just stick with normal email authentication codes as it's much simpler and just as secure.
I disagree, the setup I demonstrated is not for customer login / public. This is typically used in enterprise for trusted users / employees. You can integrate it with third party identity providers like Google/Microsoft etc to enable what you're after.
Is this better than Authentik?
Spin it up and decide... It's a good product, but if you need a proxy and OAuth you're better off with Authentik at the moment.