Unable to authenticate via browser #194

mag1c22 opened this issue Oct 20, 2022 · 18 comments
@mag1c22

mag1c22 commented Oct 20, 2022

Apologies for what probably is an easy solution, I am just new to this.

I've got my reverse proxy working and the header integration installed.
When I click the ha.domain.com URL in nginx it brings me to a page that says:

Home Assistant

You're about to give https://ha.domain.com access to your Home Assistant instance.

Logging in with Header Authentication

Login Aborted:

START OVER

or log in with:

Home Assistant Local

Here is my conf.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
auth_header:
    # Optionally set this if you're not using authentik proxy or oauth2_proxy
    # username_header: X-Forwarded-Preferred-Username
    # Optionally enable debug mode to see the headers Home-Assistant gets
    # debug: false
# Optionally, if something is not working right, add this block below to get more information
logger:
    default: info
    logs:
        custom_components.auth_header: debug

I've tried un-commenting the username_header: line and adding my authentik and HA username there but neither work. I'm not really sure what I am supposed to be putting there so I assume that is my issue...

Many thanks!

@BeryJu
Owner

BeryJu commented Oct 20, 2022

Check in the Homeassistant logs if there's any errors/warnings in there

@mag1c22
Author

mag1c22 commented Oct 20, 2022

Here's the log with no username header in the config, exactly as shown in my prior post (also added the Cloudflare IP and my public IP to the trusted IPs). I removed my public IP, domain and other potentially private info from the log below.

2022-10-20 08:22:35.222 INFO (MainThread) [custom_components.hacs] Stage changed: HacsStage.RUNNING
2022-10-20 08:22:53.075 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy('X-authentik-username': 'TEST', 'X-authentik-groups': 'authentik Admins', 'X-authentik-email': '[email protected]', 'X-authentik-uid': '#', 'Host': '192.168.1.246:8123', 'Connection': 'close', 'Content-Length': '145', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42', 'Accept': '*/*', 'Accept-Encoding': 'gzip', 'Accept-Language': 'en-US,en;q=0.9', 'Cdn-Loop': 'cloudflare', 'Cf-Connecting-Ip': '#', 'Cf-Ipcountry': 'US', 'Cf-Ray': -IAD', 'Cf-Visitor': '{"scheme":"https"}', '37354d9ff627', 'Content-Type': 'text/plain;charset=UTF-8', 'Cookie': 'authentik_proxy=MTY2', 'Dnt': '1', 'Origin': 'https://ha.DOMAIN.com', 'Priority': 'u=1', 'Referer': 'https://ha.DOMAIN.com/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fha.DOMAIN.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fha.DOMAIN.com%2F&state=eyJo', 'Sec-Ch-Ua': '"Chromium";v="106", "Microsoft Edge";v="106", "Not;A=Brand";v="99"', 'Sec-Ch-Ua-Mobile': '?0', 'Sec-Ch-Ua-Platform': '"Windows"', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', 'X-Forwarded-For': IP', 'X-Forwarded-Proto': 'https')>
2022-10-20 08:22:53.075 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 08:22:53.075 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2022-10-20 08:22:53.075 DEBUG (MainThread) [custom_components.auth_header.headers] no user found

@BeryJu
Owner

BeryJu commented Oct 20, 2022

configure

auth_header:
    # Optionally set this if you're not using authentik proxy or oauth2_proxy
    username_header: X-authentik-username

@mag1c22
Author

mag1c22 commented Oct 20, 2022

> configure
>
> auth_header:
>     # Optionally set this if you're not using authentik proxy or oauth2_proxy
>     username_header: X-authentik-username

Edit: I am dumb, testing now.

Edit2 : I get the same error I think

2022-10-20 08:40:50.692 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 08:40:50.692 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2022-10-20 08:40:50.693 DEBUG (MainThread) [custom_components.auth_header.headers] no user found

config

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24 
    #local IP range
    - 172.17.0.1 
    #cloudflare IP
    - 1.2.3.4 
    #public IP
auth_header:
    # Optionally set this if you're not using authentik proxy or oauth2_proxy
    username_header: Magic
    # Optionally enable debug mode to see the headers Home-Assistant gets
    # debug: false
# Optionally, if something is not working right, add this block below to get more information
logger:
    default: info
    logs:
        custom_components.auth_header: debug

@BeryJu
Owner

BeryJu commented Oct 20, 2022

why did you set username_header to Magic instead of username_header: X-authentik-username

@mag1c22
Author

mag1c22 commented Oct 20, 2022

> X-authentik-username

I misinterpreted and thought I was supposed to put the actual username there. I also tried username_header: X-authentik-username

and get

2022-10-20 08:58:42.532 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 08:58:42.532 DEBUG (MainThread) [custom_components.auth_header.headers] no user found

@BeryJu
Owner

BeryJu commented Oct 20, 2022

your username in authentik needs to match the username in HASS, the username that is shown under :8123/config/users
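
Added example, not part of the thread and not the auth_header integration's own code: a simplified Python model of the checks discussed so far (proxy trust, header name, username match), reusing the outcome strings seen in the logs. The `diagnose` function, the `untrusted peer` outcome, the default header name (read from the commented-out config line) and the exact-match username rule are assumptions of this model.

```python
import ipaddress

# Assumption: default header name, taken from the commented-out config line above.
DEFAULT_USERNAME_HEADER = "X-Forwarded-Preferred-Username"

# Constructed sample: a subset of the headers in the debug log above.
SAMPLE_HEADERS = {"X-authentik-username": "TEST", "X-Forwarded-Proto": "https"}


def diagnose(peer_ip, headers, trusted_proxies, ha_users, username_header=None):
    """Return (outcome, notes) for one login request in this simplified model."""
    notes = []
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    # Every host inside a trusted range can assert an identity header, so
    # entries wider than a single address are flagged.
    notes += [f"broad trusted_proxies entry: {n}" for n in nets if n.num_addresses > 1]

    # Assumption of this model: identity headers count only from a trusted peer.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in n for n in nets):
        return "untrusted peer", notes

    # Header names are case-insensitive (the log shows a CIMultiDictProxy).
    lowered = {k.lower(): v for k, v in headers.items()}
    wanted = (username_header or DEFAULT_USERNAME_HEADER).lower()
    if wanted not in lowered:
        seen = sorted(k for k in lowered if "username" in k)
        notes.append("identity-like headers received: " + ", ".join(seen))
        return "No header set", notes

    # Assumption: the header value must equal a Home Assistant username exactly.
    if lowered[wanted] not in ha_users:
        return "no user found", notes
    return "login ok", notes


if __name__ == "__main__":
    for header in (None, "Magic", "X-authentik-username"):
        print(header, diagnose("172.17.0.1", SAMPLE_HEADERS, ["172.17.0.1"], {"eric"}, header))
```

Listing only the reverse proxy's own address under `trusted_proxies`, rather than a whole LAN range such as `192.168.1.0/24`, keeps other hosts from supplying the username header themselves.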

@mag1c22
Author

mag1c22 commented Oct 20, 2022

Ah, that progresses me forward. I get a new error:

2022-10-20 09:22:34.641 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 09:22:44.303 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from d1-2-3-4col.INTERNETPROVIDER.com (1.2.3.4). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42)

1.2.3.4 = my ISP IP address which I've added in the config as a trusted IP, not sure why it gets an error.

@mag1c22
Author

mag1c22 commented Oct 20, 2022

Just an update on this. I tried with an incognito browser and get a different error:

2022-10-20 15:36:14.764 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 172.17.0.1
2022-10-20 15:36:14.764 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2022-10-20 15:36:14.765 DEBUG (MainThread) [custom_components.auth_header.headers] no user found

My authentik username = eric, as does my HA username.

My config:

# Loads default set of integrations. Do not remove.
default_config:

# Text to speech
tts:
  - platform: google_translate

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
    use_x_forwarded_for: true
    trusted_proxies:
        - 172.17.0.1
        - 172.17.0.20 # This needs to be set to the IP of your reverse proxy
auth_header:
    # Optionally set this if you're not using authentik proxy or oauth2_proxy
    # username_header: X-Forwarded-Preferred-Username
    # Optionally enable debug mode to see the headers Home-Assistant gets
    # debug: false
# Optionally, if something is not working right, add this block below to get more information
logger:
    default: info
    logs:
        custom_components.auth_header: debug

I've tried # username_header: X-Forwarded-Preferred-Username both enabled and disabled to no avail.

I also tested this bypassing the proxies by just opening the port on my router and it worked fine. There's clearly something wrong in my HA config I just don't know what I am doing wrong.

I am able to authenticate via authentik and it redirects to HA which says header authentication, login aborted.


@pbvdven

pbvdven commented Nov 8, 2022

Other question, kind of the same topic. I can't log in with username/password. Everything else works fine, but it won't let me log in: when I put in user/pw and click login, it changes to start again and stays stuck at the login page?

@ajvpot
Contributor

ajvpot commented Dec 17, 2022

@pbvdven I fixed that in #179 but it has not been released yet. You could try installing the latest from master. @BeryJu Please consider creating a new minor/patch release to push this bugfix.

@nicedevil007

> @pbvdven I fixed that in #179 but it has not been released yet. You could try installing the latest from master. @BeryJu Please consider creating a new minor/patch release to push this bugfix.

I installed the addon about 1 week ago and I'm running in the same error as @mag1c22. I just opened hass in a private window of my browser and it just shows me the same screen without a redirection to my authentik instance.

My hass is behind a NginxProxyManager, do I have to add there something as well?


@pbvdven

pbvdven commented Feb 24, 2023

You need to add a snippet to npm; you can find it in authentik under the provider you created for home assistant. Then copy-paste it in npm proxy host > your proxy > advanced tab.

@nicedevil007

nicedevil007 commented Feb 24, 2023

> You need to add a snippet to npm; you can find it in authentik under the provider you created for home assistant. Then copy-paste it in npm proxy host > your proxy > advanced tab.

maybe I'm a bit stupid, but I can't find the snippet :(


EDIT: Ok I'm trying it with forward auth now instead of proxy (that was my old setting from the documentation, what is the right one to choose here?)


@pbvdven

pbvdven commented Feb 24, 2023

Overview, scroll down to setup, select npm.

@nicedevil007

nicedevil007 commented Feb 24, 2023

yeah sure I found it, but that is only visible when you choose Forward auth instead of Proxy (Proxy is the thing I should create from the documentation, so the documentation is wrong :()


@nicedevil007

nicedevil007 commented Feb 24, 2023

ok, I was able to get it working to that point, that authentik is doing its login process but afterwards it's telling me this:

now I have to debug the authheader addon I installed in homeassistant right?
opened a new issue for my new problem now: => #236

@pbvdven

pbvdven commented Feb 24, 2023

> yeah sure I found it, but that is only visible when you choose Forward auth instead of Proxy (Proxy is the thing I should create from the documentation, so the documentation is wrong :()


No but when you choose proxy authentik will handle the proxy not npm
