OpenBAO

How to harden Authentik 2025.12.3 -- localhost bind, HAProxy path blocking and rate limiting, OpenBAO AppRole secrets injection, akadmin deactivation, and Docker worker capability hardening. Every command, every dead end, every lesson.

A complete walkthrough of deploying Authentik as an OIDC provider for Grafana and Prometheus across a multi-VLAN lab, including every issue encountered, the diagnostic reasoning behind each fix, and the security trade-offs made along the way.