Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

Read the post before trying to trash it.

Local SSO! Meaning authentik/authelia type of SSO. If social login is something a user wants, then that should be ok too.

You can decide what you want to do, but there is a strong demand for an additional OIDC

Respectfully, you can’t safely address one without at least studying the effects of the other. What I mean is, you have to plan for OIDC when doing the local user authentication portion of Role-Based Access Control, because you would want it to work the same whether the authentication was on the Home Assistant device (PC, Raspberry Pi, VM) as it was being done through whatever SSO provider an end user wants to install and configure.

For obvious reasons, I concur. At this level of maturity HA should at least have the conversation about RBAC and support for modern authentication.
I hope that at some point the devs that were so eager to close the PRs and redirected the discussion here will actually participate.

There’s a survey going on… Community Survey_2024


The reasons these types of requests get shut down by devs do not make sense to me. Setting up HA, keeping it up to date, playing with YAML files, troubleshooting, creating automations and a nice UI for your dashboard are not exactly average home-user things.
Home Assistant is not exactly a system I would recommend to my grandpa anyway.


Being a member dev of Home Assistant who also implemented OIDC for HA previously (spent quite some time), it is also unclear to me why some of the core team members actively refuse to accept OIDC and WebAuthn.

Anyway count me in on the people who want this.


Would you be willing to try to push this effort again?

I think their biggest concerns were the additional security burden (although command-line auth also introduces that) and making sure someone removed from the IdP is unable to log in to Home Assistant, which is possible to do and is the whole point of an IdP.

I have very little time nowadays to spend on larger HA projects. So sadly no.

Okay, here’s a little Christmas gift for all of you waiting on this. I’ve restarted initial work on this again over at GitHub - christiaangoossens/hass-oidc-auth: OpenID Connect authentication provider for Home Assistant.

The initial v0.1.0-pre-alpha is already live over there and you can use it in HACS. Please only do so in a development/testing setting for now.

For this release, please make sure you have Authentik (or any other OIDC provider) configured to use a signing key (RSA) and create a public client to get the client_id and discovery URL. Then fill them into your HA config.

You should now be able to go to http://ha.local:8123/auth/oidc/welcome (or whatever your HA base URL is + /auth/oidc/welcome) to log in. The code you obtain there should be filled into the normal login UI (if you have the correct provider, you should only see one field).

Please note this is only a proof of concept for now, but with the state SSO was in for HA, I think it’s a major milestone in the right direction.

If you have any feedback, you can leave it in the discussions on that repository: christiaangoossens/hass-oidc-auth · Discussions · GitHub. I know the UI looks crap right now, don’t tell me :wink:

@elupus If this makes it easier for you to join again, feel free to contact me to discuss.

Final note: I have my notifications off for this thread on the Home Assistant Community as it got a bit spammy. If you need me, please make an issue or discussion over on GitHub. Please don’t spam me over there either, but it’s nice to see if you are happy with this.


I’ll see if I can dig out a Raspberry Pi to install Authentik on, since I don’t currently have an active SSO setup here. Yeah, I might not want to use it for philosophical reasons, but that doesn’t mean I don’t agree that people should have the option to if they want to use it.