Issue configuring new auth system on 0.74.2

bosbefok · July 26, 2018, 4:05am

Having an issue getting new auth system working when accessing HA externally via nginx.
When accessed locally the following appears which indicates auth loaded correctly:

https://gyazo.com/3a0286ab15b26c3eb19ede987bbba9ed

When accessed via my domain via nginx to serve local instance

https://gyazo.com/031f90fe14cba100e022f4d76775efc5

There are no errors or warnings in log.
Any idea what the issue is?

@awarecan

awarecan · July 26, 2018, 4:18am

Can you try to open “https://yourdomain.com/auth/providers”

bosbefok · July 26, 2018, 4:57am

It returns the json string:

[{"id": null, "name": "Home Assistant Local", "type": "homeassistant"}, {"id": null, "name": "Legacy API Password", "type": "legacy_api_password"}]

I’ve had a look in chrome console while loading ha.mydomain.com. I see the following error:

Failed to load https://[redacted].cloudflareaccess.com/cdn-cgi/access/login/ha.[redacted].com?kid=redacted&redirect_url=%2Fauth%2Fproviders: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://ha.[redacted].com' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I should have posted my confg yaml. Here’s the relevant parts:

homeassistant:
  name: Home
  auth_providers:
   - type: homeassistant
   - type: legacy_api_password
http:
 base_url: https://ha.mydomain.com
 cors_allowed_origins:
   - https://ha.mydomain.com
   - https://[redacted].cloudflareaccess.com
 use_x_forwarded_for: True
 trusted_proxies: 127.0.0.1

Sunonline · July 26, 2018, 5:02am

comment # all from cors_allowed_origins:

 #cors_allowed_origins:
 #  - https://ha.mydomain.com
 #  - https://[redacted].cloudflareaccess.com
 #use_x_forwarded_for: True
 #trusted_proxies: 127.0.0.1

bosbefok · July 26, 2018, 5:06am

Tried that but it hasn’t resolved the issue.
After that change I see an additional two warnings in chrome console:

The FetchEvent for "https://ha.mydomain.com/auth/providers" resulted in a network error response: an "opaqueredirect" type response was used for a request whose redirect mode is not "manual".

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://[redacted].cloudflareaccess.com/cdn-cgi/access/login/ha.mydomain.com?kid=redacted&redirect_url=%2Fauth%2Fproviders with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.

awarecan · July 26, 2018, 5:10am

This auth/provider endpoint has explicitly blocked CORS, please fill an issue report in github

bosbefok · July 26, 2018, 5:12am

According to cloudflare:

Cloudflare supports CORS and operates in the following way:

The Cloudflare CDN identifies cache items based on the Host Header + Origin Header + Path and Query, which supports different objects using the same host header, but different origin headers
Cloudflare passes Access-Control-Allow-Origin header through unaltered from the origin server to the browser

awarecan · July 26, 2018, 5:14am

Yes, I know.

This auth/provider endpoint blocked CORS in purpose. However we should hornor the cors_allowed_origins config to allow your setup working.

bosbefok · July 26, 2018, 5:16am

Are you referring to the specific auth provider I’m using with this cloudflare access instance?

awarecan · July 26, 2018, 5:17am

https://…/auth/providers is the url we returned list of available authentication provider to “client”, HA frontend web is one of our “client”, we also has others likes iOS app etc.

bosbefok · July 26, 2018, 6:08am

Issue logged.
Thanks

awarecan · July 26, 2018, 7:06am

Per the comment in github issue, you probably need to adjust your Cloudflare’s config to NOT cache HA site.