Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

+1 to this. All 3 of the main avenues of increased security mentioned here are important:

  • 2FA/passkeys (vital to good security)
  • Support for Cloudflare Zero Trust or other upstream authenticated proxies from the iOS app
  • Oauth-based SSO, including local providers like Keycloak or SaaS providers like Auth0/Okta

A 0day in HA code would mean that every HA install in the world that’s exposed to the internet would be vulnerable to any number of nasties, including ransomeware, home invasion for people local to the install, stalking/doxxing when the attacker gets access to location data, etc etc. HA has a pretty good security record so far but it’s not the main focus of the devs, and offloading security to the security experts is a very good practice.

2 Likes

Also a +1 from me.

I have my own OAuth server.
Not all users are allowed to access my Home Assistant server, so using Home Assistant itself as an OAuth server is not an option.

If SSO is unsafe or something like that, then also stop the ability to log into this forum with GitHub.

1 Like

+1 here. Hoping something moves along here, since OIDC is here to stay.

1 Like

Yup, the authentication system is based on oauth they just don’t want external IdPs.

Let’s hope this changes and when it does, it will probably open the door to small smart offices in SoHo businesses.

The user base would grow and in a way, some aspects of security could be offloaded.

+1 to this too. I host my own Zitadel instance for SSO in all my services (a dozen), Home Assistant is the only one that is not compatible. The goal of all this would be to have one and only one user management system.

Here’s multiple attempts to contribute additional security capabilities to the android companion app all rejected recently and some in the last week…

While MTLs is possible for securing remote access via Cloudflare it doesn’t help with securing local access. OIDC is the best way to secure local access and add another layer to remote access if using MTLs already or without MTLs it’s much better than the built in auth provider in terms of security.

From the founder of home assistant.

We would not need these “hacks” if there was proper OIDC support builtin to home assistant.

5 Likes

Reading Frencks response in the github issue, it seemed pretty reasonable for the most part regarding OIDC/SAML/LDAP. Those all require more architecture than 99% of people are willing to maintain.

That said, I dont agree with his take on webauthn. I think webauthn should 100% be implemented into Home Assistant’s frontend. Ironically, you can even use it to sign into the forums here… Everyone is burnt out on password auth, and its objectively less secure. A big factor in taking control of your smart home should be properly securing it, as well as reducing UI friction. Webauthn helps in both of these areas.

5 Likes

Would also love to see OIDC implemented, I selfhost my SSO. It doesn’t go against the home assistant principles.

Another vote for SSO/OIDC and/or webauthn. I self host my own solutions for these

2 Likes

OIDC is a must.

1 Like

I too run my own instance of Authentik to provide access to all my internal services… Having HA rolled into it would be great, as it is currently the only user-facing application that does need seperate accounts.

1 Like

Voted +1

In 2024, Home Assistant sticks out like a sore thumb among FOSS projects for its lack of modern authentication and authorization.

We’re talking about access to our lights, cameras, security systems, locks, appliances, and countless other devices. Security must be paramount. It’s not sexy but it’s super important.

Please make it a core priority to implement these modern security standards in 2024!

7 Likes

Really good write up.
OIDC is not just for enterprise. I self-host 50+ services and configure OIDC or a auth proxy for most services with keycloak to have SSO & MFA.

5 Likes

+1. Bring OIDC

1 Like

+1 from me too. Sad to see so many MRs go to waste, but in all fairness, they should probably be external plugins anyway. What can be done to allow external authentication plugins properly?

1 Like

Home Assistant already supports oAuth2 but with it’s built in identity provider.
It’s all about opening it up to other iDPs, which annoyingly is what they don’t want to do…

3 Likes

+1 voted - this is needed. Thank you devs for all you do!!! Please, consider again introducing external authentication.

2 Likes

So they mentioned a focus on security at state of the open home. Sounds like OIDC would certainly help in that regard…

1 Like

This is now the Sixth top voted feature request making the comment from balloob about this feature being “extremely edge case” well and truly refuted. It would be nice if we could have some official feedback regarding this request now.

I am another user of OIDC for many self hosted services. I would love to see the ability to integrate Authentik and Home Assistant.

1 Like