Login attempt with invalid authentication (Nginx + Authentik + Homeassistant)
Opened this issue · 3 comments
Hi I'm running Homeassistant as well as Authentik and nginx as Docker containers and want so acces Homeassistant via the nginx reverse proxy using the authentik Auth.
When I use hass2.mysdomain.com (wich is set up in nginx) i get redirected to the Authentik login. So far so good.
After Signing in I get redicrectet to Homeassistant where this error pops up.
The Homeassistant log states:
Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'
Homeassistant Log:
2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy(
'X-authentik-username': 'test',
'X-authentik-name': 'test',
'X-authentik-uid': '1ae74557218bb98d96b177878660de63d1848a2830c26c35afbad47ff9ecb851',
'Host': '192.168.178.101:8123',
'Connection': 'close',
'Content-Length': '129',
'sec-ch-ua': '"Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"',
'sec-ch-ua-platform': '"Windows"',
'sec-ch-ua-mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36',
'Content-Type': 'text/plain;charset=UTF-8',
'Accept': '*/*',
'sec-gpc': '1',
'Accept-Language': 'de-DE,de;q=0.6',
'Origin': 'https://hass2.mydomain.com',
'sec-fetch-site': 'same-origin',
'sec-fetch-mode': 'cors',
'sec-fetch-dest': 'empty',
'Accept-Encoding': 'gzip, deflate, br',
'Cookie': 'authentik_proxy_3r6W7vF2=SFORLJB5QA7PQ3QFU2ARAH5COBD3IV76G7S7T4ZHS756WOCWKQUDQVVRLBDO3KBE7XOOIWMGMPPWIOTSK3AYLSLWQ5VCOSGF5ZUT5FI')>
2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.178.101
2024-01-27 18:45:39.405 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36)
192.168.178.101 is the Local Network IP of my Server wich is running all 3 docker containers
'test' is set up as a username in Authentik as well as Homeassistant
in my config.yaml i have added:
http:
use_x_forwarded_for: true
trusted_proxies:
- 192.168.178.0/24
auth_header:
username_header: X-authentik-username
logger:
default: info
logs:
custom_components.auth_header: debug
The custom configuration for the Proxy Host in Nginx is:
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location / {
# Put your proxy_pass to your application here
proxy_pass $forward_scheme://$server:$port;
# authentik-specific config
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
}
# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass http://192.168.178.101:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
# required for POST requests to work
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
Any help on how to tackle this problem would be appreciated,
I suspect Homeassistant doesn't like the way Authentik hands over the auth_header?
Do i need to add or modify the '/auth/token' somewhere?
Hi, di
Hi I'm running Homeassistant as well as Authentik and nginx as Docker containers and want so acces Homeassistant via the nginx reverse proxy using the authentik Auth.
When I use hass2.mysdomain.com (wich is set up in nginx) i get redirected to the Authentik login. So far so good. After Signing in I get redicrectet to Homeassistant where this error pops up.
The Homeassistant log states:
Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'Homeassistant Log:2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy( 'X-authentik-username': 'test', 'X-authentik-name': 'test', 'X-authentik-uid': '1ae74557218bb98d96b177878660de63d1848a2830c26c35afbad47ff9ecb851', 'Host': '192.168.178.101:8123', 'Connection': 'close', 'Content-Length': '129', 'sec-ch-ua': '"Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"', 'sec-ch-ua-platform': '"Windows"', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'Accept': '*/*', 'sec-gpc': '1', 'Accept-Language': 'de-DE,de;q=0.6', 'Origin': 'https://hass2.mydomain.com', 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', 'Accept-Encoding': 'gzip, deflate, br', 'Cookie': 'authentik_proxy_3r6W7vF2=SFORLJB5QA7PQ3QFU2ARAH5COBD3IV76G7S7T4ZHS756WOCWKQUDQVVRLBDO3KBE7XOOIWMGMPPWIOTSK3AYLSLWQ5VCOSGF5ZUT5FI')> 2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.178.101 2024-01-27 18:45:39.405 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36)192.168.178.101 is the Local Network IP of my Server wich is running all 3 docker containers 'test' is set up as a username in Authentik as well as Homeassistant
in my config.yaml i have added:
http: use_x_forwarded_for: true trusted_proxies: - 192.168.178.0/24 auth_header: username_header: X-authentik-username logger: default: info logs: custom_components.auth_header: debugThe custom configuration for the Proxy Host in Nginx is:
# Increase buffer size for large headers # This is needed only if you get 'upstream sent too big header while reading response # header from upstream' error when trying to access an application protected by goauthentik proxy_buffers 8 16k; proxy_buffer_size 32k; location / { # Put your proxy_pass to your application here proxy_pass $forward_scheme://$server:$port; # authentik-specific config auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # translate headers from the outposts back to the actual upstream auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; } # all requests to /outpost.goauthentik.io must be accessible without authentication location /outpost.goauthentik.io { proxy_pass http://192.168.178.101:9000/outpost.goauthentik.io; # ensure the host of this vserver matches your external URL you've configured # in authentik proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; # required for POST requests to work proxy_pass_request_body off; proxy_set_header Content-Length ""; } # Special location for when the /auth endpoint returns a 401, # redirect to the /start URL which initiates SSO location @goauthentik_proxy_signin { internal; add_header Set-Cookie $auth_cookie; return 302 /outpost.goauthentik.io/start?rd=$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; }Any help on how to tackle this problem would be appreciated, I suspect Homeassistant doesn't like the way Authentik hands over the auth_header? Do i need to add or modify the '/auth/token' somewhere?
did you get it working? I#m having the same issue.
nope, I shelved the project for now.