Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

Indeed. What’s more appalling is that there are contributions in this feature request, only for it to be turned down. I do hope this gets more attention.

6 Likes

Also baffled by the resistance to this feature. Home Assistant has no reason to be a special security snowflake.

5 Likes

Just my five cents, but I don’t want to manage auth in Home Assistant at all, I want to keep all authn and authz to my dedicated solution for authentication and authorization.

Not everyone is running an enterprise-grade home lab, but it would be nice to have integrated in HA:

  • passkey support
    • with some smart check that you have a proper dns-name configured, else the technically unaware user is going to run into trouble later on
    • passwordless login as well
    • if you want more fine-grained control, let's say WebAuthn attestation verification, run your own authentication
    • this is enough for “most people”
  • external auth support
    • OIDC preferably
    • SAML works but is cumbersome in comparison
  • external provisioning support
    • there are cases for enterprise-grade scenarios where “provision at log on” is lacking, i.e. creating a user when first authenticated through OIDC, such as user removal
    • preferably SCIM
    • LDAP works, but the world would be a better place with less LDAP in it

Currently I’m running several Home Assistant instances, where those who need third-party auth are going through Apache for SSL termination and auth (I think I’m using mod_auth_openidc, https://github.com/OpenIDC/mod_auth_openidc, the OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x), and Home Assistant blindly trusting all HTTP sessions that come through.

5 Likes
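An added illustration of the Home Assistant side of the setup described in the post above (this is example configuration written for this page, not the poster's own config and not code from the Home Assistant project): the reverse proxy does the OIDC login, and Home Assistant is told to trust the proxy and skip its own login for clients the proxy forwards. The proxy address 10.0.0.5, the 10.0.0.0/24 and 100.64.0.0/10 ranges and the user id placeholder are assumptions; the Apache side (mod_auth_openidc protecting `<Location />` and proxying to port 8123) is not shown.

```yaml
# configuration.yaml (added example; all addresses below are assumed)
http:
  # Home Assistant only honours X-Forwarded-For when the connecting peer is
  # listed as a trusted proxy; forwarded headers from anyone else are not used,
  # so a client hitting port 8123 directly cannot forge its source address.
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.5            # assumed address of the Apache/mod_auth_openidc host

homeassistant:
  auth_providers:
    # Clients whose (forwarded) address falls in trusted_networks skip the
    # password prompt. Because use_x_forwarded_for is on, the address matched
    # is the real client, not the proxy, so list the networks the proxy serves.
    - type: trusted_networks
      trusted_networks:
        - 10.0.0.0/24       # assumed LAN behind the proxy
        - 100.64.0.0/10     # assumed VPN range the proxy forwards
      # Without trusted_users a trusted client is offered a picker of ALL
      # Home Assistant users; pin each range to a specific account instead.
      trusted_users:
        10.0.0.0/24: REPLACE_WITH_HA_USER_ID   # assumed placeholder
        100.64.0.0/10: REPLACE_WITH_HA_USER_ID # assumed placeholder
      # Log the pinned user in immediately instead of showing a login page.
      allow_bypass_login: true
    # Keep the built-in provider so a proxy outage does not lock you out.
    - type: homeassistant
```

Two caveats a practitioner should check before relying on this. First, the bypass is keyed on source address, not on the OIDC identity the proxy verified: everyone the proxy lets through lands on the pinned Home Assistant user, and there is no way in this configuration to map an OIDC subject to a specific account, which is exactly the gap the thread is asking to close. Second, trusted_networks applies to any request that reaches port 8123 from those ranges, whether or not it passed through Apache, so Home Assistant must be reachable only from the proxy host (firewall or container network) or the OIDC gate is trivially bypassed from the LAN.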

Hi,
I’m here just to drop my 2 cents. I have 20+ services on my home network (Home Assistant, local drive, Jellyfin, Grocy, etc.), so I really need to authenticate just once and keep my authentication across all the services. Currently, I’m using Authelia and Caddy as the authentication layer and reverse proxy layer, and they work great. All my services are under them, except for Home Assistant. HA is under the reverse proxy, and I tried to use the header-auth custom component, but this is, precisely, a custom component and it doesn’t work with the app, leaving Home Assistant outside the protection layer. I think this is a serious problem that needs to be addressed.

EDIT:
I forgot to mention this: I’m more into the microservices philosophy, so for me Home Assistant with two-factor authentication or a complex auth flow is not the correct way. Just having the auth header or OIDC fully working and letting a proper authentication system (Authelia, Authentik, Cloudflare, Home Assistant Cloud maybe?, etc.) manage the auth flow is the correct way. Each service needs to do what it does best, and only that.

2 Likes

@frenck OIDC auth seems to be a trivial request, we are told to discuss this on the forums, yet the Home Assistant Devs aren’t joining in on the discussion. Can you guys please give us some indication of whether this is going to be progressed or not and if not, why not? The lack of action or discussion from the devs on this topic is really odd.

2 Likes

Please don’t tag people to bring them into this conversation. He has not been involved in this topic at all.

The current state is: it’s years’ worth of work to add this exactly how it’s described in the WTH RBAC thread (and this thread), so it’s unlikely to happen anytime soon. The roadmap also has hints that things are being looked at. However, I would not expect the level of control that both of these threads are requesting.

2 Likes

Where is this OIDC work hinted? All that I can see in the linked article is 2FA for Nabu Casa accounts, and that is completely irrelevant for this discussion.

I can understand the general frustration with no feedback from the devs, and given frenck was the dev who directed this feature request to the forum in the first place, mentioning him isn’t completely out of the blue nor unreasonable. Especially after multiple attempts at community contribution to the issue and no further dev interaction for over 2 years.

1 Like

Many feature requests have no feedback from the devs; this is no different from those other requests. I understand the frustration; however, there never has been any guarantee that a feature request or WTH will be implemented.

And fyi

He has not posted in this thread, he is not part of the conversation. Don’t tag him, it’s as simple as that.

1 Like

I’m still interested where you think single sign on is hinted in the roadmap? I haven’t been able to find anything.

RBAC in general is hinted at

1 Like

I see, unfortunately RBAC isn’t single sign-on.

Well I guess we can only hope it’s considered given all the community contributions have been rejected thus far.

1 Like

I know it’s not the same; however, these 2 items are typically linked together. It’s anybody’s guess what that means.

1 Like

I wonder if that’s still planned for 2024

HA is currently still on Now. Next will likely transition into Now at the start of 2025.

Seems to me like the smallest, simplest thing to do here is for the Core Team to entertain reasonable additions to the authentication system and frontend which only provide the necessary integration points for third-party developers to then create their own external authentication integrations (i.e. via HACS), rather than burn years of time they don’t have trying to deliver a solution the community is already offering to develop.

In the best case, perhaps a particular integration proves to be stable enough that it becomes eligible for inclusion in Core (as is currently a very popular path for many integrations). However, because there’s currently no way to integrate, it’s a non-starter.

Authentication providers are enabled in YAML, so it still requires some level of thought on the part of the installation owner (rather than being something they could accidentally enable by installing something they don’t fully understand).

Alas, it also seems the Core team are simply too risk-averse to take on any extensions to the Core in respect to Authentication, which is a real shame.

7 Likes

That’s exactly the same for me! Don’t stuff HA with auth features, just make it work with a decent OIDC system like Authentik or Keycloak.

4 Likes

This was a great write up and I just spent 45 minutes reading the whole conversation (I have a lot of free time).

Truly a sad state of affairs when devs ask for conversations to be moved to forums just so that they can easily ignore them, and then proceed to shut down any and all initiatives on GitHub (like the recent WebAuthn one), often for frankly questionable reasons (SSO apparently being enterprise-only, users allegedly not knowing what passkeys are, or something about how parents can’t navigate SSO…).

All of these are beside the point.
My parents aren’t setting up SSO, because my parents don’t even know what Docker is, let alone what it means to host something somewhere.
They think a server is someone who brings you food in a restaurant.
The people implementing HA for families ARE the tech-savvy ones of the group, i.e. the people who DO know what SSO is, and often DO have other services that DO make use of SSO providers such as the aforementioned Authelia/Authentik.

Another argument being made by devs is that they don’t want to be liable if something goes wrong (this is referenced often). This is EXACTLY the whole reason you should implement OIDC: to let other apps handle the authentication, and if something goes wrong you can “blame it” on them!
No one expects HA to revolutionise the way users authenticate, all we ask is that you provide a layer (OIDC) that lets a dedicated service take charge of all the complicated authentication stuff so they can keep doing what they do best, and you can completely forget about it and focus on other things.

Fun fact: I actually implemented Authelia as an SSO/auth provider because Immich didn’t support MFA without going through OIDC, and now I guess here we are on the other end of the spectrum.

I’m just going to end up writing “+1 for OIDC support”, but it seems that at this point this is a doomed effort, because the devs seem to not think this is useful and do not participate in this conversation at all or show any signs that they are reading this feedback.

I have no idea why this is not being given proper attention, but if I were to guess, I’d say that this reminds me a lot of what happened to Plex (and why a lot of users moved to Jellyfin).
Plex moved from being community focused to trying to get sources of revenue from other places than licences and started developing features towards that.
I therefore assume that the devs have other, more lucrative priorities, that will allow them to sell more nabu subscriptions.

Real shame to see such a promising project, that has depended so much on its community, be so tone deaf when it comes to the requests of its users and contributors, and I sincerely hope this kind of interaction isn’t replicated for other requests.

4 Likes

I believe that the developers are planning to do this at the same time they finish overhauling Home Assistant’s User Access control system to enable Role Based Access Control, which is another feature that people have been requesting for a while now. I’m pretty sure that’s on the Roadmap for the coming year.

2 Likes

RBAC being under consideration is awesome!

This request is one of the most active and highest-voted requests on these forums. OIDC/SSO has yet to be directly acknowledged. It has been asked about in GitHub pull requests, GitHub issues, this Discourse thread, and questions have been asked about this feature during State of the Open Home and other live streams. This feature is clearly something the community cares about, and it has had no meaningful engagement from the Home Assistant Foundation.

The Home Assistant Foundation prioritizes the founder’s vision, as shown in the roadmap post (A roadmap for Home Assistant). The perspective needs to shift from an individual to a community. The foundation should have guiding principles that provide the direction. Having a process to acknowledge and address feature requests that reach a threshold would go a long way in ensuring the community is heard and in avoiding the biases the founder has publicly made.

This is a feature the community is willing to build. Please communicate with us on what is needed to start collaborating on this request.

Upvoted. At this point this is the only service I host that doesn’t support SSO in some manner, and it’s a pain in the rear to manage one set of credentials for Home Assistant and a separate set for everything else, multiplied by supporting the three other people in my household any time the credentials that work for one service don’t for another.