I absolutely love the fact that I can log into Authentik and then bypass all app login screens for instant access. This was a slight challenge with Home Assistant, as placing it behind Authentik would break the phone companion app. Here is a quick guide on how I overcame this.
This was solved by setting up two routes in Traefik leading back to my Home Assistant: one behind Authentik for SSO, and the other using the default Home Assistant login screen for the companion app.
This requires a few things first:
Traefik setup with dynamic config
HTTP Header Authentication integration for Home Assistant found here
Authentik setup with provider and application, instructions found here
The added lines I used in configuration.yaml in Home Assistant:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.10.10.0/24 # Change to your home network
    - 172.22.0.0/16 # Change to your traefik proxy network
auth_header:
  username_header: X-authentik-username
The config.yaml for my Traefik:
Please note there are two routers for the one service, one being behind Authentik (/auth) and the other bypassing Authentik. There is also a path prefix for the outpost so there is no 404 error.
http:
  routers:
    # Router for SSO - PROTECTED by Authentik
    home-assistant:
      entryPoints:
        - "https"
      # Parentheses balanced: the host must match, and the path is either
      # /auth (except /auth/token) or the Authentik outpost prefix.
      rule: "Host(`home-assistant.richay.au`) && ((PathPrefix(`/auth`) && !PathPrefix(`/auth/token`)) || PathPrefix(`/outpost.goauthentik.io`))" # Change host domain
      middlewares:
        - https-redirectscheme
        - authentik
      tls: {}
      service: home-assistant
    # Router for Companion App - UNPROTECTED by Authentik
    home-companion:
      entryPoints:
        - "https"
      rule: "Host(`home-companion.richay.au`) || Host(`home-assistant.richay.au`)" # Change host domain
      middlewares:
        - https-redirectscheme
      tls: {}
      service: home-assistant
  services:
    home-assistant:
      loadBalancer:
        servers:
          - url: "http://10.10.10.10:8123" # change this to your IP of your Home Assistant
        passHostHeader: true
  middlewares:
    authentik:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
          - authorization
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
When you select your server on the companion app, choose the https://home-companion.richay.au option. This will allow the app to work.
When using a web browser, use https://home-assistant.richay.au for SSO access using Authentik.
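The home-companion router has no forwardAuth middleware, so nothing on that route removes or overwrites an X-authentik-* header supplied by the client, while Home Assistant reads its username from X-authentik-username. The fragment below is an added hardening example, not part of the original config, to merge into the same dynamic file: the middleware name strip-authentik-headers is hypothetical, and it relies on Traefik's headers middleware removing a request header whose customRequestHeaders value is empty.

```yaml
http:
  routers:
    # Companion-app router from the guide, with one extra middleware.
    home-companion:
      entryPoints:
        - "https"
      rule: "Host(`home-companion.richay.au`) || Host(`home-assistant.richay.au`)" # Change host domain
      middlewares:
        - https-redirectscheme
        - strip-authentik-headers # hypothetical name, added in this example
      tls: {}
      service: home-assistant

  middlewares:
    # Assumption: this middleware is not in the original config.
    # An empty value makes Traefik drop the request header, so only the
    # forwardAuth-protected router can deliver X-authentik-* headers
    # to Home Assistant.
    strip-authentik-headers:
      headers:
        customRequestHeaders:
          X-authentik-username: ""
          X-authentik-groups: ""
          X-authentik-email: ""
          X-authentik-name: ""
          X-authentik-uid: ""
          X-authentik-jwt: ""
          X-authentik-meta-jwks: ""
          X-authentik-meta-outpost: ""
          X-authentik-meta-provider: ""
          X-authentik-meta-app: ""
          X-authentik-meta-version: ""
```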
