Multi-Factor-Authentication via OAuth (nginx reverse proxy in Docker container)

Hey guys,

for those of you who have a bad feeling exposing their HASS to the web with just the HASS-internal authentication I hereby present you a Docker-based solution to require OAuth authentication before access to HASS is granted. Requests will only be forwarded if the authenticated e-mail address is one of those you have configured the container to accept. So if for example you set this up with Google and have your Google-Account require Multi-Factor-Authentication, then you’ll actually have 3FA (2FA of Google + the HASS password).

As of now I have not built an image you can just pull. Instead you have to build the image yourself. I’m fairly new to Docker, so I’ll have to find out how to do that. :smiley:
Until then I have a brief guide on how to get this up and running at the repository: https://github.com/danielperna84/openresty-oidc-ssl-proxy-email

This only works with SSL, and because of the added authentication requirement it’s obviously not possible anymore to use external (inbound) services which need access to HASS. So this may be useless to a lot of users. But for those who did not yet expose their HASS to the web, this might be a more secure solution to have a glimpse of what is happening at home while not requiring a VPN connection (or whatever other solution you’re using).

I hope this is useful for somebody. In the long run I plan to make a hass.io addon out of this.

7 Likes

Played around a bit. If you add

    location ^~ /api {
        # "^~" is a plain prefix match: every URI that begins with /api is
        # handled here and never reaches the OAuth check in "location /".
        # $upstream_cookies, $proxy_pass and $connection_upgrade are not set in
        # this block; nginx will refuse the config unless they are already
        # defined elsewhere in the repository's nginx configuration.
        proxy_set_header Cookie $upstream_cookies;
        proxy_set_header Host $http_host;
        proxy_pass $proxy_pass;

        # Forward the client address and the WebSocket upgrade headers so the
        # HASS API behaves the same as when reached directly.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

above the existing location / block in nginx/conf/sites/proxy.conf and rebuild the image, the api is excluded from the authentication. Which would allow you to use external services while still having the frontend secured. :slight_smile:

Hi @danielperna84

Inspired by your solution I’ve created something similar. The one problem with your docker image is that it won’t work on Raspberry. I’ve tried to solve that but it turned out much harder than I initially assumed.

Instead, I’ve created a small proxy in Java, which basically works the same, with one security improvement - the api is secured with OAuth2 too, also implementing several additional security schemas, like basic auth, secret key in header etc.

The whole setup is described on my blog, feel free to check it out: https://blog.luciow.pl/automation/2018/02/10/dont-reinvent-the-wheel/

Cheers,
Mariusz

3 Likes
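The two posts above describe two different policies for the API path: the nginx `location ^~ /api` block forwards every request whose URI starts with `/api` without any OAuth check, while the Java proxy keeps OAuth2 on the API and adds a shared-secret header as an alternative. The following is an added example, not code from this thread or from either proxy project; it models both decisions in one function so the difference is visible on concrete requests. The names `ALLOWED_EMAILS`, `API_SECRET`, `Request`, `decide` and the `X-Secret` header are assumptions made for the illustration.

```python
"""Access decision for a reverse proxy in front of Home Assistant.

Added example, not code from the thread or either proxy project.
Models two policies discussed there:
  * the nginx `location ^~ /api` block: any URI with prefix /api skips OAuth;
  * the Java proxy: /api also accepts a shared secret sent in a header.
Assumed names: ALLOWED_EMAILS, API_SECRET, Request, decide, header X-Secret.
"""
from dataclasses import dataclass, field
from typing import Optional
import hmac

ALLOWED_EMAILS = frozenset({"owner@example.com"})  # assumed allow-list
API_SECRET = "assumed-long-random-secret"           # assumed header secret


@dataclass
class Request:
    path: str
    email: Optional[str] = None             # set by the OIDC layer after login
    headers: dict = field(default_factory=dict)


def nginx_prefix_match(prefix: str, path: str) -> bool:
    """`location ^~ /api` is a plain prefix match: /api, /api/states and
    /apiary all match, and nginx evaluates no regex locations after it."""
    return path.startswith(prefix)


def email_allowed(email: Optional[str]) -> bool:
    return email is not None and email.lower() in ALLOWED_EMAILS


def decide(req: Request, api_exempt: bool, api_secret: Optional[str] = None) -> str:
    """Return 'forward', 'redirect_to_idp' or 'reject'.

    api_exempt=True  -> posted nginx variant: /api* bypasses OAuth entirely,
                        so only HASS's own password protects that path.
    api_secret set   -> Java-proxy style: /api* needs a matching X-Secret header.
    Everything else   -> must carry an authenticated, allow-listed e-mail.
    """
    if nginx_prefix_match("/api", req.path):
        if api_secret is not None:
            supplied = req.headers.get("X-Secret", "")
            # Constant-time comparison so a wrong guess leaks nothing about the secret.
            ok = hmac.compare_digest(supplied.encode(), api_secret.encode())
            return "forward" if ok else "reject"
        if api_exempt:
            return "forward"
    if req.email is None:
        return "redirect_to_idp"
    return "forward" if email_allowed(req.email) else "reject"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for r, exempt, secret in [
        (Request("/lovelace"), True, None),
        (Request("/lovelace", email="owner@example.com"), True, None),
        (Request("/api/states"), True, None),
        (Request("/apiary"), True, None),
        (Request("/api/states"), False, API_SECRET),
        (Request("/api/states", headers={"X-Secret": API_SECRET}), False, API_SECRET),
    ]:
        print(r.path, r.email, "->", decide(r, exempt, secret))
```

Note the `/apiary` case: because `^~` is a prefix match, the posted block exempts every path that merely begins with `/api`, not only `/api/...`. If you use the exemption, keep in mind that those requests reach HASS with nothing but the HASS password in front of them.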

@danielperna84 @mariuszluciow would you guys like to partner up with me and implement single sign-on using keycloak? I recently set up keycloak to protect my public facing services. Keycloak also allows 2FA so we could use that for all public facing services while providing a single sign-in solution to Home Assistant. Thoughts?

1 Like

Unfortunately at least I don’t have the resources to participate. But it still would be a great project. :slight_smile: