Invalid Redirect URI - Nginx Proxy Manager & Authentik
The problem
I'm using Home Assistant in Docker as well as Nginx Proxy Manager and Authentik. I have the blocks set up so I can log in. But if I try to go a "normal" route to log in through a browser, for example, I go to https://ha.domain.tld, I expect to be directed to Authentik to sign in, then back to Home Assistant where I can just click Log In, but instead I end up at an "Invalid Redirect URI" message. If I just go to the main Home Assistant URL again for my domain, I can then click Log In and it takes me right in.
I'm using the https://github.com/BeryJu/hass-auth-header from HACS to provide the auth header information. I don't believe this is causing an issue as it's just providing the header to tie the usernames together.
Here are my blocks in Nginx Proxy Manager. They are set up in this way so the mobile app and the gethomepage.dev Home Assistant widget can properly communicate with the API.
    port_in_redirect off;

    location /auth {
        proxy_pass http://192.168.4.92:8123/auth;
        auth_request /outpost.goauthentik.io/auth/nginx;
        error_page 401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
        auth_request_set $authentik_authorization $upstream_http_authorization;
        proxy_set_header X-ak-hass-user $authentik_username;
        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups $authentik_groups;
        proxy_set_header X-authentik-email $authentik_email;
        proxy_set_header X-authentik-name $authentik_name;
        proxy_set_header X-authentik-uid $authentik_uid;
        proxy_set_header Authorization $authentik_authorization;
    }

    location /outpost.goauthentik.io {
        proxy_pass http://192.168.4.92:9002/outpost.goauthentik.io;
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        add_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }

    location / {
        proxy_pass http://192.168.4.92:8123;
    }
Here's a screenshot of what I get when going to my https://ha.domain.tld and being redirected to Authentik to sign in. Note the URL at the top does not include a redirect URI at all.
If I then go manually to my https://ha.domain.tld again after I've signed in with Authentik, I get this screen below. Note that this URL includes a full redirect URI and if I click Log In, I'm taken to my dashboard, as expected.
There's also nothing in the logs when I'm refreshing the page while that Invalid Redirect URI message is on the screen. HA is not recording anything for that.
Let me know if there's any more information I can provide.
What version of Home Assistant Core has the issue?
core-2024.10.2
What was the last working version of Home Assistant Core?
No response
What type of installation are you running?
Home Assistant Core
Integration causing the issue
No response
Link to integration documentation on our website
No response
Diagnostics information
No response
Example YAML snippet
No response
Anything in the logs that might be useful for us?
No response
Additional information
No response
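A check worth running against the `return 302 /outpost.goauthentik.io/start?rd=$request_uri;` line in the report above, as an added example that is not part of the original issue or of either project's code: nginx inserts `$request_uri` verbatim, so any `&` in the original query string ends the `rd` value for a standard query-string parser. The sample authorize URI and its parameter names are constructed assumptions, and the page does not establish that this is the cause of the reported message.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: a request URI that carries its own query string, in the
# shape of an OAuth-style authorize request (parameter names are assumptions).
REQUEST_URI = (
    "/auth/authorize?response_type=code"
    "&redirect_uri=https%3A%2F%2Fha.domain.tld%2F%3Fauth_callback%3D1"
    "&client_id=https%3A%2F%2Fha.domain.tld%2F&state=abc123"
)


def signin_location(request_uri, encode=False):
    """Build the Location value the @goauthentik_proxy_signin block returns.

    encode=False mirrors the config in the report (raw $request_uri);
    encode=True percent-encodes the whole URI first, for comparison.
    """
    rd = quote(request_uri, safe="") if encode else request_uri
    return "/outpost.goauthentik.io/start?rd=" + rd


def rd_seen_by_parser(location):
    """Return (rd value, names of stray parameters) as a standard parser sees them."""
    params = parse_qs(urlsplit(location).query, keep_blank_values=True)
    rd = params.pop("rd")[0]
    return rd, sorted(params)


if __name__ == "__main__":
    for encode in (False, True):
        rd, stray = rd_seen_by_parser(signin_location(REQUEST_URI, encode))
        print("encoded" if encode else "raw    ", "rd =", rd)
        print("         stray params:", stray)
```

Comparing the `rd` value in the browser's address bar on the sign-in redirect with the URI originally requested shows whether parameters were dropped this way.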