0.77: Authentication system 👮‍♂️ + Hangouts bot 🤖

The Home Assistant auth system is here to stay and it will not be possible to disable it. The user system is unlocking a wide range of new possibilities for Home Assistant:

  • being able to attribute actions to individual users
  • have users with different permissions
  • per user UIs

All things that are impossible with external authentication methods.

8 Likes

I applaud this direction and am extremely eager to learn the methods of federating Home Assistant with other OAuth2 platforms, for example Azure AD.

Are there any plans currently to document or test some examples?

Keep up the amazing progress and pace
Damian

Auth provider documentation can be found on the dev site https://developers.home-assistant.io/docs/en/auth_auth_provider.html

Thanks @balloob, I understand that this is a cool feature for the platform in general, and I can appreciate committing to a technical direction.

I do want to voice my personal opinion as an otherwise very happy user, though – these aren’t things I care about, and I don’t think I ever will. I expect there is a segment of the HA userbase that this applies to, but no sense for how large it is. I would personally appreciate a way to opt out of this, while fully accepting that I wouldn’t have access to the features it enables.

1 Like

Why can’t you use trusted networks? It will ask you once on each device which user you are, after that you click save login and you are never asked again.

Hi,

I’ve done that, but while it works with a basic browser (e.g. Android internal, using the Assistant Launcher app), I have trouble with my Firefox configurations. I use a cookie cleaner, and though I whitelisted my server’s IP, auth gets deleted anyway?

I’m also wondering if there’s a way to retrieve auth information. An entity listing who is connected and when, that I could use in an automation: for instance, a basic idea that needs that, if someone connects to an on-wall tablet, then I turn off the alarm.

2 Likes

No, it doesn’t. It asks every time for a user, if you purge browser cookies on browser close (which is enabled for privacy reasons).

  • being able to attribute actions to individual users
  • have users with different permissions
  • per user UIs

All this is not necessary for a (what I assume) typical, on-premise installation, allowing (family) members of your smart home to easily check status and perform actions for your house.

I understand that an authentication system is a meaningful or even mandatory option for exposed or multi-user installations, but there should be a shortcut to bypass it using

  • trusted networks AND
  • a defined default user

Please consider this.

Kind regards,

m0wlheld

1 Like

I’ve actually tried the trusted network authenticator already, and I run into the same problem that I do with the default authenticator (I’d prefer to use the default authenticator if I’m forced to use one).

Let me attempt to clarify the position I’m in a little bit:

  1. I use client certificates for auth. I feel better about mutual TLS from both a security and convenience perspective than basically any application-level authentication mechanism I can imagine.
  2. I would be perfectly happy to type in a password every now and again, so long as that’s in addition to client certs, and not a substitute for them. In other words, I wouldn’t be asking about this if the new auth system was compatible with my own setup.
  3. Unfortunately, the mechanism I have set up was broken in 0.77 by the new auth code. Actually think it’s related to this change.
  4. I think the features you guys are working towards are really cool, and totally see how some households would be excited about them. It also seems like it’s a fun technical problem. For my personal situation, though, these features add 0 value to my experience with HA.

Some additional technical context on how I’ve set things up and why I’ve done it in this way:

  1. It’s unfortunately not enough to simply require that every HTTP request send along client certificate info. Every browser I’ve dealt with does not yet seem fully capable of leveraging client certs in conjunction with “new” technologies like web sockets and service workers (quotes because they’re only new in the context of nginx/TLS. realize they’ve been around the block). I admit to having only a vague understanding for why this is the case.
  2. These new technologies are perfectly happy to submit whatever cookies have been dropped.
  3. The mechanism I have set up first checks for some auth cookies: a client ID, an expiration timestamp, and an HMAC that validates the authenticity of the previous two. If those aren’t present, it redirects to an “sso” subdomain of my domain which does require client certificates. If client certificate verification passes, it generates and drops the auth cookies.

This has worked beautifully on all of the devices/browsers I care about for nearly a year (I use Chrome on OS X and Android, my wife uses Safari on iOS).

I have some more of the nitty gritty in this blog post, in case that’s helpful.

If I had to distill my humble request, it would be to make HA fully compatible with mutual TLS somehow. I’m not attached to the particular technical solution I have in place, but I would prefer to use client certs over user/password/2FA/etc.

1 Like
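The cookie scheme described in the post above (a client ID, an expiration timestamp, and an HMAC over both, issued only after client-certificate verification), sketched in Python as an added example that is not the poster's own code. The key, cookie names, lifetime and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: shared by the sso host and the proxy
COOKIE_TTL = 3600                     # assumption: cookie lifetime in seconds


def _mac(client_id: str, expires: int, key: bytes) -> str:
    # Length-prefix the client ID so bytes cannot be moved between the two fields.
    msg = f"{len(client_id)}:{client_id}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookies(client_id: str, now=None, key: bytes = SECRET_KEY) -> dict:
    """Run on the "sso" host, only after client-certificate verification passed."""
    now = int(time.time()) if now is None else now
    expires = now + COOKIE_TTL
    return {"client_id": client_id, "expires": str(expires),
            "mac": _mac(client_id, expires, key)}


def check_cookies(cookies: dict, now=None, key: bytes = SECRET_KEY):
    """Return the client ID if the cookies verify, else None (redirect to sso)."""
    now = int(time.time()) if now is None else now
    try:
        client_id = str(cookies["client_id"])
        expires = int(cookies["expires"])
        mac = str(cookies["mac"])
    except (KeyError, ValueError):
        return None  # missing or malformed cookie
    expected = _mac(client_id, expires, key)
    # Verify the MAC first, in constant time, then trust the expiry it covers.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    if expires <= now:
        return None
    return client_id
```

Because the MAC covers the expiry, a client cannot extend its own session by editing the timestamp cookie; it has to go back through the certificate-protected host.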

If people are interested in exploring ways of integrating default users into Home Assistant and are willing to contribute development resources to implement a solution, feel free to open an issue in our architecture repository to discuss this topic. I personally won’t spend any time on this as I consider these edge cases that are only for a very few technically inclined users.

1 Like

Your request for contribution instead of complaining is valid, I get the point. I’m not into Python yet, but - yeah, why not.

I disagree on the “edge case” however, as I am convinced that the majority of all HA installations do not have more than one user account. A configuration option to Trusted Networks authenticator to pre-select this user instead of forcing users to select this user by the UI would not degrade security, but increase comfort.

You’ll disagree, which is okay. I won’t insist.

2 Likes

I don’t think that this is true.

  • The US has an average of 2.54 people per household (source)
  • The UK has an average of 2.4 people per household (source)

No doubt that other countries have similar statistics.

1 Like

I have found that since 0.77.3 this is not actually necessary. Using only the Trusted Networks authenticator I can save the login in my browser, and it no longer asks for a user.

There were bugs that prevented this in previous versions, but at the moment, it seems to work well.

That doesn’t mean they would all want more than one user account though… (I have no dog in this fight - I’m happy with auth as is)

1 Like

Unless you clear your cookies. This is what I have enabled on browser close, because I do care about privacy, but not in-family security.

No doubt either, I have 4 people in my home. But my partner and my kids don’t have a user account (in fact, prior to 0.77.x they didn’t even have the chance to get one), they use “mine”. Why should I keep them from home automation? It’s our house they live in.

1 Like

Just my 5 cents on this.
I’m the only person living in my home so I’m not updating because of this new authentication system.

I agree that an authentication system is necessary and should be enabled by default. As someone wrote, the user should make the effort to decrease security, with the default security being as high as reasonably possible.

But that said, if the effort to decrease security is higher than the effort to change home automation software with tools like Docker and Node-RED, users will probably feel inclined to change software, because there is no easy way to use a generic user for all of the home inhabitants in Home Assistant.

2 Likes

And that is entirely their prerogative to change software, but the idea of reducing security to accommodate certain use cases seems like a backwards step and is also problematic as this could expose other security risks. As I have said before, the devs should be applauded for making HA as secure as possible. I think people also have to understand that this is the 2nd release, I believe, with the new auth system; there will always be teething issues that need ironing out.

1 Like

But the option is already there. The Trusted Networks authenticator is for convenience only, not for security. I don’t see how picking a user from a (single item) list in the UI provides a security benefit over defining that user by an admin-managed configuration?

1 Like

I’ve just tried the trusted network auth, and if I have only ONE account set and I come from the right subnet, then it doesn’t ask to select a user? It’s just like you don’t have the auth.
Network can be entered as a single IP or a subnet mask.

Maybe the syntax could be enhanced, so that if there are several users defined, then we could force a user for each trusted network.

What I have in mind comes from what I expect to do: have a wall mounted tablet (or several) in the home, in a specific VLAN (in which I have the security cameras, the IoT things…), would have options for a standard user. If I connect from a browser, coming from the standard user network, I’ll have a full option account.
And if I connect from the server VLAN (in which I have the VPN server), then I want to be admin.

Config, please? I have trusted network auth and only one account and it does ask to select a user. Every time I open the UI in Firefox and even when I reload (Ctrl-r) the page. My browser is configured to only allow session cookies, they get purged once the browser closes. With my mobile, where programs never really stop, the selected user persists among various sessions.