[Support]: Authentik Configuration

[jasonlaguidice]

Describe the problem you are having

Now that Frigate supports auth - does someone have an example configuration on the Authentik side to auth with Frigate?

I don't have a reverse proxy or anything in front of frigate right now and only access it locally via mDNS but would like to potentially open it up (which would end up going through a Cloudflare tunnel) and secure it through Authentik.

Is a reverse proxy required?

I've tried a few combinations with the Authentik proxy but can't find something that passes headers appropriately. Just setting auth to disabled (as shown in the attached config) allows anyone in with no authentication whatsoever so that's not ideal.

Version

14.0

What browser(s) are you using?

No response

Frigate config file

auth:
  enabled: False
  trusted_proxies:
    - 192.168.1.204

proxy:
  header_map:
    user: X-authentik-username

version: 0.14

Relevant Frigate log output

N/A

Relevant go2rtc log output

N/A

FFprobe output from your camera

N/A

Frigate stats

No response

Operating system

Proxmox

Install method

Docker Compose

Object Detector

Coral

Network connection

Wired

Camera make and model

Multiple

Screenshots of the Frigate UI's System metrics pages

No response

Any other information that may be helpful

No response

[NickM-27]

if you want to use frigate's built in authentication then there is no need for a reverse proxy to provide authentication. If you want to use proxy authentication then yes frigate's authentication would be disabled. The configuration of the proxy auth is something that you would find better support elsewhere

[miloszlipski]

https://docs.frigate.video/configuration/authentication/#proxy-configuration

[chrislawso]

Were you able to complete the authentik auth setup with frigate or did you use any other auth proxy?

[jasonlaguidice]

Were you able to complete the authentik auth setup with frigate or did you use any other auth proxy?

No, but I'm relatively unfamiliar with a proxy provider with Authentik. I'll give it another pass today and see if I can make it work as expected.

My goal was to have the frigate address exposed on a public URL and logins allowed only via Authentik but it didn't seem like this was possible at first pass - I would have had to have Frigate behind something else protecting it (like, just not exposing it and VPN'ing in) which totally defeats the need for any sort of authentication.

[jasonlaguidice]

So this is specific to my setup but it looks like I was able to make it work this time. Since this is still the top result if I Google Authentik Frigate - I should probably provide some sort of help. I don't know how much of this is necessary as this was frustrating to get working.

For this setup I am using Cloudflare tunnels for all access. My Authentik host is accessed through a CF tunnel. The Authentik host is on the same network as the Frigate host and can be accessed with mDNS.

Frigate

Frigate config changes:

auth:
  enabled: false
  trusted_proxies:
    - [your_proxy_ip/subnet]
proxy:
  header_map:
    user: x-authentik-username

Authentik

In Authentik make a provider with the following settings:
Type: Proxy
External host: https://your-frigate-external-address.com
Internal host: http://frigate.local:5000 (or whatever you're running frigate locally at - this would be the address the Authentik host can reach the Frigate host at)
Disable internal host SSL Validation

Navigate to Applications -> Outposts

Edit the authentik Embedded Outpost and add the provider to the list

Create an Application for Frigate and select the provider created previously (no other changes should be necessary). Set up your preferred access rules

Cloudflare

Modify the tunnel providing access to your Authentik instance. Add a second hostname for your-frigate-external-address.com forwarded to the same port that Authentik is typically accessed at. For me, this is localhost:9000

Deploy and that's it. When accessing the frigate external address you will be prompted to login to Authentik. Once logged in you will be transparently passed through to Frigate. All traffic to Frigate will flow through Authentik's proxy.