hass-auth-header
Unable to authenticate via browser
Apologies for what probably is an easy solution, I am just new to this.
I've got my reverse proxy working and the header integration installed. When I click the ha.domain.com URL in nginx it brings me to a page that says:
Home Assistant
You're about to give https://ha.domain.com access to your Home Assistant instance.
Logging in with Header Authentication
Login Aborted:
START OVER
or log in with:
Home Assistant Local
Here is my conf.yaml:
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
auth_header:
  # Optionally set this if you're not using authentik proxy or oauth2_proxy
  # username_header: X-Forwarded-Preferred-Username
  # Optionally enable debug mode to see the headers Home-Assistant gets
  # debug: false
# Optionally, if something is not working right, add this block below to get more information
logger:
  default: info
  logs:
    custom_components.auth_header: debug
```
I've tried un-commenting the username_header: line and adding my authentik and HA username there but neither work. I'm not really sure what I am supposed to be putting there so I assume that is my issue...
Many thanks!
Check in the Homeassistant logs if there's any errors/warnings in there
Here's the log with no username exact header in the config is shown in my prior post (also added the Cloudflare IP and my public IP to the trusted IPs). I removed my public IP, domain and other potentially private info from the log below.
```
2022-10-20 08:22:35.222 INFO (MainThread) [custom_components.hacs] Stage changed: HacsStage.RUNNING
2022-10-20 08:22:53.075 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy('X-authentik-username': 'TEST', 'X-authentik-groups': 'authentik Admins', 'X-authentik-email': '[email protected]', 'X-authentik-uid': '#', 'Host': '192.168.1.246:8123', 'Connection': 'close', 'Content-Length': '145', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42', 'Accept': '*/*', 'Accept-Encoding': 'gzip', 'Accept-Language': 'en-US,en;q=0.9', 'Cdn-Loop': 'cloudflare', 'Cf-Connecting-Ip': '#', 'Cf-Ipcountry': 'US', 'Cf-Ray': -IAD', 'Cf-Visitor': '{"scheme":"https"}', '37354d9ff627', 'Content-Type': 'text/plain;charset=UTF-8', 'Cookie': 'authentik_proxy=MTY2', 'Dnt': '1', 'Origin': 'https://ha.DOMAIN.com', 'Priority': 'u=1', 'Referer': 'https://ha.DOMAIN.com/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fha.DOMAIN.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fha.DOMAIN.com%2F&state=eyJo', 'Sec-Ch-Ua': '"Chromium";v="106", "Microsoft Edge";v="106", "Not;A=Brand";v="99"', 'Sec-Ch-Ua-Mobile': '?0', 'Sec-Ch-Ua-Platform': '"Windows"', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', 'X-Forwarded-For': IP', 'X-Forwarded-Proto': 'https')>
2022-10-20 08:22:53.075 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 08:22:53.075 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2022-10-20 08:22:53.075 DEBUG (MainThread) [custom_components.auth_header.headers] no user found
```
configure
```yaml
auth_header:
  # Optionally set this if you're not using authentik proxy or oauth2_proxy
  username_header: X-authentik-username
```
Edit: I am dumb, testing now.
Edit2 : I get the same error I think
```
2022-10-20 08:40:50.692 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 08:40:50.692 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2022-10-20 08:40:50.693 DEBUG (MainThread) [custom_components.auth_header.headers] no user found
```
config
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
    #local IP range
    - 172.17.0.1
    #cloudflare IP
    - 1.2.3.4
    #public IP
auth_header:
  # Optionally set this if you're not using authentik proxy or oauth2_proxy
  username_header: Magic
  # Optionally enable debug mode to see the headers Home-Assistant gets
  # debug: false
# Optionally, if something is not working right, add this block below to get more information
logger:
  default: info
  logs:
    custom_components.auth_header: debug
```
Why did you set username_header to Magic instead of username_header: X-authentik-username?
I misinterpreted and thought I was supposed to put the actual username there. I also tried username_header: X-authentik-username
and get
```
2022-10-20 08:58:42.532 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 08:58:42.532 DEBUG (MainThread) [custom_components.auth_header.headers] no user found
```
your username in authentik needs to match the username in HASS, the username that is shown under :8123/config/users
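The three checks this thread works through (the connecting IP is in trusted_proxies, the configured username_header is actually sent, its value names a Home Assistant user), as an added Python sketch that is not part of the original thread and not the integration's own code. The check order, the exact-match rule, the function name `diagnose` and the sample headers are assumptions made for illustration.

```python
import ipaddress

# Constructed sample, modelled on the debug output quoted in this thread.
SAMPLE_HEADERS = {"X-authentik-username": "TEST", "X-Forwarded-Proto": "https"}
# Default header name as shown in the config comment quoted in the thread.
DEFAULT_HEADER = "X-Forwarded-Preferred-Username"


def diagnose(peer_ip, headers, trusted_proxies,
             username_header=DEFAULT_HEADER, ha_users=()):
    """Return (ok, reason) for one proxied login attempt.

    Assumed check order (a troubleshooting model, not the integration's code):
    1. the connecting peer must be inside http.trusted_proxies,
    2. the configured username header must be present,
    3. its value must name an existing Home Assistant user.
    """
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    # Only a trusted proxy may assert an identity; otherwise any client
    # could send the username header itself.
    if not any(peer in net for net in nets):
        return False, f"peer {peer_ip} is not in trusted_proxies; header ignored"

    # HTTP header names are case-insensitive, so compare lowercased.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(username_header.lower())
    if not value:
        candidates = sorted(k for k in headers if "user" in k.lower())
        return False, f"header {username_header} not set; proxy sent {candidates}"

    if value not in ha_users:  # exact match is an assumption
        return False, f"no Home Assistant user named {value!r}"
    return True, f"login as {value}"


if __name__ == "__main__":
    # Default header name while the proxy sends X-authentik-username.
    print(diagnose("172.17.0.1", SAMPLE_HEADERS, ["172.17.0.1"]))
    # Correct header name, but the proxy's username has no HA counterpart.
    print(diagnose("172.17.0.1", SAMPLE_HEADERS, ["172.17.0.1"],
                   "X-authentik-username", ["eric"]))
```
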
Ah, that progresses me forward. I get a new error:
```
2022-10-20 09:22:34.641 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 09:22:44.303 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from d1-2-3-4col.INTERNETPROVIDER.com (1.2.3.4). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42)
```
1.2.3.4 = my ISP IP address which I've added in the config as a trusted IP, not sure why it gets an error.
Just an update on this. I tried with an incognito browser and get a different error:
```
2022-10-20 15:36:14.764 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 15:36:14.764 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2022-10-20 15:36:14.765 DEBUG (MainThread) [custom_components.auth_header.headers] no user found
```
My authentik username = eric, as does my HA username.
My config:
```yaml
# Loads default set of integrations. Do not remove.
default_config:

# Text to speech
tts:
  - platform: google_translate

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.17.0.1
    - 172.17.0.20 # This needs to be set to the IP of your reverse proxy

auth_header:
  # Optionally set this if you're not using authentik proxy or oauth2_proxy
  # username_header: X-Forwarded-Preferred-Username
  # Optionally enable debug mode to see the headers Home-Assistant gets
  # debug: false

# Optionally, if something is not working right, add this block below to get more information
logger:
  default: info
  logs:
    custom_components.auth_header: debug
```
I've tried # username_header: X-Forwarded-Preferred-Username both enabled and disabled to no avail.
I also tested this bypassing the proxies by just opening the port on my router and it worked fine. There's clearly something wrong in my HA config I just don't know what I am doing wrong.
I am able to authenticate via authentik and it redirects to HA which says header authentication, login aborted.

Other question, kind of the same topic. I can't log in with username/password. Everything else works fine, but it won't let me log in: when I put in user/pw and click login, it changes to start again and stays stuck at the login page.
@pbvdven I fixed that in #179 but it has not been released yet. You could try installing the latest from master. @BeryJu Please consider creating a new minor/patch release to push this bugfix.
I installed the addon about 1 week ago and I'm running in the same error as @mag1c22. I just opened hass in a private window of my browser and it just shows me the same screen without a redirection to my authentik instance.
My hass is behind a NginxProxyManager, do I have to add there something as well?

You need to add a snippet to npm. You can find it in authentik under the provider you created for home assistant. Then copy-paste it in npm proxy host > your proxy > advanced tab.
maybe I'm a bit stupid, but I can't find the snippet :(

EDIT: Ok I'm trying it with forward auth now instead of proxy (that was my old setting from the documentation, what is the right one to choose here?)

Overview scroll down to setup select npm 
yeah sure I found it, but that is only visible when you choose Forward auth instead of Proxy (Proxy is the thing I should create from the documentation, so the documentation is wrong :()

ok, I was able to get it working to the point that authentik is doing its login process, but afterwards it's telling me this:
now I have to debug the authheader addon I installed in homeassistant right? opened a new issue for my new problem now: => https://github.com/BeryJu/hass-auth-header/issues/236
> yeah sure I found it, but that is only visible when you choose Forward auth instead of Proxy (Proxy is the thing I should create from the documentation, so the documentation is wrong :()

No, but when you choose proxy, authentik will handle the proxy, not npm.