Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

+1 for this, Just setting up authentik and was shocked to find HA cannot to Oauth2 etc. Quite bizarre for a platform that’s vision is a single integrated platform across multiple provider platforms - that’s exactly what SSO is from a login perspective.

To all those saying that it moves away from the “everything as local as possible” I have no idea why Oauth2 cannot be local (mine is) and who says that is everyone’s goal? For some yes, but for others not so much. HA is just as valid linking cloud platforms from disparate providers together.

I came here to get my vote. I want to use my Azure AD tenant with my conditional access policies and mfa with HA

Yes please i want to add my azure ad to ha

My vote added so I can use Keycloak or Authentik.

Now Entra ID Supports Global Secure Access, which means I can keep my Home Assistant secure without needing VPN.

Can we please make this priority?

Core does not want this. The author of authentik has even tried to add better support for external auth providers and it has been rejected. Multiple times.

This whole feature request is the result of core devs rejecting external auth.

+1

I would love to use my zitadel as oidc provider

+1 on this. Homeassistant is the only selfhosted application out of 34 in my network that doesn’t use oauth. Embarassing for such a large project

Hello first of all I would like to thanks all contributors on this such great project !

I did not took time to read the whole thread as it is definitely too long, all my apologies if I missed important information.
I am also interested in plugging an external identity provider via OIDC

If I check the current login flow on my HA freshly upgraded, I see it is already using Oauth mechanism with HA as a resource provider and as an IDP too:

https://[my-ha-domain]/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2F[my-ha-domain]%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2F[my-ha-domain]%2F&state=…

Checking the page “Authentication - Home Assistant” I also see
“* Configure integrations and other settings (coming soon).”

So technically the step to move forward seems relatively easy and seems already planned for that purpose, did I missed any comment in this part or any thread relative to this point ?

King regards

There is a button to summarise a thread below the first post.

That’s why you should read the thread. Why should someone else make an effort if you won’t?

Hello I did read the thread, with all my optimism I still hope it will be accepted in the future

just chiming in to say that the devs can make their lives way easier if they implement something like https://next-auth.js.org/

NextAuth has support for pretty much every SSO method you can thing of (google, github) along with self hosted options like Authentik/keycloak etc.

If NextAuth was implemented, devs would not need to worry about constantly adding some new protocol as that would happen automatically via nextauth.

I think this would seriously make a lot of users happy and also make the devs lives easier as they don’t have to maintain a large number of authentication protocols.

My vote goes to Keycloak ! HA definitely needs to support the concept of SSO…

+1 to this. All 3 of the main avenues of increased security mentioned here are important:

• 2FA/passkeys (vital to good security)
• Support for Cloudflare Zero Trust or other upstream authenticated proxies from the iOS app
• Oauth-based SSO, including local providers like Keycloak or SaaS providers like Auth0/Okta

A 0day in HA code would mean that every HA install in the world that’s exposed to the internet would be vulnerable to any number of nasties, including ransomeware, home invasion for people local to the install, stalking/doxxing when the attacker gets access to location data, etc etc. HA has a pretty good security record so far but it’s not the main focus of the devs, and offloading security to the security experts is a very good practice.

Also a +1 from me.

I have my own OAuth server.
Not all users are allowed to access my Home Assistant server, so using Home Assistant itself as an OAuth server is not an option.

If SSO is unsafe or something like that, then also stop the ability to log into this forum with GitHub.

+1 here. Hoping something moves along here, since OIDC is here to stay.

Yup, the authentication system is based on oauth they just don’t want external IdPs.

Let’s hope this changes and when it does, it will probably open the door to small smart offices in SoHo businesses.

The user base would grow and in a way, some aspects of security could be offloaded.

+1 to this too. I host my own Zitadel instance for SSO in all my services (a dozen), Home Assistant is the only one that is not compatible. The goal of all this would be to have one and only one user management system.

Here’s multiple attempts to contribute additional security capabilities to the android companion app all rejected recently and some in the last week…

While MTLs is possible for securing remote access via Cloudflare it doesn’t help with securing local access. OIDC is the best way to secure local access and add another layer to remote access if using MTLs already or without MTLs it’s much better than the built in auth provider in terms of security.

From the founder of home assistant.

We would not need these “hacks” if there was proper OIDC support builtin to home assistant.

Reading Frencks response in the github issue, it seemed pretty reasonable for the most part regarding OIDC/SAML/LDAP. Those all require more architecture than 99% of people are willing to maintain.

That said, I dont agree with his take on webauthn. I think webauthn should 100% be implemented into Home Assistant’s frontend. Ironically, you can even use it to sign into the forums here… Everyone is burnt out on password auth, and its objectively less secure. A big factor in taking control of your smart home should be properly securing it, as well as reducing UI friction. Webauthn helps in both of these areas.