Open gabemcg opened 1 year ago
I'm also running into the same issue, on authentik 2023.3.1. I'm using caddy and trying to reverse proxy to wikijs using authentik as an OAuth2/OpenID Provider
Did you ever find a solution? I'm still not having any luck
Unfortunately no. I also haven't been able to troubleshoot it more lately. I feel like I'm at a dead end
Just ran into this issue myself with grafana and OAuth, no solution either
I am also running into the same issue. Did you happen to manage to fix it?
Thanks
I was able to find a solution to this...
I had to modify the middleware url in the traefik config to point directly to the outpost service instead of the generic authentik one.
So the correct value was this for me: http://ak-outpost-authentik-embedded-outpost.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
Check exactly what your service name is, as it might be different depending on what you named your outpost, what helm chart you're using, etc.
So my whole middleware config is:
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: default
spec:
  forwardAuth:
    address: http://ak-outpost-authentik-embedded-outpost.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
```
And my service being like so:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-radarr
  namespace: default
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd,default-authentik@kubernetescrd
spec:
  tls:
    - secretName: wildcard-domain-le-prod-tls
      hosts:
        - radarr2.domain.tld
  rules:
    - host: radarr2.domain.tld
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: radarr-svc
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: radarr-svc
  namespace: default
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 7878
  selector:
    app: radarr
```
To resolve the issue you need to add http://ip-address:9000/outpost.goauthentik.io/auth/traefik instead of http://authentik_server:9000/outpost.goauthentik.io/auth/traefik. The issue will be resolved.
In most cases of "no app for hostname", the error is caused by authentik not knowing which application the request is for. This is most often due to a missing "Host" or "X-Forwarded-For" header. The main cause for this is using the external authentik URL as address in forwardAuth. To further debug this, you can set authentik or the outpost to the log level trace. When pasting log messages with the level be very cautious though as it will include sensitive data such as the session token.
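A redaction pass to run over trace-level output before pasting it into an issue, following the caution above about session tokens. This is an added example, not part of the thread or of authentik's code; the patterns, the marker strings and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed patterns for values that commonly leak in proxy and outpost logs;
# extend them for your own deployment before trusting the output.
HEADER_SECRET = re.compile(
    r"(?i)\b((?:set-)?cookie|authorization|x-authentik-jwt)(\"?\s*[:=]\s*\"?)([^\"\n]+)"
)
JWT = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")
QUERY_SECRET = re.compile(r"(?i)\b(code|state|access_token|id_token)=([^&\s\"']+)")

# Constructed sample lines (not real log output).
SAMPLE = """\
GET https://ha.domain.tld/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=CONSTRUCTEDCODE123&state=CONSTRUCTEDSTATE456
event=request host=ha.domain.tld cookie="session=eyJhbGciOi.eyJzdWIi.c2ln" status=302
msg="token issued" jwt=eyJhbGciOi.eyJzdWIi.c2ln
"""


def redact_line(line: str) -> str:
    """Replace credentials in one log line with fixed markers."""
    # Header-style fields first: a quoted value is cut at its closing quote,
    # an unquoted one is cut to end of line (over-redaction is the safe side).
    line = HEADER_SECRET.sub(r"\1\2[REDACTED]", line)
    # Any remaining JWT-shaped token, wherever it appears.
    line = JWT.sub("[REDACTED-JWT]", line)
    # OAuth2 callback parameters such as the authorization code and state.
    return QUERY_SECRET.sub(r"\1=[REDACTED]", line)


def redact(text: str) -> str:
    """Redact every line of a log excerpt; non-secret fields are kept."""
    return "\n".join(redact_line(ln) for ln in text.splitlines())


if __name__ == "__main__":
    print(redact(SAMPLE))
```

Review the output by eye before posting; a pattern list like this only catches the shapes it was written for.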
Describe your question
I am trying to bypass double-login when accessing home assistant remotely using the Home-Assistant example at https://goauthentik.io/integrations/services/home-assistant/ and the HASS-auth-header configuration.
I have followed the setup guide and now when I log in to https://ha.domain.tld to access home assistant I am first asked to log in via authentik (as expected), but once I log in successfully the page redirects to the following URL and message instead of redirecting to my HA dashboard:
redirected URL =
https://ha.domain.tld/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=3a52a2c1949c406fb795a8d4f2b20332&state=BFY-clpa1miiUN_5ciEzUKPNbsWe7c3X7HnkPdthrLM
Page body:
Message | "no app for hostname"
Host | "ha.domain.tld"
Detail | "Check the outpost settings and make sure 'ha.domain.tld' is included."
In my troubleshooting prior to posting here, I came across this issue which seems to produce the same error, so I tried implementing priority settings in traefik, but it does not seem to have solved the issue (perhaps I did it wrong? my traefik config is included below)
I will include output logs from relevant sources in the appropriate section below as well
Relevant infos
I believe the HASS-Auth-Header configuration is correct. When I log in directly to home assistant via local IP/port I see it is attempting to log in with header auth.
Home Assistant OS is running in a VM on an Unraid host.
The local IP for Home Assistant and the Unraid Host are on the same network.
The unraid host is also where my Authentik and Traefik docker containers are running.
The docker containers are all on a separate docker "proxy" network.
The embedded outpost is configured properly with Traefik "auth" rule to provide remote access to Authentik itself via "auth.domain.tld"
Authentik also works properly to log in and access Traefik's dashboard using the embedded outpost at "traefik.domain.tld", as well as other applications mapped to their own respective subdomains.
I was able to access Home Assistant in this same way via "ha.domain.tld" on the embedded outpost, however having to log in to authentik and then again to Home Assistant was cumbersome, so I tried to implement the header auth to allow for a single login
Because of Unraid's unique docker implementation I manually created a separate container for the external proxy outpost called "authentik_ha". I believe it is configured correctly as it is recognized and communicating with the primary authentik container
Traefik Config File:
Screenshots If applicable, add screenshots to help explain your problem.
Logs
Traefik Logs - Note: this error occurs on initial load of https://ha.domain.tld there are no more related log entries from traefik after successfully entering my credentials in the authentik login page:
time="2023-04-08T10:30:26-05:00" level=debug msg="Remote error http://authentik_ha:9000/outpost.goauthentik.io/auth/traefik. StatusCode: 302" middlewareName=auth_ha@file middlewareType=ForwardedAuthType
authentik_ha (external outpost container) logs (also only showing entries upon initial page load):
event=/outpost.goauthentik.io/auth/traefik host=ha.domain.tld logger=authentik.outpost.proxyv2.application method=GET name=Home-Assistant remote="[IP address]" runtime=0.287 scheme=http size=355 status=302 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
Associated Event details from Authentik dashboard log:
Version and Deployment (please complete the following information):
Additional context
I appreciate any help and am happy to provide any additional config details, screenshots, or logs as needed. Thanks!