Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

The burnt orange block (2nd row, 3rd column).

Now that 2024 is over not sure they implemented any of this.

The date is when the roadmap was published — not a deadline. It’s in the next block. Just be patient. There are many, many things to consider.

2 Likes

It’s an unfortunate fact of human nature to want something NOW, no matter how long it will take to implement and what other things will have to happen for the feature they want to reach them.

Reading through the rest of the post, it only refers to ACLs, with no mention of SSO or any other auth changes. At this point I highly doubt we will see any progress on this, unfortunately; past core dev comments on pull requests suggest they are not enthusiastic about providing any support for enabling it.

That’s where I disagree, and I suspect they would as well. Just adding SSO without also adding access control does nothing to improve the privacy of the system. They may not have wanted to do it at that time, since they knew they would be adding the stuff that’s in the roadmap, and they probably want to build the SSO on top of any RBAC they put in, which is how I would do it.

1 Like

Out of the hundreds of things they could put on a roadmap, they put this on. Given all the scrutiny this leads to, do you really think your comment makes sense?

This is very likely a very complex change (beyond SSO), since HA wasn’t designed from the ground up with this in mind. Others have mentioned this too. Plus, there are varying requirements and expectations. No doubt there will be moaning and groaning after whatever first iteration they implement.

All I’m saying is: Keep an open mind.

1 Like

do you really think your comment makes sense?

Yes, as mentioned before, I believe it is very telling that SSO is not called out and only ACLs explicitly are. Given past comments regarding authentication changes being a burden the devs don’t want to maintain, I have little to no hope they will be addressing this issue at all.

Remember some of the issues and rejected pull requests for SSO go all the way back to 2019.

Edit: You can see this attitude to auth changes outlined in this pull request comment as recently as last year, around the time of the roadmap. There appears to be little to no appetite to facilitate anything beyond username/password outside Nabu Casa’s cloud offerings.

Edit 2: Another recent auth rejection

authentication code is currently frozen […] The current implementation is reviewed and tested by pen-testers to ensure we have no gaps.

Edit 3: In response to @christiaangoossens’s request for info re potentially helpful auth flow changes for his custom integration, this comment doesn’t raise too many hopes:

Please note, custom integrations are not supported by this project.

You picked the wrong parts to quote from that last PR:

We […] are also looking at how we can improve the situation. We will share more substantial information once we have it. So keep tuned.

and

PS: This is not a bad thing, it means we have direction for a better plan.

I do understand the hesitation to touch the auth stack: we are talking about a lot of instances which are being exposed to the internet, with serious consequences if there was a bug in authentication.

2 Likes

Yep. This shows that, whatever their personal feelings on the topic, they have acknowledged that the community wants this and are working on it.

I really hope for better OIDC support in Home Assistant!

I’m using Authentik all over my homelab, and HASS is the only application that gives me issues with forward auth on mobile devices.

2 Likes