mirror of
https://github.com/fosrl/pangolin.git
synced 2026-05-11 08:29:13 -05:00
Closed
opened 2026-04-16 08:19:25 -05:00 by GiteaMirror
·
30 comments
Originally created by @samumatic on GitHub (May 21, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/757
This is a moved issue from Ferdinand99/home-assistant-newt-addon#3, as it affects the Pangolin authentication.
Describe the bug
After successfully installing the Home Assistant Newt Addon, the HA instance is available through the specified domain in a browser. But when trying to connect via the Android app to the HA instance, an error message under the URL https://my.domain.com/lovelace?external_auth=1 is interrupting the login process.
When disabling the Pangolin authentication the app authentication works, but not when enabled.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The browser would backlink to the Android app and successfully log me in
📜 Logs
Paste any relevant logs here:
There are no logs in HA, as the URL https://my.domain.com/lovelace?external_auth=1 doesn't reach the HA instance.
🏠 Home Assistant Version
Home Assistant Version: 2025.5.2
Newt Add-on Version: 1.3.2
Installation Type: Home Assistant OS
💻 System Details
Hardware: HP-Thinclient
Network Setup: Ethernet
ℹ️ Additional context
After a while sometimes the url
is opened, firefox is then refusing to open the page with
Is there possibly a path that must be rule whitelisted?
@oschwartz10612 commented on GitHub (May 22, 2025):
Hi!
This is typically where the bypass rules come in handy but I don't think the community has found them for the HA app yet. If you are feeling technical you could work to find the API endpoints or unfortunately most of the time with the apps it is just required to disable the Pangolin auth because the app needs to be able to talk to its HTTP API endpoints without being redirected.
@samumatic commented on GitHub (May 22, 2025):
The Home Assistant Authentik Docs are using a BeryJu/hass-auth-header, maybe this is missing here?
Whitelisting the /api/* or /auth/* in the bypass rules resulted in no change.
@samumatic commented on GitHub (May 23, 2025):
I found an error message when debugging with eruda.
Whitelisting /frontend_latest* or /lovelace* has also no effect.
@steuerlexi commented on GitHub (May 23, 2025):
I think I found a way
Here is what i have set as bypass rules
and here is what needs to be written in the configuration.yml
http:
  cors_allowed_origins:
    - https://google.com
    - https://www.home-assistant.io
  ip_ban_enabled: true
  login_attempts_threshold: 2
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - Local IP of your NEWT instance
    - VPS IP
@jhhaul commented on GitHub (May 26, 2025):
I can confirm both the issue and that the workaround given by steuerlexi works.
@oschwartz10612 commented on GitHub (May 27, 2025):
Awesome! We can add to the docs.
@samumatic commented on GitHub (May 27, 2025):
I can also confirm that logging in now works on mobile devices.
However, I would like to raise the issue that Pangolin authentication is effectively no longer working with the suggested rules in place.
When you open the HA instance in a browser at https://my.domain.com/, you are redirected to Pangolin authentication.
However, when you enter https://my.domain.com/lovelace, you are no longer prompted for Pangolin authentication; you are only prompted for HA authentication.
The same behaviour occurs on the Android app: when you enter the URL as a new HA site, you go straight to the login page and no Pangolin authentication is required.
The question is, if you can access the HA instance without Pangolin authentication, why have Pangolin authentication enabled? This bypasses the purpose of Pangolin authentication.
@steuerlexi commented on GitHub (May 27, 2025):
@samumatic Yes, I think we are bypassing Pangolin auth with this approach. But as far as I know Home Assistant OS is very secure and when your user also has TFA activated you should be rather safe with this approach.
@samumatic commented on GitHub (May 27, 2025):
I'm not questioning the security of Home Assistant, but this approach has the same effect as adding a rule with /*. At this point you should disable the Pangolin authentication completely for Home Assistant.
We should look for a solution that enables the login via the Android HA app but also requires the Pangolin authentication on all devices.
@steuerlexi commented on GitHub (May 27, 2025):
I do not agree as /* would really open up everything. But the question is the extra layer of security that pangolin gives you and if this is even necessary.
@miloschwartz commented on GitHub (May 27, 2025):
@steuerlexi Yeah for some apps it's easier/best to disable the dual auth as it's only a hindrance for apps with their own system.
@github-actions[bot] commented on GitHub (Jun 11, 2025):
This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
@ConGp20 commented on GitHub (Jun 11, 2025):
Hello everyone, unfortunately this does not work for me. Nevertheless, I am always directed to the Pangolin side or no connection is established. Only if I activate /* as a rule does it work reliably. Does anyone have an idea? Can it be due to the appcache?
Edit: some hacs-dashboard cards show an error, so the path rules in Pangolin don't work correctly. Does someone have an idea?
@D3r3k23 commented on GitHub (Jun 16, 2025):
How can you get the IP address of the Newt instance?
@oschwartz10612 commented on GitHub (Jun 16, 2025):
@ConGp20 if the rules above do not work for you for some reason then you are pretty much only able to turn off auth that is fine too. It is okay to rely on application auth and I think HA has enough traction where it will be fine if you are comfortable with it.
@D3r3k23 - you can visit ipchicken.com or curl ifconfig.io
@github-actions[bot] commented on GitHub (Jul 1, 2025):
This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
@github-actions[bot] commented on GitHub (Jul 16, 2025):
This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.
@firecat53 commented on GitHub (Aug 17, 2025):
For anyone finding this issue, the Home Assistant companion app (Android) now has a built-in webview browser that redirects to the Pangolin authentication page and allows the Pangolin login before logging in to Homeassistant. No bypass rules required. 🎉
@oschwartz10612 commented on GitHub (Aug 23, 2025):
@firecat53 that's awesome if that works! We should update the docs if so!
@firecat53 commented on GitHub (Aug 23, 2025):
Probably should get some others to verify 😁
I forgot to add, HA app version 2025.8.7-full and HA server (core) version 2025.8.2. I don't know in which version it became usable.
@jhhaul commented on GitHub (Aug 23, 2025):
Yes, I can confirm that it works with the current versions of Home Assistant and the Android client (August 2025). Great!
@steuerlexi commented on GitHub (Aug 23, 2025):
That sounds great! How often do we need to log in to Pangolin before a new token is required? I have my whole family using the Home Assistant app, and I’d like to give them a Pangolin PIN, but I hope they don’t have to renew it every couple of weeks. Any thoughts?
@firecat53 commented on GitHub (Aug 24, 2025):
It seems like every time I reboot the pangolin server I have to reauthenticate, but honestly haven't paid that close attention because it's just me.
@vmfventura commented on GitHub (Sep 7, 2025):
I updated my app from minimal to full, but still has the same problem. Using external URL, open Firefox and "Unable to connect to Home Assistant.".
Missed something?
Edit: android app 2025.8.7-full
Ha core 2025.9.1
@firecat53 commented on GitHub (Sep 10, 2025):
@vmfventura There should be a built-in webview browser in the home assistant app. You might investigate why it's opening Firefox instead...that is probably the reason you can't authenticate.
@funkypopcorn commented on GitHub (Nov 11, 2025):
I'm having the same issue on my Android phone. Can someone with a proper setup sum up all the necessary settings?
How must this be setup in Nov-2025 when newt node is running as Addon in HA:
Would really appreciate if someone could share his working setup, can't get it to run.
PS: I set the default Browser (Standard App from firefox back to chrome) on my android phone, but still no luck!
@Selmaks commented on GitHub (Jan 18, 2026):
hopefully this helps someone.
I have setup google assistant with these path rules for it to work
bypass auth /api/google_assistant
bypass auth /auth/token
bypass auth /auth/authorize
These are the only rules I have enabled apart from allow country and block countries rules. Google Assistant works and I can log in via the Android app using the Pangolin authentication.
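The coverage question raised in this thread (which paths stop requiring Pangolin authentication once bypass rules are in place) can be checked before deploying a rule set. The following is an added example, not part of the original thread and not Pangolin's own code: it assumes that `*` in a bypass rule matches any run of characters, and the probe paths are constructed samples of Home Assistant URLs.

```python
import re

def rule_to_regex(pattern):
    # ASSUMPTION: '*' matches any run of characters, including '/'.
    # Pangolin's real matcher may differ; adjust this to what you observe.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def bypassed(path, rules):
    """True if the request path (query string ignored) matches a bypass rule."""
    path_only = path.split("?", 1)[0]
    return any(rule_to_regex(rule).fullmatch(path_only) for rule in rules)

def audit(rules, probes):
    """Map each probe path to whether it would skip the proxy-level login."""
    return {probe: bypassed(probe, rules) for probe in probes}

def exposed(rules, probes):
    """Probe paths reachable without the proxy-level login, in probe order."""
    return [probe for probe, skipped in audit(rules, probes).items() if skipped]

# Wildcard patterns mentioned in the thread.
WILDCARD_RULES = ["/api/*", "/auth/*", "/frontend_latest*", "/lovelace*"]
# Exact-path rules posted in the comment above.
NARROW_RULES = ["/api/google_assistant", "/auth/token", "/auth/authorize"]

# Constructed sample paths for a Home Assistant instance behind the proxy.
PROBES = [
    "/",
    "/lovelace",
    "/lovelace?external_auth=1",
    "/api/states",
    "/api/google_assistant",
    "/auth/token",
    "/auth/login_flow",
    "/frontend_latest/app.js",
]

if __name__ == "__main__":
    for name, rules in (("wildcard", WILDCARD_RULES), ("narrow", NARROW_RULES)):
        print(name, "rules leave these paths without proxy auth:")
        for path in exposed(rules, PROBES):
            print("   ", path)
```

Under the stated matching assumption, the wildcard set leaves only `/` behind the Pangolin login, while the exact-path set exposes just the two token endpoints and the Google Assistant endpoint.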
@CorentinJ commented on GitHub (Jan 22, 2026):
Even with the android change to use chrome for logging in, I can't pass login with pangolin enabled. My take is to disable pangolin auth entirely for logging in via the mobile app, and once logged in, re-enable auth with the rules from @steuerlexi. So far I haven't been logged out doing this, so this kinda works.
@mazarian commented on GitHub (Mar 18, 2026):
For some reason, after a successful login, the HA Android app redirects to https://ha.mydomain.com/?external_auth=1 which breaks things. If the external_auth value is changed to 0 or removed entirely, I am able to view my HA (not in the app, but in the browser). Is the HA app adding that key at the end of the URL that is causing it all to break? I'm on HA app version 2026.3.2-full on Android and HA 2026.3.2
@bbreton09 commented on GitHub (Apr 10, 2026):
I have the same issue. Works in Chrome but not in the Android HA app.