TekOnline

Auth Spikes as a Security Signal: What Authentik Caught (And Why That Matters)

Environment: Oracle host + Authentik + Nginx Proxy Manager

Why This Matters

We saw a useful security pattern:

  • Auth traffic spiked hard at the edge
  • Site analytics did not show matching real-user behavior
  • Authentik still surfaced the right signal through OAuth/authorize and flow activity

This is exactly why keeping identity and proxy telemetry together is valuable. Even when traffic is noisy, the auth layer can still tell you what is being targeted.

What Happened

During investigation, we found two overlapping traffic classes:

  1. Monitoring-driven auth flow noise
    A monitor checked a protected endpoint and followed redirects into authentication flows. That created steady, repetitive auth-flow requests that looked like an incident at first glance.
  2. Scanner-driven authorization noise
    External scanner traffic hit protected routes and was redirected into OAuth authorize endpoints by forward-auth. This inflated authorization counts without representing legitimate sign-in growth.

Why Analytics and Auth Metrics Diverged

This divergence is expected:

  • Many monitor and scanner requests do not execute browser JavaScript analytics
  • Forward-auth can convert generic HTTP probes into authentication endpoint traffic
  • Identity endpoints often become the convergence point for unrelated web probing

So “high auth endpoint volume” does not automatically mean “high user login volume.”

What Authentik Did Well

Authentik made attribution possible at the app/provider level:

  • authorize_application events exposed client_id and redirect_uri
  • We could map noisy authorization spikes to specific protected apps/providers
  • Event context gave enough structure to separate benign monitor noise from suspicious scanner behavior

That visibility is the win.

Minimal Investigation Workflow (Repeatable)

  1. Confirm host scope first (which reverse proxy, which identity instance).
  2. Pull proxy access logs for the suspected window.
  3. Split traffic by path + user-agent + source category.
  4. In Authentik Events -> Logs, filter Action = authorize_application.
  5. Pivot on context.http_request.args.client_id and redirect_uri to identify targeted apps.
  6. Classify:
  • Monitor-induced flow recursion
  • Legitimate user auth
  • Scanner/bot auth-side effects

Security Response Playbook

  1. Fix monitor design
  • Use explicit health endpoints that return 200
  • Avoid redirect-follow checks on protected root URLs
  1. Reduce edge noise
  • Add rate limits/challenges for exploit-style probe patterns
  • Block clearly abusive request classes at the proxy
  1. Preserve auth signal
  • Keep Authentik event retention long enough for correlation
  • Alert on abnormal authorize_application bursts by app/provider
  1. Protect public forward-auth apps
  • Treat internet-exposed forward-auth apps as high-noise surfaces
  • Tighten policy and request filtering around those paths

Key Takeaway

The spike looked like an auth problem, but it was mostly traffic classification:

  • Some volume was monitoring behavior
  • Some volume was scanner behavior
  • Authentik provided the control-plane visibility needed to prove which apps were being targeted

This is good news: the identity layer did exactly what it should do, and now the edge can be tuned to keep future signal cleaner.

Posted

in

by

jcianci12

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *