Hi everyone, I would really like to get OpenID SSO running for HASS, so I have decided to have a crack at it in the next month or so. I'm planning on maintaining a fork of HASS based on the current release and will rebase every time a new release is made.
If people are keen for this, chuck a like on this message. When I have a working version I will chuck it here. I may see if I can get BeryJu to have a check over it when I am done; he is the creator of authentik and hass-auth-header.
I plan to look at these PRs.
I'm hoping that if I can get a stable version running that people use, HASS will eventually add it into core.
This would enable multiple Authentication plugins to be made and maintained by the community like the OpenID Connect plugin @christiaangoossens started to work on.
It’s just a shame there hasn’t been comment from the core maintainers regarding this approach specifically.
To chime in after this long time: I feel like this (@dugite-code) is the only solution left. I don’t mind the maintainers’ lack of enthusiasm to build it themselves, but the main feature request remains the same:
Dear maintainers,
Please add the necessary support to Home Assistant to create an authentication component that can:
Register a button in the normal auth UI
Redirect the user away through multiple steps, both on the web and in the Android and iOS apps, either through the native browser or an in app Browser Tab
End its interaction by telling Home Assistant which user email/id needs to be signed in
While this isn’t 100% what we want, I was able to use the command line auth provider with a Python script to connect to Authelia and add Duo authentication. For anyone interested, this is a possible route in the interim.
I didn’t even know this was possible. But use with caution of course.
Kind of weird though that this is supported but adding OIDC isn’t good or easy?
I was quite shocked when I noticed that HA does not support any modern authentication system.
+1 for OIDC.
Looking at the PRs and the comments it looks like they are actively blocking any movement into that direction.
I wonder if there is any business-bulls**t reason behind that. I just can’t see any good reason for not allowing users to have the freedom of choice for simple (built-in) security vs advanced configurable external security.
The lack of OIDC support and refusal to implement/consider PRs is what caused me to drop my Nabu Casa subscription. I don’t need or use the cloud services, but was happy to contribute for development purposes.
This is the most active feature request on this community forum. I am not confident with the basic authentication setting offered in Nabu Casa for something as intimate as my home, and I’m sure others feel the same. Allowing external identity providers that specialize in hardening login is a simpler approach than adding in MFA/password complexity requirements/password lifecycle/passkeys/etc.
Some acknowledgement from maintainers would go a long way. I understand there are a lot of competing priorities, but the community is here to help. Give us some direction to build towards!
A lot of this you can already do; it’s just not centrally located in the Settings section of the UI. In fact, the Map can be set as Admin only as of last month; look in the settings section under Dashboards. Restricting access to Views is done when creating or editing them, and as far as I can tell, you can’t edit them at all if you’re using a normal user account, nor can you even see the Settings section in the sidebar.
Just wanted to add my desire for OIDC implementation as well. For now, applications run from my home server are only accessible outside my home network via VPN connection. This is fine for my family, but obviously makes it impossible to share things with friends/family. A single authentication/authorization endpoint makes it FAR simpler for me to implement security measures like fail2ban or crowdsec. I will then feel comfortable opening select services to friends and family outside my home, and dropping the need for a VPN in most cases.
This is also a way to reduce friction in using the applications at home in terms of simplifying logins across multiple apps. The primary use case is when parents or in-laws visit. Having them sign in to each app is difficult (think HA, Jellyfin, house wiki, etc.). SSO solves this issue seamlessly EXCEPT with HA.
I’m both pleasantly surprised by the number of devs who’ve implemented OIDC as an option, and shocked at the number of large, well-known projects that aren’t even considering OIDC as an option! This seems like such an obvious choice in 2024, with thousands of examples to pull from.
The initial work is already being done by contributors to HA.
I know all the hype is around AI features right now, but frankly, SSO/OIDC is absolutely critical.
I’m curious what other large well-known projects “aren’t even considering OIDC”, and wondering if they have considered it and decided it didn’t fit with their vision of what the project needed for securing access.
OIDC is a requirement for anything running on my home network. Having no way to support OIDC for a multi user system implies the project is simply not mature enough to be trusted with anything important.
This isn’t really on-topic, so I’ll keep it brief. Generally I have leaned to ONLY choosing projects that use/plan to use OIDC. So I can’t really list the apps I don’t use. But a couple of examples: Vaultwarden (and most other password managers), Photoprism (and most photo apps), Homepage (and lots of dashboards), Jellyfin (although available via 3rd party plugin). For the longest time even apps like Nextcloud didn’t have native OIDC supported by their own organization, only third-party plugins supported by individuals.
As to why, I guess you’d have to search through each app’s GitHub repo.
I made an add-on for Authelia (I need to update config file generation).
Since Authelia is lightweight, it’s still “home user” friendly. Since HA OS can run many add-ons, it would make sense to get a way to manage access to individual apps, or at least provide SSO with HA user credentials. It can be done with ingress add-ons, but as add-on developers we don’t always want to add ingress auth.
I’m not an app developer, so am not conversant with a lot of the behind-the-scenes linkages being discussed. However…
As a user, it still terrifies me every time I log into Nabu Casa for remote access to my HASS instance without being able to use any form of MFA. This demonstrates that anyone in the world can control my HA system if they simply get hold of my user ID and password.
Anyone have an update on this? I know a lot of people are patiently waiting on integrating home assistant into their SSO. The fact that a project of this size STILL doesn’t have MFA support is honestly kinda shameful. I’d be willing to financially contribute to a fork if it was maintained.
Nabu Casa does not have multifactor auth, but HA does. You still need multifactor to get into HA, so that guy doesn’t understand the process. Yes it would be nice to have MFA on the cloud account, but having it won’t provide extra security for HA. It will provide extra security for your Nabu Casa account.
HA does not have SSO. SSO stands for Single Sign-On; do not confuse it with MFA (multi-factor authentication). You can turn on MFA inside each user’s configuration page.