Adding support for external authentication providers

In the developer documentation for authentication it is mentioned that at the moment only built-in authentication providers are supported and that support for external providers might arrive in the future.

I think that might be very useful. E.g. I created a provider to authenticate using Synology user accounts, but until that’s merged I would be interested in using my own package to authenticate users on hass.

After looking at the code, probably the only changes needed are in load_auth_provider_module in the auth.providers module.

Creating the provider inside an external package and installing that on the same system is quite easy; the only issue is that it will only look for providers inside the auth.providers module: importlib.import_module(f"homeassistant.auth.providers.{provider}")

I’d like to start a discussion to see how we can add support for external providers. I’m very new to contributing to hass, so any feedback is welcome if this is not the right place/way to do so.

A first step would be to let the end user install the package from PyPI and then prefix external providers in the config with a fixed string, e.g. pypi:namespace.from.your.package.provider, and then in that method change the module import so that it will look for the full namespace if the provider name contains pypi.

The disadvantage here is that this might not be as easy for non-tech-savvy users, as they don’t always know how to install PyPI packages in the same environment as hass. So we’d need a way to let hass install these. The current add-on system would not really suffice IMHO since it would be better to install auth providers as Python packages instead of Docker containers.

I noticed @balloob wrote that part of the documentation, but I was wondering if there is already a discussion/roadmap/design for this feature?

I missed the fact that hass can install pip packages on-demand, which would resolve the issue above. I just need some guidelines/second opinion from a contributor on how I can get started working on this.

At this moment we don’t want to extend our authentication provider loading mechanism or supported authentication providers. It’s making the system more complicated and more vulnerable to mistakes/attacks while only serving the use cases of a minority.
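
The pypi: prefix scheme proposed earlier in this thread, written out as an added example (not part of any post here and not Home Assistant's own code). The function names, the `allowed_external` allowlist and the `synology_auth.provider` module name are assumptions made for illustration; the configured name is validated before it reaches `importlib.import_module`, because that value decides which installed code gets loaded.

```python
import importlib
import re
from types import ModuleType

BUILTIN_PACKAGE = "homeassistant.auth.providers"  # import path quoted in the thread
EXTERNAL_PREFIX = "pypi:"                         # prefix proposed in the thread

# One Python identifier per dotted segment: rejects "", "..", "/", "-" and spaces.
_SEGMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _is_dotted_name(name: str) -> bool:
    return all(_SEGMENT.fullmatch(part) for part in name.split("."))


def resolve_provider_module(
    provider: str, allowed_external: frozenset[str] = frozenset()
) -> str:
    """Map a configured provider name to the module path that would be imported."""
    if provider.startswith(EXTERNAL_PREFIX):
        module = provider[len(EXTERNAL_PREFIX):]
        if not _is_dotted_name(module):
            raise ValueError(f"invalid external provider module: {provider!r}")
        # Assumption: the operator lists trusted modules explicitly, so a typo or
        # a tampered config value cannot pull in arbitrary installed packages.
        if module not in allowed_external:
            raise ValueError(f"external provider not allowlisted: {module!r}")
        return module
    # Built-in names are a single segment; a dotted value would reach into
    # nested modules instead of naming a provider.
    if not _SEGMENT.fullmatch(provider):
        raise ValueError(f"invalid built-in provider name: {provider!r}")
    return f"{BUILTIN_PACKAGE}.{provider}"


def load_provider(
    provider: str, allowed_external: frozenset[str] = frozenset()
) -> ModuleType:
    """Import the module only after the name has passed validation."""
    return importlib.import_module(resolve_provider_module(provider, allowed_external))


if __name__ == "__main__":
    allowed = frozenset({"synology_auth.provider"})  # constructed sample name
    print(resolve_provider_module("homeassistant"))
    print(resolve_provider_module("pypi:synology_auth.provider", allowed))
```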