Home Assistant Forward Auth and Traefik Issue, redirects to "no app for hostname"

[gabemcg]

Describe your question

I am trying to bypass double-login when accessing home assistant remotely using the Home-Assistant example at https://goauthentik.io/integrations/services/home-assistant/ and the HASS-auth-header configuration.

I have followed the setup guide and now when I log in to https://ha.domain.tld to access home assistant I am first asked to log in via authentik (as expected), but once I log in successfully the page redirects to the following URL and message instead of redirecting to my HA dashboard:

redirected URL =

https://ha.domain.tld/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=3a52a2c1949c406fb795a8d4f2b20332&state=BFY-clpa1miiUN_5ciEzUKPNbsWe7c3X7HnkPdthrLM

Page body:

Message | "no app for hostname" Host | "ha.domain.tld" Detail | "Check the outpost settings and make sure 'ha.domain.tld' is included."

In my troubleshooting prior to posting here, I came across this issue which seems to produce the same error, so I tried implementing priority settings in traefik, but it does not seem to have solved the issue (perhaps I did it wrong? my traefik config is included below)

I will include output logs from relevant sources in the appropriate section below as well

Relevant infos

• I believe the HASS-Auth-Header configuration is correct. When I log in directly to home assistant via local IP/port I see it is attempting to log in with header auth.

• Home Assistant OS is running in a VM on an Unraid host.

• The local IP for Home Assistant and the Unraid Host are on the same network.

• The unraid host is also where my Authentik and Traefik docker containers are running.

• The docker containers are all on a separate docker "proxy" network.

• The embedded outpost is configured properly with Traefik "auth" rule to provide remote access to Authentik itself via "auth.domain.tld"

• Authentik also works properly to log in and access Traefik's dashboard using the embedded outpost at "traefik.domain.tld", as well as other applications mapped to their own respective subdomains.

• I was able to access Home Assistant in this same way via "ha.domain.tld" on the embedded outpost, however having to log in to authentik and then again to Home Assistant was cumbersome, so I tried to implement the header auth to allow for a single login

• Because of Unraid's unique docker implementation I manually created a separate container for the external proxy outpost called, "authentik_ha". I believe it is configured correctly as it is recognized and communicating with the primary authentic container

Traefik Config File:

http:
  routers:
    # traefik routing - Remove if not used
    traefik:
      entryPoints:
        - http
      rule: 'Host(`traefik.domain.tld`)'
      service: traefik
      priority: 1
      middlewares:
        - "auth"
    # Homeassistant routing
    homeassistant:
      entryPoints:
        - https
      rule: "Host(`ha.domain.tld`)"
      service: homeassistant
      priority: 10
      middlewares:
        - "auth_ha"
    # Homeassistant auth routing
    homeassistant-auth:
      entryPoints:
        - https
      rule: "Host(`ha.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)"
      service: authentik_ha_service
      priority: 50

  services:
    # traefik service - Remove if not used
    traefik:
      loadBalancer:
        servers:
         - url: http://traefik:8080/
    # Homeassistant service
    homeassistant:
      loadBalancer:
        servers:
         - url: http://home-assistant-local-ip:port/
    # Authentik HA service
    authentik_ha_service:
      loadBalancer:
        servers:
          - url: http://authentik_ha:9000

  middlewares:
    auth_ha:
      forwardAuth:
        address: http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    auth:
      forwardAuth:
        address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Screenshots If applicable, add screenshots to help explain your problem.

Logs

Traefik Logs - Note: this error occurs on initial load of https://ha.domain.tld there are no more related log entries from traefik after successfully entering my credentials in the authentik login page:

time="2023-04-08T10:30:26-05:00" level=debug msg="Remote error http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik. StatusCode: 302" middlewareName=auth_ha@file middlewareType=ForwardedAuthType

authentik_ha (external outpost container) logs (also only showing entries upon initial page load):

event=/outpost.goauthentik.io/auth/traefik host=ha.domain.tld logger=authentik.outpost.proxyv2.application method=GET name=Home-Assistant remote="[IP address]" runtime=0.287 scheme=http size=355 status=302 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

Associated Event details from Authentik dashboard log:

Event info

Action
    Application authorized
App
    authentik.providers.oauth2.views.authorize
User
    [Username](https://auth.domain.tld/if/admin/#/identity/users/5)
Created
    4/8/2023, 10:37:19 AM
Client IP
    172.18.0.1
Tenant
    Default tenant

Authorized application:

UID
    6be76f30dead44acac2d828f6270e5a5
Name
    Home-Assistant
App
    authentik_core
Model Name
    application

Context
{
    "flow": "67727ee119cf407d983610865ab2c65f",
    "scopes": "ak_proxy email openid profile",
    "http_request": {
        "args": {
            "query": "client_id=cuLEFyvJUHQFDMgd1xdtuBSpH34aqsX3ERQUAl46&redirect_uri=https%3A%2F%2Fha.domain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=ak_proxy+email+openid+profile&state=h8h1bVZ_YyK02XF9qNCgqn4VvIj84v5-5Vk5dlLndlU"
        },
        "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
        "method": "GET"
    },
    "authorized_application": {
        "pk": "6be76f30dead44acac2d828f6270e5a5",
        "app": "authentik_core",
        "name": "Home-Assistant",
        "model_name": "application"
    }
}
User
{
    "pk": 5,
    "email": "email@domain.tld",
    "username": "Username"
}

Version and Deployment (please complete the following information):

• authentik version: 2023.3.1
• Deployment: Unraid (details above)

Additional context

I appreciate any help and am happy to provide any additional config details, screenshots, or logs as needed. Thanks!

[blathers123]

I'm also running into the same issue, on authentik 2023.3.1. I'm using caddy and trying to reverse proxy to wikijs using authentik as a OAuth2/OpenID Provider

[gabemcg]

I'm also running into the same issue, on authentik 2023.3.1. I'm using caddy and trying to reverse proxy to wikijs using authentik as a OAuth2/OpenID Provider

Did you ever find a solution? I'm still not having any luck

[blathers123]

Unfortunately no. I also haven't been able to troubleshoot it more lately. I feel like I'm at a deadend

[PouletteMC]

Just ran into this issue myself with grafana and OAuth, no solution either

[robump]

I am also running into the same issue. Did you happen to manage to fix it?

Thanks

[evulhotdog]

I was able to find a solution to this...

I had to modify the middleware url in the traefik config to point directly to the outpost service instead of the generic authentik one.

So the correct value was this for me: http://ak-outpost-authentik-embedded-outpost.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik

Check exactly what your service name is, as it might be different depending on what you named your outpost, what helm chart you're using, etc.

So my whole middleware config is:

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: default
spec:
  forwardAuth:
    address: http://ak-outpost-authentik-embedded-outpost.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version

And my service being like so:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-radarr
  namespace: default
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd,default-authentik@kubernetescrd
spec:
  tls:
    - secretName: wildcard-domain-le-prod-tls
      hosts:
      - radarr2.domain.tld
  rules:
    - host: radarr2.domain.tld
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: radarr-svc
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: radarr-svc
  namespace: default
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 7878
  selector:
    app: radarr

[Mahadevaswamys1999]

to resolve the issue you need to add you need to add http://ip-address:9000/outpost.goauthentik.io/auth/traefik instead of http://authentik_server:9000/outpost.goauthentik.io/auth/traefik. the issue will be resolved

[BeryJu]

In most cases of "no app for hostname", the error is caused by authentik not knowing which application the request is for. This is most often due to a missing "Host" or "X-Forwarded-For" header. The main cause for this is using the external authentik URL as address in forwardAuth. To further debug this, you can set authentik or the outpost to the log level trace. When pasting log messages with the level be very cautious though as it will include sensitive data such as the session token