website/integrations: Update Home Assistant integration docs #12233
Conversation
@@ -16,6 +16,9 @@ sidebar_label: Home Assistant | |||
:::caution | |||
You might run into CSRF errors, this is caused by a technology Home-assistant uses and not authentik, see [this GitHub issue](https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477). | |||
::: | |||
:::caution | |||
Only `/auth` needs to proxied (excluding `/auth/token`), see [this GitHub issue](https://github.com/BeryJu/hass-auth-header/issues/212). |
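Review bot: the added caution on the last line of the hunk reads "Only `/auth` needs to proxied", which is missing a word ("needs to be proxied"). It also says what to exclude but not where that split is configured; a reader following the guide needs to know whether this is done in the reverse proxy's routing or in authentik's Proxy Provider, so name the place and, ideally, give one example of the rule.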
Thanks for this important addition! Can you explain a little more what you mean by "excluding /auth/token" please?
Sure. That means we should proxy all prefixes starting with /auth except /auth/token.
Thanks @sbogomolov, I appreciate that clarification. This is an area I am trying to learn more about, but not fully there yet, lol.
We do need to provide the reader with info on how to accomplish this task of "proxying the prefixes". Let's add some basic info about how/where to do this in authentik. Let's also add an example list of prefixes (taken from Issue #1842).
Only `/auth` needs to proxied (excluding `/auth/token`), see [this GitHub issue](https://github.com/BeryJu/hass-auth-header/issues/212).
You can use the **Unauthenticated Paths** setting in the proxy provider to define regular expressions for which authentication via a proxy is not required. Typically, only `/auth` prefixes need to be proxied (excluding `/auth/token`).
[Screenshot 2024-12-03 at 2 53 31 PM]
For more information refer to [GitHub issue #212](https://github.com/BeryJu/hass-auth-header/issues/212).
Please review carefully, to verify that my suggestion is accurate (using the Unauthenticated Paths field to add any prefixes that do not need to be proxied) and my attempt at adding escapes to the wildcards in the prefixes. @BeryJu can you also please look over this suggested wording?
To be honest, I managed to do this via Traefik's Ingress Route setup. I did not know I could do this in authentik :) Here is what I did:

```yaml
routes:
  # Everything on the host goes straight to Home Assistant, no authentik in front.
  - kind: Rule
    match: Host(`ha.domain.tld`)
    services:
      - name: ha
        port: http
  # Only /auth is sent through the authentik forward-auth middleware.
  - kind: Rule
    match: Host(`ha.domain.tld`) && PathPrefix(`/auth`)
    middlewares:
      - name: authentik
        namespace: authentik
    services:
      - name: ha
        port: http
  # /auth/token is more specific than /auth, so this rule wins and bypasses authentik.
  - kind: Rule
    match: Host(`ha.domain.tld`) && PathPrefix(`/auth/token`)
    services:
      - name: ha
        port: http
  # The outpost's own endpoints are served by the authentik server.
  - kind: Rule
    match: Host(`ha.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)
    services:
      - name: authentik-server
        namespace: authentik
        port: http
        nativeLB: true
```
I have tried adding this list to Unauthenticated Paths and removing my workaround in IngressRoute:

```
^/api.*
^/auth/token.*
^/.external_auth=.
^/service_worker.js
^/static.*
^/local.*
^/hacsfiles.*
^/frontend_latest.*
```

It did not work. I see that requests to /api/... return 401 Unauthorized.
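To make the two approaches discussed in this thread concrete, here is an added Python model (not authentik's or Traefik's own code) of the IngressRoute precedence posted above and of the Unauthenticated Paths list. It assumes Traefik's default rule-length priority, a plain string-prefix `PathPrefix`, and that the outpost matches each regex against the request path; the hostnames and paths are constructed samples.

```python
import re

# Constructed model of the IngressRoute above: (host, PathPrefix, middleware, service); "/" = Host-only rule.
ROUTES = [
    ("ha.domain.tld", "/", None, "ha"),
    ("ha.domain.tld", "/auth", "authentik", "ha"),
    ("ha.domain.tld", "/auth/token", None, "ha"),
    ("ha.domain.tld", "/outpost.goauthentik.io/", None, "authentik-server"),
]

# The Unauthenticated Paths list tried in the Proxy Provider, copied from the comment above.
UNAUTHENTICATED_PATHS = [
    r"^/api.*", r"^/auth/token.*", r"^/.external_auth=.", r"^/service_worker.js",
    r"^/static.*", r"^/local.*", r"^/hacsfiles.*", r"^/frontend_latest.*",
]


def rule_string(host: str, prefix: str) -> str:
    """Rebuild the rule text of a router; Traefik's default priority is the rule's length."""
    return f"Host(`{host}`)" + ("" if prefix == "/" else f" && PathPrefix(`{prefix}`)")


def traefik_route(host: str, path: str):
    """Return (service, middleware) of the winning router, or None when nothing matches."""
    # Assumptions: PathPrefix is a plain string-prefix test, and with no explicit priority
    # the router with the longest rule wins, so /auth/token outranks /auth for token calls.
    candidates = [(len(rule_string(h, p)), svc, mw)
                  for h, p, mw, svc in ROUTES if h == host and path.startswith(p)]
    if not candidates:
        return None
    _, svc, mw = max(candidates, key=lambda c: c[0])
    return svc, mw


def outpost_requires_auth(path: str) -> bool:
    """Model of Unauthenticated Paths: a path matching any listed regex skips authentication."""
    return not any(re.search(pattern, path) for pattern in UNAUTHENTICATED_PATHS)


def explain(host: str, path: str) -> str:
    """One line per request: where the IngressRoute sends it and what the regex list decides."""
    route = traefik_route(host, path)
    via = "no route" if route is None else f"{route[0]} via {route[1] or 'no middleware'}"
    gate = "auth required" if outpost_requires_auth(path) else "unauthenticated"
    return f"{path}: traefik -> {via}; unauthenticated-paths -> {gate}"


if __name__ == "__main__":
    for p in ("/auth/authorize", "/auth/token", "/api/states", "/outpost.goauthentik.io/start"):
        print(explain("ha.domain.tld", p))
```

Run it to see that only `/auth/...` requests pass through the authentik middleware in the Traefik layout, while `/auth/token` and `/api/...` go straight to Home Assistant; the regex model shows `/api/...` is excluded by the list as written, so a 401 on those requests has to come from somewhere else in the chain.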
Ah, okay, thanks very much for that feedback @sbogomolov. I hadn't realized you'd configured it in Traefik, makes perfect sense.
I think for now it's best if we go back to your original wording, but please clarify that this can be set in a reverse proxy (such as Traefik) OR in authentik (on the Proxy Provider), and we get this PR merged. I'll ask Engineering to test what you found; if you have any info to share you could open an Issue and describe what happened when you tried to use the Unauthenticated Paths field in authentik. Thanks so much for this contribution, and for your patience with working out the details.
I have updated the wording. Let me know what you think.
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs. #12233):

| | main | #12233 | +/- |
|---|---|---|---|
| Coverage | 92.60% | 92.70% | +0.09% |
| Files | 761 | 762 | +1 |
| Lines | 38050 | 38156 | +106 |
| Hits | 35238 | 35373 | +135 |
| Misses | 2812 | 2783 | -29 |

Flags with carried forward coverage won't be shown. View full report in Codecov by Sentry.
Thanks! LGTM!
Ach. The build check for If you did run it, you might need to upgrade our build package by running
I have just run EDIT: I have also tried running
Something must be off with that check. I have run it manually and it was successful:
Also, the failed check shows problems with file I have not touched:
@tanberry I'm not sure what else I can do here...
Extra care should be taken to proxy only /auth endpoint through Authentik.

Signed-off-by: Sergii Bogomolov <[email protected]>
Co-authored-by: Tana M Berry <[email protected]>
Signed-off-by: Sergii Bogomolov <[email protected]>
Thank you for your patience on this one, @sbogomolov and thank you for adding this important integration guide!

Extra care should be taken to proxy through Authentik only prefixes starting with `/auth` (excluding prefixes starting with `/auth/token`). If everything is proxied, things break. See BeryJu/hass-auth-header#212.