christiaangoossens / hass-oidc-auth
OpenID Connect authentication provider for Home Assistant
License: MIT License
I know it's a WIP repository, but I don't understand what problem it's trying to solve.
If you're trying to skip the HASS login page (typically by redirecting to some SSO server like Authelia), then there's no way this can work, since redirection must happen before the HTTP request's body is started, and it's inside the body that the authentication API requests are triggered. Even with a JavaScript hack trying to change `window.location` to the SSO's login page, this will create a clunky user experience, where the browser loads the (heavy) login page and then throws it away to load the SSO login page.
Due to the code size of HASS, I'm not sure a solution like using a reverse proxy to HASS from Authelia is a good solution either (and again, it's clunky for any automation like the mobile app or any application that's not expecting this lengthy redirect dance).
If I understand correctly what was implemented here, and the HASS source code here, I think this isn't the right place to act.
Typically, I think it would be better if authentication would be completely bypassed (that is, by changing HASS core behavior to an "Always authenticated" auth provider that would simply ignore authentication if some internal + external header are present) so that the login page is never requested at all.
Then the code would hook into the AuthStore class instead, so it can request the OIDC provider here (like Authelia or any other) for the user's information, but from the server side. In case of failure (bad authentication, expired token, etc.), it would actually redirect the client (browser/mobile app) to the defined callback before any view is actually generated, so it's a real SSO process.
For a mobile app or any other application that isn't expecting this redirect dance, this can then be bypassed, since the required header won't be there: the default HASS login will trigger.
So the process would be something like:

    Web:    [SSO proxy] => [NGINX] => [HASS]
                        "X-InternalHeader: present"
    Mobile: [NGINX] => [HASS]
                        "No specific header present"

Inside HASS, the pseudo code would do:

    AlwaysValidAuthProvider:
        if (X-InternalHeader present) => change AuthStore to OIDCAuthStore
        else => forward to the next AuthProvider

    OIDCAuthStore:
        // From configuration, connect to the OIDC provider to check if a valid token is available.
        // If no token found, redirect client to the authentication page (next try should succeed then)
        // Else token is valid, extract information from OIDC
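The header-gated flow sketched in the comment above, as an added example in Python (the language Home Assistant is written in). This is not hass-oidc-auth or Home Assistant code and does not touch Home Assistant's auth APIs; the header name `X-InternalHeader` is taken from the comment, while the shared-secret value, the `Decision` type, the `groups` claim and the sample headers and token claims are assumptions constructed here. One caveat the example builds in: a header that only has to be "present" can be set by any client that reaches HASS directly, so the proxy must strip it from inbound requests and set a secret value, which HASS compares in constant time; a header carrying the wrong value is treated as a forgery rather than as a missing header. ID-token signature verification against the provider's JWKS is assumed to be done by an OIDC library before the claims reach `resolve_oidc_session`.

```python
"""Header-gated provider selection plus server-side OIDC claim checks.

Added example, not hass-oidc-auth or Home Assistant code. Header name,
secret, claim names, sample inputs and the Decision type are assumptions.
"""
import hmac
import time
from dataclasses import dataclass
from typing import Optional

INTERNAL_HEADER = "X-InternalHeader"  # name taken from the comment; value is assumed to be a secret


@dataclass
class Decision:
    # "fallthrough": no trusted header, hand off to the default HASS login (mobile app path)
    # "reject":      header present but not the proxy's secret (forgery or misconfiguration)
    # "redirect":    trusted header but no valid token, send the client to the SSO login page
    # "user":        trusted header and valid token, user info extracted from the claims
    action: str
    user: Optional[dict] = None
    location: Optional[str] = None


def select_provider(headers: dict, proxy_secret: str) -> str:
    """Mirror of the AlwaysValidAuthProvider branch in the comment.

    The header is only trusted when its value equals the secret shared with
    the SSO proxy; hmac.compare_digest avoids leaking the secret via timing."""
    # HTTP header names are case-insensitive, so match them that way
    value = next((v for k, v in headers.items()
                  if k.lower() == INTERNAL_HEADER.lower()), None)
    if value is None:
        return "fallthrough"
    if hmac.compare_digest(value.encode(), proxy_secret.encode()):
        return "oidc"
    return "reject"


def resolve_oidc_session(claims: Optional[dict], *, issuer: str, client_id: str,
                         login_url: str, now: Optional[float] = None) -> Decision:
    """Mirror of OIDCAuthStore, run server-side before any view is rendered.

    `claims` is the payload of an ID token whose signature was already checked
    by an OIDC library; None means no token was found for this session."""
    now = time.time() if now is None else now
    if claims is None:
        return Decision("redirect", location=login_url)
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # 'aud' may be a single string or a list
        aud = [aud]
    if claims.get("iss") != issuer or client_id not in aud:
        return Decision("redirect", location=login_url)  # token for another issuer/client
    if float(claims.get("exp", 0)) <= now:
        return Decision("redirect", location=login_url)  # expired, next try succeeds after re-login
    user = {
        "username": claims.get("preferred_username") or claims["sub"],
        "email": claims.get("email"),
        "groups": list(claims.get("groups", [])),  # 'groups' claim is an assumption
    }
    return Decision("user", user=user)


def handle_request(headers: dict, claims: Optional[dict], *, proxy_secret: str,
                   issuer: str, client_id: str, login_url: str,
                   now: Optional[float] = None) -> Decision:
    """Whole pipeline: header gate first, OIDC claim check only on the trusted path."""
    branch = select_provider(headers, proxy_secret)
    if branch == "fallthrough":
        return Decision("fallthrough")
    if branch == "reject":
        return Decision("reject")
    return resolve_oidc_session(claims, issuer=issuer, client_id=client_id,
                                login_url=login_url, now=now)


# Constructed sample inputs (not real deployments or tokens)
SECRET = "replace-with-a-long-random-value"
ISSUER = "https://auth.example.com"
CLIENT = "hass"
LOGIN = "https://auth.example.com/login?rd=https://hass.example.com/"
NOW = 1_700_000_000

WEB_HEADERS = {"X-InternalHeader": SECRET, "Host": "hass.example.com"}   # via the SSO proxy
MOBILE_HEADERS = {"Host": "hass.example.com"}                             # via NGINX only
FORGED_HEADERS = {"x-internalheader": "present"}                          # client-supplied header

VALID_CLAIMS = {"iss": ISSUER, "aud": CLIENT, "sub": "u1", "exp": NOW + 600,
                "preferred_username": "alice", "email": "alice@example.com",
                "groups": ["admins"]}
EXPIRED_CLAIMS = dict(VALID_CLAIMS, exp=NOW - 1)

if __name__ == "__main__":
    cases = [("web", WEB_HEADERS, VALID_CLAIMS), ("expired", WEB_HEADERS, EXPIRED_CLAIMS),
             ("mobile", MOBILE_HEADERS, None), ("forged", FORGED_HEADERS, VALID_CLAIMS)]
    for name, hdrs, cl in cases:
        print(name, handle_request(hdrs, cl, proxy_secret=SECRET, issuer=ISSUER,
                                   client_id=CLIENT, login_url=LOGIN, now=NOW))
```

The four constructed cases cover the two paths in the comment's diagram (web through the SSO proxy, mobile through NGINX alone) plus the two failure modes a deployment needs to handle: an expired token, which redirects to the SSO login before any view is built, and a client that supplies the internal header itself, which is rejected because the value is not the proxy's secret.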