Disable My Home Assistant integration without removing default_config

The My Home Assistant (my) integration that is included in default_config has recently started hijacking OAuth URLs, so instead of the callback URL being https://myinstanceurl.com/redirect/oauth it now sends it to https://my.home-assistant.io/redirect/oauth. How do I either override the OAuth URL or disable the My Home Assistant integration without removing default_config and manually adding all the other integrations that are part of the default?

I’m pretty sure that’s not possible.

I think there is a feature request for that ability but it hasn’t been implemented as far as I know.

It’s not possible. You either use default config, or you manage the integrations that default config provides.

That’s unfortunate, default_config is a useful tool, brings in new integrations that you might not otherwise see. But, having all of my oauth callback URLs overridden is a huge hassle and while I get that it makes it easier for some users, it should be possible to opt out.

1 Like

I’ve been managing default config for 3 years now and I’ve had to add things twice. It’s pretty easy to manage.

Has this been fixed by now?

I see many change Requests to have an exclude option but could not find anything in the documentation that this was solved.

No, you have to manage it yourself. This is unlikely to change.

Ok…

so how do I disable the dhcp discovery integration then??
I don't need it, it is broken (or at least not able to cope with my network infrastructure) and might be the cause of my CPU load issues.

You remove default_config and break it out into its individual integrations with dhcp missing.

Is there an up to date list what I need to put there?
How do I get informed if the list of integrations in default_config changes?

Yes, in the default_config documentation.

The release notes will make note of this. You can also create a scrape sensor that searches the bullets.

It’s been updated 4 times in ~4 years and most of the time the additions aren’t needed. In 4 years of me maintaining this, I added energy and bluetooth and omitted the other stuff I don’t care about.

Thank you!

This is absolutely insane! I was hoping to link google mail but in order to do that I have to allow your organization to be able to intercept the oauth and gain access to an API that controls my EMAIL.

Hell no, I don’t mean to put on a tinfoil hat but this feels like some three letter agents came knocking on your door and politely asked you to intercept any oauth and log it for them.

What on earth could be the rationalization for this? So people who don’t have DNS records/port forwarding can do oauth? How are we supposed to trust home assistant to not collect this information? A pinkie promise?

By reading the code, it’s open source…

By these config rules, the my.home-assistant.io webserver is inherently given the opportunity to MITM the API key that would end up giving API-level access to my personal email. I could care less what the source shows when the webserver and its logging infrastructure is all that is necessary to succeed in such an attack.

All it would take is a gag order and any modern logging stack such as loki or elasticsearch and the feds would gain the ability to spy on thousands of users.

1 Like

You misunderstand how OAuth2 works in Home Assistant.

Using Spotify as an example

With OAuth2 you need a client ID and a client secret. To set up Spotify, you first need to create your own developer account. These credentials are entered directly into your Home Assistant instance during setup of Spotify, and are never shared with anyone else.

When you want to link your account, you start the authorization process. The user is forwarded to Spotify with a URL that includes the client ID. When the user clicks “Link account”, the user is redirected to my.home-assistant in their browser. This URL will include an authorization grant code.

The authorization code cannot be acted upon without the client secret, which lives only in your Home Assistant instance.

Authorization codes are short lived and need to be swapped out for actual refresh and access tokens. Once done, the authorization code is consumed and can no longer be used.

All API requests from Home Assistant are made directly to the Spotify API and My Home Assistant is not used.

The reason My Home Assistant is used as an in-between redirect is that OAuth2 requires the redirect URL (which the user is sent to after authorization) to have HTTPS. Using My Home Assistant we can guarantee this. This simplifies setup and documentation.

4 Likes

As an alternative to managing default_config yourself you can install GitHub - tronikos/default_config_disabler: Disables components from Home Assistant's default_config, which allows you to disable selected integrations. Install the custom integration and in the configure options select the my component and any other component, e.g. dhcp, that you want to disable.