Solved in 0.91 - Workaround to skip authentication default user on trusted network / Trusted network without authentication

Configuration
1

Scenario: Raspberry Pi loaded with Raspbian Stretch desktop, Home Assistant (~0.72 rev, pre Authentication Providers) running in a python virtual environment. The pi is connected to a wall mounted display via HDMI with no user input devices.

On Home Assistant load an automation is called, which runs a shell command to open the Home Assistant frontend (localhost) in chromium-browser’s incognito mode, as localhost is in the HTTP Trusted Networks is skips any login screens and loads the main interface.
However, this is broken since @awarecan added Add trusted networks auth provider #15812

Issue: Cannot find a workaround to automatically login / skip the login screen.

Ideas: I have the following ideas and any feedback would be greatly appreciated:

  1. Wait and see if someone introduces an “Option to use a default user on trusted network authentication”.

  2. Bodge-it / Browser Automation: As I have full control of the Pi from Home Assistant, I could use some sort of script automation to click "trusted network" and then a user from command line.

  3. Some undocumented method of passing the selected user in the URL to avoid using the login form.

  4. Hope someone can kindly implement what @elupus said in https://github.com/home-assistant/home-assistant/pull/21111#issuecomment-464605331 map a user to an trusted network
    E.G.

192.168.1.1/32:
    mapped_user: pete
192.168.1.2/32:
    mapped_user: dave
192.168.1.3/32:
    mapped_user_from_proxy: true

Any feedback or ideas would be really appreciated.

2

Already in just released 0.91.

You can close this post :smile:

1 Like
3

You can check the beta document here: https://rc.home-assistant.io/docs/authentication/providers/#skip-login-page-examples just in case the main document has not updated yet.

1 Like
4

Was just about to post similar: https://github.com/home-assistant/home-assistant/pull/22478

You need the bypass login feature. Imho a bit scary that it’s global, not per subnet but should usually work.

The map from proxy is not in that change thou, but your case should be fine.

5

Pull Request is always welcome :blush:

6

That’s fabulous, you are a star! :smile:
Post marked as solved.

7

Would have been easier if you accepted my que to make the subnets a dict instead of list. Then the trusted_users would not have needed to duplicate subnets, nor would a per subnet ignore option.

At some point I might though. Getting pulls through reviews are at the moment too much of a pain. Too many redesigns and unrelated changes that get tacked on just since somebody is touching the code (I know the need from project perspective though, many times been in the other side on xbmc/kodi)

1 Like
8

It’s funny you should say that, I did read your original discussions with interest.

9

That was just a design choice, no right or wrong there.

Going through code review process will benefit both reviewer and reviewee (is that even a word?). I learnt a lot from our fabulous reviewers.

10

@awarecan , Any idea how I could hide the " Do you want to save this login?" dialog when logging in via

allow_bypass_login: true

For a display with no user input this masks some of the screen. Note, I’m running incognito.

11

No such way.

12

I suppose I could try to edit the CSS, perhaps as a theme? Do you think that would work?

13

Couldn’t you also run a VNC Server on start?

14

Not sure how that would help?

15

Sorry, missed the inkognito mode.
But without it you could save the login and refresh the Browser on UI changes.

16

Thanks for the idea, but this is a wall mounted display with no user input. I could VNC in to click the button, but for the 10 displays I’m running this would be impracticable, plus I run incognito to avoid chrome asking to restore my last pages, etc.

I’m thinking I should be able to “break” the code which shows the “save my login” to stop it showing.

I.E. Diable home-assistant-polymer/src/dialogs/ ha-store-auth-card.js

If I can use a .js file to look for and then resize “ha-store-auth-card” to 1x1 pixels, it would achieve my problem. I could even link it to the autologin wall display user to only use that “theme”, so other users will still see the box.

17

I’m starting chrome from a script with sed commands to avoid this.

sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' ~/.config/google-chrome/Default/Preferences
sed -i 's/"exit_type":"Crashed"/"exit_type":"None"/' ~/.config/google-chrome/Default/Preferences
rm -r ~/.cache/google-chrome
gnome-terminal -x google-chrome --kiosk http://192.168.77.67:8123/lovelace/tpad_home

maybe one problem less.

1 Like
18

Nice, might give that a go :slight_smile:
My current:

start_chromium: /usr/bin/sudo -u pi DISPLAY=":0.0" chromium-browser --incognito --allow-insecure-localhost --noerrdialogs --disable-infobars --start-fullscreen --force-device-scale-factor={{ states.sensor.chrome_zoom_value.state }} "https://localhost/"

19

Ah, this only works until I restart home assistant, then it asks for the password again. Perhaps I need to automate pressing the “not now” button…

20

Final answer?

Since introducing this authentication system I’ve seen several posts flat out telling people who asked that there was no way to skip the login. Now with 0.91 we can skip the login only to save the login?

Personally I don’t trust anyone other than myself to handle authentication with any services that allow anything publicly into my home and have decided to secure my network as I see fit. While I understand the need for security for 90% of the users deploying home-assistant, its always been a bit of an annoyance to have to login twice with any type of SSO. Are there at least any plans or discussions around disabling a dialogue to save a login that is being bypassed?