The Keys to Our European Castle: Why We Picked Authentik for PixelUnion (and Immich!)

As you know, we’re running PixelUnion—your privacy-focused Google Photos alternative from Europe. Our whole operation is founded on the belief that Europe should fend for itself, and the tech we build here can hold up to its American counterparts.
When you’re building a platform, there’s one service that is absolutely non-negotiable for security: the Identity Provider (IDP). This cornerstone holds the identity of our users and the keys to the castles. For us, it’s a core value that critical services like this must be based in Europe.
So, let’s talk about how we landed on Authentik.
The Problem with Identity in Immich
Our foundation is built on Immich. Immich is awesome, but it’s designed to handle only simple internal users with a username and password, and it does not support multi-factor authentication (MFA).
This isn’t a flaw; it’s a smart design choice! The Immich team believes—and we agree—that running an identity provider is a big job that should be done by specialized software maintained by professionals and security engineers alike. They focus on Immich’s core quality and features, not reinventing solved problems.
But since we’re running a SaaS platform, we desperately needed advanced security:
- MFA: We need to support features like passkeys or a time-based one-time password (the single-use code you get from an authenticator app after scanning a QR code).
- User Flow: We need our users to be able to invite family and friends from within the Immich interface. This means a specific flow: adding a user to the PixelUnion tenant, emailing them to create an account with our IDP, and then redirecting them back to their instance.
Why We Had to Build It Ourselves
We spent some time searching the ecosystem for an IDP that fit our stringent, European-focused criteria. We needed a provider that was:
- European and trustworthy
- Capable of hosting our needs
- Competitively priced for our external users (who number in the thousands)
After a thorough search, we realized we couldn’t find an external identity provider that satisfied all four points.
That left us with only one realistic option: hosting our own identity provider. While we looked at other players like Keycloak, we ultimately chose Authentik.
Authentik: Open Source, Secure, and Cost-Effective
Authentik is a great IDP that immediately ticked all our boxes for security, control, and future growth:
1. Security & Openness
Authentik is properly open source, which provides transparency and allows us to prioritize control, customization, and data privacy. It provides proper support for all the multi-factor authentication stuff we require, and even offers advanced features we think we may need later on.
2. Industry Standards & Flexibility
This is huge: Authentik uses well-known industry-standard protocols. It supports SAML 2.0, OAuth 2.0, OpenID Connect (OIDC), LDAP, and RADIUS. Why does this matter? Because an application doesn’t need to support Authentik specifically; it only needs to speak one of the standard protocols that Authentik implements.
Basically, anything that supports OIDC will work with it. This flexibility means we can handle all our authentication in a single place. Plus, it is described as extremely customizable.
3. Cost-Effectiveness
Authentik is free and open source. This means we can host it ourselves, which is much more cost-effective than using a third-party service that charges per user or per authentication. Given our user base, this is a significant advantage.
What’s Next? We’re Building It!
We are currently in the process of building the solution. We will be moving our users and our platform to Authentik in the coming months, but our absolute priority right now is thoroughly beta testing and securing the identity provider using modern techniques.
For our users, a smooth experience configuring their MFA is essential. Because of the way we need to handle the invite flow, this transition will require a small change in the open-source Immich project. We plan to publish these changes and will keep you fully up to date as we progress with implementing the IDP.
Stay tuned for more updates as we finalize this crucial step toward a secure, European-controlled photo alternative!