This repository was archived by the owner on Oct 23, 2025. It is now read-only.
Login attempt with invalid authentication (Nginx + Authentik + Homeassistant) #300
Description
Hi I'm running Homeassistant as well as Authentik and nginx as Docker containers and want so acces Homeassistant via the nginx reverse proxy using the authentik Auth.
When I use hass2.mysdomain.com (wich is set up in nginx) i get redirected to the Authentik login. So far so good.
After Signing in I get redicrectet to Homeassistant where this error pops up.
The Homeassistant log states:
Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'
Homeassistant Log:
2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy(
'X-authentik-username': 'test',
'X-authentik-name': 'test',
'X-authentik-uid': '1ae74557218bb98d96b177878660de63d1848a2830c26c35afbad47ff9ecb851',
'Host': '192.168.178.101:8123',
'Connection': 'close',
'Content-Length': '129',
'sec-ch-ua': '"Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"',
'sec-ch-ua-platform': '"Windows"',
'sec-ch-ua-mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36',
'Content-Type': 'text/plain;charset=UTF-8',
'Accept': '*/*',
'sec-gpc': '1',
'Accept-Language': 'de-DE,de;q=0.6',
'Origin': 'https://hass2.mydomain.com',
'sec-fetch-site': 'same-origin',
'sec-fetch-mode': 'cors',
'sec-fetch-dest': 'empty',
'Accept-Encoding': 'gzip, deflate, br',
'Cookie': 'authentik_proxy_3r6W7vF2=SFORLJB5QA7PQ3QFU2ARAH5COBD3IV76G7S7T4ZHS756WOCWKQUDQVVRLBDO3KBE7XOOIWMGMPPWIOTSK3AYLSLWQ5VCOSGF5ZUT5FI')>
2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.178.101
2024-01-27 18:45:39.405 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36)
192.168.178.101 is the Local Network IP of my Server wich is running all 3 docker containers
'test' is set up as a username in Authentik as well as Homeassistant
in my config.yaml i have added:
http:
use_x_forwarded_for: true
trusted_proxies:
- 192.168.178.0/24
auth_header:
username_header: X-authentik-username
logger:
default: info
logs:
custom_components.auth_header: debug
The custom configuration for the Proxy Host in Nginx is:
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location / {
# Put your proxy_pass to your application here
proxy_pass $forward_scheme://$server:$port;
# authentik-specific config
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
}
# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass http://192.168.178.101:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
# required for POST requests to work
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
Any help on how to tackle this problem would be appreciated,
I suspect Homeassistant doesn't like the way Authentik hands over the auth_header?
Do i need to add or modify the '/auth/token' somewhere?