Using Home Assistant to authenticate external apps?

Is it possible to use Home Assistant’s authentication mechanism to authenticate other applications? I have a few non-hass automation applications (Blue Iris, Grafana, etc.) that are exposed on subdomains of my install, and I’d like to be able to include them in iframes/panels in my UI without requiring a second login. I had previously used oauth_proxy, but ever since I switched to the Android app, Android’s restrictions about webviews showing external sites prevent me from redirecting to the oauth provider.

What I’d like to do is instead use nginx’s auth_request directive to tell nginx to just ask Home Assistant if the user is currently logged in, and redirect to the login page if not. However, since communication from Lovelace (whether in browser or in-app) appears to happen via websocket, whatever credentials are passed to an auth_request (if any) aren’t in a format that the REST API can understand.

I’m looking for any solution that satisfies the constraints:

  1. Works in both the browser and the app
  2. Only requires authentication once for both HA and non-HA applications
  3. Is still relatively secure

Right now I’ve gotten close by running a hacky CGI script next to my HA instance which accepts HTTP Basic credentials and checks them against the HA install, which only requires users to remember one set of credentials but still requires them to enter it twice.

Hoping someone can help me make the whole process a little more seamless 🙂
