Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

I’m fairly new to Home Assistant; however, I feel this is missing too. I have been trying to set up Cloudflare Zero Trust, with tunnels to my on-prem hosted applications (including Home Assistant) and my own (on-prem) Authelia OIDC authenticator.

Basically, this is a layer before Home Assistant and works for desktops :). Not for mobile :frowning: - I have added my 2 cents to the Home Assistant iOS GitHub; please upvote too :)!

I’d be a big supporter of a more flexible and standardised authentication system in HA.
There is zero security, and arguably operational, benefit to HA retaining its own siloed authentication method.

Whereas the benefits to the user/community are many.
As an example, HA is the only app in many people’s self-hosted stacks that doesn’t allow itself to be fully integrated with other auth systems.

This needs to be implemented.

2 Likes

Thanks @christiaangoossens for writing this up.

As a developer myself, I understand the direction @frenck is pointing to, and the maintenance work necessary. Back in 2020, when the first PR arose, OIDC and 2FA didn’t have a lot of traction, although it was starting to. Also from that point of view, I understand their past decision.

However, I want to also draw attention to being able to use 2FA with such a solution. In the past years it got a lot of attention, and people understand the need for it; not only in enterprises, or in tech communities. I also see a lot of awareness and attention going towards security breaches, and people getting worried about changing passwords, and whether their important data is secure.

So starting with that, and considering one hooks up his/her entire home automation in HA, I would even argue not having 2FA can be seen as too insecure for the year we are in.
On top of that, people started using password managers more frequently due to having so many logins, and users want to have a simple way to log in. Many use Facebook, Twitter, or whatever there is to federate their login, and not have to remember logins anymore.

Considering these, I totally agree with @christiaangoossens that having OIDC/2FA/SSO should be re-evaluated, and considered to be integrated, and I believe it would not only benefit a small amount of users.

As mentioned, I understand the pushback for having to maintain such an auth flow heading forward; I think it would provide tremendous value to increase security and ease the use of HA on that side. However, some suggested being able to hook in authentication plugins, and although I’d love to have native OIDC authentication being implemented, it would also be very interesting to hear from @frenck and other maintainers what their thoughts around such plugins are.
In the end, if a user chooses to install such a plugin, they do it consciously considering the benefits, but also disadvantages, and possible attack vectors etc. Looking at it this way, I think the user’s expectation is not relying on HA but rather the user decides to be OK with whatever expectation the plugin provides.
And if a plugin exists that would potentially break e.g. Android/iOS authentication, well. The user decides to use it and is OK with it - it’s their conscious decision.

1 Like

Wouldn’t integrated support for passkeys (the next iteration of FIDO2 in a way) be even more comfortable and secure than relying on a, usually externally hosted, 3rd party for authentication?

I’m no expert, but I assume SSO requires the authenticating service to be reachable, making SSO not an option for air-gapped, or at least 100% local, setups. At least if there is no local service for authentication. But I admit that probably most people do expose their HA instances in a way that SSO could work.

Anyways, configuring a custom SSO provider could be pretty painful (which redirect-URI is the correct one? Client secrets? Authorization Endpoint? Discovery Endpoint? etc.). So a generic Login with GitHub (or any other popular SSO provider) probably would be what most users would use I guess. So again this requires connectivity. But if that’s missing, how are you accessing your local-focussed instance when you’re offline and the cookie has expired? There always has to be the fallback for a local-only login to fix a broken system. And if this is available, supporting additional login via SSO doesn’t add any security.

So essentially the only benefit is not having to enter credentials. And in fact, this is actually less secure, as instead of only one set of credentials (the HA-native login, which should not be disabled in my opinion), there now is a second set of credentials which also provides access (the SSO credentials).

And if all this is about the convenience of not having to enter credentials one more time, then passkeys to me seem to be an even better solution (assuming the required hardware is available). And that probably could be implemented a lot easier than the major refactorings required to allow SSO. Plus: as there is no password that could be cracked or whatever, adding this as an additional login option wouldn’t really loosen the security.

To summarize:

  • Only a handful of users would configure their own, local, SSO provider - which makes supporting this scenario very unattractive
  • Supporting only popular external SSO providers still requires a lot of work, which leaves room for bad code, and thus potential security vulnerabilities

On the other hand when considering passkeys:

  • Solves the issue of having to enter credentials
  • Only requires TLS to work correctly (as far as I know at least, and most users already have that)
  • Can be implemented without 3rd parties involved during the registration / authentication ceremony
  • A lot of users probably already have recent enough devices that support passkeys

I’m not saying supporting SSO is a bad thing - it could be useful to support OAuth for other stuff. But I think it might not be worth the effort just for logging in to HA, as there is a modern alternative.

3 Likes

Thank you all for your input. I feel that OIDC here would be mostly for the group of users that have local SSO providers (like Authelia and Authentik) configured, not for social logins (Google, Facebook etc). Social logins to your most precious possession, your home, sounds dystopian to me. But, if you want to configure the OIDC config yourself to do so, that’s your choice.

SSO in HA is not only for 2FA, but mostly for control and self-determination. The core tenet of Home Assistant is to give control to the user to create their smart home, and for me, and possibly the many respondents here and on Reddit, it is also about creating/choosing security measures myself, through configuring my own login provider with strong security methods, depending on my context (for instance home network vs external).

Currently, some responses here read to me like they are trying to tell me that it’s wrong to request SSO, or that small groups of people wanting it makes it useless as a concept, which is very against what should be the spirit of the Home Assistant project for me. We also have integrations for very niche products because enthusiasts use them. Why do you want to tell me what I can and cannot do with my home? If I wanted that, I would have just used HomeKit or SmartThings or such.

However, maintenance costs do exist and maintainers cannot pick everything up (and they shouldn’t). That’s a good reason. We should respect that for now; maintenance is hard enough as it is. However, I would welcome all support for PRs to make it possible to create this (as an installable plugin), as people should be able to add this if they wish, as is the spirit of open source.

I am working on the side (and very slowly) on making the PRs that I need for the frontend/backend such that an OIDC plugin can be created (for instance, allowing external redirect/callback on the login page).

For now, I am disabling my notifications here, if you need me or if you would like to help this effort, send a personal message :).

12 Likes

Would it be possible to make Home Assistant an OIDC identity provider? First for itself but maybe other services too. If it implements both the relying party and identity provider, making the SSO happen for other identity providers may become possible too (with necessary scopes and claims of course).

@ju55i In my humble opinion that’s not what anyone wants to do. It would mean more work to be done and more delicate stuff to be maintained because of the possible security implications. There are projects dedicated to this topic, which is their only objective. HomeAssistant is already a pretty big project doing a lot, so implementing OIDC/OAuth2 is not something I would like to see.
Also, an OIDC/OAuth2 Provider has to be capable of identifying a user by other means (password and eventually MFA methods) in order to verify and authorize for other applications, so if OIDC gets implemented in HomeAssistant then there will be no possibilities for OIDC client implementation.
In that case you’ll have to manage your home automation AND your users permissions for possibly completely unrelated services.

1 Like

Thank you @christiaangoossens. Spot-on +100. I’ve been in IT for +20 years and you’ve taught me a thing or two. Every day’s a school day!

I get the sentiment that there are many “home” users that don’t (feel they) require this functionality and therefore it’s not worth the effort. However, the old adage “a little information is a dangerous thing” is more prevalent in the Information Age than at any time in the past. There are generations of people that don’t have the first clue about IT security and are opening themselves up to all sorts of nasties, which is why it falls on a systems architect to make it as safe and idiot-proof as possible. (Remember all those WiFi access points shipped out with the same “factory” password? How many people use the same password for multiple sites? How many have checked a compromised password list? How many sites force a regular password change (even when they know their ID database has been compromised)?) I believe if the “average home user” understood the risks and IT security stopped being an afterthought, hackers would go out of business.

Consider this:

  1. 2FA shouldn’t be an option.
    This isn’t the place for discussions on how well/poorly the various banks implement 2FA, but I don’t believe there’s a single bank in the world that only requires a username and password to log in. I realise we’re not leaving the door open to a vault, but with the increase of IoT devices, one could, potentially, quite literally, leave the door open to their house (or at least a “smart” burglar). Similarly to banks, when we consider what HA can do and the security implications therein, perhaps this should be turned on its head and 2FA is a requirement as opposed to an option. I’m seeing this in more and more SaaS applications.

  2. External authentication provider.
    HA is open source and with that comes the massive advantage of a worldwide pool of developers able to help out. Using industry-standard practices/solutions makes developers’ lives easier as knowledge is gained from working on other products and thus reducing the learning curve. With external IdP solutions protecting thousands of systems issues are uncovered and resolved much more quickly, benefitting all consumers.

I understand the difference between 2FA or MFA and External IdP, but I believe both points are relevant to “Improving Home Assistant’s Authentication System” and I found this post when researching integrating HA with Azure AD. I also get that many users don’t (intentionally) expose their systems to the Internet, but today, very few attacks originate externally. I would say users of Home Assistant have a desire to learn, having outgrown the likes of Samsung SmartThings or Google Home. My last thought: Many IoT devices are made as quickly and cheaply as possible. I have no idea what unintentional holes or intentional back doors are in their firmware, but I want to be empowered to do all I can to mitigate them.

4 Likes

OIDC would be great, though not as an authentication provider. We currently have helpers for OAuth 2 to use my.home-assistant.io. I would love to see this expanded to support OIDC. I have the Steam integration in mind as it uses OpenID 2 but the OAuth 2 spec.

1 Like

I really would like to set up our HA to either use a SAML provider or federate to Office 365. Failing that I would settle for LDAP but would prefer the other two. I have tried to look into it before but it seems impossible or a major faff. It should be baked in as an option, as every other service/product we use now either has SAML or OAuth support and we pump everything to our SSO 2FA login system… Except Home Assistant…

1 Like

Another vote here for SSO support. I run my own IDP which does a bunch of fancy things like only supporting phishing-safe authentication methods (FIDO2 keys or Kerberos) for important applications. I’m currently working around the lack of direct SSO support with the header auth plugin and proxy authentication but this is very janky (tons of redirects).

I also currently have no good way to deal with the apps as they don’t do FIDO2 because of the webview vs custom tab issue.

Anyone here willing to work with me on an unofficial patchset to hack out the built-in OAuth2 and replace it with an external provider?

2 Likes

Adding my support for this as well. I maintain a few services that are used by my immediate family members. I’ve spun up an LLDAP container for simple user management, and I would love to be able to just point Home Assistant at it directly for authentication, without needing to hack on any extra scripts.

2 Likes

+1 for me as well. Single sign on is the future, and HA should have the option to delegate the business of authenticating users to a specialist tool!

1 Like

Quoting Frenck from GitHub

Home Assistant is aimed at a Home user, the home environment. IMHO this proposal/open letter is for feeding the enterprise smart home syndrome. I am pretty sure my dad (or any other average user of Home Assistant) isn’t using SSO to log in to his home devices.

I just have to disagree with this…

There are many people, ever expanding, that are using SSO services at home, not remote ones but local ones such as Keycloak and more recently Authentik. Every app I use regularly works with SSO or handles proxy auth better than Home Assistant (doesn’t break the mobile app), which I believe to be one of the largest open source projects on GitHub, or at least was.

Even projects like Vikunja and the like already have SSO support.

Things like Proxmox, Vikunja, Bookstack, Nextcloud (recent) all support OpenID

And like elupus said, ESPHome isn’t likely used by “average users” but it’s still a feature. I guarantee you OpenID would be added as a 3rd party implementation if the code base allowed for it, but from reading many topics it seems this isn’t possible without changes to core code.

As stated in this initial post, SSO Backends would allow for easy implementation of Webauthn and many other potential “authentication methods” in the future.

3 Likes

Quick progress update, I worked on it for a bit here: christiaangoossens/hass-oidc-auth: OpenID Connect authentication provider for Home Assistant (github.com). Implementing OAuth/OpenID is not the problem, I can do that and it’s very well possible (@elupus already made a basic version in the past), even as a plugin.

The problem is that the login screen has no way to redirect to some external URL properly (in a native browser view, instead of the normal HA view) and get back the callback code. The only - hacky - option is to use a popup, but I really don’t like that. In Android and iOS, the apps will also have to support opening either the native browser, an Android Custom Tab or SFSafariViewController with proper TLS support, hostname visibility and all CSS features (so Authentik also renders correctly).

However, I don’t know enough about the mobile and core code of HA to make this work and I sadly don’t have the time to find out. If anyone wants to pick that up, and make it possible to call a function for external redirect (I made a start in Allow DataEntryFlowStepExternal on the login screen by christiaangoossens · Pull Request #14471 · home-assistant/frontend (github.com)), I am happy to assist you with the OIDC part.

11 Likes
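The post above separates two things: the OIDC relying-party logic (which the author says is easy and has been done as a plugin) and the missing ability of the login screen to redirect out to the provider and receive the callback code. The block below is an added example written for this thread, not code from hass-oidc-auth, PR #14471 or Home Assistant itself. It shows what that round trip has to carry and check: a `state` that binds the callback to the attempt that started it, a PKCE verifier that never leaves the client, and a `nonce` that must reappear in the ID token. The provider metadata, client id and redirect URI are placeholders, the provider is a constructed stand-in so the flow runs offline, and ID token signature verification against the provider's JWKS is assumed to be done by a JOSE library and is not shown.

```python
"""Added example (not hass-oidc-auth or Home Assistant code): the relying-party
half of an OpenID Connect authorization-code login, i.e. the redirect out to the
provider and the callback that brings the code back. Runs offline: endpoints and
ids are placeholders and the provider is a constructed stand-in."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders standing in for <issuer>/.well-known/openid-configuration.
PROVIDER = {
    "issuer": "https://auth.example.test",
    "authorization_endpoint": "https://auth.example.test/authorize",
}
CLIENT_ID = "home-assistant-placeholder"
REDIRECT_URI = "https://ha.example.test/auth/oidc/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OIDCLogin:
    """One login attempt: the values that must survive the trip through the external browser."""

    def __init__(self):
        self.state = b64url(secrets.token_bytes(16))     # binds the callback to this attempt
        self.nonce = b64url(secrets.token_bytes(16))     # must reappear inside the ID token
        self.verifier = b64url(secrets.token_bytes(32))  # PKCE secret, never leaves the client

    def authorize_url(self) -> str:
        """URL the login screen hands to the native browser or custom tab."""
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        params = {
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid profile", "state": self.state, "nonce": self.nonce,
            "code_challenge": challenge, "code_challenge_method": "S256",
        }
        return PROVIDER["authorization_endpoint"] + "?" + urlencode(params)

    def handle_callback(self, callback_url: str) -> str:
        """Validate the redirect back from the provider and return the code."""
        query = parse_qs(urlparse(callback_url).query)
        if "error" in query:
            raise ValueError("provider error: " + query["error"][0])
        # A callback carrying another attempt's state is forged or replayed.
        if query.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch")
        return query["code"][0]

    def validate_id_token(self, id_token: str, now: float) -> dict:
        """Claim checks; the signature is assumed already verified by a JOSE library."""
        claims = json.loads(b64url_decode(id_token.split(".")[1]))
        aud = claims.get("aud")
        if claims.get("iss") != PROVIDER["issuer"]:
            raise ValueError("unexpected issuer")
        if not (CLIENT_ID in aud if isinstance(aud, list) else aud == CLIENT_ID):
            raise ValueError("token not issued for this client")
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        if claims.get("nonce") != self.nonce:
            raise ValueError("nonce mismatch")
        return claims


class FakeProvider:
    """Constructed stand-in for the provider, only so the flow runs offline."""

    def __init__(self):
        self.issued = {}  # code -> (code_challenge, nonce)

    def login(self, authorize_url: str) -> str:
        """Pretend the user signed in; return the callback URL the browser follows."""
        q = parse_qs(urlparse(authorize_url).query)
        code = b64url(secrets.token_bytes(8))
        self.issued[code] = (q["code_challenge"][0], q["nonce"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, code: str, verifier: str, now: float) -> str:
        """Token endpoint: codes are single use and the PKCE verifier must match."""
        challenge, nonce = self.issued.pop(code)
        if b64url(hashlib.sha256(verifier.encode()).digest()) != challenge:
            raise ValueError("PKCE verifier does not match")
        claims = {"iss": PROVIDER["issuer"], "aud": CLIENT_ID, "sub": "user-1",
                  "nonce": nonce, "iat": int(now), "exp": int(now) + 300}
        # Unsigned (alg none) token for the example; a real provider signs with its JWKS key.
        return b64url(b'{"alg":"none"}') + "." + b64url(json.dumps(claims).encode()) + "."


def run_login(now: float) -> dict:
    """Full round trip: redirect out, callback in, code exchange, claim checks."""
    attempt, provider = OIDCLogin(), FakeProvider()
    callback_url = provider.login(attempt.authorize_url())
    code = attempt.handle_callback(callback_url)
    return attempt.validate_id_token(provider.exchange(code, attempt.verifier, now), now)
```

The part Home Assistant's login screen would have to supply is the hand-off around `authorize_url()` and `handle_callback()`: open the URL in a real browser context and deliver the full callback URL back to the same `OIDCLogin` instance, since the state and verifier live there and a callback that reaches a different attempt is rejected.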

+1 on this as well.

HA’s issue with local vs remote - those of us that are asking for this are hosting our own SSO solutions. How is it more secure to have the same password on 20 different applications at home? How convenient is it to have 20 different passwords on 20 different apps? How convenient is it to have one spot to change passwords for myself or others in my household? This is not a local vs remote issue, nor is this an enterprise use case as Authelia and Authentik are specifically written for home power users to SECURE and SIMPLIFY the locally hosted applications that we rely on every day.

The types of users that are asking for this are the users that are truly using the potential of HA - because we understand technology and are trying to integrate it as seamlessly as possible into our lives.

I find it ironic frenck’s complaint about trying to implement webauthn in home assistant and how that failed when this PR would eliminate HA from having to deal with any auth. Just because one or a few users don’t have a need for this feature doesn’t mean there aren’t a ton more that do. This post alone, without much if any marketing is already engaging 150 users of the platform.

5 Likes

+1 here. While I am a little late to the party and I see some work being done on PR #14471, I felt I wanted to share another use case. HA authentication and authorization out of the box are very basic and an island. They do cover the needs of a lot of people. But there are many, many use cases uncovered.

My real life inspired example. Consider a small office where HA manages some lights, A/C units, a printer and so on. Everything else is integrated with OIDC: WiFi access, the local private wiki, the Nextcloud, the Wordpress for the public web, the local NAS… Everything. The only system that requires separate user management is HA.

In other words, I feel small offices are a very reasonable target for HA and that they require HA to be seamlessly integrable into the organization’s SSO flows.

Just my 2 cents.

2 Likes

I’d really like to see Passkey support added as that can be entirely self-contained with zero reliance on third party infrastructure being available.

This would also be useful to facilitate signin on the various clients on mobile devices.

Passkeys have 2FA/MFA builtin as they require something you have (your device) and either something you know (your device pin/password) or something you are (biometrics).

Implementing full WebAuthn would also add support for YubiKeys.

All of this, I believe, fits into something a home user can set up once support is present.

5 Likes
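The two posts above argue that passkeys need no third party, work with only TLS in place, and carry a second factor (device plus PIN or biometric) by construction. As an added example for this thread, not Home Assistant code, the block below implements the relying-party checks of a WebAuthn authentication ceremony with the standard library only. The relying-party id and origin are placeholders, the clientDataJSON and authenticatorData are constructed the way a browser and authenticator would produce them, and verifying the authenticator's signature over the returned bytes with the stored credential public key is assumed to be delegated to a crypto library.

```python
"""Added example (not Home Assistant code): relying-party checks of a WebAuthn /
passkey authentication ceremony. Standard library only; the sample clientDataJSON
and authenticatorData are constructed, and signature verification with the stored
credential public key is assumed delegated to a crypto library."""
import base64
import hashlib
import json
import secrets
import struct

RP_ID = "ha.example.test"                    # placeholder relying-party id
EXPECTED_ORIGIN = "https://ha.example.test"  # browsers only offer passkeys on https origins
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified by PIN/biometric: the second factor built into passkeys


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class PasskeyVerifier:
    def __init__(self):
        self.challenges = {}   # session id -> challenge; in-memory store for the example
        self.sign_counts = {}  # credential id -> last signature counter seen

    def begin(self, session_id: str) -> dict:
        """Options handed to navigator.credentials.get(); the challenge is single use."""
        challenge = secrets.token_bytes(32)
        self.challenges[session_id] = challenge
        return {"challenge": b64url(challenge), "rpId": RP_ID, "userVerification": "required"}

    def finish(self, session_id: str, credential_id: str,
               client_data_json: bytes, authenticator_data: bytes) -> bytes:
        """Checks on the assertion; returns the bytes the authenticator signed."""
        challenge = self.challenges.pop(session_id, None)  # consumed even if checks fail
        if challenge is None:
            raise ValueError("unknown or already used session")
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.get":
            raise ValueError("wrong ceremony type")
        if b64url_decode(client_data.get("challenge", "")) != challenge:
            raise ValueError("challenge mismatch (replayed assertion?)")
        # The browser fills in the origin; a lookalike host cannot forge this field.
        if client_data.get("origin") != EXPECTED_ORIGIN:
            raise ValueError("origin mismatch")
        if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            raise ValueError("rpIdHash mismatch")
        flags = authenticator_data[32]
        if not flags & FLAG_UP:
            raise ValueError("user presence not confirmed")
        if not flags & FLAG_UV:
            raise ValueError("user verification required but not performed")
        count = struct.unpack(">I", authenticator_data[33:37])[0]
        if count and count <= self.sign_counts.get(credential_id, 0):
            raise ValueError("signature counter did not increase (cloned credential?)")
        self.sign_counts[credential_id] = count
        # Signed message per the spec: authenticatorData || SHA-256(clientDataJSON).
        return authenticator_data + hashlib.sha256(client_data_json).digest()


def make_authenticator_data(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) || flags(1) || signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)


def make_client_data(challenge_b64: str, origin: str) -> bytes:
    """Constructed clientDataJSON as a browser would produce it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge_b64, "origin": origin}).encode()


def demo() -> bytes:
    """Happy path: one ceremony on the expected origin with UP and UV set."""
    verifier = PasskeyVerifier()
    options = verifier.begin("session-1")
    auth_data = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 1)
    client_data = make_client_data(options["challenge"], EXPECTED_ORIGIN)
    return verifier.finish("session-1", "cred-1", client_data, auth_data)
```

Nothing in `finish()` contacts another service: the challenge is generated locally, the origin check is what makes the credential unusable from a phishing host, and the UV flag is how the server learns the device itself asked for the PIN or biometric.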

I’m also eager to see this feature implemented.

Home Assistant is currently the only island I have as everything else is integrated into AAD - even ZoneMinder, which I had to do some header magic with :wink:

Either way, my parents don’t like to deal with username and passwords so their phones are registered with AAD and do SSO; would be nice to see HASS also join the SSO party so that I don’t have to manually handle that for them. I also think it’s more secure - I have conditional access and 2FA enforced and no self-built system can provide the vast amount of security features well established industry solutions can.

Passkey/WebAuthN support would probably be more logical to implement anyway, since it would target a larger audience especially that Passkey is a new standard backed by Apple, Google, Microsoft…

2 Likes

+1 from me too.

Even if it is just to limit the amount of passwords and user accounts floating around.

1 Like