+1 to this. All 3 of the main avenues of increased security mentioned here are important:
2FA/passkeys (vital to good security)
Support for Cloudflare Zero Trust or other upstream authenticated proxies from the iOS app
Oauth-based SSO, including local providers like Keycloak or SaaS providers like Auth0/Okta
A 0day in HA code would mean that every HA install in the world that’s exposed to the internet would be vulnerable to any number of nasties, including ransomeware, home invasion for people local to the install, stalking/doxxing when the attacker gets access to location data, etc etc. HA has a pretty good security record so far but it’s not the main focus of the devs, and offloading security to the security experts is a very good practice.
I have my own OAuth server.
Not all users are allowed to access my Home Assistant server, so using Home Assistant itself as an OAuth server is not an option.
If SSO is unsafe or something like that, then also stop the ability to log into this forum with GitHub.
+1 to this too. I host my own Zitadel instance for SSO in all my services (a dozen), Home Assistant is the only one that is not compatible. The goal of all this would be to have one and only one user management system.
Here’s multiple attempts to contribute additional security capabilities to the android companion app all rejected recently and some in the last week…
While MTLs is possible for securing remote access via Cloudflare it doesn’t help with securing local access. OIDC is the best way to secure local access and add another layer to remote access if using MTLs already or without MTLs it’s much better than the built in auth provider in terms of security.
From the founder of home assistant.
We would not need these “hacks” if there was proper OIDC support builtin to home assistant.
Reading Frencks response in the github issue, it seemed pretty reasonable for the most part regarding OIDC/SAML/LDAP. Those all require more architecture than 99% of people are willing to maintain.
That said, I dont agree with his take on webauthn. I think webauthn should 100% be implemented into Home Assistant’s frontend. Ironically, you can even use it to sign into the forums here… Everyone is burnt out on password auth, and its objectively less secure. A big factor in taking control of your smart home should be properly securing it, as well as reducing UI friction. Webauthn helps in both of these areas.
I too run my own instance of Authentik to provide access to all my internal services… Having HA rolled into it would be great, as it is currently the only user-facing application that does need seperate accounts.
In 2024, Home Assistant sticks out like a sore thumb among FOSS projects for its lack of modern authentication and authorization.
We’re talking about access to our lights, cameras, security systems, locks, appliances, and countless other devices. Security must be paramount. It’s not sexy but it’s super important.
Please make it a core priority to implement these modern security standards in 2024!
Really good write up.
OIDC is not just for enterprise. I self-host 50+ services and configure OIDC or a auth proxy for most services with keycloak to have SSO & MFA.
+1 from me too. Sad to see so many MRs go to waste, but in all fairness, they should probably be external plugins anyway. What can be done to allow external authentication plugins properly?
Home Assistant already supports oAuth2 but with it’s built in identity provider.
It’s all about opening it up to other iDPs, which annoyingly is what they don’t want to do…
This is now the Sixth top voted feature request making the comment from balloob about this feature being “extremely edge case” well and truly refuted. It would be nice if we could have some official feedback regarding this request now.