Open letter for improving Home Assistant's Authentication system (OIDC, SSO)

This is now the sixth top-voted feature request, making the comment from balloob about this feature being “extremely edge case” well and truly refuted. It would be nice if we could have some official feedback regarding this request now.

I am another user of OIDC for many self hosted services. I would love to see the ability to integrate Authentik and Home Assistant.

1 Like

Hi everyone, I would really like to get OpenID SSO running for hass, so I have decided to have a crack at it in the next month or so. I'm planning on maintaining a fork of hass based on the current release and will rebase every time a new release is made.

If people are keen for this, chuck a like on this message. When I have a working version I will chuck it here. I may see if I can get BeryJu to have a check over it when I am done; he is the creator of authentik and hass-auth-header.

Plan to look at these PRs

I'm hoping that if I can get a stable version running that people use, hass will eventually add it into core.

6 Likes

I think the ideal approach (at least for the HA maintainers based on their previous comments in pull requests) would be to continue the work @christiaangoossens started with Allow DataEntryFlowStepExternal on the login screen by christiaangoossens · Pull Request #14471 · home-assistant/frontend (github.com)

This would enable multiple Authentication plugins to be made and maintained by the community like the OpenID Connect plugin @christiaangoossens started to work on.

It’s just a shame there hasn’t been comment from the core maintainers regarding this approach specifically.

3 Likes

To chime in after this long time: I feel like this (@dugite-code) is the only solution left. I don’t mind the maintainers’ lack of enthusiasm to build it themselves, but the main feature request remains the same:


Dear maintainers,

Please add the necessary support to Home Assistant to create an authentication component that can:

  • Register a button in the normal auth UI
  • Redirect the user away through multiple steps, both on the web and in the Android and iOS apps, either through the native browser or an in app Browser Tab
  • End its interaction by telling Home Assistant which user email/id needs to be signed in

These features should be added to the current Auth Provider registration feature, see: GitHub - christiaangoossens/hass-oidc-auth: OpenID Connect authentication provider for Home Assistant

The community can then build a WebAuthn, OIDC, SAML or what-have-you plugin ‘out-of-tree’.


Again thank you community for showing that this request is still very much alive :heart:

9 Likes

While this isn’t 100% what we want, I was able to use the command line auth provider with a Python script to connect to Authelia and add Duo authentication. For anyone interested, this is a possible route in the interim.

I didn’t even know this was possible. But use with caution of course.

Kind of weird though that this is supported but adding oidc isn’t good or easy?

3 Likes
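The interim route described above, as an added example rather than the poster's own script: a Home Assistant `command_line` auth provider script that delegates the password check to an external identity provider. Home Assistant runs the configured command with the submitted credentials in the environment variables `username` and `password`, treats exit code 0 as success and, with `meta: true`, reads `name = ...` lines from stdout. The Authelia `/api/firstfactor` endpoint, the `AUTHELIA_URL` placeholder and the injectable `opener`/`verify` parameters are assumptions for this example.

```python
#!/usr/bin/env python3
"""Home Assistant command_line auth provider delegating to Authelia.

Assumed configuration.yaml (meta: true lets the script return profile lines):
  homeassistant:
    auth_providers:
      - type: command_line
        command: /config/auth/authelia_check.py
        meta: true
"""
import json
import os
import sys
import urllib.request

# Assumed deployment URL; override via the environment of the HA process.
AUTHELIA_URL = os.environ.get("AUTHELIA_URL", "https://auth.example.internal")


def check_with_authelia(username, password, base_url=AUTHELIA_URL,
                        opener=urllib.request.urlopen):
    """Return True only if Authelia accepts the first factor (assumed API)."""
    body = json.dumps({"username": username, "password": password,
                       "keepMeLoggedIn": False}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api/firstfactor",
                                 data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with opener(req, timeout=5) as resp:
            return resp.status == 200 and json.load(resp).get("status") == "OK"
    except Exception:
        # Timeouts, TLS failures and HTTP 401 all mean deny; never fail open.
        return False


def main(env=os.environ, verify=check_with_authelia, out=sys.stdout):
    """Exit 0 on success; print only metadata, never the password."""
    username = env.get("username", "")
    password = env.get("password", "")
    if not username or not password:
        return 1
    if not verify(username, password):
        return 1
    # meta: true makes HA read 'key = value' lines to populate the profile.
    out.write(f"name = {username}\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```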

I was quite shocked when I noticed that HA does not support any modern authentication system.
+1 for OIDC.

Looking at the PRs and the comments it looks like they are actively blocking any movement into that direction.

I wonder if there is any business-bulls**t reason behind that. I just can’t see any good reason for not allowing users to have the freedom of choice for simple (built-in) security vs advanced configurable external security.

2 Likes

The lack of OIDC support and refusal to implement/consider PRs is what caused me to drop my Nabu Casa subscription. I don’t need or use the cloud services, but was happy to contribute for development purposes.

Much smaller projects like Immich and Mealie have seamless OIDC support that works perfectly with services like authentik.
https://github.com/immich-app/immich
https://github.com/mealie-recipes/mealie

1 Like

This is the most active feature request on this community forum. I am not confident with the basic authentication setting offered in Nabu Casa for something as intimate as my home, and I am sure others feel the same. Allowing external identity providers that specialize in hardening login is a simpler approach than adding in MFA/password complexity requirements/password lifecycle/passkey/etc.

Some acknowledgement from maintainers would go a long way. I understand there are a lot of competing priorities, but the community is here to help. Give us some direction to build towards!

A lot of this you can already do; it’s just not centrally located in the Settings section of the UI. In fact, the Map can be set as Admin only as of last month; look in the settings section under Dashboards. Restricting access to Views is done when creating or editing them, and as far as I can tell, you can’t edit them at all if you’re using a normal user account, nor can you even see the Settings section in the sidebar.

+1 for this. I want to use authentik to manage my users centrally.

Just wanted to add my desire for OIDC implementation as well. For now, applications run from my home server are only accessible outside my home network via VPN connection. This is fine for my family, but obviously makes it impossible to share things with friends/family. A single authentication/authorization endpoint makes it FAR simpler for me to implement security measures like fail2ban or crowdsec. I will then feel comfortable opening select services to friends and family outside my home, and dropping the need for a VPN in most cases.

This is also a way to reduce friction in using the applications at home in terms of simplifying logins across multiple apps. The primary use case is when parents or in-laws visit. Having them sign in to each app is difficult (think HA, Jellyfin, house wiki, etc.). SSO solves this issue seamlessly EXCEPT with HA.

I’m both pleasantly surprised by the number of devs who’ve implemented OIDC as an option, and shocked at the number of large, well-known projects that aren’t even considering OIDC as an option! This seems like such an obvious choice in 2024, with thousands of examples to pull from.

The initial work is already being done by contributors to HA.

I know all the hype is around AI features right now, but frankly, SSO/OIDC is absolutely critical.

1 Like