Rauthy on Ubuntu 24.04 on Azure User Guide
Overview
This guide covers the deployment and configuration of Rauthy on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Rauthy is an open source, self hosted OpenID Connect (OIDC) provider and identity and access management server. It lets you run your own single sign on for your applications: it issues signed OIDC and OAuth2 tokens, manages users, clients, roles, scopes and sessions, and supports passwords and passkeys, all from a clean admin console and an account self service interface.
The image installs the latest stable Rauthy release, taken directly from the official upstream container image and recorded with its digest in /opt/rauthy/VERSION. Rauthy runs as a single self contained Rust binary under systemd as the unprivileged rauthy system user and binds to loopback only (127.0.0.1:8080), backed by an embedded Hiqlite (SQLite and Raft) store that needs no external database. nginx is the sole network facing surface and terminates TLS on port 443, reverse proxying to Rauthy so the OIDC issuer is served over HTTPS.
The image ships with no known login. Rauthy applies its bootstrap admin password only while initialising an empty database, and the captured image ships an empty database with no baked secrets. On the first boot of every instance, a one shot service generates a unique admin password, unique encryption keys and unique internal secrets for that specific instance, boots Rauthy against the empty database so it creates the admin@localhost user with that per instance password, and writes it to a file that only the root user can read. No credentials and no key material are ever shared between instances.
What is included:
-
The latest stable Rauthy release (the official upstream binary, with its full admin and account web UI embedded), run under systemd as the unprivileged
rauthysystem user -
Rauthy and its internal Raft ports bound to loopback only (
127.0.0.1:8080,127.0.0.1:8100,127.0.0.1:8200) — none are network exposed -
An embedded Hiqlite (SQLite and Raft) store, so a full identity provider runs with no separate database to operate
-
nginx terminating TLS on :443 and reverse proxying to Rauthy, with HSTS and sensible security headers
-
Port
:80returns a301redirect to HTTPS for every path except an unauthenticated/healthzendpoint (HTTP 200) for load balancer probes -
A self signed TLS certificate regenerated per VM on first boot (SAN includes the VM public IP, hostname and
127.0.0.1) — replace it with your own CA signed certificate for production -
A per instance admin password generated on first boot into
/root/rauthy-credentials.txt(readable by root only) — no default or shared credential is ever baked in -
A built in self test at
/opt/rauthy/rauthy-selftest.shthat proves the admin login round trip end to end over TLS -
Ubuntu 24.04 LTS base with latest security patches applied at build time
-
Azure Linux Agent for seamless cloud integration and SSH key injection
-
24/7 cloudimg support with guaranteed 24 hour response SLA
Prerequisites
-
An Azure subscription with permission to deploy virtual machines
-
An SSH key pair for administrative access to the VM as the
azureuseraccount -
A Network Security Group allowing inbound TCP
443(HTTPS) and80(redirect) from the networks that should reach the service, and22(SSH) from your management network only -
A recommended size of Standard_B2s or larger
Step 1: Deploy from the Azure Portal
-
Locate the Rauthy on Ubuntu 24.04 LTS by cloudimg image in the Azure Marketplace and select Create.
-
Choose your subscription, resource group and region.
-
Select a VM size (Standard_B2s or larger) and provide your SSH public key for the
azureuseraccount. -
On the Networking tab, allow inbound
443and80from the clients and applications that will use single sign on, and restrict22to your management network. -
Review and create. When the VM is running, browse to
https://<your-public-ip>/auth/v1/account.
Step 2: Deploy from the Azure CLI
You can deploy the same image from the Azure CLI. Replace the resource group, location and image URN as needed:
az vm create \
--resource-group my-rauthy-rg \
--name rauthy \
--image <cloudimg-rauthy-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
# then open the required ports
az vm open-port --resource-group my-rauthy-rg --name rauthy --port 443 --priority 1001
az vm open-port --resource-group my-rauthy-rg --name rauthy --port 80 --priority 1002
Step 3: Verify the Rauthy and nginx services
SSH in as azureuser and confirm the services are active and that Rauthy and its internal Raft ports are bound to loopback only, with nginx the only public listener:
sudo systemctl is-active rauthy nginx rauthy-firstboot
ss -tln | grep -E ':8080|:8100|:8200|:80 |:443 '
You should see Rauthy on 127.0.0.1:8080 and its Raft ports on 127.0.0.1:8100 and 127.0.0.1:8200 (all loopback only), while nginx listens on 0.0.0.0:80 and 0.0.0.0:443.

Step 4: Inspect the OIDC discovery document
Rauthy publishes its OpenID Connect configuration at the standard discovery URL. Confirm it answers over TLS and shows the issuer and the core OIDC endpoints your applications will use:
curl -sk https://127.0.0.1/auth/v1/.well-known/openid-configuration | python3 -m json.tool
The issuer is the public URL of this instance, and the document advertises the authorization, token, userinfo, introspection, revocation and JWKS endpoints under /auth/v1/oidc/.

Step 5: Retrieve the per instance admin login
The unique admin password generated for this specific VM on first boot is written to a root only file. Read it to get the admin email and password:
sudo cat /root/rauthy-credentials.txt
The default admin user is admin@localhost. Note the rauthy.admin_password value — you will use it to log in in the next step, and you should change it immediately afterwards.
Step 6: Sign in to the Rauthy web interface
Browse to https://<your-public-ip>/auth/v1/account. Because the certificate is self signed and generated per VM, your browser will warn about the certificate the first time. Accept it (or install your own certificate, see Step 12). You are presented with the Rauthy sign in form. Enter the admin email admin@localhost and select Login, then enter the per instance password from Step 5.

Step 7: Review the account dashboard
After signing in you land on the account page. It shows the admin user's details: email, given and family name, the rauthy_admin and admin roles, whether MFA is activated, and login and password metadata. From here you can manage MFA keys, devices, profile details and your password.

Step 8: Change the admin password
Open the Password tab. Rauthy shows the active password policy (minimum length, character classes and password history) and lets you set a new password, or generate a strong one. Change the per instance admin password to one you control as your first action after signing in.

Step 9: Edit the admin profile
The Edit tab lets you maintain the admin user's profile details, including email, name, timezone and an optional preferred username. Rauthy exposes these standard OIDC claims to your connected applications.

Step 10: Prove the admin login from the command line
The image ships a self test that proves the per instance admin credential authenticates end to end over TLS. It performs the real OIDC login flow: it rejects a wrong password with 401, then accepts the correct per instance password with 202 and an issued authorization code:
sudo /opt/rauthy/rauthy-selftest.sh
The expected output reports round-trip OK, confirming the wrong password was rejected and the correct password was accepted over TLS.

Step 11: Check the baked version and appliance info
The exact Rauthy version and the official source image digest baked into the image, along with the per VM appliance details, are recorded on the VM:
cat /opt/rauthy/VERSION
sudo cat /root/rauthy-credentials.txt

Step 12: Enable the admin console
Rauthy's full admin console, at /auth/v1/admin, lets you manage users, OIDC and OAuth2 clients, roles, scopes, groups, sessions and events. As a security measure, Rauthy requires the admin account to have multi factor authentication (a passkey) enabled before it will open the admin console. From the account page (Step 7), open the MFA tab, choose Register New Key to enrol a passkey, then log out and log back in. Passkeys require a real domain name, so enrol your passkey after you have pointed a DNS name at the instance and set the public URL (Step 13).
Step 13: Use your own domain and a trusted certificate (production)
The image ships a self signed certificate and is served on the instance's IP address, so it is secure out of the box but browsers will warn on the certificate and passkeys cannot be enrolled against a bare IP. For production, point a DNS name at the VM, set the public URL, and install a CA signed certificate.
First set the public URL and WebAuthn settings so the OIDC issuer and passkeys use your domain. Edit /etc/rauthy/firstboot.env and set PUB_URL, RP_ID and RP_ORIGIN to your domain, then restart Rauthy:
sudo sed -i \
-e 's#^PUB_URL=.*#PUB_URL=<your-domain>#' \
-e 's#^RP_ID=.*#RP_ID=<your-domain>#' \
-e 's#^RP_ORIGIN=.*#RP_ORIGIN=https://<your-domain>:443#' \
/etc/rauthy/firstboot.env
sudo systemctl restart rauthy
Then obtain a free CA signed certificate for your domain with Let's Encrypt:
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>
Certbot installs the certificate into nginx and sets up automatic renewal.
Step 14: Managing the Rauthy service
sudo systemctl restart rauthy
sudo journalctl -u rauthy.service --no-pager | tail -20
Rauthy's configuration lives in /etc/rauthy/config.toml (static settings) and /etc/rauthy/firstboot.env (the per instance secrets and public URL). After editing either, run sudo systemctl restart rauthy.
Step 15: Security recommendations
-
Change the admin password immediately. The per instance password in
/root/rauthy-credentials.txtis for first sign in only; change it from the account page (Step 8) as your first action. -
Restrict SSH. Allow inbound
22only from your management network; keep443(and80for the redirect) open to the applications and users that need single sign on. -
Install a trusted certificate and a real domain. Replace the self signed certificate with a CA signed one (Step 13) so users are not trained to click through warnings, and so passkeys can be enrolled.
-
Enable MFA on the admin account. Rauthy already requires a passkey for the admin console; enrol one as soon as you are on your own domain.
-
Keep the image updated. Unattended security upgrades remain enabled so the OS keeps receiving patches.
Step 16: Support and Licensing
Rauthy is open source software distributed under the Apache License 2.0. This image bundles the upstream Rauthy release unmodified; the licence is retained on the image. cloudimg packaging, hardening and support are provided by cloudimg.
Deploy on Azure
Find this image on the Azure Marketplace and deploy it in minutes. See www.cloudimg.co.uk for the full catalogue.
Need Help?
cloudimg provides 24/7 support with a guaranteed 24 hour response SLA. Contact us through www.cloudimg.co.uk for deployment assistance, configuration help or any questions about this image.