Sorry about that. Auth has too many terminologies that are incorrectly used interchangeably. What I meant was support for an external auth provider. And don't say hass-auth-headers: I'm talking native auth flow integration so I can actually use the HASS phone app with my SSO.
I could be wrong, but as far as I know, HA doesn't have a generic way to be an identity provider. So any service you'd want to put in the sidebar or UI would either have to be an integration (custom or built-in) and implement auth with the service ad hoc, or the service would have to allow unauthenticated access. That would work in the small, but isn't a solution to the problem.
This idea also precludes doing things like using SSO for something outside of the HA UI. E.g. the kubectl CLI, or some other scenario where another fairly standard identity provider would work. You’d basically have to have a second identity provider for everything else outside of HA.
It should be priority number 1 to integrate OIDC and proper permissions (especially for the history and logbook pages!). Is there anyone here who could make this possible? Maybe we should set up a bounty for this feature? I would pledge 50 EUR right now.
If I had to guess, users run these systems behind firewalls in most cases, so maintainers simply don't care about auth and don't want to spend development time on a feature that nobody is going to use much.
As one user commented above:
HA has a pretty good security record
This is like a Windows computer: connect it to the internet without a firewall and it gets hacked within minutes/hours.
The longer this thread gets, the clearer it becomes that the Home Assistant team can implement OIDC but refuses to. Pull requests for this are being closed; in the one I read, @frenck said this issue is better discussed on the forums. Where is the development team on this thread? Past arguments have also brought up security concerns and revocation of access as needed. These should be trivial to address; several other small projects in the open source community have done so with minimal friction. My hunch is this feature would cripple Home Assistant Cloud subscriptions in some way, making this more of a business decision.
Adding my voice to the people calling for this to be implemented. It’s absurd that I have to maintain a separate user database and security posture JUST for this application. I am honestly extremely disappointed in the developers’ reactions to the various attempts to implement this already, which doesn’t inspire confidence.
A bit surprised here as well. Using Authentik for most of my services now to escape Google. Most self-hosted services allow SSO: "big" ones like Nextcloud, but also smaller ones like Vikunja, or even something simple like Homarr. I honestly feel like proper SSO is a must-have for an application this big with multi-user support. Honestly a bit dumbfounded by the frenck reaction to the open letter. It's a couple of years old now; maybe his stance has changed since then? Feels like an oversight to not have proper SSO support in 2024 for such a huge tool as Home Assistant.
I am a bit surprised that Home Assistant, after all these years, has such poor support for auth providers. See this post: WTH: Additional authentication methods (single sign on). It mentions ready-made solutions that people have spent hours and hours on. It seems it was simply ignored after 2022?
I would love to see OpenID Connect authentication with, for example, Keycloak, but not using a command-line tool…
+1. Proper 2FA support and, to a lesser degree, SSO should be a top priority, but instead it seems integrating AI is seen as more important. You'd be delusional to think securing access to your home automation shouldn't be the absolute top priority in this day and age for a home automation system and its app ecosystem.
I was also really put off by frenck's response to the original open letter on GitHub. Super dismissive and condescending. Hopefully his attitude has changed since then.
Notify is supported as well (as in SMS codes, but also any other Home Assistant Notify integration). The link below is anchored to the notify section of the MFA docs.
Personally, I’m really hoping to see the webauthn code mentioned above pulled in as an alternative to password-based login. It’s not SSO, but it could be a leap forward for both security and convenience.
It would be great to allow the HA mobile apps to work when the HA server is behind an authentication middleware such as Authelia/Authentik. I believe auth header support in the apps is all that is required.
I've just implemented SSO across 90% of my self-hosted services, and I find it absolutely unbelievable that so many smaller projects like Audiobookshelf, FreshRSS, Mealie, Stirling PDF, Immich, Ryot, … implement this absolutely perfectly…
Yet Home Assistant, by far the most actively developed service I use, does not support this, even though many people have tried to implement it and got rejected because they consider the user base for this "negligible", even though this is the third-highest-voted open feature request…