Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

Reading Frenck's response in the GitHub issue, it seemed pretty reasonable for the most part regarding OIDC/SAML/LDAP. Those all require more architecture than 99% of people are willing to maintain.

That said, I don't agree with his take on WebAuthn. I think WebAuthn should 100% be implemented into Home Assistant’s frontend. Ironically, you can even use it to sign into the forums here… Everyone is burnt out on password auth, and it's objectively less secure. A big factor in taking control of your smart home should be properly securing it, as well as reducing UI friction. WebAuthn helps in both of these areas.

5 Likes

Would also love to see OIDC implemented, I self-host my SSO. It doesn’t go against the Home Assistant principles.

Another vote for SSO/OIDC and/or WebAuthn. I self-host my own solutions for these.

2 Likes

OIDC is a must.

1 Like

I too run my own instance of Authentik to provide access to all my internal services… Having HA rolled into it would be great, as it is currently the only user-facing application that does need separate accounts.

1 Like

Voted +1

In 2024, Home Assistant sticks out like a sore thumb among FOSS projects for its lack of modern authentication and authorization.

We’re talking about access to our lights, cameras, security systems, locks, appliances, and countless other devices. Security must be paramount. It’s not sexy but it’s super important.

Please make it a core priority to implement these modern security standards in 2024!

7 Likes

Really good write up.
OIDC is not just for enterprise. I self-host 50+ services and configure OIDC or an auth proxy for most services with Keycloak to have SSO & MFA.

5 Likes

+1. Bring OIDC

1 Like

+1 from me too. Sad to see so many MRs go to waste, but in all fairness, they should probably be external plugins anyway. What can be done to allow external authentication plugins properly?

1 Like

Home Assistant already supports OAuth2, but with its built-in identity provider.
It’s all about opening it up to other IdPs, which annoyingly is what they don’t want to do…

2 Likes

+1 voted - this is needed. Thank you devs for all you do!!! Please, consider again introducing external authentication.

2 Likes

So they mentioned a focus on security at state of the open home. Sounds like OIDC would certainly help in that regard…

1 Like

This is now the sixth top-voted feature request, making the comment from balloob about this feature being “extremely edge case” well and truly refuted. It would be nice if we could have some official feedback regarding this request now.

I am another user of OIDC for many self-hosted services. I would love to see the ability to integrate Authentik and Home Assistant.

1 Like

Hi everyone, I would really like to get OpenID SSO running for hass, so I have decided to have a crack at it in the next month or so. I'm planning on maintaining a fork of hass based on the current release and will rebase every time a new release is made.

If people are keen for this, chuck a like on this message. When I have a working version I will chuck it here. I may see if I can get BeryJu to have a check over when I am done. He is the creator of Authentik and hass-auth-header.

I plan to look at these PRs.

I'm hoping that if I can get a stable version running that people use, hass will eventually add it into core.

8 Likes

I think the ideal approach (at least for the HA maintainers based on their previous comments in pull requests) would be to continue the work @christiaangoossens started with Allow DataEntryFlowStepExternal on the login screen by christiaangoossens · Pull Request #14471 · home-assistant/frontend (github.com)

This would enable multiple Authentication plugins to be made and maintained by the community like the OpenID Connect plugin @christiaangoossens started to work on.

It’s just a shame there hasn’t been comment from the core maintainers regarding this approach specifically.

3 Likes

To chime in after this long time: I feel like this (@dugite-code) is the only solution left. I don’t mind the maintainers' lack of enthusiasm to build it themselves, but the main feature request remains the same:

Dear maintainers,

Please add the necessary support to Home Assistant to create an authentication component that can:

  • Register a button in the normal auth UI
  • Redirect the user away through multiple steps, both on the web and in the Android and iOS apps, either through the native browser or an in-app Browser Tab
  • End its interaction by telling Home Assistant which user email/id needs to be signed in

These features should be added to the current Auth Provider registration feature, see: GitHub - christiaangoossens/hass-oidc-auth: OpenID Connect authentication provider for Home Assistant

The community can then build either a WebAuthn, OIDC, SAML or what-have-you plugin ‘out-of-tree’.

Again, thank you community for showing that this request is still very much alive :heart:

14 Likes

While this isn’t 100% what we want, I was able to use the command line auth provider with a Python script to connect to Authelia and add Duo authentication. For anyone interested, this is a possible route in the interim.

I didn’t even know this was possible. But use with caution of course.

Kind of weird though that this is supported but adding oidc isn’t good or easy?

3 Likes
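As an added illustration of the interim route mentioned in the post above (this is example code written for this thread, not the poster's script and not Home Assistant's own code): Home Assistant's `command_line` auth provider runs an external program with the submitted credentials in the environment variables `username` and `password`, treats exit status 0 as a successful login, and, when `meta: true` is set, reads `key = value` lines such as `name = Alice` from the program's stdout. The script below implements that contract with a second factor, but instead of calling an external service like Authelia or Duo (whose APIs are not described in the thread) it checks a constructed local user store plus a TOTP code appended to the password; the user names, password, salt and the RFC 6238 test secret are all constructed sample values, and the configuration snippet in the docstring is an assumption about how such a script would be wired in.

```python
#!/usr/bin/env python3
"""Example command_line auth provider script for Home Assistant (added example).

Assumed wiring in configuration.yaml (not from the thread):

  homeassistant:
    auth_providers:
      - type: command_line
        command: /config/auth/check_user.py
        meta: true

Home Assistant passes the login form values in the environment variables
`username` and `password`; exit code 0 means "authenticated". With `meta: true`
it also parses `key = value` lines printed to stdout, e.g. `name = Alice`.
"""
import hashlib
import hmac
import os
import sys
import time
from dataclasses import dataclass

TOTP_DIGITS = 6
TOTP_STEP = 30
PBKDF2_ROUNDS = 200_000


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    pw_hash: bytes       # PBKDF2-HMAC-SHA256 of the password
    totp_secret: bytes   # raw shared secret for the second factor
    display_name: str


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the given Unix time."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_user(password: str, totp_secret: bytes, display_name: str, salt: bytes) -> UserRecord:
    return UserRecord(salt, pbkdf2(password, salt), totp_secret, display_name)


# Constructed user store. The TOTP secret is the RFC 6238 test-vector secret,
# the salt and password are sample values; a real deployment would load these
# from a file with restricted permissions or query an external IdP instead.
USERS = {
    "alice": make_user("correct horse", b"12345678901234567890", "Alice", b"constructed-salt-1"),
}
# Dummy record so that unknown users still cost one PBKDF2 computation
# (keeps "user exists" from leaking through response timing).
_DUMMY = make_user("dummy", b"dummy-secret-dummy-1", "nobody", b"constructed-salt-0")


def authenticate(username: str, submitted: str, users: dict, unix_time: int) -> "str | None":
    """Return the display name on success, None otherwise.

    `submitted` is the login-form password with the 6-digit TOTP code appended
    (password+code), the usual way to feed a second factor through a single
    password field. The current and the previous 30 s step are accepted to
    tolerate small clock drift.
    """
    record = users.get(username, _DUMMY)
    password, code = submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]
    pw_ok = hmac.compare_digest(pbkdf2(password, record.salt), record.pw_hash)
    code_ok = any(
        hmac.compare_digest(code, totp(record.totp_secret, unix_time - drift))
        for drift in (0, TOTP_STEP)
    )
    if username in users and pw_ok and code_ok:
        return record.display_name
    return None


def main() -> int:
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    name = authenticate(username, password, USERS, int(time.time()))
    if name is None:
        return 1                      # any non-zero exit code rejects the login
    print(f"name = {name}")           # consumed by Home Assistant when meta: true
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Whatever backend the script talks to, the defensive points are the same as here: keep the comparison constant-time, make a failed lookup cost the same as a successful one, and return only an exit code and the display name to Home Assistant rather than echoing the credentials anywhere.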

I was quite shocked when I noticed that HA does not support any modern authentication system.
+1 for OIDC.

Looking at the PRs and the comments it looks like they are actively blocking any movement into that direction.

I wonder if there is any business-bulls**t reason behind that. I just can’t see any good reason for not allowing users to have the freedom of choice for simple (built-in) security vs advanced configurable external security.

3 Likes

The lack of OIDC support and refusal to implement/consider PRs is what caused me to drop my Nabu Casa subscription. I don’t need or use the cloud services, but was happy to contribute for development purposes.

Much smaller projects like Immich and Mealie have seamless OIDC support that works perfectly with services like Authentik.
https://github.com/immich-app/immich
https://github.com/mealie-recipes/mealie

3 Likes