Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

Read the post before trying to trash.

Local SSO! Meaning Authentik/Authelia-type SSO. If social login is something a user wants, then that should be OK too.

You can decide what you want to do, but there is a strong demand for an additional OIDC option.

1 Like

Respectfully, you can’t safely address one without at least studying the effects of the other. What I mean is, you have to plan for OIDC when doing the local user authentication portion of Role Based Access Control, because you would want it to work the same whether the authentication was on the Home Assistant device (PC, Raspberry Pi, VM) as if it were being done through whatever SSO provider an end user wants to install and configure.

For obvious reasons - I concur. At this level of maturity HA should at least have the conversation about RBAC and support for modern authentication.
I hope that at some point the devs who were so eager to close the PRs and redirect the discussion here will actually participate.

2 Likes

There’s a survey going on… Community Survey_2024

3 Likes

The reasons these types of requests get shut down by devs do not make sense to me. Setting up HA, keeping it up to date, playing with YAML files, troubleshooting, creating automations and a nice UI for your dashboard are not exactly average home user things.
Home Assistant is not exactly a system I would recommend to my grandpa anyway.

4 Likes

As a member dev of Home Assistant who also implemented OIDC for HA previously (and spent quite some time on it), it is also unclear to me why some of the core team members actively refuse to accept OIDC and WebAuthn.

Anyway count me in on the people who want this.

4 Likes

Would you be willing to try to push this effort again?

I think their biggest concerns were the additional security burden (although command-line auth also introduces that) and making sure someone removed from the IdP is unable to log in to Home Assistant, which is possible to do and is the whole point of an IdP.

1 Like

I have very little time nowadays to spend on larger HA projects. So sadly no.

1 Like

Okay, here’s a little Christmas gift for all of you waiting on this. I’ve restarted initial work on this again over at GitHub - christiaangoossens/hass-oidc-auth: OpenID Connect authentication provider for Home Assistant.

The initial v0.1.0-pre-alpha is already live over there and you can use it in HACS. Please only do so in a development/testing setting for now.

For this release, please make sure you have Authentik (or any other OIDC provider) configured to use a signing key (RSA) and create a public client to get the client_id and discovery URL. Then fill them into your HA config.

You should now be able to go to http://ha.local:8123/auth/oidc/welcome (or whatever your HA base URL is + /auth/oidc/welcome) to log in. The code you obtain there should be filled into the normal login UI (if you have the correct provider, you should only see one field).

Please note this is only a proof of concept for now, but with the state SSO was in for HA, I think it’s a major milestone in the right direction.

If you have any feedback, you can leave it in the discussions on that repository: christiaangoossens/hass-oidc-auth · Discussions · GitHub. I know the UI looks crap right now, don’t tell me :wink:

@elupus If this makes it easier for you to join again, feel free to contact me to discuss.

Final note: I have my notifications off for this thread on the Home Assistant Community as it got a bit spammy. If you need me, please make an issue or discussion over on GitHub. Please don’t spam me over there either, but it’s nice to see if you are happy with this.

18 Likes

I’ll see if I can dig out a Raspberry Pi to install Authentik on, since I don’t currently have an active SSO setup here. Yeah, I might not want to use it for philosophical reasons, but that doesn’t mean I don’t agree that people should have the option to if they want to use it.

Work has started on a community solution for SSO using OpenID Connect over at GitHub - christiaangoossens/hass-oidc-auth: OpenID Connect authentication provider for Home Assistant. You can install the integration using HACS.

Currently, we are in the proof of concept/pre-alpha stage. It’s not ready for your main Home Assistant setup, but feel free to follow the repository as it matures.

Please also join the community discussion on GitHub: christiaangoossens/hass-oidc-auth · Discussions · GitHub, to share your feature requests and opinions on polls.

Note that this open letter is still important and unsolved, as an official integration would be preferred and the community integration will have a worse user experience (as we cannot change all screens to fit our needs). So, continue to upvote it.

23 Likes

I didn’t see this post and I can add my vote to this.
I have more and more services deployed and managing passwords is a real pain. With the increased necessity to add MFA it becomes even harder to manage access. So I decided to add SSO to my domain.
I am progressively deploying Authentik as my SSO and would like all my services to use it.

2 Likes

In my honest opinion this should be two-fold.

On one hand, it would be really helpful if Home Assistant would start supporting tokens from any OpenID Connect provider, instead of its own tokens.

On the other hand it can also be useful if Home Assistant would become an OpenID Connect provider. For each and every reverse proxy app you can find details on how to force logging in with an OpenID Connect provider.

Then if you want to access ESPHome (or any other service) through a reverse proxy that manages the SSL part, it can redirect to Home Assistant, which will then happily provide a token or require the user to log in. Supporting this flow would greatly improve security, because Home Assistant does not have to be hosted on the same server.

I currently use Microsoft Entra for this, which is not an option for everybody. Enabling this in HA would improve security for everybody (and would probably overload the community with all kinds of authentication questions because this stuff is hard even for professionals.)

Hey there, our lord and savior! I am rooting for you and wish I could help you, but I am lacking the coding skills. How and where can we sponsor your work? Do you have a Kofi account or something like that?
:slight_smile:

1 Like

I would like to add my voice to this in response to @frenck’s argument. I come from a family of 7, and being able to loop Home Assistant into my Authentik setup would make my entire experience 1000 times better. With more people and services you include, you increase the issues you run into with passwords along the way. Supporting OAuth2 or OpenID Connect is the future, and I think it is in the best interest of this project to rebuild the authentication system to be more secure, more flexible, and more useful to people of all experience levels who use this software.

7 Likes

You are welcome to join discussions and development over at christiaangoossens/hass-oidc-auth · Discussions · GitHub to contribute. I will be updating the README soon to make it more usable for new users.

If you would like to contribute financially instead (please feel no obligation to; I do this for fun and usefulness to the community, not for profit), you can do so at Sponsor @christiaangoossens on GitHub Sponsors · GitHub.

3 Likes

We really need this!

1 Like

It is truly baffling that HA continues to ignore this. This has been industry standard for so many years now.

9 Likes

It’s on the HA roadmap, although we don’t know in which form this would be realised.

Hey, I haven’t seen any mention of OIDC or other SSO on the roadmap, only 2FA. Could you point to where you’ve seen it?