authentik
Home Assistant Forward Auth and Traefik Issue, redirects to "no app for hostname"
Describe your question
I am trying to bypass double-login when accessing home assistant remotely using the Home-Assistant example at https://goauthentik.io/integrations/services/home-assistant/ and the HASS-auth-header configuration.
I have followed the setup guide and now when I log in to https://ha.domain.tld to access home assistant I am first asked to log in via authentik (as expected), but once I log in successfully the page redirects to the following URL and message instead of redirecting to my HA dashboard:
redirected URL =
https://ha.domain.tld/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=3a52a2c1949c406fb795a8d4f2b20332&state=BFY-clpa1miiUN_5ciEzUKPNbsWe7c3X7HnkPdthrLM
Page body:
Message | "no app for hostname" Host | "ha.domain.tld" Detail | "Check the outpost settings and make sure 'ha.domain.tld' is included."
In my troubleshooting prior to posting here, I came across this issue, which seems to produce the same error, so I tried implementing priority settings in Traefik, but it does not seem to have solved the issue (perhaps I did it wrong? My Traefik config is included below).
I will include output logs from relevant sources in the appropriate section below as well
Relevant infos
- I believe the HASS-Auth-Header configuration is correct. When I log in directly to Home Assistant via local IP/port I see it is attempting to log in with header auth.
- Home Assistant OS is running in a VM on an Unraid host.
- The local IP for Home Assistant and the Unraid host are on the same network.
- The Unraid host is also where my Authentik and Traefik Docker containers are running.
- The Docker containers are all on a separate Docker "proxy" network.
- The embedded outpost is configured properly with a Traefik "auth" rule to provide remote access to Authentik itself via "auth.domain.tld".
- Authentik also works properly to log in and access Traefik's dashboard using the embedded outpost at "traefik.domain.tld", as well as other applications mapped to their own respective subdomains.
- I was able to access Home Assistant in this same way via "ha.domain.tld" on the embedded outpost; however, having to log in to Authentik and then again to Home Assistant was cumbersome, so I tried to implement the header auth to allow for a single login.
- Because of Unraid's unique Docker implementation I manually created a separate container for the external proxy outpost called "authentik_ha". I believe it is configured correctly as it is recognized and communicating with the primary authentik container.
Traefik Config File:
```yaml
http:
  routers:
    # traefik routing - Remove if not used
    traefik:
      entryPoints:
        - http
      rule: 'Host(`traefik.domain.tld`)'
      service: traefik
      priority: 1
      middlewares:
        - "auth"
    # Homeassistant routing
    homeassistant:
      entryPoints:
        - https
      rule: "Host(`ha.domain.tld`)"
      service: homeassistant
      priority: 10
      middlewares:
        - "auth_ha"
    # Homeassistant auth routing (outpost paths bypass the forwardAuth middleware)
    homeassistant-auth:
      entryPoints:
        - https
      rule: "Host(`ha.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)"
      service: authentik_ha_service
      priority: 50
  services:
    # traefik service - Remove if not used
    traefik:
      loadBalancer:
        servers:
          - url: http://traefik:8080/
    # Homeassistant service
    homeassistant:
      loadBalancer:
        servers:
          - url: http://home-assistant-local-ip:port/
    # Authentik HA service
    authentik_ha_service:
      loadBalancer:
        servers:
          - url: http://authentik_ha:9000
  middlewares:
    auth_ha:
      forwardAuth:
        address: http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    auth:
      forwardAuth:
        address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
```
Logs
Traefik Logs - Note: this error occurs on initial load of https://ha.domain.tld; there are no more related log entries from Traefik after successfully entering my credentials in the authentik login page:
time="2023-04-08T10:30:26-05:00" level=debug msg="Remote error http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik. StatusCode: 302" middlewareName=auth_ha@file middlewareType=ForwardedAuthType
authentik_ha (external outpost container) logs (also only showing entries upon initial page load):
event=/outpost.goauthentik.io/auth/traefik host=ha.domain.tld logger=authentik.outpost.proxyv2.application method=GET name=Home-Assistant remote="[IP address]" runtime=0.287 scheme=http size=355 status=302 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
Associated Event details from Authentik dashboard log:
Event info
Action: Application authorized
App: authentik.providers.oauth2.views.authorize
User: [Username](https://auth.domain.tld/if/admin/#/identity/users/5)
Created: 4/8/2023, 10:37:19 AM
Client IP: 172.18.0.1
Tenant: Default tenant
Authorized application:
UID: 6be76f30dead44acac2d828f6270e5a5
Name: Home-Assistant
App: authentik_core
Model Name: application
Context:
```json
{
  "flow": "67727ee119cf407d983610865ab2c65f",
  "scopes": "ak_proxy email openid profile",
  "http_request": {
    "args": {
      "query": "client_id=cuLEFyvJUHQFDMgd1xdtuBSpH34aqsX3ERQUAl46&redirect_uri=https%3A%2F%2Fha.domain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=ak_proxy+email+openid+profile&state=h8h1bVZ_YyK02XF9qNCgqn4VvIj84v5-5Vk5dlLndlU"
    },
    "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
    "method": "GET"
  },
  "authorized_application": {
    "pk": "6be76f30dead44acac2d828f6270e5a5",
    "app": "authentik_core",
    "name": "Home-Assistant",
    "model_name": "application"
  }
}
```
User:
```json
{
  "pk": 5,
  "email": "[email protected]",
  "username": "Username"
}
```
Version and Deployment (please complete the following information):
- authentik version: 2023.3.1
- Deployment: Unraid (details above)
Additional context
I appreciate any help and am happy to provide any additional config details, screenshots, or logs as needed. Thanks!
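The opening post tries Traefik router priorities as a fix. The following is an added example (not code from the issue, from Traefik or from authentik) that models Traefik's router selection for the routers in the posted config, so the routing of the callback URL under /outpost.goauthentik.io/ can be checked offline. It assumes, as Traefik documents, that among matching routers the highest priority wins and that an unset priority equals the length of the rule string; only Host() and PathPrefix() joined by && are modelled, and entrypoints and middlewares are left out.

```python
"""Added example: a minimal model of Traefik v2 router selection.

Assumptions (not verified against Traefik's source here): every router whose
rule matches is a candidate, the candidate with the highest priority wins,
and a router without an explicit priority gets len(rule) as its priority.
"""
import re

# Constructed from the routers in the posted Traefik config (rules and priorities only).
ROUTERS = {
    "traefik": {
        "rule": "Host(`traefik.domain.tld`)",
        "service": "traefik",
        "priority": 1,
    },
    "homeassistant": {
        "rule": "Host(`ha.domain.tld`)",
        "service": "homeassistant",
        "priority": 10,
    },
    "homeassistant-auth": {
        "rule": "Host(`ha.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)",
        "service": "authentik_ha_service",
        "priority": 50,
    },
}


def parse_rule(rule):
    """Return {matcher: argument} for rules built from Host() and PathPrefix()."""
    matchers = dict(re.findall(r"(Host|PathPrefix)\(`([^`]*)`\)", rule))
    if not matchers:
        raise ValueError("unsupported rule: " + rule)
    return matchers


def rule_matches(rule, host, path):
    """True if every matcher in the rule accepts the request (AND semantics)."""
    m = parse_rule(rule)
    if "Host" in m and m["Host"] != host:
        return False
    if "PathPrefix" in m and not path.startswith(m["PathPrefix"]):
        return False
    return True


def select_router(routers, host, path):
    """Return (router name, effective priority) Traefik would pick, or None."""
    candidates = []
    for name, cfg in routers.items():
        if rule_matches(cfg["rule"], host, path):
            # Default priority is the rule length when none is configured.
            prio = cfg.get("priority", len(cfg["rule"]))
            candidates.append((prio, name))
    if not candidates:
        return None
    prio, name = max(candidates)
    return name, prio


def without_priorities(routers):
    """The same routers with every explicit priority removed (Traefik defaults)."""
    return {n: {k: v for k, v in c.items() if k != "priority"} for n, c in routers.items()}


if __name__ == "__main__":
    cb = "/outpost.goauthentik.io/callback"
    print(select_router(ROUTERS, "ha.domain.tld", cb))
    print(select_router(without_priorities(ROUTERS), "ha.domain.tld", cb))
    print(select_router(ROUTERS, "ha.domain.tld", "/lovelace/0"))
```

With or without the explicit priorities, the callback request lands on the homeassistant-auth router (the longer rule wins by default), so the priority values are not what decides whether the outpost sees the callback.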
I'm also running into the same issue, on authentik 2023.3.1. I'm using caddy and trying to reverse proxy to wikijs using authentik as a OAuth2/OpenID Provider
Did you ever find a solution? I'm still not having any luck
Unfortunately no. I also haven't been able to troubleshoot it more lately. I feel like I'm at a deadend
Just ran into this issue myself with grafana and OAuth, no solution either
I am also running into the same issue. Did you happen to manage to fix it?
Thanks
I was able to find a solution to this...
I had to modify the middleware url in the traefik config to point directly to the outpost service instead of the generic authentik one.
So the correct value was this for me: http://ak-outpost-authentik-embedded-outpost.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
Check exactly what your service name is, as it might be different depending on what you named your outpost, what helm chart you're using, etc.
So my whole middleware config is:
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: default
spec:
  forwardAuth:
    address: http://ak-outpost-authentik-embedded-outpost.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
```
And my service being like so:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-radarr
  namespace: default
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd,default-authentik@kubernetescrd
spec:
  tls:
    - secretName: wildcard-domain-le-prod-tls
      hosts:
        - radarr2.domain.tld
  rules:
    - host: radarr2.domain.tld
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: radarr-svc
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: radarr-svc
  namespace: default
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 7878
  selector:
    app: radarr
```
To resolve the issue you need to use http://ip-address:9000/outpost.goauthentik.io/auth/traefik instead of http://authentik_server:9000/outpost.goauthentik.io/auth/traefik; the issue will then be resolved.
In most cases of "no app for hostname", the error is caused by authentik not knowing which application the request is for. This is most often due to a missing "Host" or "X-Forwarded-For" header. The main cause for this is using the external authentik URL as address in forwardAuth. To further debug this, you can set authentik or the outpost to the log level trace. When pasting log messages with that level be very cautious though, as it will include sensitive data such as the session token.
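As an added example (not code from the issue, from Traefik or from authentik) of the failure modes this thread turns on, the model below follows one Traefik forwardAuth request from the ha.domain.tld router to the outpost and performs the outpost's hostname lookup. It assumes: Traefik's forwardAuth middleware adds X-Forwarded-Method/Proto/Host/Uri/For to the auth request and keeps incoming X-Forwarded-* headers only when trustForwardHeader is true; a Traefik entrypoint replaces X-Forwarded-* headers arriving from a peer outside its forwardedHeaders.trustedIPs with its own view; and the outpost resolves the application from X-Forwarded-Host, falling back to Host, which is a simplification of authentik's real lookup. Hostnames, addresses and the 172.18.0.1 client IP are taken from the issue; the requests are constructed.

```python
"""Added example: a simplified model of Traefik forwardAuth plus the outpost's
application lookup, so "no app for hostname" can be reproduced offline.
The forwarding rules below are assumptions about Traefik/authentik behaviour,
not their code."""
from urllib.parse import urlsplit

NO_APP = "no app for hostname"

# Constructed: the outpost only knows the Home Assistant provider's external host.
OUTPOST_HOSTS = {"ha.domain.tld": "Home-Assistant"}

# Constructed: the browser's first request as the homeassistant router sees it.
CLIENT_REQ = {"method": "GET", "proto": "https", "host": "ha.domain.tld",
              "uri": "/", "client_ip": "203.0.113.10", "headers": {}}

INTERNAL = "http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik"
EXTERNAL = "https://auth.domain.tld/outpost.goauthentik.io/auth/traefik"
PROXY_PEER = "172.18.0.1"  # the Docker proxy-network address seen in the event log


def forward_auth_request(address, client_req, trust_forward_header=True):
    """The request Traefik's forwardAuth middleware sends to `address` (assumed)."""
    target = urlsplit(address)
    hdrs = {"Host": target.netloc,
            "X-Forwarded-Method": client_req["method"],
            "X-Forwarded-Proto": client_req["proto"],
            "X-Forwarded-Host": client_req["host"],
            "X-Forwarded-Uri": client_req["uri"],
            "X-Forwarded-For": client_req["client_ip"]}
    if trust_forward_header:
        # trustForwardHeader: keep X-Forwarded-* that already arrived with the request.
        for k, v in client_req.get("headers", {}).items():
            if k.startswith("X-Forwarded-"):
                hdrs[k] = v
    return {"host": target.netloc, "path": target.path, "headers": hdrs,
            "peer_ip": PROXY_PEER}


def entrypoint_hop(req, trusted_ips=()):
    """A request re-entering a Traefik entrypoint on its way to a service.
    X-Forwarded-* from an untrusted peer is replaced with what the entrypoint sees."""
    hdrs = dict(req["headers"])
    if req["peer_ip"] not in trusted_ips:
        hdrs["X-Forwarded-Host"] = req["host"]
        hdrs["X-Forwarded-For"] = req["peer_ip"]
    return {**req, "headers": hdrs}


def outpost_lookup(req, outpost_hosts):
    """Resolve the application by forwarded host, or return the error body from the issue."""
    host = req["headers"].get("X-Forwarded-Host") or req["headers"]["Host"]
    host = host.split(":")[0]
    app = outpost_hosts.get(host)
    if app:
        return {"app": app, "host": host}
    return {"Message": NO_APP, "Host": host,
            "Detail": f"Check the outpost settings and make sure '{host}' is included."}


def check_direct(outpost_hosts=None):
    """forwardAuth address points straight at the outpost container."""
    hosts = OUTPOST_HOSTS if outpost_hosts is None else outpost_hosts
    return outpost_lookup(forward_auth_request(INTERNAL, CLIENT_REQ), hosts)


def check_via_public_url(trusted_ips=()):
    """forwardAuth address is the public authentik URL, so the auth request
    first passes through Traefik's auth.domain.tld router."""
    req = forward_auth_request(EXTERNAL, CLIENT_REQ)
    req = entrypoint_hop(req, trusted_ips)
    return outpost_lookup(req, OUTPOST_HOSTS)


if __name__ == "__main__":
    print("internal address:      ", check_direct())
    print("public URL, untrusted: ", check_via_public_url())
    print("public URL, trusted:   ", check_via_public_url(trusted_ips=(PROXY_PEER,)))
    print("no provider on outpost:", check_direct(outpost_hosts={}))
```

Running it gives three outcomes worth comparing: the internal address resolves Home-Assistant; the public URL re-enters Traefik, whose entrypoint rewrites X-Forwarded-Host to auth.domain.tld unless the middleware's peer is trusted, producing the error described above; and an outpost that has no provider for ha.domain.tld returns the exact body quoted in the opening post, with the host correct, which is the case its Detail text ("check the outpost settings") points at.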