
Authentik OAuth/OIDC Setup - Home Assistant

Authentik can connect to services in several ways, one being OAuth or OpenID Connect (OIDC). This method is widely used by many services, such as Portainer. Home Assistant doesn't have native OpenID Connect support, so we will need to use HACS for setup.

Please follow Authentik and Portainer documentation

Authentik OAuth:
  1. Login to Authentik Admin Interface
  2. Go to Applications and select Create with Provider
    1. Choose a name and group
    2. Under URI in Launch URL enter https://portainer.cyberpaw.org
    3. Choose OAuth2 Provider
    4. Name the provider same as application
    5. For Authorization Flow choose Cyberpaw-authorization-flow (or default one)
    6. Make sure Confidential is selected for Client Type
    7. Copy Client ID and Client Key
    8. In Redirect URIs enter http://overseer.cyberpaw.org:8123/auth/openid/callback
    9. For Encryption key choose default-authentik-self-signed-certificate
    10. Under Advanced flow settings choose Welcome to Authentik (or default one)
    11. Under Configure Bindings click Bind existing policy/group/users
    12. Select Group and choose existing group that is authorized to use this service
    13. Review and Submit
  3. The provider is created and should say it's connected to application
Home Assistant Steps:
  1. Login to Home Assistant with Admin
  2. Open HACS
  3. Search for hass-openid
  4. Go to Terminal app on HA
  5. Navigate to Your Home Assistant Config Directory

      cd /config

  6. Create custom_components Directory

      mkdir -p /config/custom_components/openid

  7. Download the Files from GitHub

      git clone https://github.com/cavefire/hass-openid.git
      cp -r hass-openid/custom_components/openid /config/custom_components/

  8. Restart Home Assistant
  9. Go back to Terminal and add following configuration to configuration.yaml file

      # OAuth with Authentik
      openid:
        client_id: YOUR_CLIENT_ID
        client_secret: YOUR_CLIENT_SECRET
        configure_url: "https://auth.cyberpaw.org/application/o/home-assistant/.well-known/openid-configuration" # Replace with your Identity Provider's URL
        username_field: "email" # Adjust based on your IdP's user info response
        scope: "openid profile email"
        block_login: false
        openid_text: "Login with Authentik" # Text to display on the login page

  10. Restart Home Assistant

If you want to disable the default Home Assistant login and only allow OpenID authentication, set block_login to true in your configuration
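
A pre-flight check for the values configured above, added here as an example and not taken from this page or from the hass-openid project. It compares the openid: settings and the redirect URI against an OpenID Connect discovery document; the discovery document is a constructed sample and check_oidc_setup is a hypothetical helper name.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Values from the openid: block and the Authentik redirect URI step.
CFG = {
    "configure_url": "https://auth.cyberpaw.org/application/o/home-assistant" + WELL_KNOWN,
    "username_field": "email",
    "scope": "openid profile email",
}
REDIRECT_URI = "http://overseer.cyberpaw.org:8123/auth/openid/callback"

# Constructed sample of a discovery document (not captured from a real server).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://auth.cyberpaw.org/application/o/home-assistant/",
  "authorization_endpoint": "https://auth.cyberpaw.org/application/o/authorize/",
  "token_endpoint": "https://auth.cyberpaw.org/application/o/token/",
  "userinfo_endpoint": "https://auth.cyberpaw.org/application/o/userinfo/",
  "scopes_supported": ["openid", "email", "profile"],
  "claims_supported": ["sub", "email", "name", "preferred_username"]
}""")

def check_oidc_setup(cfg, discovery, redirect_uri):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # OIDC Discovery: the issuer must be the URL the document was fetched from,
    # minus the well-known suffix (a trailing slash is tolerated here).
    expected = cfg["configure_url"].removesuffix(WELL_KNOWN).rstrip("/")
    if discovery.get("issuer", "").rstrip("/") != expected:
        findings.append("issuer does not match configure_url")
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        if urlsplit(discovery.get(key, "")).scheme != "https":
            findings.append(f"{key} is missing or not https")
    missing = sorted(set(cfg["scope"].split()) - set(discovery.get("scopes_supported", [])))
    if missing:
        findings.append("scopes not offered by the IdP: " + " ".join(missing))
    if cfg["username_field"] not in discovery.get("claims_supported", []):
        findings.append(f"username_field '{cfg['username_field']}' not in claims_supported")
    redirect = urlsplit(redirect_uri)
    if redirect.scheme != "https":
        findings.append("redirect URI is plain http; the authorization code is sent unencrypted")
    if redirect.path != "/auth/openid/callback":
        findings.append("redirect URI path is not /auth/openid/callback")
    return findings

if __name__ == "__main__":
    for finding in check_oidc_setup(CFG, SAMPLE_DISCOVERY, REDIRECT_URI):
        print("WARN:", finding)
```

Against a live setup, fetch the configure_url yourself and pass the parsed JSON in place of SAMPLE_DISCOVERY.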