Client certificate authentication

Hi.

Would it be possible to add TLS client certificate authentication to the iOS app? I think android app already allows it.

My HA is behind a reverse proxy configured to require client certificate authentication, improving its security a lot.

I installed the certificate profile on my iPhone and can access HA with Safari, but iOS companion complains with “Client Certificate Authentication is not supported”.

I’m not an expert on iOS programming, but I think there are two ways of supporting it:

1. Using SFSafariViewController (not WKWebView) to log in to HA (it can use the certificate profile installed on the iPhone, just like Safari)

or

2. Asking for a certificate file to be installed inside the Companion app and managing the authentication there.

Regards


The login window supporting it does little for the rest of the app also supporting it, and it’s not as simple as installing the certificate somewhere and the app uses it. You can see the current ‘status’ in the following draft (as in, not going to be merged soon) pull request: Allow supplying client certificates by zacwest · Pull Request #2144 · home-assistant/iOS · GitHub

The biggest issue here is that it will basically preclude using the Apple Watch complications and certain (future) types of widgets. Apple’s networking system simply doesn’t support client certificates for background networking operations, which these effectively require. I’m a bit reluctant to introduce a feature with such restrictions, but it may be okay if it’s super clear that it’s happening.


I’m hung up on this as well. Where I have landed is two different access methods from the phone. The Companion app has a specific URL that allows pre-determined webhook IDs through. This allows the app to push updates into HA. But I can’t view any of the HA information when external.

Then I have another “External HA” access icon; this loads Safari and connects back home on a different port that requires client certificates. It allows unrestricted access to the HA server. It’s not elegant, but it works for the time being.
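The split described in the post above (webhook path reachable without a client certificate so the Companion app can push, everything else gated on one), written as an added nginx reverse-proxy example; it is not from this thread or from the Home Assistant project, assumes nginx rather than whatever proxy the poster uses, and folds the two-port setup into one listener with per-location rules. Host names, certificate paths and the HA backend address are placeholders.

```nginx
# Added example: nginx in front of Home Assistant (assumed to listen on 127.0.0.1:8123).
# The CA that issued the phone's client certificate is assumed to be /etc/nginx/client-ca.pem.
server {
    listen 443 ssl;
    server_name ha.example.com;                  # placeholder

    ssl_certificate     /etc/nginx/server.crt;   # placeholder
    ssl_certificate_key /etc/nginx/server.key;   # placeholder

    # Request a client certificate from every connection, but let the TLS handshake
    # finish without one; each location below decides whether it is required.
    ssl_client_certificate /etc/nginx/client-ca.pem;
    ssl_verify_client optional;
    ssl_verify_depth 1;

    # Companion-app push path. iOS background networking cannot present a client
    # certificate, so this location is open at the TLS layer and the (long, random)
    # webhook ID in the URL is the only secret guarding it. Keep this as narrow as
    # possible: only the webhook prefix, nothing else.
    location /api/webhook/ {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # UI, REST API and websocket: refuse anything without a certificate that
    # verified against the CA above. $ssl_client_verify is "SUCCESS", "NONE" or
    # "FAILED:<reason>"; 496 is nginx's "client certificate required" status.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 496;
        }
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check the gate by requesting `/api/` once without and once with the client certificate (e.g. `curl --cert`); the first should come back as 496 and the second should reach Home Assistant, while `/api/webhook/<id>` works either way.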