Login attempt with invalid authentication (Nginx + Authentik + Homeassistant) #300

Open
Aqui1us opened this issue Jan 27, 2024 · 3 comments

Aqui1us commented Jan 27, 2024

Hi, I'm running Homeassistant as well as Authentik and nginx as Docker containers and want to access Homeassistant via the nginx reverse proxy using the authentik Auth.

When I use hass2.mysdomain.com (which is set up in nginx) I get redirected to the Authentik login. So far so good.
After signing in I get redirected to Homeassistant where this error pops up.

The Homeassistant log states:
Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'
Homeassistant Log:

2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy(
    'X-authentik-username': 'test', 
    'X-authentik-name': 'test', 
    'X-authentik-uid': '1ae74557218bb98d96b177878660de63d1848a2830c26c35afbad47ff9ecb851', 
    'Host': '192.168.178.101:8123', 
    'Connection': 'close', 
    'Content-Length': '129', 
    'sec-ch-ua': '"Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"', 
    'sec-ch-ua-platform': '"Windows"', 
    'sec-ch-ua-mobile': '?0', 
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36', 
    'Content-Type': 'text/plain;charset=UTF-8', 
    'Accept': '*/*', 
    'sec-gpc': '1', 
    'Accept-Language': 'de-DE,de;q=0.6', 
    'Origin': 'https://hass2.mydomain.com', 
    'sec-fetch-site': 'same-origin', 
    'sec-fetch-mode': 'cors', 
    'sec-fetch-dest': 'empty', 
    'Accept-Encoding': 'gzip, deflate, br', 
    'Cookie': 'authentik_proxy_3r6W7vF2=SFORLJB5QA7PQ3QFU2ARAH5COBD3IV76G7S7T4ZHS756WOCWKQUDQVVRLBDO3KBE7XOOIWMGMPPWIOTSK3AYLSLWQ5VCOSGF5ZUT5FI')>
2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.178.101
2024-01-27 18:45:39.405 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36)

192.168.178.101 is the local network IP of my server, which is running all 3 Docker containers.
'test' is set up as a username in Authentik as well as Homeassistant.

In my config.yaml I have added:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.178.0/24
    
auth_header:
    username_header: X-authentik-username

logger:
    default: info
    logs:
        custom_components.auth_header: debug

The custom configuration for the Proxy Host in Nginx is:

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass          http://192.168.178.101:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Any help on how to tackle this problem would be appreciated,
I suspect Homeassistant doesn't like the way Authentik hands over the auth_header?
Do I need to add or modify the '/auth/token' somewhere?


hahnet commented Apr 17, 2024

Hi, did you get it working? I'm having the same issue.

Aqui1us commented Apr 18, 2024

nope, I shelved the project for now.

hahnet commented Apr 25, 2024

Solution is to add:

proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

to the config
#236
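
The fix from the last comment placed into the `location /` block posted in the issue, as an added example (not code from the issue participants or the project). `proxy_http_version 1.1` is an assumption added here for the WebSocket handshake; every other directive comes from the posted config and the comment.

```nginx
location / {
    proxy_pass          $forward_scheme://$server:$port;

    # From the last comment. Without this line nginx sends the proxy_pass
    # target as Host, which is why the logged request shows
    # 'Host': '192.168.178.101:8123' next to
    # 'Origin': 'https://hass2.mydomain.com'.
    proxy_set_header    Host $host;

    # From the last comment: forward the WebSocket handshake headers.
    # The logged request carries nginx's default 'Connection': 'close'.
    proxy_set_header    Upgrade $http_upgrade;
    proxy_set_header    Connection "upgrade";

    # Assumption, not in the comment: the Upgrade handshake needs HTTP/1.1,
    # so set it explicitly rather than rely on the nginx default.
    proxy_http_version  1.1;

    # authentik-specific config (unchanged from the issue)
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;
    add_header          Set-Cookie $auth_cookie;

    # Identity values are taken only from the outpost's auth response.
    auth_request_set    $authentik_username $upstream_http_x_authentik_username;
    auth_request_set    $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set    $authentik_email $upstream_http_x_authentik_email;
    auth_request_set    $authentik_name $upstream_http_x_authentik_name;
    auth_request_set    $authentik_uid $upstream_http_x_authentik_uid;

    # proxy_set_header replaces any same-named header the client sent.
    # Keep these lines: config.yaml tells auth_header to take the login
    # name from X-authentik-username.
    proxy_set_header    X-authentik-username $authentik_username;
    proxy_set_header    X-authentik-groups $authentik_groups;
    proxy_set_header    X-authentik-email $authentik_email;
    proxy_set_header    X-authentik-name $authentik_name;
    proxy_set_header    X-authentik-uid $authentik_uid;
}
```

The `trusted_proxies` entry in the posted config.yaml covers all of 192.168.178.0/24, so Home Assistant treats every host in that range as a proxy; listing only the proxy's own address is the tighter setting.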
