I could be wrong, but as far as I know, HA doesn’t have a generic way to be an identity provider. So any service you’d want to put in the sidebar or UI would either have to be an integration (custom or built-in) and implement auth with the service ad-hoc, or the service would have to allow unauthenticated access. That would work in the small, but isn’t a solution to the problem.
This idea also precludes doing things like using SSO for something outside of the HA UI. E.g. the kubectl CLI, or some other scenario where another fairly standard identity provider would work. You’d basically have to have a second identity provider for everything else outside of HA.
It should be priority nr1 to integrate OIDC and proper permissions (especially for the history and logbook pages!). Is there anyone here who could make this possible. maybe we should set up a bounty for this feature? I would pledge 50 eur right now
If I’d guess users run these systems behind firewalls for most cases, so maintainers simply don’t care about auth and don’t want to spend development time a feature that nobody going to use much
As one user commented above
HA has a pretty good security record
this is like a windows computer, connect it to internet without firewall - it gets hacked within minutes/hours
The longer this thread gets, the more clear it becomes that the home assistant team can implement OIDC but refuse to. Pull requests for this are being closed, the one I read @frenck said this issue is better discussed on the forums. Where is the development team on this thread? Past arguments have also brought up security concerns and revocation of access as needed. These should be trivial to address, several other small projects in the open source community have done so with minimal friction. My hunch is this feature would cripple home assistant cloud subscriptions in some way, making this more of a business decision.
Adding my voice to the people calling for this to be implemented. It’s absurd that I have to maintain a separate user database and security posture JUST for this application. I am honestly extremely disappointed in the developers’ reactions to the various attempts to implement this already, which doesn’t inspire confidence.
bit surprised here aswell. using authentik for most of my services now to escape google. most selfhosted services allow sso. “big” ones like nextcloud but also smaller ones like vikunja or even something simple like homarr. honestly feel like proper sso is a must have for an application this big with multiuser support. honestly a bit dumbfounded by the frenck reaction to the open letter. its a couple of years old now. maybe his stance has changed since then? feel like its an oversight to not have proper sso support in 2024 for such a huge tool as homeassistant.
A am a bit surprised thah Home assistant after all these years as such poor support for auth providers. See this post: WTH: Additional authentication methods (single sign on) It mentions ready made solutions that people have spend hours and hours on. Seems it is simply ignored after 2022?
I would love to see an OpenId Connect authentication with for example keyCloak, but not using a command line tool…
+1. Proper 2FA support and to a lesser degree SSO should be a top priority but instead it seems integrating AI is seen as more important. You’d be delusional to think securing access to your home automation shouldn’t be the absolute top priority in this day and age for a home automation system and their app ecosystem.
I was also really put off by frenck’s response to the original open letter on github. Super dismissive and condescending. Hopefully his attitude has changed since then.
Notify is supported as well (as in SMS codes, but also any other Home Assistant Notify Integration). Link below is anchored to the notify section of the MFA docs.
Personally, I’m really hoping to see the webauthn code mentioned above pulled in as an alternative to password-based login. It’s not SSO, but it could be a leap forward for both security and convenience.
Would be great to allow HA mobile apps to work when HA server is behind an authentication middleware such as authelia/authentik. I believe auth header support in apps is all that is required.
I’ve just implemented SSO across 90% of my selfhosted services and I find it absolutely unbelievable that so many smaller projects like Audiobookshelf, FreshRSS, Mealie, Stirling PDF, Immich, Ryot,… implement this absolutely perfectly…
Yet Home Assistant, by far the most actively developed service I use does not support this, even though many people have tried to implement this and got rejected because they consider the user base for this “negligible”, even though this is the third highest voted open feature request…
Indeed. What’s more appalling is that there are contributions in this feature request, only for it to be turned down. I do hope this gets more attention.
Just my five cents, but I don’t want to manage auth in Home Assistant at all, I want to keep all authn and authz to my dedicated solution for authentication and authorization.
Not everyone is running an enterprise grade home lab, but it would be nice to in HA have integrated:
passkey support
with some smart check that you have a proper dns-name configured, else the technically unaware user is going to run into trouble later on
passwordless login as well
if you want more fine grained control, lets say webauthn attestation verifications, run your own authentication
this is enough for “most people”
external auth support
OIDC preferably
SAML works but is cumbersome in comparison
external provisioning support
there are cases for enterprise-grade scenarios where “provision at log on” is lacking, i.e. creating a user when first authenticated through OIDC, such as user removal
preferably SCIM
LDAP works, but the world would be a better place with less LDAP in it