Cerbos authorization for Authentik
Authentik is an open source identity provider with flows, stages, and property mappings for flexible authentication. Cerbos uses Authentik's group memberships, custom properties, and OIDC claims to evaluate fine-grained authorization policies at the application layer.
Property mapping claims
Use Authentik's property mappings to shape token claims that feed directly into Cerbos authorization policies
Open source identity and authz
Pair Authentik's open source identity provider with Cerbos for a fully open source authentication and authorization stack
Flow-based flexibility
However you configure Authentik's authentication flows, the same Cerbos policies govern access within your applications
How Cerbos works with Authentik
Authentik handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with Authentik
- Users authenticate via Authentik, Authentik handles login through configurable flows and stages, including social login, LDAP, and passwordless options. Property mappings customize the claims included in OIDC tokens.
- Extract identity from the Authentik-issued token, Your application validates the OIDC token and extracts the user's groups, roles, and any custom claims defined by Authentik's property mappings.
- Send identity and resource context to Cerbos, Pass the Authentik user attributes as principal attributes alongside the target resource and desired action to the Cerbos PDP.
- Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the Authentik identity data and resource attributes, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos work with Authentik?
Authentik authenticates users via configurable flows and stages, issuing OIDC tokens with claims defined by property mappings. Your application extracts these claims and passes them to Cerbos as principal attributes. Cerbos evaluates them against your policies alongside resource attributes to make fine-grained authorization decisions.
Can I use Authentik property mappings to enrich Cerbos policies?
Yes. Authentik's property mappings let you shape OIDC token claims using Python expressions, pulling from user attributes, group memberships, or external data. These custom claims become principal attributes in Cerbos, giving your policies access to any identity data Authentik can provide.
Does Cerbos replace Authentik's application authorization?
No. Authentik controls which users can access which applications through its policy engine. Cerbos adds resource-level authorization within those applications. Authentik determines whether a user can reach your app. Cerbos determines what they can do once they are there.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Authentik
- Cerbos extends Authentik roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP