I’ve actually tried the trusted network authenticator already, and I run into the same problem that I do with the default authenticator (I’d prefer to use the default authenticator if I’m forced to use one).
Let me attempt to clarify the position I’m in a little bit:
- I use client certificates for auth. I feel better about mutual TLS from both a security and convenience perspective than basically any application-level authentication mechanism I can imagine.
- I would be perfectly happy to type in a password every now and again, so long as that’s in addition to client certs, and not a substitute for them. In other words, I wouldn’t be asking about this if the new auth system was compatible with my own setup.
- Unfortunately, the mechanism I have set up was broken in 0.77 by the new auth code. I actually think it’s related to this change.
- I think the features you guys are working towards are really cool, and totally see how some households would be excited about them. It also seems like it’s a fun technical problem. For my personal situation, though, these features add 0 value to my experience with HA.
Some additional technical context on how I’ve set things up and why I’ve done it in this way:
- It’s unfortunately not enough to simply require that every HTTP request send along client certificate info. Every browser I’ve dealt with does not yet seem fully capable of leveraging client certs in conjunction with “new” technologies like web sockets and service workers (quotes because they’re only new in the context of nginx/TLS; I realize they’ve been around the block). I admit to having only a vague understanding of why this is the case.
- These new technologies are perfectly happy to submit whatever cookies have been dropped.
- The mechanism I have set up first checks for some auth cookies: a client ID, an expiration timestamp, and an HMAC that validates the authenticity of the previous two. If those aren’t present, it redirects to an “sso” subdomain of my domain which does require client certificates. If client certificate verification passes, it generates and drops the auth cookies.
This has worked beautifully on all of the devices/browsers I care about for nearly a year (I use Chrome on OS X and Android, my wife uses Safari on iOS).
I have some more of the nitty gritty in this blog post, in case that’s helpful.
If I had to distill my humble request, it would be to make HA fully compatible with mutual TLS somehow. I’m not attached to the particular technical solution I have in place, but I would prefer to use client certs over user/password/2FA/etc.
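As an added illustration of the cookie flow described above (this is not the poster's own code; the secret key, cookie names and field layout are assumptions), here is the issue/validate split in Python: the "sso" endpoint issues the three values only after the TLS layer has verified the client certificate, and the proxy accepts them only when the HMAC verifies and the expiry has not passed.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed example key. In a real deployment this is a secret known only to the
# "sso" issuer and the reverse proxy that validates the cookies.
SECRET_KEY = b"constructed-example-key-not-for-production"


def _mac(client_id: str, expires: int) -> str:
    # Authenticate both fields together so neither can be altered independently.
    msg = f"{client_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookies(client_id: str, ttl_seconds: int, now: Optional[int] = None) -> dict:
    """Run by the 'sso' endpoint after mutual TLS has already succeeded."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return {
        "client_id": client_id,
        "expires": str(expires),
        "mac": _mac(client_id, expires),
    }


def validate_cookies(cookies: dict, now: Optional[int] = None) -> bool:
    """True only if all three cookies are present, the MAC verifies and the expiry is in the future.
    A False result is where the proxy would redirect to the 'sso' subdomain."""
    now = int(time.time()) if now is None else now
    try:
        client_id = cookies["client_id"]
        expires = int(cookies["expires"])
        presented = cookies["mac"]
    except (KeyError, ValueError):
        return False  # missing or malformed cookie
    # Verify the MAC (constant-time) before trusting the expiry value at all.
    if not hmac.compare_digest(presented, _mac(client_id, expires)):
        return False
    return now < expires
```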