goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Home Assistant Forward Auth and Traefik Issue, redirects to "no app for hostname" #5209

Open gabemcg opened 1 year ago

gabemcg commented 1 year ago

Describe your question

I am trying to bypass double-login when accessing home assistant remotely using the Home-Assistant example at https://goauthentik.io/integrations/services/home-assistant/ and the HASS-auth-header configuration.

I have followed the setup guide and now when I log in to https://ha.domain.tld to access home assistant I am first asked to log in via authentik (as expected), but once I log in successfully the page redirects to the following URL and message instead of redirecting to my HA dashboard:

Redirected URL:

https://ha.domain.tld/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=3a52a2c1949c406fb795a8d4f2b20332&state=BFY-clpa1miiUN_5ciEzUKPNbsWe7c3X7HnkPdthrLM

Page body:

Message: "no app for hostname"
Host: "ha.domain.tld"
Detail: "Check the outpost settings and make sure 'ha.domain.tld' is included."

In my troubleshooting prior to posting here, I came across this issue, which seems to produce the same error, so I tried implementing priority settings in traefik, but it does not seem to have solved the issue (perhaps I did it wrong? My traefik config is included below).

I will include output logs from relevant sources in the appropriate section below as well.

Relevant infos

Traefik Config File:

http:
  routers:
    # traefik routing - Remove if not used
    traefik:
      entryPoints:
        - http
      rule: 'Host(`traefik.domain.tld`)'
      service: traefik
      priority: 1
      middlewares:
        - "auth"
    # Homeassistant routing
    homeassistant:
      entryPoints:
        - https
      rule: "Host(`ha.domain.tld`)"
      service: homeassistant
      priority: 10
      middlewares:
        - "auth_ha"
    # Homeassistant auth routing
    homeassistant-auth:
      entryPoints:
        - https
      rule: "Host(`ha.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)"
      service: authentik_ha_service
      priority: 50

  services:
    # traefik service - Remove if not used
    traefik:
      loadBalancer:
        servers:
         - url: http://traefik:8080/
    # Homeassistant service
    homeassistant:
      loadBalancer:
        servers:
         - url: http://home-assistant-local-ip:port/
    # Authentik HA service
    authentik_ha_service:
      loadBalancer:
        servers:
          - url: http://authentik_ha:9000

  middlewares:
    auth_ha:
      forwardAuth:
        address: http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    auth:
      forwardAuth:
        address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Logs

Traefik Logs - Note: this error occurs on initial load of https://ha.domain.tld; there are no more related log entries from traefik after successfully entering my credentials in the authentik login page:

time="2023-04-08T10:30:26-05:00" level=debug msg="Remote error http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik. StatusCode: 302" middlewareName=auth_ha@file middlewareType=ForwardedAuthType

authentik_ha (external outpost container) logs (also only showing entries upon initial page load):

event=/outpost.goauthentik.io/auth/traefik host=ha.domain.tld logger=authentik.outpost.proxyv2.application method=GET name=Home-Assistant remote="[IP address]" runtime=0.287 scheme=http size=355 status=302 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

Associated Event details from Authentik dashboard log:

Event info

Action
    Application authorized
App
    authentik.providers.oauth2.views.authorize
User
    [Username](https://auth.domain.tld/if/admin/#/identity/users/5)
Created
    4/8/2023, 10:37:19 AM
Client IP
    172.18.0.1
Tenant
    Default tenant
Authorized application:

UID
    6be76f30dead44acac2d828f6270e5a5
Name
    Home-Assistant
App
    authentik_core
Model Name
    application
Context
{
    "flow": "67727ee119cf407d983610865ab2c65f",
    "scopes": "ak_proxy email openid profile",
    "http_request": {
        "args": {
            "query": "client_id=cuLEFyvJUHQFDMgd1xdtuBSpH34aqsX3ERQUAl46&redirect_uri=https%3A%2F%2Fha.domain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=ak_proxy+email+openid+profile&state=h8h1bVZ_YyK02XF9qNCgqn4VvIj84v5-5Vk5dlLndlU"
        },
        "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
        "method": "GET"
    },
    "authorized_application": {
        "pk": "6be76f30dead44acac2d828f6270e5a5",
        "app": "authentik_core",
        "name": "Home-Assistant",
        "model_name": "application"
    }
}
User
{
    "pk": 5,
    "email": "email@domain.tld",
    "username": "Username"
}

Additional context

I appreciate any help and am happy to provide any additional config details, screenshots, or logs as needed. Thanks!

blathers123 commented 1 year ago

I'm also running into the same issue, on authentik 2023.3.1. I'm using caddy and trying to reverse proxy to wikijs using authentik as an OAuth2/OpenID Provider.

gabemcg commented 1 year ago

> I'm also running into the same issue, on authentik 2023.3.1. I'm using caddy and trying to reverse proxy to wikijs using authentik as an OAuth2/OpenID Provider.

Did you ever find a solution? I'm still not having any luck.

blathers123 commented 1 year ago

Unfortunately no. I also haven't been able to troubleshoot it more lately. I feel like I'm at a dead end.

PouletteMC commented 1 year ago

Just ran into this issue myself with grafana and OAuth, no solution either.

robump commented 1 year ago

I am also running into the same issue. Did you happen to manage to fix it?

Thanks

evulhotdog commented 1 year ago

I was able to find a solution to this...

I had to modify the middleware url in the traefik config to point directly to the outpost service instead of the generic authentik one.

So the correct value was this for me: http://ak-outpost-authentik-embedded-outpost.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik

Check exactly what your service name is, as it might be different depending on what you named your outpost, what helm chart you're using, etc.

So my whole middleware config is:

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: default
spec:
  forwardAuth:
    address: http://ak-outpost-authentik-embedded-outpost.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version

And my service being like so:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-radarr
  namespace: default
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd,default-authentik@kubernetescrd
spec:
  tls:
    - secretName: wildcard-domain-le-prod-tls
      hosts:
      - radarr2.domain.tld
  rules:
    - host: radarr2.domain.tld
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: radarr-svc
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: radarr-svc
  namespace: default
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 7878
  selector:
    app: radarr

Mahadevaswamys1999 commented 1 year ago

To resolve the issue you need to add http://ip-address:9000/outpost.goauthentik.io/auth/traefik instead of http://authentik_server:9000/outpost.goauthentik.io/auth/traefik. The issue will be resolved.

BeryJu commented 6 months ago

In most cases of "no app for hostname", the error is caused by authentik not knowing which application the request is for. This is most often due to a missing "Host" or "X-Forwarded-For" header. The main cause for this is using the external authentik URL as the address in forwardAuth. To further debug this, you can set authentik or the outpost to the log level trace. When pasting log messages at that level, be very cautious though, as they will include sensitive data such as the session token.
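The following is an added example, not code from authentik, Traefik or any poster in this thread. It models the situation the thread describes: Traefik's forwardAuth middleware calls the address from the middleware config and passes the original request in `X-Forwarded-Method`, `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Uri` (real Traefik headers), and a proxy outpost can only serve the applications assigned to it. The host-matching logic is a deliberate simplification (an assumption, not authentik's real implementation): it compares the forwarded host with each assigned provider's external host and fails with the thread's error text. The outposts, applications and hostnames are constructed sample data patterned on the original config; the script can be run offline to see which forwardAuth address resolves the app and which produces "no app for hostname".

```python
"""Offline model of the "no app for hostname" forward-auth failure.

Added example, not authentik's or Traefik's own code. The matching below is
a simplification (assumption): a proxy outpost knows only the applications
assigned to it, and it finds the right one by comparing the forwarded host
with each provider's configured external host.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

NO_APP = "no app for hostname"


@dataclass(frozen=True)
class ProxyApp:
    name: str
    external_host: str   # external host configured on the proxy provider


@dataclass(frozen=True)
class Outpost:
    address: str         # the value used as forwardAuth.address in Traefik
    apps: tuple          # applications assigned to this outpost


def traefik_forward_auth_headers(original_url: str, method: str = "GET") -> dict:
    """Headers Traefik adds when it calls forwardAuth.address for a request."""
    parts = urlsplit(original_url)
    return {
        "X-Forwarded-Method": method,
        "X-Forwarded-Proto": parts.scheme,
        "X-Forwarded-Host": parts.netloc,
        "X-Forwarded-Uri": parts.path or "/",
    }


def resolve_app(outpost: Outpost, headers: dict) -> ProxyApp:
    """Return the app the outpost would serve, or raise with the thread's message."""
    raw_host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    host = raw_host.split(":")[0].lower()
    for app in outpost.apps:
        if urlsplit(app.external_host).hostname == host:
            return app
    raise LookupError(
        f"{NO_APP}: host={host!r}. Check the outpost settings and make sure {host!r} is included."
    )


def diagnose(outpost: Outpost, original_url: str) -> str:
    """One-line verdict for a router whose forwardAuth middleware points at `outpost`."""
    try:
        app = resolve_app(outpost, traefik_forward_auth_headers(original_url))
    except LookupError as exc:
        return f"FAIL {outpost.address}: {exc}"
    return f"OK   {outpost.address}: serves {app.name!r}"


# Constructed sample topology patterned on the thread's Traefik config.
HA_APP = ProxyApp("Home-Assistant", "https://ha.domain.tld")
TRAEFIK_APP = ProxyApp("Traefik", "https://traefik.domain.tld")

# Dedicated outpost container with the Home-Assistant provider assigned.
OUTPOST_HA = Outpost("http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik", (HA_APP,))
# Embedded outpost on the main server that only has the Traefik dashboard assigned.
OUTPOST_EMBEDDED = Outpost("http://authentik:9000/outpost.goauthentik.io/auth/traefik", (TRAEFIK_APP,))


def main() -> None:
    for outpost in (OUTPOST_HA, OUTPOST_EMBEDDED):
        print(diagnose(outpost, "https://ha.domain.tld/lovelace"))
    # Pointing forwardAuth at the public authentik URL instead of the outpost
    # service: the reverse proxy in front of authentik rewrites the forwarded
    # host to its own name (assumption), so the outpost is asked about
    # auth.domain.tld rather than ha.domain.tld.
    headers = traefik_forward_auth_headers("https://ha.domain.tld/lovelace")
    headers["X-Forwarded-Host"] = "auth.domain.tld"
    try:
        resolve_app(OUTPOST_HA, headers)
    except LookupError as exc:
        print("FAIL https://auth.domain.tld/outpost.goauthentik.io/auth/traefik:", exc)


if __name__ == "__main__":
    main()
```

The two failure rows are the two causes discussed above: the middleware address reaches an outpost that does not have the application assigned, or the host the outpost sees is not the one the provider was configured for. Either way the fix is on the outpost side (assign the provider to the outpost that the middleware actually talks to, and keep the forwarded host intact), not in Traefik router priorities.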