This is the way. I just hope they don’t start gatekeeping essential features behind the “enterprise” license. Already they have announced push-based 2fa (like Duo) will be enterprise which is a bit of a bummer but it’s honestly awesome software otherwise and beggars can’t be choosers!

This is typically the case. Increasingly, self-hosted apps use integrated OIDC or OAuth but for those that don’t there are various other methods of integration into the SSO provider you’re using including forward auth and remote username. Authentik is nice in that it is also a forward-auth proxy and so you don’t need to use an additional oauth proxy software like oauth2-proxy.