HomarrH
Homarr10mo ago
8 replies
BitNotFound

Authentik SSO not appearing on log-in screen

I, for the life of me, can't get SSO sorted out for Authentik and Homarr. I have it set up for various other services, but Homarr is the only one that's given me trouble. Below is my docker compose for Homarr. I have followed the instructions given on the Authentik site as well as Homarr's site for setting up OIDC, but on Homarr's log in screen, I get the standard username and password prompt. Only the original account I set Homarr up with works with it.

I have gone through well over a dozendifferent help threads here, GitHub, and elsewhere, implementing any fixes that others propose, but nothing seems to fix the issue.

I could use some help! Thanks!

services:
  homarr:
    container_name: homarr
    image: ghcr.io/homarr-labs/homarr:latest
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./homarr:/appdata
    environment:
      - SECRET_ENCRYPTION_KEY=<KEY>
      - AUTH_PROVIDER=oidc
      - AUTH_OIDC_CLIENT_ID=<SECRETID>
      - AUTH_OIDC_CLIENT_SECRET=<SECRET KEY>
      - AUTH_OIDC_ISSUER=https://auth.mysite.com/application/o/homarr/
      - AUTH_OIDC_URI=https://auth.mysite.com/application/o/authorize
      - BASE_URL=https://mysite.com
      - NEXTAUTH_URL=https://mysite.com
      - AUTH_OIDC_CLIENT_NAME=Authentik
      - OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true
      - AUTH_OIDC_ADMIN_GROUP=authentik Admins
      - AUTH_OIDC_OWNER_GROUP=authentik Admins
      - AUTH_OIDC_AUTO_LOGIN=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.homarr.rule=Host(`mysite.com`)
      - traefik.http.routers.homarr.entryPoints=websecure
      - traefik.http.routers.homarr.tls.certresolver=letsencrypt
      - traefik.http.services.homarr.loadbalancer.server.port=7575
      #- traefik.http.routers.homarr.middlewares=authentik-auth@docker
    networks:
      - private
networks:
  private:
    external: true
Screenshot_2025-04-23_at_11.22.59_PM.png
Solution
Ok, so I asked ChatGPT, and I got about 99% of the way there. After tweaking, here are my compose and .env files for those who need something that works!

services:
  homarr:
    image: ghcr.io/homarr-labs/homarr:latest
    container_name: homarr
    restart: unless-stopped
    ports:
      - '7575:7575'
    volumes:
      - ./homarr:/appdata
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TZ=America/Los_Angeles
      - BASE_URL=https://${HOMARR_FQDN}
      - NEXTAUTH_URL=https://${HOMARR_FQDN}
      - SECRET_ENCRYPTION_KEY=${SECRET_ENCRYPTION_KEY}
      - AUTH_PROVIDERS=oidc #,credentials # keep local accounts as fallback
      - AUTH_OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
      - AUTH_OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
      - AUTH_OIDC_ISSUER=https://${AUTH_DOMAIN}/application/o/${OIDC_SLUG}/
      - AUTH_OIDC_URI=https://${AUTH_DOMAIN}/application/o/authorize
      - AUTH_OIDC_CLIENT_NAME=authentik
      - AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
      - AUTH_OIDC_ADMIN_GROUP=${ADMIN_GROUP}
      - AUTH_OIDC_GROUPS_ATTRIBUTE=groups
      - AUTH_LOGOUT_REDIRECT_URL=https://${AUTH_DOMAIN}/application/o/${OIDC_SLUG}/end-session/
      - AUTH_OIDC_AUTO_LOGIN=true
    networks:
      - my-network
networks:
  my-network:
    external: true

Here is the .env file, redacted of course:
OIDC_CLIENT_ID=identificationid # OIDC client ID here
OIDC_CLIENT_SECRET=secretsecretsecret # OIDC client secret here
OIDC_SLUG=homarr # The slug you gave the 'homarr' application
AUTH_DOMAIN= auth.example.com # The FQDN of your Authentik endpoint
ADMIN_GROUP=homarr-admins # The name of the group in Authentik for Homarr admins. Add yourself to the group!
HOMARR_FQDN=homarr.example.com # FQDN of your homarr instance
SECRET_ENCRYPTION_KEY=encryptencryptencrypt # The Homarr encryption key
Jump to solution
Was this page helpful?
CommunitiesDocsAboutTermsPrivacy