How to harden Authentik 2025.12.3 -- localhost bind, HAProxy path blocking and rate limiting, OpenBAO AppRole secrets injection, akadmin deactivation, and Docker worker capability hardening. Every command, every dead end, every lesson.
A complete live audit of Authentik 2025.12.3 — every command, every dead end, every lesson. 10 of 15 findings confirmed exploitable including full RCE from a non-superuser account, database compromise, and a two-command path to god-mode. Zero downloaded tools.
A complete walkthrough of deploying Authentik as an OIDC provider for Grafana and Prometheus across a multi-VLAN lab, including every issue encountered, the diagnostic reasoning behind each fix, and the security trade-offs made along the way.