Authentik OAuth/OIDC Setup - Home Assistant

Authentik supports several ways to connect to services, one being OAuth or OpenID Connect (OIDC). This method is widely used by many services, such as Home Assistant. Home Assistant doesn't have native OpenID Connect support, so we will need to use HACS for setup.

Please follow Authentik and Portainer documentation

Authentik OAuth:
  1. Login to Authentik Admin Interface
  2. Go to Applications and select Create with Provider
    1. Choose a name and group
    2. Under URI in Launch URL enter https://portainer.cyberpaw.org
    3. Choose OAuth2 Provider
    4. Name the provider the same as the application
    5. For Authorization Flow choose Cyberpaw-authorization-flow (or default one)
    6. Make sure Confidential is selected for Client Type
    7. Copy Client ID and Client Key
    8. In Redirect URIs enter http://overseer.cyberpaw.org:8123/auth/openid/callback
    9. For Encryption key choose default-authentic-self-signed-certificate
    10. Under Advanced flow settings choose Welcome to Authentik (or default one)
    11. Under Configure Bindings click Bind existing policy/group/users
    12. Select Group and choose existing group that is authorized to use this service
    13. Review and Submit
  3. The provider is created and should say it's connected to the application
Home Assistant Steps:
  1. Login to Home Assistant with Admin
  2. Open HACS
  3. Search for hass-openid


  4. Go to Terminal app on HA
  5. Navigate to Your Home Assistant Config Directory
      cd /config
  6. Create custom_components Directory
      mkdir -p /config/custom_components/openid
  7. Download the Files from GitHub
      git clone https://github.com/cavefire/hass-openid.git
      cp -r hass-openid/custom_components/openid /config/custom_components/
  8. Restart Home Assistant
  9. Go back to Terminal and add following configuration to configuration.yaml file
      # OAuth with Authentik
      openid:
        client_id: YOUR_CLIENT_ID
        client_secret: YOUR_CLIENT_SECRET
        configure_url: "https://auth.cyberpaw.org/application/o/home-assistant/.well-known/openid-configuration"  # Replace with your Identity Provider's URL
        username_field: "email"  # Adjust based on your IdP's user info response
        scope: "openid profile email"
        block_login: false
        openid_text: "Login with Authentik"  # Text to display on the login page
  10. Restart Home Assistant

If you want to disable the default Home Assistant login and only allow OpenID authentication, set block_login to true in your configuration.
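
A pre-flight check for the openid: settings and the Redirect URI entered above, written as an added example (not part of the original page or of hass-openid). It compares them against the provider's OIDC discovery document, using the standard discovery metadata field names; the function name check_openid_config and the sample document are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Constructed sample discovery document (illustrative, not captured from a live server).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://auth.cyberpaw.org/application/o/home-assistant/",
  "authorization_endpoint": "https://auth.cyberpaw.org/application/o/authorize/",
  "token_endpoint": "https://auth.cyberpaw.org/application/o/token/",
  "userinfo_endpoint": "https://auth.cyberpaw.org/application/o/userinfo/",
  "jwks_uri": "https://auth.cyberpaw.org/application/o/home-assistant/jwks/",
  "scopes_supported": ["openid", "profile", "email"],
  "claims_supported": ["sub", "email", "name", "preferred_username"]
}""")
# Settings and redirect URI as written on this page.
PAGE_CONFIG = {
    "configure_url": "https://auth.cyberpaw.org/application/o/home-assistant" + WELL_KNOWN,
    "username_field": "email", "scope": "openid profile email",
}
PAGE_REDIRECT_URI = "http://overseer.cyberpaw.org:8123/auth/openid/callback"

def check_openid_config(cfg, discovery, redirect_uri):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    url = cfg["configure_url"]
    # The document's "issuer" must match the URL it is served under.
    if not url.endswith(WELL_KNOWN):
        findings.append("configure_url does not end with " + WELL_KNOWN)
    elif discovery.get("issuer", "").rstrip("/") != url[: -len(WELL_KNOWN)].rstrip("/"):
        findings.append("issuer does not match configure_url")
    # Codes, tokens and user info must not travel over plaintext HTTP.
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if urlsplit(discovery.get(key, "")).scheme != "https":
            findings.append(key + " is missing or not https")
    # Requested scopes and the username claim should be offered, when advertised.
    offered = discovery.get("scopes_supported")
    for scope in cfg["scope"].split():
        if offered is not None and scope not in offered:
            findings.append("scope not offered: " + scope)
    claims = discovery.get("claims_supported")
    if claims is not None and cfg["username_field"] not in claims:
        findings.append("claim not offered: " + cfg["username_field"])
    # The authorization code reaches Home Assistant through the redirect URI.
    if urlsplit(redirect_uri).scheme != "https":
        findings.append("redirect URI is not https: " + redirect_uri)
    return findings

if __name__ == "__main__":
    print(check_openid_config(PAGE_CONFIG, SAMPLE_DISCOVERY, PAGE_REDIRECT_URI))
```

To check a live setup, download the JSON served at configure_url and pass it in place of SAMPLE_DISCOVERY.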