Login issues iOS app (Cloudflare Zero Trust & Authelia OpenID Connect)

I have an issue when logging in via the HomeAssistant Mobile (iOS) app. I have set up Cloudflare Zero Trust, where I use my Authelia installation as OpenID authenticator. I have set up a Cloudflared tunnel towards my HomeAssistant installation (docker). HomeAssistant is configured as an application in Cloudflare Zero Trust demanding the Authelia authorisation.

This works flawlessly via my browser on the Mac (Safari and Chrome) and on iOS (Safari). The issue is only applicable in the iOS app. I get the following error code: NSCocoaErrorDomain 3840. I was able to export log files, I tried to wrestle through them but I really do not know where to look.

Scenario in a regular browser (both Mac and iOS)

  1. Navigate to the URL
  2. Cloudflare Zero Trust forwards an authentication request to my Authelia installation
  3. I login with Authelia
  4. The HomeAssistant login screen is displayed, I populate my HA credentials
  5. I am logged in to Home Assistant, no issues

Scenario in the HomeAssistant iOS app

  1. I populate the URL of my HomeAssistant
  2. A pop-up opens and Cloudflare Zero Trust forwards an authentication request to my Authelia installation
  3. I login with Authelia
  4. The HomeAssistant login screen is displayed, I populate my HA credentials
  5. I get the NSCocoaErrorDomain 3840 error (translated to English: the data could not be read because it does not have the right structure)

My Authelia logs confirmed that my credentials (for Authelia) are correct and the authentication request is properly processed. In my HomeAssistant application I do see that a login attempt failed and in the HomeAssistant log I noticed the following warning:

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from some.intheworld.hi (x.xx.x.x). Requested URL: '/auth/login_flow/69d617482c1a058d4bcc53f64bbee950'. (Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1)

I already checked the Authelia rules and they are as follows. But I suspect these rules are not considered at all since the Authelia authentication is for Cloudflare access. If I comment out the policy I get the same error.

   - domain: "homeassistant.somewhere.hi"
     policy: bypass
     resources:
       - "^/api.*"
       - "^/auth/token.*"
       - "^/auth/login_flow.*"
       - "^/.external_auth=."
       - "^/service_worker.js"
       - "^/static.*"
       - "^/local.*"
       - "^/hacsfiles.*"
       - "^/frontend_latest.*"

Anyone an idea what the issue could be? Or an idea where I should continue looking to dig deeper into this issue?
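Added diagnostic example (not part of the original post or of Home Assistant, Authelia or Cloudflare): the "data could not be read because it does not have the right structure" message is the generic iOS parse failure a client reports when it expects JSON and receives something else. A quick way to see what a client is actually handed by an endpoint such as `/auth/login_flow/<id>` behind an access proxy is to classify the response. The sample responses below are constructed for illustration; the hostnames and bodies are assumptions, not captured traffic.

```python
import json
from dataclasses import dataclass


@dataclass
class ProbeResult:
    verdict: str   # "json", "redirect", "html" or "unknown"
    detail: str


def classify_response(status: int, headers: dict, body: bytes) -> ProbeResult:
    """Classify what a JSON-expecting client would receive from an endpoint.

    A Home Assistant login-flow endpoint answers with JSON. If an access
    gateway in front of HA intercepts the request instead, the client sees a
    redirect or an HTML sign-in page, and its JSON parser fails on that body.
    """
    ci = {k.lower(): v for k, v in headers.items()}
    ctype = ci.get("content-type", "no content-type")

    if 300 <= status < 400:
        return ProbeResult("redirect", f"HTTP {status} -> {ci.get('location', '?')}")

    text = body.decode("utf-8", errors="replace")
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        head = text.lstrip().lower()
        if head.startswith("<!doctype html") or head.startswith("<html"):
            return ProbeResult("html", f"HTML body ({ctype}); JSON error: {exc.msg}")
        return ProbeResult("unknown", f"non-JSON body ({ctype}); JSON error: {exc.msg}")

    summary = sorted(obj) if isinstance(obj, dict) else type(obj).__name__
    return ProbeResult("json", f"parsed {ctype}: {summary}")


# Constructed sample responses (hypothetical hosts and bodies, not real captures).
SAMPLES = {
    # What the HA login flow itself returns: a JSON form description.
    "login_flow_ok": (
        200,
        {"Content-Type": "application/json"},
        b'{"type": "form", "flow_id": "abc123", "step_id": "init", '
        b'"data_schema": [{"name": "username", "type": "string"}]}',
    ),
    # What an access proxy returns when it wants the user to sign in first.
    "proxy_interstitial": (
        200,
        {"Content-Type": "text/html; charset=utf-8"},
        b"<!DOCTYPE html><html><head><title>Sign in</title></head>"
        b"<body><p>Please authenticate.</p></body></html>",
    ),
    # Or it bounces the client to the identity provider instead.
    "proxy_redirect": (
        302,
        {"Location": "https://auth.example.invalid/api/oidc/authorization?state=x"},
        b"",
    ),
}


def probe_all() -> dict:
    """Return the verdict for every constructed sample, keyed by sample name."""
    return {name: classify_response(*args).verdict for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        result = classify_response(*args)
        print(f"{name:20s} {result.verdict:9s} {result.detail}")
```

Only the first sample is something a JSON-based client can consume; the other two are the shapes that produce a "wrong structure" parse error on the client side, which is a useful thing to confirm before digging through application logs.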

The app does not support authentication providers sitting in front of HA. You can vote up this feature request:
