Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

The longer this thread gets, the more clear it becomes that the Home Assistant team can implement OIDC but refuses to. Pull requests for this are being closed; in the one I read, @frenck said this issue is better discussed on the forums. Where is the development team on this thread? Past arguments have also brought up security concerns and revocation of access as needed. These should be trivial to address; several other small projects in the open source community have done so with minimal friction. My hunch is this feature would cripple Home Assistant Cloud subscriptions in some way, making this more of a business decision.

5 Likes

How? What is the relation between how you host and how you auth?

Security is never trivial. A need might be obvious, but not trivial. Do you have personal experience in this regard?

4 Likes

Adding my voice to the people calling for this to be implemented. It’s absurd that I have to maintain a separate user database and security posture JUST for this application. I am honestly extremely disappointed in the developers’ reactions to the various attempts to implement this already, which doesn’t inspire confidence.

3 Likes

Bit surprised here as well. Using Authentik for most of my services now to escape Google. Most self-hosted services allow SSO: “big” ones like Nextcloud but also smaller ones like Vikunja or even something simple like Homarr. Honestly feel like proper SSO is a must-have for an application this big with multi-user support. Honestly a bit dumbfounded by the frenck reaction to the open letter. It’s a couple of years old now. Maybe his stance has changed since then? Feel like it’s an oversight to not have proper SSO support in 2024 for such a huge tool as Home Assistant.

Will be interesting to see what happens with this pr.

I am a bit surprised that Home Assistant, after all these years, has such poor support for auth providers. See this post: WTH: Additional authentication methods (single sign on). It mentions ready-made solutions that people have spent hours and hours on. Seems it is simply ignored after 2022?

I would love to see OpenID Connect authentication with, for example, Keycloak, but not using a command line tool…

OIDC should be the priority here. But if that PR is approved, then that’s also very good progress.

+1. Proper 2FA support and to a lesser degree SSO should be a top priority but instead it seems integrating AI is seen as more important. You’d be delusional to think securing access to your home automation shouldn’t be the absolute top priority in this day and age for a home automation system and their app ecosystem.

I was also really put off by frenck’s response to the original open letter on github. Super dismissive and condescending. Hopefully his attitude has changed since then.

Maybe I’m missing something but we already have proper 2FA support. We just don’t have SSO, which would be a nice have.

3 Likes

I’d be happy to be wrong on this, but I believe only TOTP is currently supported.

Notify is supported as well (as in SMS codes, but also any other Home Assistant Notify Integration). Link below is anchored to the notify section of the MFA docs.

Personally, I’m really hoping to see the webauthn code mentioned above pulled in as an alternative to password-based login. It’s not SSO, but it could be a leap forward for both security and convenience.

3 Likes

Would be great to allow HA mobile apps to work when the HA server is behind an authentication middleware such as Authelia/Authentik. I believe auth header support in the apps is all that is required.

2 Likes

I’ve just implemented SSO across 90% of my selfhosted services and I find it absolutely unbelievable that so many smaller projects like Audiobookshelf, FreshRSS, Mealie, Stirling PDF, Immich, Ryot,… implement this absolutely perfectly…

Yet Home Assistant, by far the most actively developed service I use does not support this, even though many people have tried to implement this and got rejected because they consider the user base for this “negligible”, even though this is the third highest voted open feature request…

13 Likes

Indeed. What’s more appalling is that there are contributions in this feature request, only for it to be turned down. I do hope this gets more attention.

6 Likes

Also baffled by the resistance to this feature. Home Assistant has no reason to be a special security snowflake.

5 Likes

Just my five cents, but I don’t want to manage auth in Home Assistant at all, I want to keep all authn and authz to my dedicated solution for authentication and authorization.

Not everyone is running an enterprise-grade home lab, but it would be nice to have integrated in HA:

  • passkey support
    • with some smart check that you have a proper DNS name configured, else the technically unaware user is going to run into trouble later on
    • passwordless login as well
    • if you want more fine-grained control, let’s say WebAuthn attestation verification, run your own authentication
    • this is enough for “most people”
  • external auth support
    • OIDC preferably
    • SAML works but is cumbersome in comparison
  • external provisioning support
    • there are cases in enterprise-grade scenarios where “provision at log on”, i.e. creating a user when first authenticated through OIDC, is lacking, such as user removal
    • preferably SCIM
    • LDAP works, but the world would be a better place with less LDAP in it

Currently I’m running several Home Assistant instances, where those who need third-party auth are going through Apache for SSL termination and auth (I think I’m using GitHub - OpenIDC/mod_auth_openidc: OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x), with Home Assistant blindly trusting all HTTP sessions that come through.

4 Likes
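The Apache + mod_auth_openidc setup described above, written out as an added example (it is not the poster's own configuration); the host names, certificate paths, client ID and secrets are placeholders, and Home Assistant is assumed to listen on 127.0.0.1:8123:

```apache
# Added example, not the poster's config. Needs mod_ssl, mod_proxy,
# mod_proxy_http, mod_proxy_wstunnel, mod_rewrite, mod_headers and
# mod_auth_openidc. Assumed names: IdP idp.example.com, public name
# ha.example.com, HA on 127.0.0.1:8123.
<VirtualHost *:443>
    ServerName ha.example.com
    SSLEngine on
    # placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/ha.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/ha.example.com.key

    # Relying-party settings; the client must be registered at the IdP first.
    OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
    OIDCClientID     home-assistant
    OIDCClientSecret REPLACE_WITH_CLIENT_SECRET
    # Must be a path under the protected Location below and registered at the IdP.
    OIDCRedirectURI  https://ha.example.com/redirect_uri
    OIDCCryptoPassphrase REPLACE_WITH_RANDOM_PASSPHRASE
    # Identity reaches the backend as OIDC_CLAIM_* headers; HA ignores them,
    # which is the "blind trust" described in the post.
    OIDCRemoteUserClaim preferred_username
    OIDCPassClaimsAs headers

    # Everything, including /api/websocket, sits behind the OIDC gate.
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    # Tell HA the original scheme so it builds https:// URLs.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On

    # WebSocket upgrade for the frontend and the mobile app.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule ^/(.*) ws://127.0.0.1:8123/$1 [P,L]

    ProxyPass        / http://127.0.0.1:8123/
    ProxyPassReverse / http://127.0.0.1:8123/
</VirtualHost>
```

On the Home Assistant side this pairs with `http.use_x_forwarded_for: true`, `http.trusted_proxies` listing 127.0.0.1, and the `trusted_networks` auth provider for 127.0.0.1; that trust only holds if port 8123 is reachable by no path other than this vhost.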

Hi,
I’m here just to drop my 2 cents. I have 20+ services on my home network (Home Assistant, local drive, Jellyfin, Grocy, etc.), so I really need to authenticate just once and keep my authentication across all the services. Currently, I’m using Authelia and Caddy as the authentication layer and reverse proxy layer, and they work great. All my services are under them, except for Home Assistant. HA is under the reverse proxy, and I tried to use the header-auth custom component, but this is, precisely, a custom component and it doesn’t work with the app, leaving Home Assistant outside the protection layer. I think this is a serious problem that needs to be addressed.

EDIT:
I forgot to mention this: I’m more into the microservices philosophy, so for me Home Assistant with two-factor authentication or a complex auth flow is not the correct way. Just having the auth header or OIDC fully working and letting a proper authentication system (Authelia, Authentik, Cloudflare, Home Assistant Cloud maybe?, etc.) manage the auth flow is the correct way. Each service needs to do what it does best, and only that.

2 Likes

@frenck OIDC auth seems to be a trivial request, we are told to discuss this on the forums, yet the Home Assistant Devs aren’t joining in on the discussion. Can you guys please give us some indication of whether this is going to be progressed or not and if not, why not? The lack of action or discussion from the devs on this topic is really odd.

2 Likes

Please don’t tag people to bring them into this conversation. He has not been involved in this topic at all.

The current state is: it’s years’ worth of work to add this exactly how it’s described in the WTH RBAC thread (and this thread); it’s unlikely to happen anytime soon. The roadmap also has hints that things are being looked at. However, I would not expect the level of control that both of these threads are requesting.

2 Likes

Where is this OIDC work hinted at? All that I can see in the linked article is 2FA for Nabu Casa accounts, which is completely irrelevant for this discussion.

I can understand the general frustration with no feedback from the devs, and given frenck was the dev who directed this feature request to the forum in the first place, mentioning him isn’t completely out of the blue nor unreasonable. Especially after multiple attempts at community contribution to the issue and no further dev interaction for over 2 years.

1 Like