Description
Is your feature request related to a problem? Please describe.
I run Frigate behind an Authentik proxy for SSO. Home Assistant is on a different machine, so there's not really a secure way for me to give it access to port 5000 -- it really needs to connect through Authentik instead. But the current Frigate integration uses POST /api/login if provided with a username and password, which the proxy can't support.
Describe the solution you'd like
An additional option in the setup screen to enable basic auth (username + password) and/or bearer token, instead of the default login API. If enabled, the provided credentials should be sent with all requests. Besides setting the authorization header (and ideally accepting cookies), the integration can treat Frigate as if it were unauthenticated.
Describe alternatives you've considered
One alternative would be to support OIDC or OAuth. Either natively in Frigate itself, so its ports can be exposed directly without sacrificing SSO, or in the integration. But that's been discussed many times, and is far more complexity than is actually required to solve this issue.
There are several possible workarounds locally, including:
- Setting up an IP-based bypass in the authentication flow.
- Deploying a secondary proxy next to Frigate, restricting by IP and/or MAC address.
- Building a custom service to impersonate Frigate's login API, returning a cookie that's valid for Authentik.
- Exposing Frigate's authenticated port and using built-in user accounts simultaneously with `trustProxy`.
- Creating a dedicated VLAN just for unauthenticated Frigate connections.
- Hardcoding the credentials directly into the URL, in plain text.
In theory, any of those would work; but each one would either create security weaknesses or be a huge pain to do. (Or both.)
Additional context
The UI could be as simple as a checkbox under the password field:
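Added example, not part of the original issue and not code from the Frigate integration: a sketch of the header handling the request describes, where the credentials go in the `Authorization` header of every request instead of into the URL. The function names and the `frigate.example.com` host are hypothetical, and only the Python standard library is assumed.

```python
import base64
from urllib.parse import urlsplit


def proxy_auth_headers(url, *, username=None, password=None, token=None):
    """Build the Authorization header for a Frigate URL behind an auth proxy.

    Hypothetical helper: pass either token (bearer) or username and password (basic).
    """
    parts = urlsplit(url)
    if parts.username or parts.password:
        # Credentials in the URL end up in logs, history and Referer headers.
        raise ValueError("credentials must not be embedded in the URL")
    if parts.scheme != "https":
        # Basic auth is only base64-encoded, so it needs TLS underneath.
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    if token is not None:
        if username is not None or password is not None:
            raise ValueError("use either a bearer token or basic auth, not both")
        if not token or any(c.isspace() or ord(c) < 0x20 for c in token):
            # Whitespace or control characters would corrupt or split the header.
            raise ValueError("bearer token contains invalid characters")
        return {"Authorization": "Bearer " + token}
    if username is None or password is None:
        raise ValueError("basic auth needs both username and password")
    if ":" in username:
        # RFC 7617: the user-id cannot contain a colon.
        raise ValueError("username must not contain ':'")
    raw = (username + ":" + password).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def _origin(url):
    # Scheme, host and effective port identify where credentials may go.
    p = urlsplit(url)
    default = {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), p.port or default)


def should_forward_auth(base_url, request_url):
    """True only when request_url has the same origin as the configured base URL,
    so a redirect to another host or to plain HTTP does not receive the header."""
    return _origin(base_url) == _origin(request_url)


if __name__ == "__main__":
    base = "https://frigate.example.com"  # constructed placeholder host
    print(proxy_auth_headers(base, token="constructed-token"))
    print(should_forward_auth(base, "https://other.example.net/api/events"))
```
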
