Open akorb90 opened 1 month ago
Remove:
proxy_buffer_size 32k;
proxy_set_header Connection $connection_upgrade_keepalive;
Add:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
Uncomment:
proxy_set_header Host $host;
Set your Outpost proxy_pass to use the http://[internal_IP]:9000/outpost.goauthentik.io;
This is what I had to do in NPM to make this work, got it working yesterday.
I have the same issue with a different app, but I can't change proxy_set_header Host to an IP because I'm relying on SNI and it's on another server.
This is what my config looks like:
location /outpost.goauthentik.io {
    proxy_pass https://auth.example.org/outpost.goauthentik.io;
    # This doesn't work due to using SNI
    #proxy_set_header Host $host
    # So need to set explicitly
    proxy_set_header Host Auth.example.org;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
I figured it out. In Outpost ENV variable AUTHENTIK_HOST I had it as AUTHENTIK_HOST=https://Auth.example.org (note the capital A). Then in logs I noticed
{"error":"oidc: id token issued by a different provider, expected \"https://Auth.example.org/application/o/app/\" got \"https://auth.example.org/application/o/app/\"","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider","timestamp":"2024-08-16T14:03:08Z"}
This was such an obscure issue... But it's a bug because domain names should be case insensitive. So anyway need to set AUTHENTIK_HOST all lowercase and now it works.
This is also why previously proxy_set_header Host $host wasn't working at all but proxy_set_header Host Auth.example.org; caused infinite redirect. Also looks like Host header is not really needed at all, it works fine without it.
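The issuer mismatch in the comment above can be picked out of outpost logs mechanically. The following is an added example, not code from the thread or from the authentik project: it parses JSON log lines and separates a case-only host difference from a genuinely different issuer. The function names are hypothetical, and the sample input reuses the quoted log line plus two constructed filler lines.

```python
import json
import re
from urllib.parse import urlsplit

# Sample input: the log line quoted in the comment above, plus two
# constructed filler lines to show that unrelated input is skipped.
SAMPLE_LOG = r'''{"error":"oidc: id token issued by a different provider, expected \"https://Auth.example.org/application/o/app/\" got \"https://auth.example.org/application/o/app/\"","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider","timestamp":"2024-08-16T14:03:08Z"}
{"event":"constructed unrelated line","level":"info"}
constructed non-JSON line
'''

ISSUER_RE = re.compile(
    r'issued by a different provider, expected "([^"]+)" got "([^"]+)"')

def classify(expected, got):
    """Say how two issuer URLs differ; the log shows an exact string compare."""
    if expected == got:
        return "match"
    e, g = urlsplit(expected), urlsplit(got)
    if ((e.scheme, e.path, e.query) == (g.scheme, g.path, g.query)
            and e.netloc.lower() == g.netloc.lower()):
        return "host-case-only"   # e.g. AUTHENTIK_HOST=https://Auth.example.org
    if expected.rstrip("/") == got.rstrip("/"):
        return "trailing-slash"
    return "different-issuer"     # not a typo: investigate before changing config

def find_issuer_mismatches(log_text):
    """Return one dict per 'different provider' error found in JSON log lines."""
    found = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue              # skip non-JSON lines
        if not isinstance(record, dict):
            continue
        m = ISSUER_RE.search(str(record.get("error", "")))
        if m:
            expected, got = m.groups()
            found.append({"timestamp": record.get("timestamp"),
                          "expected": expected, "got": got,
                          "kind": classify(expected, got)})
    return found

if __name__ == "__main__":
    for hit in find_issuer_mismatches(SAMPLE_LOG):
        print(hit["timestamp"], hit["kind"], hit["expected"], "->", hit["got"])
```

A "host-case-only" result points at the configured AUTHENTIK_HOST value; a "different-issuer" result means the token came from somewhere other than the expected provider and should not be resolved by editing the setting.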
Hello everyone,
I'm struggling with setting up authentication through authentik for homeassistant.
I've configured Authentik and Home Assistant according to the manual: https://docs.goauthentik.io/integrations/services/home-assistant/
When I access homeassistant.public.domain I get redirected to authentik. After authenticating there I get into a redirect loop. The URL looks like this: https://auth.public.domain/if/flow/default-provider-authorization-explicit-consent/?client_id=EMeLuBu9zfN9Lao20TBf3qXwoM9iCfnwOovuhgrR&redirect_uri=https%3A%2F%2Fhomeassistant.public.domain%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=profile+openid+email+ak_proxy&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L0VNZUx1QnU5emZOOUxhbzIwVEJmM3FYd29NOWlDZm53T292dWhnclIiLCJzaWQiOiJGSkNUNk5ZUUYzS1I3VlFFWTJJNEpDQ0RXU0VNV09IUVo3T1NXREFTVVJZWVEyWFJYRk9aQkFNUlRHQTJSMkZDMkQ0V1lZT0pNVVIySklHNTZHV01FMkRPUzNCRUszNzZMVzdDNk1ZIiwic3RhdGUiOiJIYXlLZ0NMQWwydHR3SEtLdDhSZXRwaDQ2MjEteHl0MFlfZlBKTzF6LXcwIiwicmVkaXJlY3QiOiJodHRwczovL2hvbWVhc3Npc3RhbnQua29yYi5zeXN0ZW1zL2xvdmVsYWNlIn0.CtuLYz05pjPyvNTvct31jz73MZRUGIgJZ8i9FrbFWeU
This is my nginx config:
I'm running authentik 2024.6.1 via docker-compose with the integrated outpost.
Anyone got an idea?