Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

Indeed. What’s more appalling is that there are contributions in this feature request, only for it to be turned down. I do hope this gets more attention.

6 Likes

Also baffled by the resistance to this feature. Home Assistant has no reason to be a special security snowflake.

5 Likes

Just my five cents, but I don’t want to manage auth in Home Assistant at all, I want to keep all authn and authz to my dedicated solution for authentication and authorization.

Not everyone is running an enterprise-grade home lab, but it would be nice to have integrated in HA:

  • passkey support
    • with some smart check that you have a proper DNS name configured, else the technically unaware user is going to run into trouble later on
    • passwordless login as well
    • if you want more fine-grained control, let's say WebAuthn attestation verification, run your own authentication
    • this is enough for “most people”
  • external auth support
    • OIDC preferably
    • SAML works but is cumbersome in comparison
  • external provisioning support
    • there are enterprise-grade scenarios where "provision at log on" (i.e. creating a user when they first authenticate through OIDC) is lacking, such as user removal
    • preferably SCIM
    • LDAP works, but the world would be a better place with less LDAP in it

Currently I'm running several Home Assistant instances, where those who need third-party auth go through Apache for SSL termination and auth (I think I'm using mod_auth_openidc: GitHub - OpenIDC/mod_auth_openidc, the OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x), with Home Assistant blindly trusting all HTTP sessions that come through.

4 Likes

Hi,
I'm here just to drop my 2 cents. I have 20+ services on my home network (Home Assistant, local drive, Jellyfin, Grocy, etc.), so I really need to authenticate just once and keep my authentication across all the services. Currently, I'm using Authelia and Caddy as the authentication layer and reverse proxy layer and they work great. All my services are under them, except for Home Assistant. HA is under the reverse proxy, and I tried to use the header-auth custom component, but this is, precisely, a custom component and it doesn't work with the app, leaving Home Assistant outside the protection layer. I think this is a serious problem that needs to be addressed.

EDIT:
I forgot to mention this: I'm more into the microservices philosophy, so for me Home Assistant with two-factor authentication or a complex auth flow is not the correct way. Just having the auth header or OIDC fully working and letting a proper authentication system (Authelia, Authentik, Cloudflare, Home Assistant Cloud maybe?, etc.) manage the auth flow is the correct way. Each service needs to do what it does best, and only that.

2 Likes
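The two posts above describe the same deployment pattern: a reverse proxy (Apache with mod_auth_openidc, or Caddy with Authelia) performs the OIDC login and the application behind it trusts whatever identity the proxy forwards. The following Python model is an added illustration, not code from either poster, from Home Assistant or from the header-auth component mentioned above; it shows the two checks that make that pattern safe and what happens when either is missing. The header name `X-Remote-User`, the proxy network `10.0.0.0/8`, the peer addresses and the usernames are assumptions made for the example.

```python
"""Trusted-proxy header authentication, modelled end to end.

Added example (assumptions, not Home Assistant's or the posters' code): a
reverse proxy authenticates the browser with OIDC and passes the resulting
identity to the application in an ``X-Remote-User`` header.  Two checks
must both hold for that to be safe:

1. The proxy must overwrite the header from its own session state, never
   merely add it, or a client can smuggle ``X-Remote-User: admin`` through.
2. The application must accept the header only on connections that come
   from the proxy, or anyone who can reach it directly can claim any name.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, Mapping, Optional

IDENTITY_HEADER = "x-remote-user"  # assumed header name; compared case-insensitively


def _normalise(headers: Mapping[str, str]) -> dict[str, str]:
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


# ---- proxy side ---------------------------------------------------------

def proxy_forward_vulnerable(client_headers: Mapping[str, str],
                             authenticated_user: str) -> dict[str, str]:
    """BAD: only fills in the identity header if the client did not send one,
    so a client-supplied value wins and the proxy's authentication is moot."""
    forwarded = _normalise(client_headers)
    forwarded.setdefault(IDENTITY_HEADER, authenticated_user)
    return forwarded


def proxy_forward_hardened(client_headers: Mapping[str, str],
                           authenticated_user: str) -> dict[str, str]:
    """GOOD: drop any client-supplied identity header and set it from the
    proxy's own authenticated session."""
    forwarded = {name: value for name, value in _normalise(client_headers).items()
                 if name != IDENTITY_HEADER}
    forwarded[IDENTITY_HEADER] = authenticated_user
    return forwarded


# ---- application side ---------------------------------------------------

def resolve_user(peer_ip: str, headers: Mapping[str, str],
                 trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the asserted identity only if the TCP peer is a trusted proxy.

    ``peer_ip`` is the address of the socket peer, not a forwarded header:
    X-Forwarded-For is attacker-controlled unless the proxy rewrites it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net, strict=False)
               for net in trusted_proxies):
        return None  # direct connection: ignore whatever identity it claims
    user = _normalise(headers).get(IDENTITY_HEADER, "").strip()
    return user or None


if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]            # assumed: the proxy lives in this network
    spoof = {"X-Remote-User": "admin"}  # constructed attacker request
    # Through the vulnerable proxy the attacker's header survives.
    print(resolve_user("10.0.0.2", proxy_forward_vulnerable(spoof, "alice"), proxies))
    # Through the hardened proxy the authenticated identity wins.
    print(resolve_user("10.0.0.2", proxy_forward_hardened(spoof, "alice"), proxies))
    # Bypassing the proxy entirely yields no identity at all.
    print(resolve_user("203.0.113.5", spoof, proxies))
```

In a real deployment the proxy-side fix means setting the identity header unconditionally from the authenticated session rather than passing client headers through, and the application-side check is usually enforced by network placement: whatever trusts the header must be reachable only through the proxy (bound to localhost or firewalled). A setup where the application "blindly trusts all HTTP sessions", as in the post above, is only as safe as that second condition.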

@frenck OIDC auth seems to be a trivial request, we are told to discuss this on the forums, yet the Home Assistant Devs aren’t joining in on the discussion. Can you guys please give us some indication of whether this is going to be progressed or not and if not, why not? The lack of action or discussion from the devs on this topic is really odd.

2 Likes

Please don’t tag people to bring them into this conversation. He has not been involved in this topic at all.

The current state is: it's years' worth of work to add this exactly how it's described in the WTH RBAC thread (and this thread); it's unlikely to happen anytime soon. The roadmap also has hints that things are being looked at. However, I would not expect the level of control that both of these threads are requesting.

2 Likes

Where is this OIDC work hinted? All that I can see in the linked article is 2FA for Nabu Casa accounts, which is completely irrelevant to this discussion.

I can understand the general frustration with no feedback from the devs, and given frenck was the dev who directed this feature request to the forum in the first place, mentioning him isn't completely out of the blue nor unreasonable. Especially after multiple attempts at community contribution to the issue and no further dev interaction for over 2 years.

1 Like

Many feature requests have no feedback from the devs; this is no different from those other requests. I understand the frustration; however, there never has been any guarantee that a feature request or WTH will be implemented.

And FYI

He has not posted in this thread, he is not part of the conversation. Don’t tag him, it’s as simple as that.

1 Like

I’m still interested where you think single sign on is hinted in the roadmap? I haven’t been able to find anything.

RBAC in general is hinted at

1 Like

I see; unfortunately RBAC isn't single sign-on.

Well I guess we can only hope it’s considered given all the community contributions have been rejected thus far.

1 Like

I know it's not the same; however, these 2 items are typically linked together. It's anybody's guess what that means.

1 Like

I wonder if that’s still planned for 2024

HA is currently still on Now. Next will likely transition into Now at the start of 2025.

Seems to me like the smallest, simplest thing to do here is for the Core Team to entertain reasonable additions to the authentication system and frontend which only provide the necessary integration points for third-party developers to then create their own external authentication integrations (i.e. via HACS), rather than burn years of time they don't have trying to deliver a solution the Community is already offering to develop.

In the best case, perhaps a particular integration proves to be stable enough that it becomes eligible for inclusion in the Core (as is currently a very popular path for many integrations). However, because there's currently no way to integrate, it's a non-starter.

Authentication providers are enabled in YAML, so it still requires some level of thought on the part of the Installation owner (rather than being something they could accidentally enable by installing something they don’t fully understand).

Alas, it also seems the Core team are simply too risk-averse to take on any extensions to the Core in respect to Authentication, which is a real shame.

7 Likes

That's exactly the same for me! Don't stuff HA with auth features; just make it work with a decent OIDC system like Authentik or Keycloak.

3 Likes