Is there anywhere to configure allowed client IDs, or is this a security hole?

(I asked this in the Development forum but didn’t get a response, hoping someone here may have some insights.)

Based on the documentation at Authentication API | Home Assistant Developer Docs, it sounds like the only requirement for the client ID and the redirect URI is that

The redirect url has to be of the same host and port as the client ID.

Is the client ID itself not registered anywhere?

It seems like this can potentially open the platform up to phishing attacks.

For example, suppose your Home Assistant is open to the internet to integrate with Alexa. You set it up and link the account per the instructions at Amazon Alexa Smart Home Skill - Home Assistant.

Now suppose someone malicious emails you, masquerading as an email from Alexa, telling you that you need to relink your account or else the existing integration will fail. They provide a helpful link that “looks” like it’s legitimately from Alexa; you navigate to their “pretend-Alexa” page, where you click ‘Enable to use’. It redirects you to your Home Assistant auth endpoint with client ID https://pretend-alexa.com and redirect URI https://pretend-alexa.com/auth/callback. You authenticate with your Home Assistant, and now it sends a valid auth code to the malicious entity. If there’s no check of the validity of the client ID, then the token endpoint will happily generate a token for the new entity, which can be used with your system.

Have I overlooked something here? It seems like this attack vector could be easily plugged if there were a mechanism for configuring allowed client IDs.

Thanks.
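To make the concern in the post concrete, here is an added illustration (not Home Assistant's own code) of the two checks being compared: the documented same-host-and-port rule between client ID and redirect URI, and an operator-configured allowlist of client IDs. The allowlist contents and the `https://alexa.example` client are constructed sample values.

```python
from urllib.parse import urlparse

# Constructed sample allowlist; a hypothetical operator setting, not a real HA option.
ALLOWED_CLIENT_IDS = {"https://alexa.example"}


def _effective_port(u):
    """Explicit port if given, otherwise the scheme default (None for unknown schemes)."""
    try:
        if u.port is not None:
            return u.port
    except ValueError:          # malformed port such as "https://h:abc"
        return None
    return {"https": 443, "http": 80}.get(u.scheme)


def same_host_and_port(client_id: str, redirect_uri: str) -> bool:
    """The rule the developer docs state: redirect URI must share host and port with the client ID."""
    c, r = urlparse(client_id), urlparse(redirect_uri)
    if not c.hostname or not r.hostname:
        return False
    return (c.hostname.lower() == r.hostname.lower()
            and _effective_port(c) is not None
            and _effective_port(c) == _effective_port(r))


def authorize(client_id: str, redirect_uri: str, allowlist=None) -> str:
    """Decide whether an authorize request may proceed; returns 'ok' or a rejection reason.

    With allowlist=None only the same-host rule applies, which is the behaviour the
    post describes. Passing an allowlist adds the check the post asks for.
    """
    if not same_host_and_port(client_id, redirect_uri):
        return "rejected: redirect_uri host/port differs from client_id"
    if allowlist is not None and client_id not in allowlist:
        return "rejected: client_id not in allowlist"
    return "ok"


if __name__ == "__main__":
    phish = ("https://pretend-alexa.com", "https://pretend-alexa.com/auth/callback")
    # Same-host rule alone cannot tell the phishing pair from a legitimate one.
    print(authorize(*phish))                      # ok
    # An allowlist refuses the unknown client even though the URIs are self-consistent.
    print(authorize(*phish, ALLOWED_CLIENT_IDS))  # rejected: client_id not in allowlist
```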

My opinion is:

The user needs to be smarter and look at what they are clicking.

My rules are (family trained):
Rule 1: Do I know this person?
Rule 2: Does the link match, i.e. does the display text match the mouse-over text?
Rule 3: Never relink or change a password if I didn't start the process.