Example Home Assistant auth_provider using curl -> Authelia #4681
-
Wish I searched before writing something lol 🤦. I went a little different, since that I'm using the

My script:

```python
#!/usr/bin/env python
import argparse
import os

import requests
from requests.auth import HTTPBasicAuth

# Home Assistant passes the login credentials to the command as environment variables.
username = os.environ.get('username')
password = os.environ.get('password')

if username is None:
    raise Exception('Environment variable missing: username')
if password is None:
    raise Exception('Environment variable missing: password')

parser = argparse.ArgumentParser()
parser.add_argument(
    '--authelia-base',
    required=True,
)
parser.add_argument(
    '--authelia-header-email',
    default='Remote-Email',
)
parser.add_argument(
    '--authelia-header-groups',
    default='Remote-Groups',
)
parser.add_argument(
    '--authelia-header-full-name',
    default='Remote-Name',
)
parser.add_argument(
    '--authelia-admin-group',
    default='admins',
)
parser.add_argument(
    '--authelia-home-assistant-proto',
    default='https',
    choices=['http', 'https'],
)
parser.add_argument(
    '--authelia-home-assistant-domain',
    required=True,
)
args = vars(parser.parse_args())

basic = HTTPBasicAuth(username, password)
# Tell Authelia which protected URL this verification is for.
headers = {
    'X-Forwarded-Proto': args['authelia_home_assistant_proto'],
    'X-Forwarded-Host': args['authelia_home_assistant_domain'],
    'X-Forwarded-URI': '/',
}

request = requests.get(
    f"{args['authelia_base']}/api/verify?auth=basic",
    auth=basic,
    headers=headers,
    timeout=10,  # do not let a stalled Authelia hang the login
)

# A non-zero exit (uncaught exception) makes Home Assistant reject the login.
if not request.ok:
    raise Exception('Could not log in')

full_name = request.headers.get(args['authelia_header_full_name'], '')
# email = request.headers.get(args['authelia_header_email'], '')
groups = request.headers.get(args['authelia_header_groups'], '').split(',')

is_admin = args['authelia_admin_group'] in groups
home_assistant_group = 'system-admin' if is_admin else 'system-users'

# Meta output read by Home Assistant because of `meta: true`.
print(f"name = {full_name}")
print(f"group = {home_assistant_group}")
print("local_only = false")
```

my Home Assistant

```yaml
homeassistant:
  auth_providers:
    - type: command_line
      meta: true
      command: /authelia-auth
      args:
        - --authelia-base
        - !env_var AUTHELIA_BASE
        - --authelia-home-assistant-domain
        - !env_var AUTHELIA_HOME_ASSISTANT_DOMAIN
```

and since I use docker, my

```yaml
services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant
    volumes:
      - ./data/authelia-auth:/authelia-auth
    environment:
      # For Authelia Auth
      - AUTHELIA_BASE=https://auth.${HOMELAB_BASE_DOMAIN}
      - AUTHELIA_HOME_ASSISTANT_DOMAIN=home.${HOMELAB_BASE_DOMAIN}
```
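A hardened take on the header-to-group mapping in the script above, as an added example that is not part of the original post and not code from Authelia or Home Assistant: it matches group names exactly and strips control characters from the display name so the value cannot spill onto a second `key = value` line. The names `build_meta`, `parse_groups` and `clean_value`, the 128-character limit and the sample headers are assumptions constructed for illustration, and only a 200 response is treated as a successful login.

```python
import re

ADMIN_GROUP = "admins"  # same default as --authelia-admin-group in the script above
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_groups(header_value):
    """Split a Remote-Groups value into exact group names, dropping blanks."""
    return {g.strip() for g in header_value.split(",") if g.strip()}


def clean_value(value, limit=128):
    """Strip control characters so the value stays on a single meta line."""
    return CONTROL_CHARS.sub("", value).strip()[:limit]


def build_meta(status_code, headers, admin_group=ADMIN_GROUP):
    """Return the meta lines to print, or None when the login must be rejected."""
    if status_code != 200:  # assumption: anything but 200 fails closed
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    name = clean_value(lowered.get("remote-name", ""))
    groups = parse_groups(lowered.get("remote-groups", ""))
    # Set membership is exact: "notadmins" or "admins-ro" never grant admin.
    ha_group = "system-admin" if admin_group in groups else "system-users"
    lines = [f"name = {name}"] if name else []
    lines += [f"group = {ha_group}", "local_only = false"]
    return lines


if __name__ == "__main__":
    # Constructed sample responses (status code, headers); not captured traffic.
    samples = [
        (200, {"Remote-Name": "Jane Doe", "Remote-Groups": "users, admins"}),
        (200, {"Remote-Name": "Eve\ngroup = system-admin",
               "Remote-Groups": "notadmins,admins-ro"}),
        (401, {}),
    ]
    for status, hdrs in samples:
        meta = build_meta(status, hdrs)
        if meta is None:
            print("login rejected (the command would exit non-zero)")
        else:
            print("\n".join(meta))
        print("---")
```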
-
I hope this script still works for you. I figured I'd mention this PR was merged to allow setting the group. Are changes needed for your script to implement this?

Edit: just read the comment before mine and realized @mikew implemented the ability to pass back user groups. @mikew does this still work for you and would it work for second factor auth?
-
The back story is:

`curl` and `jq` to be available to your Home Assistant instance; both are present in current versions of the docker image

You need to deploy this `authelia.sh` script to your Home Assistant instance. I use a bind mount in my docker-compose.yml:

then this script goes in `auth/authelia.sh` in the same directory as the compose file:

then you need to put this fragment into your home assistant `configuration.yml`:

Restart home assistant, and users will have the choice of Command Line authentication or Home Assistant Local authentication when they log in.

When using Command Line authentication to talk to Authelia, the user is authenticated, and if successful, their display name is reported back to Home Assistant, and Home Assistant will create a user record for that user, as a member of the Administrators group. There is not currently a way to have those users placed into the Users group instead:

You can review users by visiting the `/config/users` URL in your home assistant instance: