I absolutely love the fact I can log into authentik and then bypass all app login screens for instant access. This was a slight challenge with Home Assistant, as placing it behind Authentik would break the phone companion app. Here is a quick guide on how I overcame this.
This was solved by setting up two pathways leading back to my Home Assistant in Traefik: one behind Authentik for the SSO, and the other using the default Home Assistant login screen for the companion app.
This requires a few things first:
Traefik setup with dynamic config
HTTP Header Authentication integration for Home Assistant, found here
Authentik set up with a provider and application, instructions found here
The lines I added to configuration.yaml in Home Assistant:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.10.10.0/24 # Change to your home network
    - 172.22.0.0/16 # Change to your traefik proxy network
auth_header:
  username_header: X-authentik-username
The config.yaml for my Traefik:
Please note there are two routers for the one service, one being behind Authentik (/auth) and the other bypassing Authentik. There is also a path prefix for the outpost so there is no 404 error. Because both routers match the home-assistant host, Traefik picks the router with the higher priority for a given request, and by default that is the one with the longer rule, so the SSO router wins for /auth and /outpost.goauthentik.io paths.
http:
  routers:
    # Router for SSO - PROTECTED by Authentik
    home-assistant:
      entryPoints:
        - "https"
      rule: "Host(`home-assistant.richay.au`) && (PathPrefix(`/auth`) && !PathPrefix(`/auth/token`) || PathPrefix(`/outpost.goauthentik.io`))" # Change host domain
      middlewares:
        - https-redirectscheme
        - authentik
      tls: {}
      service: home-assistant
    # Router for Companion App - UNPROTECTED by Authentik
    home-companion:
      entryPoints:
        - "https"
      rule: "Host(`home-companion.richay.au`) || Host(`home-assistant.richay.au`)" # Change host domain
      middlewares:
        - https-redirectscheme
      tls: {}
      service: home-assistant
  services:
    home-assistant:
      loadBalancer:
        servers:
          - url: "http://10.10.10.10:8123" # change this to the IP of your Home Assistant
        passHostHeader: true
  middlewares:
    authentik:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
          - authorization
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
When you select your server in the companion app, choose the https://home-companion.richay.au option. This will allow the app to work.
When using a web browser, use https://home-assistant.richay.au for SSO access using Authentik.
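To check which requests actually pick up the forwardAuth middleware, here is an added Python model of the two routers above (example code, not part of the original post or of Traefik itself); it assumes Traefik's default router priority (the longer rule string wins when two routers match) and models PathPrefix as a plain string prefix.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Router:
    name: str
    rule: str                            # rule string exactly as in config.yaml
    match: Callable[[str, str], bool]    # (host, path) -> does the rule match?
    middlewares: List[str]

    @property
    def priority(self) -> int:
        # Traefik's default priority is the rule length, so when two routers
        # match the same request the router with the longer rule wins.
        return len(self.rule)


SSO_RULE = ("Host(`home-assistant.richay.au`) && (PathPrefix(`/auth`) "
            "&& !PathPrefix(`/auth/token`) || PathPrefix(`/outpost.goauthentik.io`))")
COMPANION_RULE = "Host(`home-companion.richay.au`) || Host(`home-assistant.richay.au`)"

ROUTERS = [
    # SSO router: carries the authentik forwardAuth middleware
    Router("home-assistant", SSO_RULE,
           lambda h, p: h == "home-assistant.richay.au"
           and ((p.startswith("/auth") and not p.startswith("/auth/token"))
                or p.startswith("/outpost.goauthentik.io")),
           ["https-redirectscheme", "authentik"]),
    # Companion router: no forwardAuth, Home Assistant's own login is used
    Router("home-companion", COMPANION_RULE,
           lambda h, p: h in ("home-companion.richay.au", "home-assistant.richay.au"),
           ["https-redirectscheme"]),
]


def route(host: str, path: str) -> Optional[Tuple[str, List[str]]]:
    """Return (router name, middleware chain) Traefik would apply, or None."""
    matching = [r for r in ROUTERS if r.match(host, path)]
    if not matching:
        return None
    best = max(matching, key=lambda r: r.priority)
    return best.name, best.middlewares


def behind_sso(host: str, path: str) -> bool:
    """True if the request passes through the authentik forwardAuth middleware."""
    routed = route(host, path)
    return routed is not None and "authentik" in routed[1]
```

Run `route("home-assistant.richay.au", "/auth/token")` and compare it with `/auth/login_flow` on the same host to see the token exchange land on the unprotected router while the login flow goes through Authentik.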

Thx for the tuto. I'll need your help for this. Did it once with Home Assistant docker but impossible with Home Assistant supervised installed on host …. I added proxies but still got error shot xforward for message. Showing xforward: « ,10.0.100.1 » instead of xforward: « 10.0.0.1 ». CAN I have your help?
Hey mate, I'm using HA OS, and not a docker version of Home Assistant. Is that the same one you are using? And which reverse proxy are you using?
I'm on nginxproxymanager so the configuration differs a bit, but isn't this just adding another entrypoint home-companion.xxxxxx that won't go through Authentik and therefore won't be authenticated? What's the advantage of keeping the secured home-assistant.xxxxxx entrypoint in parallel since it can easily be bypassed?
Thanks for the work!
It is, but having authentik on the webpage allows auto logins through authentik 😉
But you can make the companion entry point something obscure so it's harder to guess, as you will only need to add it and log in once. Unfortunately Authentik won't work for companion app login yet, and I need it for my location automations 🙂
I'm using Tailscale with split domain DNS on my phone: domain richay.au requests go to my private DNS on my home server, which has A records and CNAMEs set, so my companion app entry point isn't accessible unless on my home network or logged into Tailscale. Don't have to do anything special once set up to flick between home server web apps and normal internet browsing. https://richay.au/tailscale-split-dns-by-domain-for-secure-home-server-access/