auth_header sign on working on desktop but not in Home Assistant mobile app

[xxxarmitagexxx]

Hi,

I have setup the auth_header sign on with Authentik and can log just fine on desktop.
On Mobile, I am getting the Authentik prompt, successfully sign in in Authentik but then am getting an Unable to connect to Home Assistant error.

Looking at the debug logs, it appears that in both the desktop and mobile case, auth_header is successfully logging in but in the case of the Mobile set up I am getting an additional error.
The two use cases have the exact same debug lines, with the Mobile having the last warning line in addition:

2024-10-24 10:59:20.114 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy('X-authentik-username': 'armitage', 'X-authentik-groups': 'authentik Admins|Portainer\xa0Admins|Arr Admins|Family Users|Family Admins|Grafana Admins', 'X-authentik-email': 'email.com', 'X-authentik-name': 'My Name', 'X-authentik-uid': '2578f0b95145127b0b75230e33b8a8cc49fb61f25e65d78905da3b60ffbb7f04', 'Remote-User': 'armitage', 'Remote-Email': 'matthieu.rosset@gmail.com', 'Remote-Name': 'Matthieu Rosset', 'Host': '192.168.10.82:8123', 'Content-Length': '127', 'cf-ray': '8d75ae269c32a886-SYD', 'X-Forwarded-For': '103.214.222.74', 'Accept': '*/*', 'Accept-Language': 'en-AU,en-US;q=0.9,en;q=0.8', 'Accept-Encoding': 'gzip, br', 'cf-ipcountry': 'AU', 'X-Forwarded-Proto': 'https', 'sec-fetch-dest': 'empty', 'sec-fetch-mode': 'cors', 'cf-visitor': '{"scheme":"https"}', 'sec-fetch-site': 'same-origin', 'x-requested-with': 'io.homeassistant.companion.android', 'cf-connecting-ip': '103.214.222.74', 'Origin': 'https://homeassistant.mc-panda.com', 'priority': 'u=1, i', 'cdn-loop': 'cloudflare; loops=1', 'sec-ch-ua-platform': '"Android"', 'User-Agent': 'Mozilla/5.0 (Linux; Android 14; SM-S908E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/129.0.6668.100 Mobile Safari/537.36 Home Assistant/2024.10.3-14058 (Android 14; SM-S908E)', 'sec-ch-ua': '"Android WebView";v="129", "Not=A?Brand";v="8", "Chromium";v="129"', 'Content-Type': 'text/plain;charset=UTF-8', 'sec-ch-ua-mobile': '?1', 'Cookie': 'authentik_proxy_dHtdDSoh=MTcyOTcyNzg4OXxOd3dBTkVsVU1sTXpXRVpIUzFkUU5FVktURUkzUkRSR05FcFdSa2xIU0U1SlRFdFVVa0ZUUWpSVFJsTkNWazVFVTFCUVFrZENRbEU9fLhMEyEXdxqknBNJsgIhUsN3Q_BUIBZDijZbBFDitg20')>
2024-10-24 10:59:20.114 DEBUG (MainThread) [custom_components.auth_header] Got actual IP [Reverse Proxy docker IP]
2024-10-24 10:59:20.114 DEBUG (MainThread) [custom_components.auth_header.headers] Validating access for IP: [Reverse Proxy docker IP]
2024-10-24 10:59:20.114 DEBUG (MainThread) [custom_components.auth_header.headers] Checking user: My Name
2024-10-24 10:59:20.114 DEBUG (MainThread) [custom_components.auth_header.headers] Found username in credentials: My Username
2024-10-24 10:59:20.114 DEBUG (MainThread) [custom_components.auth_header.headers] Username match found, finishing login flow
2024-10-24 10:59:22.572 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from (WAN IP). Requested URL: '/api/mobile_app/registrations'. (Home Assistant/2024.10.3-14058 (Android 14; SM-S908E))

I have read the few topic discussing issues back in 2022 setting up auth_header to get it to work with the HomeAssistant mobile app but could not figure out a fix.

Any idea on how to get around it?

[Anaphylaxis]

I use forward proxy mode with Traefik middleware, the way I interpreted this in the wiki: Only prefixes starting with /auth need to be proxied (excluding prefixes starting with /auth/token), see [this GitHub issue](https://github.com/BeryJu/hass-auth-header/issues/212). This can be configured in the reverse proxy (e.g. nginx, Traefik) or in authentik Provider's Unauthorized Paths.
was by excluding anything but /auth from authentication (/auth should be authenticated requests), EXCEPT /auth/token should be unauthenticated.
this seems to work for me:

^(?!/auth).*$
^/auth/token.*$

ChatGPT Explanation:

^(?!/auth).*$: Matches any string except those starting with /auth.
^/auth/token.*$: Matches any string that starts with /auth/token.

[alametti]

... this seems to work for me:

^(?!/auth).*$
^/auth/token.*$

In Nginx and otherwise pretty vanilla configuration, this doesn't work for me without implementing this additional fix as well.

Otherwise, I get an error after an otherwise successful login flow: homeassistant | 2025-... WARNING (MainThread) [homeassistant.components.websocket_api.http.connection] from ... (...): Disconnected: Did not receive auth message within 10 seconds

Presumably because of the redirection issue in #333; so make sure to check that out as well.

[Anaphylaxis]

... this seems to work for me:

^(?!/auth).*$
^/auth/token.*$

In Nginx and otherwise pretty vanilla configuration, this doesn't work for me without implementing this additional fix as well.

Otherwise, I get an error after an otherwise successful login flow: homeassistant | 2025-... WARNING (MainThread) [homeassistant.components.websocket_api.http.connection] from ... (...): Disconnected: Did not receive auth message within 10 seconds
Presumably because of the redirection issue in #333; so make sure to check that out as well.

Is this not because vanilla nginx doesn't forward upgrade headers for websockets? I'm assuming you've tried

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

[alametti]

Is this not because vanilla nginx doesn't forward upgrade headers for websockets? I'm assuming you've tried

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

Yes, that was already part of my location block. Regardless, at least for me, the combination of your fix and the one in the other issue do the trick!