Authentik SSO not appearing on log-in screen
I, for the life of me, can't get SSO sorted out for Authentik and Homarr. I have it set up for various other services, but Homarr is the only one that's given me trouble. Below is my docker compose for Homarr. I have followed the instructions given on the Authentik site as well as Homarr's site for setting up OIDC, but on Homarr's log in screen, I get the standard username and password prompt. Only the original account I set Homarr up with works with it.
I have gone through well over a dozen different help threads here, GitHub, and elsewhere, implementing any fixes that others propose, but nothing seems to fix the issue.
I could use some help! Thanks!
services:
  homarr:
    container_name: homarr
    image: ghcr.io/homarr-labs/homarr:latest
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./homarr:/appdata
    environment:
      - SECRET_ENCRYPTION_KEY=<KEY>
      - AUTH_PROVIDER=oidc
      - AUTH_OIDC_CLIENT_ID=<SECRETID>
      - AUTH_OIDC_CLIENT_SECRET=<SECRET KEY>
      - AUTH_OIDC_ISSUER=https://auth.mysite.com/application/o/homarr/
      - AUTH_OIDC_URI=https://auth.mysite.com/application/o/authorize
      - BASE_URL=https://mysite.com
      - NEXTAUTH_URL=https://mysite.com
      - AUTH_OIDC_CLIENT_NAME=Authentik
      - OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true
      - AUTH_OIDC_ADMIN_GROUP=authentik Admins
      - AUTH_OIDC_OWNER_GROUP=authentik Admins
      - AUTH_OIDC_AUTO_LOGIN=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.homarr.rule=Host(`mysite.com`)
      - traefik.http.routers.homarr.entryPoints=websecure
      - traefik.http.routers.homarr.tls.certresolver=letsencrypt
      - traefik.http.services.homarr.loadbalancer.server.port=7575
      #- traefik.http.routers.homarr.middlewares=authentik-auth@docker
    networks:
      - private
networks:
  private:
    external: true
Solution
Ok, so I asked ChatGPT, and I got about 99% of the way there. After tweaking, here are my compose and .env files for those who need something that works!
services:
  homarr:
    image: ghcr.io/homarr-labs/homarr:latest
    container_name: homarr
    restart: unless-stopped
    ports:
      - '7575:7575'
    volumes:
      - ./homarr:/appdata
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TZ=America/Los_Angeles
      - BASE_URL=https://${HOMARR_FQDN}
      - NEXTAUTH_URL=https://${HOMARR_FQDN}
      - SECRET_ENCRYPTION_KEY=${SECRET_ENCRYPTION_KEY}
      - AUTH_PROVIDERS=oidc #,credentials # keep local accounts as fallback
      - AUTH_OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
      - AUTH_OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
      - AUTH_OIDC_ISSUER=https://${AUTH_DOMAIN}/application/o/${OIDC_SLUG}/
      - AUTH_OIDC_URI=https://${AUTH_DOMAIN}/application/o/authorize
      - AUTH_OIDC_CLIENT_NAME=authentik
      - AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
      - AUTH_OIDC_ADMIN_GROUP=${ADMIN_GROUP}
      - AUTH_OIDC_GROUPS_ATTRIBUTE=groups
      - AUTH_LOGOUT_REDIRECT_URL=https://${AUTH_DOMAIN}/application/o/${OIDC_SLUG}/end-session/
      - AUTH_OIDC_AUTO_LOGIN=true
    networks:
      - my-network
networks:
  my-network:
    external: true

Here is the .env file, redacted of course:
OIDC_CLIENT_ID=identificationid # OIDC client ID here
OIDC_CLIENT_SECRET=secretsecretsecret # OIDC client secret here
OIDC_SLUG=homarr # The slug you gave the 'homarr' application
AUTH_DOMAIN=auth.example.com # The FQDN of your Authentik endpoint
ADMIN_GROUP=homarr-admins # The name of the group in Authentik for Homarr admins. Add yourself to the group!
HOMARR_FQDN=homarr.example.com # FQDN of your homarr instance
SECRET_ENCRYPTION_KEY=encryptencryptencrypt # The Homarr encryption key
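
As an added example (not part of the original posts), this Python script compares the environment variable names in the question's compose file with those in the working one and flags names that differ by only a character or two. The function names and the 0.9 similarity cutoff are choices made for this example; the post does not say which change resolved the problem.

```python
import difflib

BEFORE = """
SECRET_ENCRYPTION_KEY=<KEY>
AUTH_PROVIDER=oidc
AUTH_OIDC_CLIENT_ID=<SECRETID>
AUTH_OIDC_CLIENT_SECRET=<SECRET KEY>
AUTH_OIDC_ISSUER=https://auth.mysite.com/application/o/homarr/
AUTH_OIDC_URI=https://auth.mysite.com/application/o/authorize
BASE_URL=https://mysite.com
NEXTAUTH_URL=https://mysite.com
AUTH_OIDC_CLIENT_NAME=Authentik
OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true
AUTH_OIDC_ADMIN_GROUP=authentik Admins
AUTH_OIDC_OWNER_GROUP=authentik Admins
AUTH_OIDC_AUTO_LOGIN=true
"""  # environment entries of the question's compose file, copied from this page
AFTER = """
TZ=America/Los_Angeles
BASE_URL=https://${HOMARR_FQDN}
NEXTAUTH_URL=https://${HOMARR_FQDN}
SECRET_ENCRYPTION_KEY=${SECRET_ENCRYPTION_KEY}
AUTH_PROVIDERS=oidc #,credentials # keep local accounts as fallback
AUTH_OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
AUTH_OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
AUTH_OIDC_ISSUER=https://${AUTH_DOMAIN}/application/o/${OIDC_SLUG}/
AUTH_OIDC_URI=https://${AUTH_DOMAIN}/application/o/authorize
AUTH_OIDC_CLIENT_NAME=authentik
AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
AUTH_OIDC_ADMIN_GROUP=${ADMIN_GROUP}
AUTH_OIDC_GROUPS_ATTRIBUTE=groups
AUTH_LOGOUT_REDIRECT_URL=https://${AUTH_DOMAIN}/application/o/${OIDC_SLUG}/end-session/
AUTH_OIDC_AUTO_LOGIN=true
"""  # environment entries of the working compose file, copied from this page

def parse_keys(block):
    """Return the variable names from KEY=VALUE lines (values are not compared)."""
    return [ln.split("=", 1)[0].strip() for ln in block.splitlines() if "=" in ln]

def diff_keys(before, after):
    """Return (removed, added, near_misses) for two lists of variable names."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    # A dropped name that almost matches a new one is worth checking against the docs.
    near = [(k, m[0]) for k in removed if (m := difflib.get_close_matches(k, added, 1, 0.9))]
    return removed, added, near

if __name__ == "__main__":
    for label, keys in zip(("removed", "added", "near-miss"), diff_keys(parse_keys(BEFORE), parse_keys(AFTER))):
        print(f"{label}: {keys}")
```

The only near-miss it reports is `AUTH_PROVIDER` against `AUTH_PROVIDERS`; the working file also adds the `groups` scope settings and drops `OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING` and `AUTH_OIDC_OWNER_GROUP`.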