authelia/docs/home/architecture.md

---
layout: default
title: Architecture
parent: Home
nav_order: 1
---

# Architecture

**Authelia** is a companion of reverse proxies like Nginx, Traefik and HAProxy.
It can be seen as an extension of those proxies providing authentication functions
and a login portal.

As shown in the following architecture diagram, Authelia is directly connected to
the reverse proxy but never directly connected to application backends.

<p align="center" style="margin:50px">
  <img src="../images/archi.png"/>
</p>

## Workflow

Reverse proxies are configured so that every incoming requests generates an authentication
request sent to Authelia and to which Authelia responds to order the reverse
proxy to let the incoming request pass through or block it because user is not authenticated
or is not sufficiently authorized.

### Step by step

When the first request of an unauthenticated user hits the reverse proxy, Authelia
determines the user is not authenticated because no session cookie has been sent along with
the request. Consequently, Authelia redirects the user to the authentication portal provided
by Authelia itself. The user can then execute the authentication workflow using that portal
to obtain a session cookie valid for all subdomains of the domain protected by Authelia.

When the user visits the initial website again, the query is sent along with the
session cookie which is forwarded in the authentication request to Authelia. This time,
Authelia can verify the user is authenticated and order the reverse proxy to let the query
pass through.

### Sequence Diagram

Here is a description of the complete workflow:

<p align="center">
  <img src="../images/sequence-diagram.png"/>
</p>
[DOCS] Bootstrap new documentation website based on just-the-docs (#659) 2020-02-29 00:43:59 +00:00			`---`
			`layout: default`
			`title: Architecture`
			`parent: Home`
			`nav_order: 1`
			`---`

			`# Architecture`

			`Authelia is a companion of reverse proxies like Nginx, Traefik and HAProxy.`
			`It can be seen as an extension of those proxies providing authentication functions`
			`and a login portal.`

			`As shown in the following architecture diagram, Authelia is directly connected to`
			`the reverse proxy but never directly connected to application backends.`

			`<p align="center" style="margin:50px">`
			`<img src="../images/archi.png"/>`
			`</p>`

			`## Workflow`

			`Reverse proxies are configured so that every incoming requests generates an authentication`
			`request sent to Authelia and to which Authelia responds to order the reverse`
			`proxy to let the incoming request pass through or block it because user is not authenticated`
			`or is not sufficiently authorized.`

			`### Step by step`

			`When the first request of an unauthenticated user hits the reverse proxy, Authelia`
			`determines the user is not authenticated because no session cookie has been sent along with`
			`the request. Consequently, Authelia redirects the user to the authentication portal provided`
			`by Authelia itself. The user can then execute the authentication workflow using that portal`
			`to obtain a session cookie valid for all subdomains of the domain protected by Authelia.`

			`When the user visits the initial website again, the query is sent along with the`
			`session cookie which is forwarded in the authentication request to Authelia. This time,`
			`Authelia can verify the user is authenticated and order the reverse proxy to let the query`
			`pass through.`

			`### Sequence Diagram`

			`Here is a description of the complete workflow:`

			`<p align="center">`
			`<img src="../images/sequence-diagram.png"/>`
			`</p>`