Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

I know it’s not the same, however these 2 items are typically linked together. It’s anybody’s guess what that means.

1 Like

I wonder if that’s still planned for 2024

HA is currently still on Now. Next will likely transition into Now at the start of 2025.

Seems to me like the smallest, simplest thing to do here is for the Core Team to entertain reasonable additions to the authentication system and frontend which only provide the necessary integration points for third-party developers to then create their own external authentication integrations (i.e. via HACS), rather than burn years of time they don’t have trying to deliver a solution the Community is already offering to develop.

In the best case, perhaps a particular integration proves to be stable enough that it becomes eligible for inclusion in the Core (as is currently a very popular path for many integrations). However, because there’s currently no way to integrate, it’s a non-starter.

Authentication providers are enabled in YAML, so it still requires some level of thought on the part of the Installation owner (rather than being something they could accidentally enable by installing something they don’t fully understand).

Alas, it also seems the Core team are simply too risk-averse to take on any extensions to the Core in respect to Authentication, which is a real shame.

7 Likes

That’s exactly the same for me! Don’t stuff HA with auth features, just make it work with a decent OIDC system like Authentik or Keycloak.

4 Likes

This was a great write up and I just spent 45 minutes reading the whole conversation (I have a lot of free time).

Truly a sad state of affairs when devs ask for conversations to be moved to forums just so that they can easily ignore it, and then proceed to shut down any and all initiatives on GitHub (like the recent WebAuthn one), often for frankly questionable reasons (SSO apparently being enterprise-only, users allegedly not knowing what passkeys are, or something about how parents can’t navigate SSO…).

All of these are besides the point.
My parents aren’t setting up SSO, because my parents don’t even know what docker is, let alone what it means to host something somewhere.
They think a server is someone who brings you food in a restaurant.
The people implementing HA for families ARE the tech-savvies of the group, i.e. the people who DO know what SSO is, and often DO have other services that DO make use of SSO providers such as the aforementioned Authelia/Authentik.

Another argument being made by devs is that they don’t want to be liable if something goes wrong (this is referenced often). This is EXACTLY the whole reason you should implement OIDC, to let other apps handle the authentication and if something goes wrong you can “blame it” on them!
No one expects HA to revolutionise the way users authenticate, all we ask is that you provide a layer (OIDC) that lets a dedicated service take charge of all the complicated authentication stuff so they can keep doing what they do best, and you can completely forget about it and focus on other things.

Fun fact: I actually implemented Authelia as an SSO/auth provider because Immich didn’t support MFA without going through OIDC, and now I guess here we are on the other end of the spectrum.

I’m just going to end up writing “+1 for OIDC support”, but it seems that at this point this is a doomed effort because the devs seem to not think this is useful and do not participate in this conversation at all or show any signs that they are reading this feedback.

I have no idea why this is not being given proper attention, but if I were to guess, I’d say that this reminds me a lot of what happened to Plex (and why a lot of users moved to Jellyfin).
Plex moved from being community focused to trying to get sources of revenue from other places than licences and started developing features towards that.
I therefore assume that the devs have other, more lucrative priorities, that will allow them to sell more Nabu subscriptions.

Real shame to see such a promising project, that has depended so much on its community, be so tone deaf when it comes to the requests of its users and contributors, and I sincerely hope this kind of interaction isn’t replicated for other requests.

4 Likes

I believe that the developers are planning to do this at the same time they finish overhauling Home Assistant’s User Access control system to enable Role Based Access Control, which is another feature that people have been requesting for a while now. I’m pretty sure that’s on the Roadmap for the coming year.

2 Likes

RBAC being under consideration is awesome!

This request is one of the most active and highest voted requests on these forums. OIDC/SSO has yet to be directly acknowledged. It has been asked in GitHub pull requests, GitHub issues, this Discourse thread, and questions have been asked about this feature during State of the Open Home and other live streams. This feature is clearly something the community cares about, and it has had no meaningful engagement from the Home Assistant Foundation.

The Home Assistant Foundation prioritizes the founder’s vision, as shown in A roadmap for Home Assistant - Home Assistant. The perspective needs to shift from an individual to a community. The foundation should have guiding principles that provide the direction. Having a process to acknowledge and address features/requests that reach a threshold would go a long way in ensuring the community is heard and avoiding the biases the founder has publicly made.

This is a feature the community is willing to build. Please communicate with us on what is needed to start collaborating on this request.

Upvoted. At this point this is the only service I host that doesn’t support SSO in some manner, and it’s a pain in the rear to manage one set of credentials for Home Assistant and a separate set for everything else, multiplied by supporting the three other people in my household any time the credentials that work for one service don’t for another.

Read the post before trying to trash.

Local SSO! Meaning authentik/authelia type of SSO. If social login is something a user wants, then that should be ok too.

You can decide what you want to do, but there is a strong demand for an additional OIDC.

Respectfully, you can’t safely address one without at least studying the effects of the other. What I mean is, you have to plan for OIDC when doing the local user authentication portion of Role Based Access Control, because you would want it to work the same whether the authentication was on the Home Assistant device (PC, Raspberry Pi, VM) as if it was being done through whatever SSO provider an end user wants to install and configure.

For obvious reasons - I concur. At this level of maturity HA should at least have the conversation about RBAC and support for modern authentication.
I hope that at some point the devs that were so eager to close the PRs and redirect the discussion here will actually participate.

1 Like

There’s a survey going on… Community Survey_2024

1 Like

The reasons these types of requests get shut down by devs do not make sense to me. Setting up HA, keeping it up to date, playing with YAML files, troubleshooting, creating automations and a nice UI for your dashboard are not exactly average home user things.
Home Assistant is not exactly a system I would recommend to my grandpa anyway.

3 Likes

Being a member dev of Home Assistant who also implemented OIDC for HA previously (spent quite some time), it is also unclear to me why some of the core team members actively refuse to accept OIDC and WebAuthn.

Anyway count me in on the people who want this.

2 Likes

Would you be willing to try to push this effort again?

I think their biggest concerns were the additional security burden (although command-line auth also introduces that) and making sure someone removed from the IdP is unable to log in to Home Assistant, which is possible to do and the whole point of an IdP.

I have very little time nowadays to spend on larger HA projects. So sadly no.

Okay, here’s a little Christmas gift for all of you waiting on this. I’ve restarted initial work on this again over at GitHub - christiaangoossens/hass-oidc-auth: OpenID Connect authentication provider for Home Assistant.

The initial v0.1.0-pre-alpha is already live over there and you can use it in HACS. Please only do so in a development/testing setting for now.

For this release, please make sure you have Authentik (or any other OIDC provider) configured to use a signing key (RSA) and create a public client to get the client_id and discovery URL. Then fill them into your HA config.

You should now be able to go to http://ha.local:8123/auth/oidc/welcome (or whatever your HA base URL is + /auth/oidc/welcome) to log in. The code you obtain there should be filled into the normal login UI (if you have the correct provider, you should only see one field).

Please note this is only a proof of concept for now, but with the state SSO was in for HA, I think it’s a major milestone in the right direction.

If you have any feedback, you can leave it in the discussions on that repository: christiaangoossens/hass-oidc-auth · Discussions · GitHub. I know the UI looks crap right now, don’t tell me :wink:

@elupus If this makes it easier for you to join again, feel free to contact me to discuss.

Final note: I have my notifications off for this thread on the Home Assistant Community as it got a bit spammy. If you need me, please make an issue or discussion over on GitHub. Please don’t spam me over there either, but it’s nice to see if you are happy with this.

13 Likes
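The post above relies on the provider signing tokens with an RSA key and on a public client (one with no client secret), so on the Home Assistant side everything rests on validating the ID token correctly: pin the algorithm to RS256, verify the signature against the provider's published key, and check issuer, audience, expiry and nonce. This is an added illustration, not code from hass-oidc-auth or from Home Assistant; it is in Go because its standard library carries RSA and SHA-256 so the whole sign-and-verify round trip runs offline. The issuer, client_id and nonce values in the test are constructed, and `SignIDToken` stands in for what Authentik does on its end.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
// Claims is the subset of ID-token claims the relying party must check.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}
var enc = base64.RawURLEncoding
// SignIDToken mints an RS256 JWT the way a provider with an RSA signing key does (stand-in for Authentik).
func SignIDToken(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	signing := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return signing + "." + enc.EncodeToString(sig), err
}
// VerifyIDToken is the relying-party side: pin the alg, verify the signature with the provider's public key, then check iss, aud, exp and nonce.
func VerifyIDToken(pub *rsa.PublicKey, token, issuer, clientID, nonce string, now int64) (*Claims, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := enc.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or alg not RS256") // never let the token pick the alg
	}
	sig, err := enc.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c Claims
	if raw, err = enc.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("claims segment undecodable")
	}
	if c.Iss != issuer || c.Aud != clientID || c.Nonce != nonce || now >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}
```

In a real deployment the issuer string comes from the discovery document the post mentions and the public key from the JWKS it points to; the `exp` check is also what bounds how long a user removed from the IdP keeps a still-valid token.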

I’ll see if I can dig out a Raspberry Pi to install Authentik on, since I don’t currently have an active SSO setup here. Yeah, I might not want to use it for philosophical reasons, but that doesn’t mean I don’t agree that people should have the option to if they want to use it.

Work has started on a community solution for SSO using OpenID Connect over at GitHub - christiaangoossens/hass-oidc-auth: OpenID Connect authentication provider for Home Assistant. You can install the integration using HACS.

Currently, we are in the proof of concept/pre-alpha stage. It’s not ready for your main Home Assistant setup, but feel free to follow the repository as it matures.

Please also join the community discussion on GitHub: christiaangoossens/hass-oidc-auth · Discussions · GitHub, to share your feature requests and opinions on polls.

Note that this open letter is still important and unsolved, as an official integration would be preferred and the community integration will have a worse user experience (as we cannot change all screens to fit our needs). So, continue to upvote it.

13 Likes