home-assistant/core#58380

This is causing HA to throw the following error
ERROR (MainThread) [homeassistant.setup] Setup failed for auth_header: Unable to import component: cannot import name 'HTTP_BAD_REQUEST' from 'homeassistant.const' (/usr/src/homeassistant/homeassistant/const.py)

Hello guys. I'm trying to setup homeassistant auth with authentik, following this tutorial https://goauthentik.io/integrations/services/home-assistant/
However, I can't get it working. When I get to Hassio's fronted I get "sign in has been cancelled". Here are the logs of the HACS addon:

2023-03-15 16:27:06.578 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow

Currently Homeassistant immediately logs back in when using the logout button. Would be nice to redirect to a logout URL such as authentik's signout url https://example.tld/outpost.goauthentik.io/sign_out

I would normaly try and use my reverse proxy to redirect /logout urls but it looks like HA dosn't work that way. The only hint I've found so far is this pull request for disconnecting websockets after a token is revoked.

Hi,
I'm currently setting up SSO for myself and would like to add my family's home assistant instance. Issue is, they already have it exposed via their own reverse proxy. I can add mine to the trusted proxies and configure SSO, but that would leave them vulnerable through their other reverse proxy.

I'd really like a way block auth headers from specific trusted proxies / IPs if possible.

Thank you!

I got this working with Authentik SSO, but this breaks long all /api-endpoints that requires Authorization header and WebSocket

I'm able to connect to HASS just fine using a standard NPM reverse proxy setup. Once I introduce the authentik and auth-header bits, I get stuck at the wonderful Unable to connect to Home Assistant screen. I am unfortunately fairly new to this and am afraid I'm missing something obvious. My authentik username and HASS username are identical and TOTP is disabled in HASS

Authentik user:

HASS user:

configuration.yaml

auth_header.yaml

http.yaml

192.168.10.10 is my Nginx Proxy Manager
192.168.10.3 is my Docker instance running Authentik

Debug Log entries: (whitespace added by me for clarity)

was trying to setup hass-auth-header but kept getting username/password invalid when entering username/password in hass.
so decided to rollback all changes.
result is the same. I cannot login via ios app or browser on mobile.
I've quadruple checked username/password and what works in my laptop browser does not work on mobile. Even in incognito.

I've removed hass-auth-header from configuration.yaml and even deleted the integration, but nothing seems to work.
I cleared all my refresh-tokens for my user.
I tried other usernames. Nothing.

I am not saying this is a hass-auth-header issue but I am hoping someone might have an idea what might have caused this.

here's hoping :)

``Apologies for what probably is an easy solution, I am just new to this.

I've got my reverse proxy working and the header integration installed.
When I click the ha.domain.com URL in nginx it brings me to a page that says:

Home Assistant

You're about to give https://ha.domain.com access to your Home Assistant instance.

Logging in with Header Authentication

Login Aborted:

START OVER

or log in with:

Home Assistant Local

Here is my conf.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
auth_header:
    # Optionally set this if you're not using authentik proxy or oauth2_proxy
    # username_header: X-Forwarded-Preferred-Username
    # Optionally enable debug mode to see the headers Home-Assistant gets
    # debug: false
Optionally, if something is not working right, add this block below to get more information
logger:
    default: info
    logs:
        custom_components.auth_header: debug

I've tried un-commenting the username_header: line and adding my authentik and HA username there but neither work. I'm not really sure what I am supposed to be putting there so I assume that is my issue...

Many thanks!

Hi! Since I've updated to the latest version of homeassistant I noticed this error in the logs:

ERROR (MainThread) [homeassistant.loader] No 'version' key in the manifest file for custom integration 'auth_header'. As of Home Assistant 2021.6, this integration will no longer be loaded. Please report this to the maintainer of 'auth_header'
It seems to be related to this so I thought I'd just give you a heads up so nothing breaks when 2021.6 is released.

home-assistant/core#49726

Thank you so much for this integration, finally got SSO working for my family thanks to this.

Hello,

I'll be grateful for assistance please.

I have Traefik and Authelia up and running. Using a basic WhoAmI service, the user name is provided in the header as "Remote-User: paul" as below (url's and IP redacted).

IP: 127.0.0.1
IP: 172.18.0.3
RemoteAddr: 172.18.0.4:36928
GET / HTTP/1.1
Host: whoami.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Cdn-Loop: cloudflare
Cf-Connecting-Ip: redacted
Cf-Ipcountry: GB
Cf-Ray: 808913071a7071fe-LHR
Cf-Visitor: {"scheme":"https"}
Cookie: cf_clearance=gxwM7vXDTNfce1t..lFe7T1JWZCsob_dUBhGtdY6mny-1695033460-0-1-621f681.ea0a671b.5120a961-0.2.1695033460; authelia_session=tC4Cbv!Oxt%an7BTiZf$ggHp1YipNsY^
Dnt: 1
Referer: https://login.redacted.com/
Remote-Name: paul
Remote-User: paul
Sec-Ch-Ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 172.70.91.58
X-Forwarded-Host: whoami.redacted.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: a4229f013d36
X-Real-Ip: 172.70.91.58

This is the section from my Home Assistant configuration.yaml

http:
 use_x_forwarded_for: true
 trusted_proxies:
    - 172.0.0.0/8
    - 192.168.1.11/32 # This needs to be set to the IP of your reverse proxy
 auth_header:
    username_header: Remote-User

however in the debug log below (url's and IP redacted), Remote-User doesn't appear in the header and unsurprisingly "No header set" and "no matching user found" errors then occur

2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Removed original login_flow route (UrlDispatcher) <PlainResource /auth/login_flow>
2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Removed original login_flow route (FastUrlDispatcher) <PlainResource /auth/login_flow>
2023-09-18 11:57:54.386 DEBUG (MainThread) [custom_components.auth_header] Add new login_flow route
2023-09-18 11:57:54.387 DEBUG (MainThread) [custom_components.auth_header] Injected auth_header provider
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy('Host': 'ha.redacted.com', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36', 'Content-Length': '135', 'Accept': '*/*', 'Accept-Encoding': 'gzip', 'Accept-Language': 'en-GB,en-US;q=0.9,en;q=0.8', 'Cdn-Loop': 'cloudflare', 'Cf-Connecting-Ip': 'redacted', 'Cf-Ipcountry': 'GB', 'Cf-Ray': '8089121bcd4771fe-LHR', 'Cf-Visitor': '{"scheme":"https"}', 'Content-Type': 'text/plain;charset=UTF-8', 'Cookie': 'cf_clearance=gxwM7vXDTNfce1t..lFe7T1JWZCsob_dUBhGtdY6mny-1695033460-0-1-621f681.ea0a671b.5120a961-0.2.1695033460; authelia_session=tC4Cbv!Oxt%an7BTiZf$ggHp1YipNsY^', 'Dnt': '1', 'Origin': 'https://ha.redacted.com', 'Sec-Ch-Ua': '"Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"', 'Sec-Ch-Ua-Mobile': '?0', 'Sec-Ch-Ua-Platform': '"Windows"', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', 'X-Forwarded-For': '172.70.91.58', 'X-Forwarded-Host': 'ha.redacted.com', 'X-Forwarded-Port': '443', 'X-Forwarded-Proto': 'https', 'X-Forwarded-Server': 'a4229f013d36', 'X-Real-Ip': '172.70.91.58')>
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.1.11
2023-09-18 11:57:54.650 INFO (MainThread) [custom_components.auth_header.headers] No header set, returning empty flow
2023-09-18 11:57:54.650 DEBUG (MainThread) [custom_components.auth_header.headers] no matching user found

thanks in advance

Hello! Love your work on Authentik and on this integration. I am hitting a small issue with the latest version of Home Assistant.

In Home Assistant 2021.11, the popup message that asks if a user wants to stay logged in has been replaced. Now, there is a checkbox on the login form. When using hass-auth-header, this box cannot be checked and so logins never persist.

Here is a screenshot of the popup in 2021.10 and earlier:

And here's a screenshot of the checkbox beginning 2021.11:

Hi all,

Thanks for that nice integration.

I added it to my HA instance and prepared everything around. The forwarded user also reach the HA instance but than I get following error

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.178.4 (192.168.178.4). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.42)

The user exists and the proxy whitelist also hold the proxy ip's

Do you have an idea?

BR

I've been testing Header Auth with Cloudflare Zero Trust, but I've run into an odd limitation. I have no way of setting what the header passes to Home Assistant. The only value that seems to be passed is the users email address.

Would it be possible to add a list of [header_value] => [username] translations, to account for such situations?

I'm thinking something along these lines:

auth_header:
  username_header: Cf-Access-Authenticated-User-Email
  username_mapping:
    - [email protected]: user1
    - [email protected]: user2
    - [email protected]: user2

Not an issue as such although I was not sure where to post. I have just installed this today and so far seems like it is working great.

1. I soon would like to expose my HA to the internet and conscious about security and if I have not configured it correctly. What are the main things to look out for when exposing this in a live PROD instance?
2. Another thought I had, is there a way that I can use this script only internally? And, if my HA is exposed to the web, it will prompt the user to login twice (once if Authelia and the other with HA)?
   /
3. Separately, I had to add username_header: Remote-User (auth_header) to my HA config file. From my understanding, it passes and allows access to HA for anyone with the same username? Whats to stop someone being able to pass this header by using my username? Bare with as my understanding is super patchy and still trying to figure it out! Thanks for your guidance

Hello i am trying whole day to setup these stacks together to make it working, bud no luck.
Are you able to provide some demo how to setup some auth stacks to work with your addon?

e.g. redirect-url
i was trying to set https://myha/auth/authorize but getting Message format incorrect: required key not provided @ data['client_id']

Just a helpful tip:

Let's say that you want to use SSO for Home Assistant in the browser, but you also want to be able to use the Home Assistant app on your phone (that does not work with SSO). The logical solution is to expose two Home Assistant endpoints: once with SSO and once without.

The issue with this addon is that if there is no SSO in front of Home Assistant and you expose both endpoints with the same proxy, then anyone can insert the 'Remote-User' (or equivalent) header and be logged in without any password.

If you use traefik you can use a middleware to remove the 'Remote-User' (or equivalent) header from requests sent to one of the exposed Home Assistant endpoints.

Docker compose labels:

• traefik.http.routers.homeassistantmobile.middlewares=removeheader
• traefik.http.middlewares.removeheader.headers.customrequestheaders.Remote-User=

'homeassistantmobile' is the name of my traefik router without SSO.
'removeheader' is the name that I chose for the middleware.

Hope this helps someone.

During setup of SSO I ran into #104, which meant that I was unable to properly auth through SSO.

After getting things into a near workable state in the hopes that the feature can be added at some point, I moved on to ensuring things would work if left in the current state where two logins (SSO and Home Assistant Local) are required.

However, it seems that no matter how I access the login page, it is impossible to authenticate through Home Assistant Local. Removing Header Auth seems to correct this problem.

I just setup auth_header with use of swag and Authelia authentication. It works fine in the browser but on the mobile companion app it just gets a black screen when i try to set it up.

Is the mobile app not supported?

Receive the following error when connecting to HA instance after updating to 2023.8.0.b0:

Enabled Debug logs; output:

HA Host Logs:
Jul 26 22:10:03 homeassistant systemd-journald[235]: /var/log/journal/b40d07b636f746f7876476d129745794/system.journal: Journal header limits reached or header out-of-date, rotating.
Jul 26 22:14:47 homeassistant systemd-journald[235]: /var/log/journal/b40d07b636f746f7876476d129745794/system.journal: Journal header limits reached or header out-of-date, rotating.
Jul 26 22:19:22 homeassistant systemd-journald[235]: /var/log/journal/b40d07b636f746f7876476d129745794/system.journal: Journal header limits reached or header out-of-date, rotating.

I see the request passed through Nginx successfully:
26/Jul/2023:15:34:26 -0700] - 500 500 - POST https homeassistant "/auth/login_flow" [Client 10.17.15.204] [Length 55] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" "https://homeassistant/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fhomeassistant%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fhomeassistant%2F&state=[token]

I don't see any other applicable log entries, but am happy to help troubleshoot further.

I created the configuration from authentik as it is described in the documentation now but I still can't login:

In this example I use this environment:
10.0.4.248 => nginx proxy manager
10.0.4.238 => authentik

The message in the browser looks like this:

the log shows this:
2023-02-24 17:07:58.083 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 10.0.4.248 (10.0.4.248). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50)

and this is my entry in configuration.yaml

logger:
  default: info
  logs:
    custom_components.auth_header: debug

http:
  server_port: 8123
  cors_allowed_origins:
    - https://www.home-assistant.io
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.4.248/32
    - 10.0.4.238/32
  ip_ban_enabled: true
  login_attempts_threshold: 5

auth_header:
  username_header: X-Authentik-Username
  debug: true

Yes the username is 100% identical in homeassistant and authentik

After switching to auth headers, the Alexa skill (https://www.home-assistant.io/integrations/alexa.intent/) seems no longer be able to authenticate via access token.

I have just upgraded to 2022.9 and unable to login.

I receive the below on the logs:

2022-09-07 21:21:10.525 ERROR (MainThread) [homeassistant.components.http.view] Unable to serialize to JSON: Type is not JSON serializable: Request
{'version': 1, 'type': <FlowResultType.CREATE_ENTRY: 'create_entry'>, 'flow_id': '0582514feb0a56723f3bca3811054a83', 'handler': ('auth_header', None), 'title': 'Header Authentication', 'description': None, 'description_placeholders': None, 'context': {'request': <Request POST /auth/login_flow >, 'ip_address': IPv4Address('172.18.0.2'), 'credential_only': False}, 'result': '2fe8c3edc78547a59f053493d8b96704'}

Downgraded back to 2022.8 and that works fine.

Anyone getting having issues with 2022.9?

There are few related auth changes in the HA 2022.9 changelog: https://www.home-assistant.io/changelogs/core-2022.9

unable to add to hacs. It's too outdated

Hey,

I need some help with configuring the following setup:

I use cloudflare tunnel as my reverse proxy. It's setup to login (via cloudflare access) via authentik (on websites that don't support oAuth).
I want to set the cloudflare output as my header credentials for home assistant but it won't work. I don't know if this is in issue related to cloudflare tunnel (do they even support header auth?).

Is there a way to do that ? :D I need cloudflare as my reverse proxy. Anything else is not required for a working setup.

Or is it even possible to "deactivate" home assistant auth and use the cloudflare access auth instead?

Error: https://github.com/BeryJu/hass-auth-header is not a valid add-on repository

I have successfully configured this plugin using traefik and authelia and it is working nicely.

Unfortunately, it seems that the integration creates a new login token every time I visit my HA instance via the browser, or at least every time a new authelia session is started (although I am using "Remember me" login).

Is this intended? Would it be possible to change the behaviour of the integration so it only generates a new token once, or at least deletes the old token from HA when it is generating a new one?

Hi, im currently trying to install this component into my home assistant but everything is configured as per the instructions i did changed the line for the new header authentik use. but the login is getting a message of unable to connect to home assistant and there is a countdown.
auth_header: username_header: X-authentik-username
with the debug enabled i can see the auth header showing up in the logs but nothing much after it.
here is the part of the log when i try to connect ;
2022-11-27 01:51:25.704 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy('Host': 'domo.XXX.ca', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0', 'Content-Length': '143', 'Accept': '*/*', 'Accept-Language': 'fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3', 'Content-Type': 'text/plain;charset=UTF-8', 'Cookie': 'authentik_csrf=FfZLpUXXX; authentik_session=XXX; authentik_proxy=XXX', 'Origin': 'https://domo.XXX.ca', 'Referer': 'https://domo.XXX.ca/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fdomo.XXX.ca%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fdomo.XXX.ca%2F&state=XXX', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', 'Sentry-Trace': 'XXX0', 'X-Authentik-Email': '[email protected]', 'X-Authentik-Groups': 'Domain Admins|XXX|XXX|XXX|authentik Admins|admin', 'X-Authentik-Jwt': 'XXX', 'X-Authentik-Meta-App': 'homeassistant', 'X-Authentik-Meta-Jwks': 'https://auth.XXX.ca/application/o/homeassistant/jwks/', 'X-Authentik-Meta-Outpost': 'authentik Embedded Outpost', 'X-Authentik-Meta-Provider': 'Homeassistant', 'X-Authentik-Meta-Version': 'goauthentik.io/outpost/2022.10.1', 'X-Authentik-Name': 'My full name', 'X-Authentik-Uid': 'XXX', 'X-Authentik-Username': 'daniel', 'X-Forwarded-For': '10.30.101.238', 'X-Forwarded-Host': 'domo.XXX.ca', 'X-Forwarded-Proto': 'https', 'X-Forwarded-Scheme': 'https', 'X-Real-Ip': '10.30.101.238', 'Accept-Encoding': 'gzip')> 2022-11-27 01:51:25.705 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 10.0.0.3
and after that bunch of debuging there is no more line concerning the auth header.

is there any idea on what i could check i tried to rename the home assistant user to get it with my full name and i then tried with my username.

Thanks in advance and thanks for the great work you did with this and authentik

I can't seem to get this to work with the IOS app. I've installed it and added the necessary items to my config. I can use authentik to authenticate in the browser with no issues. However, The iOS app is not able to sign in. The authentik prompt appears and allows me to sign in successfully, but right when it would redirect me back to the app, I get an error. This causes the first issue, unable to log in with mobile app.

To work around this, I sign in locally first with hass ip address then I try to use use my domain name. When i do this the app appears to work as intended, but the device tracker never updates. Location updates don't trigger, manual refreshes, don't update hass.

If I disable this plugin, everything goes back to normal. Does anyone know how to correct this issue?

TLDR:
Plugin works through browser, but cannot use with iOS mobile app.

Hi I'm running Homeassistant as well as Authentik and nginx as Docker containers and want so acces Homeassistant via the nginx reverse proxy using the authentik Auth.

When I use hass2.mysdomain.com (wich is set up in nginx) i get redirected to the Authentik login. So far so good.
After Signing in I get redicrectet to Homeassistant where this error pops up.

The Homeassistant log states:
Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'
Homeassistant Log:

2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy(
    'X-authentik-username': 'test', 
    'X-authentik-name': 'test', 
    'X-authentik-uid': '1ae74557218bb98d96b177878660de63d1848a2830c26c35afbad47ff9ecb851', 
    'Host': '192.168.178.101:8123', 
    'Connection': 'close', 
    'Content-Length': '129', 
    'sec-ch-ua': '"Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"', 
    'sec-ch-ua-platform': '"Windows"', 
    'sec-ch-ua-mobile': '?0', 
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36', 
    'Content-Type': 'text/plain;charset=UTF-8', 
    'Accept': '*/*', 
    'sec-gpc': '1', 
    'Accept-Language': 'de-DE,de;q=0.6', 
    'Origin': 'https://hass2.mydomain.com', 
    'sec-fetch-site': 'same-origin', 
    'sec-fetch-mode': 'cors', 
    'sec-fetch-dest': 'empty', 
    'Accept-Encoding': 'gzip, deflate, br', 
    'Cookie': 'authentik_proxy_3r6W7vF2=SFORLJB5QA7PQ3QFU2ARAH5COBD3IV76G7S7T4ZHS756WOCWKQUDQVVRLBDO3KBE7XOOIWMGMPPWIOTSK3AYLSLWQ5VCOSGF5ZUT5FI')>
2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.178.101
2024-01-27 18:45:39.405 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36)

192.168.178.101 is the Local Network IP of my Server wich is running all 3 docker containers
'test' is set up as a username in Authentik as well as Homeassistant

in my config.yaml i have added:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.178.0/24
    
auth_header:
    username_header: X-authentik-username

logger:
    default: info
    logs:
        custom_components.auth_header: debug

The custom configuration for the Proxy Host in Nginx is:

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass          http://192.168.178.101:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Any help on how to tackle this problem would be appreciated,
I suspect Homeassistant doesn't like the way Authentik hands over the auth_header?
Do i need to add or modify the '/auth/token' somewhere?

Starting with HomeAssistant 2021.7, the use of use_x_forwarded_for will be enforced if behind a reverse proxy (see release notes of 2021.6). This, however, conflicts with this component.
HA 2021.6 logs this warning:
A request from a reverse proxy was received from x.x.x.x, but your HTTP integration is not set-up for reverse proxies; This request will be blocked in Home Assistant 2021.7 unless you configure your HTTP integration to allow this header

Hello, thanks for the great integration! I'm a bit curious if you've considered using the default credentials name (username) of Home Assistant for authentication instead of the "display name". While of course one can configure any mapping on either end and any header, I'd expect it to match on the name I use to login by default.

Hi, I added the repo https://github.com/BeryJu/hass-auth-header to HACS and then restarted HASS.
Afterwards I added this to my HASS configuration.yaml

auth_header:
  username_header: X-authentik-username

This ends with a not restartable HASS with the error message in the title. I also tried to find an integration after adding the repo with "hass-auth-header" but nothing can be found.

I am running Authentik, Home Assistant, Traefik and an internal dns server. I setup everything acording to the guides but Home Assistant is not forwarding authentication to Authentik. It makes the auth url but doesnt forward to Authentik and HA stays in this screen:

My Authentik Provider config:

(External Host is set to Home Assistant Traefik Host)

My Traefik Authentik Middleware:

(Address is pointing to the authentik docker container)

My Traefik Home Assistant Router Config:

My Traefik Home Assistant Service Config:

(The Server URL is pointing to the internal Home Assistant instance)

(Sorry if images are small, you can open them in another tab to make them larger.)