Closed crazytimmy closed 8 months ago
HA in browser works as expected but when using the app the browser opens and ends with "Not authorized"
I haven't tried this myself, but from some reading it appears to be a known issue with HA [1]. Are you using the Android or iOS app?
My guess is that the native apps for Home Assistant are not honoring the redirects issued by the proxy or are not persisting the cookie that is set by the proxy that proves you're authorized. If you add debug: true into this middleware's config you might get a little bit more logging.
My ideal user flow would be to have Home Assistant use the X-Forwarded-User header that is set by this middleware to bypass the authentication on the HA side. That is similar to what BeryJu/hass-auth-header provides, but it seems the apps don't work with it.
Thanks for your reply.
I'm using the Android app.
I've read about the authentication discussions in Home Assistant. I should have specified that I don't expect this to log me into HA with user mapping, but to function as a first-step login and then require me to log in to HA after it passes me through to the app. This is how using the browser works currently (externally). It's just the app that seems to have difficulties.
I've enabled debug: true through a label on the HA container but don't see any extra log data aside from my crowdsec bouncer and geoblock log entries:
"traefik.http.middlewares.googleoauth-homeassistant.plugin.googleoauth.debug=true"
I agree with your ideal user flow but for now would be happy with it working as a secondary login step.
I tried it using the iOS app. It looks like the app opens an iframe to handle the redirect to Google, but when Google redirects back it keeps the iframe open. It should redirect back into the native app without the iframe (e.g. redirect to homeassistant://auth-callback), b/c this is where the CSRF protection cookie is present. That cookie is necessary to complete authentication.
But in order to redirect to an app you would need to use a different type of OAuth flow (https://developers.google.com/identity/protocols/oauth2/native-app) and different Google OAuth credentials. Otherwise, with the standard web app flow you cannot redirect out of the iframe and back to the app, since Google will not allow you to set up a redirect_uri for homeassistant://auth-callback.
You would probably need to run a dedicated middleware for the app flow since it uses different OAuth creds. Additionally, this middleware would need to construct the redirect URI differently than it does today. Currently it builds the URI based on the browser's requested scheme (https or http) and the host name in the request. It would need a config option to say to use homeassistant://auth-callback instead.
And all of that assumes that if the iframe did redirect back to the app it would just work from there, and that seems like a long shot. So I don't think this is easy to do without some proper support from the HA app.
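To make the explanation above concrete, here is an added sketch in Go (Traefik plugins are written in Go). It is not the google-oidc-auth plugin's own code; the names Config.RedirectURI, beginLogin and checkCallback, the cookie name and the client id are hypothetical. It shows the two mechanisms the comment describes: the redirect_uri being derived from the request's scheme and host unless an override is configured, and the CSRF state cookie that must be present on the callback request, which is exactly what is missing when the callback lands in a context that never received the cookie.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Config holds the two settings this sketch needs. RedirectURI is the
// hypothetical override discussed in the thread; when empty, the redirect
// URI is derived from the incoming request as the plugin does today.
type Config struct {
	CallbackPath string // e.g. "/oidc/callback"
	RedirectURI  string // e.g. "homeassistant://auth-callback" (override)
}

// redirectURI builds the OAuth redirect_uri from the forwarded scheme and
// host of the request, or returns the configured override if one is set.
func redirectURI(cfg Config, r *http.Request) string {
	if cfg.RedirectURI != "" {
		return cfg.RedirectURI
	}
	scheme := r.Header.Get("X-Forwarded-Proto")
	if scheme == "" {
		scheme = "http"
		if r.TLS != nil {
			scheme = "https"
		}
	}
	host := r.Header.Get("X-Forwarded-Host")
	if host == "" {
		host = r.Host
	}
	return scheme + "://" + host + cfg.CallbackPath
}

// stateCookie is a hypothetical name for the CSRF protection cookie.
const stateCookie = "oidc_state"

// newState returns 16 random bytes, hex-encoded, for the OAuth state value.
func newState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// beginLogin stores the state in a cookie on the browser and returns the
// authorization URL the user is sent to. SameSite=Lax still lets the cookie
// travel on the top-level GET that Google redirects back to.
func beginLogin(cfg Config, w http.ResponseWriter, r *http.Request, authEndpoint, clientID string) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: state, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI(cfg, r))
	q.Set("response_type", "code")
	q.Set("scope", "openid email")
	q.Set("state", state)
	return authEndpoint + "?" + q.Encode(), nil
}

// checkCallback verifies that the state echoed back by the provider matches
// the cookie set at login. A missing cookie is the failure mode an app
// webview or iframe hits when it did not receive the cookie.
func checkCallback(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil {
		return errors.New("state cookie missing on callback request")
	}
	got := r.URL.Query().Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return errors.New("state parameter does not match cookie")
	}
	return nil
}

func main() {
	cfg := Config{CallbackPath: "/oidc/callback"}
	rec := httptest.NewRecorder()
	r := httptest.NewRequest("GET", "https://hostname.duckdns.org/", nil)
	authURL, _ := beginLogin(cfg, rec, r, "https://accounts.google.com/o/oauth2/v2/auth", "client-id-placeholder")
	fmt.Println("redirect_uri from request:", redirectURI(cfg, r))
	fmt.Println("auth URL:", authURL)
	// Constructed callback without the cookie: this is the failing case.
	cb := httptest.NewRequest("GET", "https://hostname.duckdns.org/oidc/callback?code=x&state=abc", nil)
	fmt.Println("callback without cookie:", checkCallback(cb))
}
```

The override in Config.RedirectURI only changes what is sent to the provider; as the comment notes, the provider must also accept that URI for the configured credentials, which is why a separate native-app client and middleware instance would be needed.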
Wow, thanks for the detailed testing & explanation. Way over my head. I have some learning to do as I get time, but it sounds like I'm better off disabling this auth middleware for this service for now.
Thank you so much for your time looking into this for me. I very much appreciate it!
I don't think this is a bug in your code but hoping you can help me out.
I'm running Traefik and Home Assistant in docker containers. Bridge networking with HA behind Traefik (of course).
I have crowdsec bouncer & geoblock middleware add-ons enabled on HA service. This works as expected externally with browser & HA app.
When I add your google-oidc-auth middleware add-on externally, HA in the browser works as expected, but when using the app the browser opens and ends with "Not authorized". I believe this page is presented by HA, but I've been unable to see anything in either Traefik or HA logs with an error. URL that is opened by the HA app:
https://hostname.duckdns.org/oidc/callback?state=13c2ef0266fb05d1105b2c532bc4f42f&code=4%2F0AeaYSHAWFHd98dvaNRX1BiQrqgvzNdcyqvI7OFgbo9koZQ_APndDH0ZjyNLCZqTgXuaf9A&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=none
I should also note that I have added Traefik's interface that is accessible to HA to the trusted proxies list in HA's configuration.yaml file, and cleared all cookies during testing.
Any thoughts or suggestions?