Hello, first of all I would like to thank all contributors on such a great project!
I did not take the time to read the whole thread as it is definitely too long; all my apologies if I missed important information.
I am also interested in plugging in an external identity provider via OIDC.
If I check the current login flow on my freshly upgraded HA, I see it is already using an OAuth mechanism with HA as a resource provider and as an IdP too:
So technically the step to move forward seems relatively easy and seems already planned for that purpose. Did I miss any comment in this part or any thread related to this point?
Just chiming in to say that the devs can make their lives way easier if they implement something like https://next-auth.js.org/
NextAuth has support for pretty much every SSO method you can think of (Google, GitHub) along with self-hosted options like Authentik/Keycloak, etc.
If NextAuth was implemented, devs would not need to worry about constantly adding some new protocol, as that would happen automatically via NextAuth.
I think this would seriously make a lot of users happy and also make the devs' lives easier as they don’t have to maintain a large number of authentication protocols.
+1 to this. All 3 of the main avenues of increased security mentioned here are important:
2FA/passkeys (vital to good security)
Support for Cloudflare Zero Trust or other upstream authenticated proxies from the iOS app
OAuth-based SSO, including local providers like Keycloak or SaaS providers like Auth0/Okta
A 0day in HA code would mean that every HA install in the world that’s exposed to the internet would be vulnerable to any number of nasties, including ransomware, home invasion for people local to the install, stalking/doxxing when the attacker gets access to location data, etc., etc. HA has a pretty good security record so far, but it’s not the main focus of the devs, and offloading security to the security experts is a very good practice.
I have my own OAuth server.
Not all users are allowed to access my Home Assistant server, so using Home Assistant itself as an OAuth server is not an option.
If SSO is unsafe or something like that, then also stop the ability to log into this forum with GitHub.
+1 to this too. I host my own Zitadel instance for SSO in all my services (a dozen); Home Assistant is the only one that is not compatible. The goal of all this would be to have one and only one user management system.
Here are multiple attempts to contribute additional security capabilities to the Android companion app, all rejected recently and some in the last week…
While mTLS is possible for securing remote access via Cloudflare, it doesn’t help with securing local access. OIDC is the best way to secure local access and add another layer to remote access if already using mTLS; without mTLS, it’s much better than the built-in auth provider in terms of security.
From the founder of Home Assistant.
We would not need these “hacks” if there was proper OIDC support built into Home Assistant.
Reading Frenck’s response in the GitHub issue, it seemed pretty reasonable for the most part regarding OIDC/SAML/LDAP. Those all require more architecture than 99% of people are willing to maintain.
That said, I don’t agree with his take on WebAuthn. I think WebAuthn should 100% be implemented into Home Assistant’s frontend. Ironically, you can even use it to sign into the forums here… Everyone is burnt out on password auth, and it’s objectively less secure. A big factor in taking control of your smart home should be properly securing it, as well as reducing UI friction. WebAuthn helps in both of these areas.
I too run my own instance of Authentik to provide access to all my internal services… Having HA rolled into it would be great, as it is currently the only user-facing application that does need separate accounts.
In 2024, Home Assistant sticks out like a sore thumb among FOSS projects for its lack of modern authentication and authorization.
We’re talking about access to our lights, cameras, security systems, locks, appliances, and countless other devices. Security must be paramount. It’s not sexy but it’s super important.
Please make it a core priority to implement these modern security standards in 2024!
Really good write up.
OIDC is not just for enterprise. I self-host 50+ services and configure OIDC or an auth proxy for most services with Keycloak to have SSO & MFA.
+1 from me too. Sad to see so many MRs go to waste, but in all fairness, they should probably be external plugins anyway. What can be done to allow external authentication plugins properly?