Reading Frenck's response in the GitHub issue, it seemed pretty reasonable for the most part regarding OIDC/SAML/LDAP. Those all require more architecture than 99% of people are willing to maintain.
That said, I don't agree with his take on WebAuthn. I think WebAuthn should 100% be implemented into Home Assistant's frontend. Ironically, you can even use it to sign into the forums here… Everyone is burnt out on password auth, and it's objectively less secure. A big factor in taking control of your smart home should be properly securing it, as well as reducing UI friction. WebAuthn helps in both of these areas.
I too run my own instance of Authentik to provide access to all my internal services… Having HA rolled into it would be great, as it is currently the only user-facing application that does need separate accounts.
In 2024, Home Assistant sticks out like a sore thumb among FOSS projects for its lack of modern authentication and authorization.
We’re talking about access to our lights, cameras, security systems, locks, appliances, and countless other devices. Security must be paramount. It’s not sexy but it’s super important.
Please make it a core priority to implement these modern security standards in 2024!
Really good write up.
OIDC is not just for enterprise. I self-host 50+ services and configure OIDC or an auth proxy for most services with Keycloak to have SSO & MFA.
+1 from me too. Sad to see so many MRs go to waste, but in all fairness, they should probably be external plugins anyway. What can be done to allow external authentication plugins properly?
Home Assistant already supports OAuth2, but with its built-in identity provider.
It's all about opening it up to other IdPs, which annoyingly is what they don't want to do…
This is now the sixth top voted feature request, making the comment from balloob about this feature being "extremely edge case" well and truly refuted. It would be nice if we could have some official feedback regarding this request now.
Hi everyone, I would really like to get OpenID SSO running for HASS, so I have decided to have a crack at it in the next month or so. I'm planning on maintaining a fork of HASS based on the current release and will rebase every time a new release is made.
If people are keen for this, chuck a like on this message. When I have a working version I will chuck it here. I may see if I can get BeryJu to have a check over it when I am done; he is the creator of Authentik and hass-auth-header.
Plan to look at these PRs
I'm hoping that if I can get a stable version running that people use, HASS will eventually add it into core.
This would enable multiple Authentication plugins to be made and maintained by the community like the OpenID Connect plugin @christiaangoossens started to work on.
It’s just a shame there hasn’t been comment from the core maintainers regarding this approach specifically.
To chime in after this long time: I feel like this (@dugite-code) is the only solution left. I don't mind the maintainers' lack of enthusiasm to build it themselves, but the main feature request remains the same:
Dear maintainers,
Please add the necessary support to Home Assistant to create an authentication component that can:
Register a button in the normal auth UI
Redirect the user away through multiple steps, both on the web and in the Android and iOS apps, either through the native browser or an in app Browser Tab
End its interaction by telling Home Assistant which user email/id needs to be signed in
While this isn't 100% what we want, I was able to use the command line auth provider with a Python script to connect to Authelia and add Duo authentication. For anyone interested, this is a possible route in the interim.
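As an added example (not the poster's script, not Home Assistant or Authelia code), this is what a `command_line` auth provider bridge to Authelia's first factor can look like. It assumes HA passes the credentials in the `username` and `password` environment variables, treats exit code 0 as success and, with `meta: true`, reads `key = value` lines from stdout; it also assumes Authelia exposes `POST /api/firstfactor` taking JSON `{"username", "password", "keepMeLoggedIn"}` and answering 200 on success. The Duo second factor from the post is not covered, and the Authelia URL is a placeholder.

```python
"""Home Assistant command_line auth provider backed by Authelia (added example).

Assumed contract: HA runs this script with the submitted credentials in the
``username`` and ``password`` environment variables, treats exit code 0 as a
successful login and, when ``meta: true`` is configured, parses ``key = value``
lines (``name``, ``group``, ``local_only``) from stdout.
"""
import json
import os
import sys
import urllib.error
import urllib.request

AUTHELIA_URL = "https://auth.example.internal"  # placeholder, not a real host


def authelia_first_factor(username, password, base_url=AUTHELIA_URL, timeout=5):
    """Return True only if Authelia accepts the username/password pair.

    Assumption: Authelia's POST /api/firstfactor answers 200 on success and a
    4xx status (raised by urllib as HTTPError) on bad credentials.
    """
    body = json.dumps({"username": username, "password": password,
                       "keepMeLoggedIn": False}).encode()
    req = urllib.request.Request(base_url + "/api/firstfactor", data=body,
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False  # transport error or HTTP error: fail closed


def authenticate(env, verify):
    """Core of the provider: returns (exit_code, meta_lines).

    ``env`` is the environment HA hands the script; ``verify`` is the
    credential check (Authelia in production, a stub in tests).
    """
    username = env.get("username", "").strip()
    password = env.get("password", "")
    # A username containing a newline could inject extra meta lines such as a
    # different ``group``; reject anything that is not plain printable text.
    if not username or not username.isprintable() or not password:
        return 1, []
    if not verify(username, password):
        return 1, []
    # Only emitted on success: display name plus the non-admin group.
    return 0, [f"name = {username}", "group = system-users"]


if __name__ == "__main__":
    code, meta = authenticate(os.environ, authelia_first_factor)
    for line in meta:
        print(line)
    sys.exit(code)
```

Point HA at it with `auth_providers: - type: command_line` plus `command:` and `meta: true` in `configuration.yaml`; the script itself is only ever given credentials by HA and never exposes an endpoint.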
I didn’t even know this was possible. But use with caution of course.
Kind of weird though that this is supported but adding oidc isn’t good or easy?
I was quite shocked when I noticed that HA does not support any modern authentication system.
+1 for OIDC.
Looking at the PRs and the comments it looks like they are actively blocking any movement into that direction.
I wonder if there is any business-bulls**t reason behind that. I just can't see any good reason for not allowing users to have the freedom of choice for simple (built-in) security vs advanced configurable external security.
The lack of OIDC support and refusal to implement/consider PRs is what caused me to drop my Nabu Casa subscription. I don't need or use the cloud services, but was happy to contribute for development purposes.