[BUG] Broken login with Authentik

[ballfire]

Describe the bug
The Auth does not work with an authentik provider after upgrade to 1.2.0

To Reproduce
Steps to reproduce the behavior:

1. In login page, click OpenID/OAuth2 Authentication
2. Receive a nice 500 error

Expected behavior
Should take you to Authentik login

Setup
Home Assistant: Core 2025.12.5
Integration: 1.2.0
Identity Provider: Authentik 2025.10.3

Additional context
With my limited understanding of OIDC/OpenID and Homeassistant, and taking a look at the code, I think the problem lies in the code introduced in views.py,

there's a direct call to conf[CONF_AUTHORIZE_URL] that according to the documentation, is not necessary if the OpenID endpoint provides a configuration url. I think there should be something in place to check if the url is to be obtained from the configuration.yml of from the config url from the authenticator, instead of using directly a config key from yml

Once I added the corresponding configuration in my .yml to match the offered "authorization_endpoint" through the "authorize_url" in the yml config file everything went back to working condition

[H4K0N42]

I have tried to set the authroize, token and userinfo urls myself and got an interesting response:

home-assistant  | 2026-01-12 19:45:21.029 ERROR (MainThread) [custom_components.openid.views] Token exchange or user info fetch failed
home-assistant  | Traceback (most recent call last):
home-assistant  |   File "/config/custom_components/openid/views.py", line 276, in get
home-assistant  |     token_data = await exchange_code_for_token(
home-assistant  |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
home-assistant  |     ...<7 lines>...
home-assistant  |     )
home-assistant  |     ^
home-assistant  |   File "/config/custom_components/openid/oauth_helper.py", line 52, in exchange_code_for_token
home-assistant  |     raise RuntimeError(f"Token endpoint returned {resp.status}: {text}")
home-assistant  | RuntimeError: Token endpoint returned 400: <!DOCTYPE html>
home-assistant  | <html>
...
home-assistant  | <body>
home-assistant  | <div id="main_page_all">
home-assistant  |     <header class="" name="" id="blueBarBox">
home-assistant  |         <div class="blue_bar_titel" name="" id="blueBarTitel">
home-assistant  |                     FRITZ!Box
home-assistant  |         </div>
home-assistant  |     </header>
home-assistant  |     <div id="page_content_no_menu_box">
home-assistant  |         <div class="area_box">
home-assistant  |             <div class="blue_bar_back" >
home-assistant  |                 <div><h2>FRITZ!Box</h2></div>
home-assistant  |             </div>
home-assistant  |             <div class="page_content">
home-assistant  |                 <p>Der DNS-Rebind-Schutz Ihrer FRITZ!Box hat Ihre Anfrage aus Sicherheitsgründen abgewiesen.</p>
home-assistant  |                 <p>Der Host-Header Ihrer Anfrage stimmt nicht mit dem Namen der FRITZ!Box überein.</p>
home-assistant  |                 <p>Wenn Sie über einen anderen Hostnamen auf die FRITZ!Box zugreifen wollen, ergänzen Sie diesen bitte als Ausnahme in der Benutzeroberfläche Ihrer FRITZ!Box unter "Heimnetz > Netzwerk > Netzwerkeinstellungen" im Bereich "DNS-Rebind-Schutz".</p>
home-assistant  |                 <br>
home-assistant  |             </div>
home-assistant  |         </div>
home-assistant  |     </div>
home-assistant  | </div>
home-assistant  | </body>
home-assistant  | </html>

for some reason my router answered instead of the authentik server. I have never had this problem before, I hope this is related and helps

[mi7chal]

Same issue here, added fix in PR #56. @cavefire can you merge and add it as 1.2.1?

[KewlGuyRox]

Same issue here, added fix in PR #56. @cavefire can you merge and add it as 1.2.1?

I downloaded the updated files from your repository. Same issue.

[cavefire]

This does not seem to be related to #56.
Please check your dns settings. Your homeassistant tries to contact your IdP, but gets a response from your router.

[KewlGuyRox]

This does not seem to be related to #56. Please check your dns settings. Your homeassistant tries to contact your IdP, but gets a response from your router.

Nothing has changed on HA since past 10 months. I re-checked my reverse proxy (Traefik), Authentik, internal DNS and also HA itself. It was working very smoothly up until I updated to 1.2.0. I even did a full restore from my full backup before the update.

Now in browser too many times it just says this after successfully authenticating through Authentik

https://hass.xxxxxnet/auth_callback=1&code=12219c1ff10948238313cf8a65439bae&storeToken=true&provider_id=homeassistant&state=mCfb34A9Oy29I6cl9_PhSg

Unable to connect to Home Assistant.
Retrying in 38 seconds...

Could it be that the recent HA updates may have broken the Authentik verification and callback?

[cavefire]

Version 1.2.0 change quite a bit on the frontend side. Can you try logging in in a different browser or clearing your cache completely?

[KewlGuyRox]

Version 1.2.0 change quite a bit on the frontend side. Can you try logging in in a different browser or clearing your cache completely?

Used Chrome and Edge. Cleared cache "all time" and opened in incognito/private mode. Below is my configuration in configuration.yml. I have also tried using create_user: false .. Also, I get this OpenID connect option along with the text

---

openid:
client_id: xxxxxxxxx
client_secret: xxxxxxxx
configure_url: "https://auth.xxxxx.net/application/o/homeassistant/.well-known/openid-configuration"
username_field: "preferred_username"
scope: "openid profile email"
block_login: false
openid_text: "Login with Authentik"

---