Makes sense.
I recently came across this also which I just installed today. So far, its working fine but have not yet tested with multi users.
According to this issue here you need to open up a lot of resources for Authelia. Seems like a large attack area; is it OK to have Authelia bypass these?
  - domain: "ha.domain.com"
    policy: bypass
    resources:
      - "^/api.*"
      - "^/auth/token.*"
      - "^/.external_auth=."
      - "^/service_worker.js"
      - "^/static.*"
      - "^/local.*"
      - "^/hacsfiles.*"
      - "^/frontend_latest.*"
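Added example (not from this thread or from Authelia): a small Python evaluator that applies the bypass rules above to sample Home Assistant request paths, so you can see exactly which paths reach HA without Authelia authentication. It assumes Authelia's ordered, first-match access_control semantics; the trailing one_factor rule and the sample paths are constructed.

```python
import re

# Rules re-typed from the thread as Python data. Assumed: rules are
# evaluated in order and the first match wins, as in Authelia's access_control.
RULES = [
    {"domain": "ha.domain.com", "policy": "bypass", "resources": [
        r"^/api.*", r"^/auth/token.*", r"^/.external_auth=.", r"^/service_worker.js",
        r"^/static.*", r"^/local.*", r"^/hacsfiles.*", r"^/frontend_latest.*"]},
    # Constructed catch-all: anything not bypassed requires at least one factor.
    {"domain": "ha.domain.com", "policy": "one_factor", "resources": []},
]
DEFAULT_POLICY = "deny"  # what applies when no rule matches the host


def effective_policy(host, path, rules=RULES, default=DEFAULT_POLICY):
    """Return the policy Authelia would apply to a request for host/path."""
    for rule in rules:
        if rule["domain"] != host:
            continue
        # A rule with no resources matches every path on that domain;
        # otherwise any one regex matching the path (plus query) is enough.
        if not rule["resources"] or any(re.search(r, path) for r in rule["resources"]):
            return rule["policy"]
    return default


def bypassed_paths(host, paths, rules=RULES):
    """List the sample paths that the proxy forwards without authenticating."""
    return [p for p in paths if effective_policy(host, p, rules) == "bypass"]


if __name__ == "__main__":
    # Constructed sample paths, including one that shows '^/api.*' is a
    # prefix match and also covers '/apiary', not just '/api/...'.
    samples = ["/api/states", "/auth/token", "/?external_auth=1",
               "/lovelace/0", "/static/icons.png", "/apiary"]
    for p in samples:
        print(f"{p:22} -> {effective_policy('ha.domain.com', p)}")
    print("bypassed:", bypassed_paths("ha.domain.com", samples))
```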
Recently lost a drive and Authelia was a victim. Now everything is trying to reauthenticate and I am not even sure what is trying!
I’ve had a read of this thread and might be time to consider other options…
I cannot find a Home Assistant Authelia addon to augment Nginx Proxy Manager. Is anyone working on an add-on for this? I found there is a Docker container available for Authelia but haven't pulled it yet. I will begin working on an addon in the upcoming weeks but don't want to reinvent the wheel if someone is already working on it. I'd like to collab if this is in progress.
If you are interested in Authelia working natively with Home Assistant, as the current solution requires bypasses as listed above and does not always work well with the mobile apps, please upvote Open letter for improving Home Assistant's Authentication system and leave your use-case there as well.
If enough people are interested in using SSO with HA, this would be a great spot to let the developers know. Thank you!
My intent is to run Authelia as an addon to work with the nginx Proxy Manager. The holidays have slowed me down a little but this is on the top of my list for the new year.
I just discovered this ticket which i found interesting as after I have Authelia working with Nginx Proxy Manager I was going to look into fail2ban with Nginx Proxy Manager as well.
I wrote a Command Line Authentication script to handle authentication with Authelia. Code is here: Home Assistant Command Line Authentication for Authelia · GitHub
You can also find all instructions on my blog.
Main limitations are:
I just started setting up Authelia. @kevinoconnor7 is this still working well for you? I’m going to go down this path following your blog instructions.
I was able to follow your instructions and the web UI login works mostly great. HomeAssistant doesn’t know who I’m logged in as, but that’s not a big deal.
My next problem was the iOS Companion app. I had to delete the server, and then re-add it. After that, I was fine. Thanks!
I have this working using: GitHub - BeryJu/hass-auth-header: Home Assistant custom component, which allows you to delegate authentication to a reverse proxy.
I think I’ve solved the issue with Authelia and mobile applications. I’ve documented the complete setup here so you can reproduce it on your installation as well.
My solution doesn't involve bypassing any URL (that would reduce the security of HA, IMHO, if API access isn't authenticated). It simply leaves the HASS login for the mobile application intact but only allows SSO for web access.
I also have authelia working for my hass subdomain.
I've found another alternative. I'm using Traefik and authentik (but it could be Authelia).
For browser access, I'm using authentik as an auth proxy + forward auth, set as middleware on Traefik; I have to authenticate on both systems.
For the app, it's not working with the middleware, so I've set another URL entrypoint, and Traefik is configured on it with a client certificate.
2 min to import the certificate on each Android phone of family members + changing the URL, and that's it.
I was not confident with Home Assistant directly hosted on the web, and I don't want to use a VPN for that.
Looks like the problem with Authelia and the HA app can be solved if the HA app implemented support for OpenID: OpenID Connect 1.0 | Integration | Authelia
An open endpoint to allow the HA app to bypass Authelia is a huge attack surface.
For the web app I think Trusted Header SSO (Trusted Header SSO | Integration | Authelia) looks OK, or even OpenID with web HA will work great.
At last for the web app, 2 login screens when you are on an outside network sounds OK; for the internal network just put a bypass and use only the HA login, this will be enough.
Not exactly a nice integration, and proper OIDC would be better, but I followed this and used the Python script as a starter. I added the ability in my script to do Duo push.