diff --git a/custom_components/auth_oidc/__init__.py b/custom_components/auth_oidc/__init__.py index 35c0cf6..22e8c05 100644 --- a/custom_components/auth_oidc/__init__.py +++ b/custom_components/auth_oidc/__init__.py @@ -28,6 +28,7 @@ from .config import ( ROLES, NETWORK, FEATURES_INCLUDE_GROUPS_SCOPE, + FEATURES_DEFAULT_REDIRECT, FEATURES_FORCE_HTTPS, REQUIRED_SCOPES, ) @@ -43,6 +44,7 @@ from .endpoints import ( OIDCDeviceSSE, ) from .tools.oidc_client import OIDCClient +from .tools.types import OIDCWelcomeOptions from .provider import OpenIDAuthProvider _LOGGER = logging.getLogger(__name__) @@ -146,6 +148,7 @@ async def _setup_oidc_provider(hass: HomeAssistant, my_config: dict, display_nam name = re.sub(r"[^A-Za-z0-9 _\-\(\)]", "", name) force_https = features_config.get(FEATURES_FORCE_HTTPS, False) + default_redirect = features_config.get(FEATURES_DEFAULT_REDIRECT, False) await hass.http.async_register_static_paths( [ @@ -158,7 +161,15 @@ async def _setup_oidc_provider(hass: HomeAssistant, my_config: dict, display_nam ) hass.http.register_view( - OIDCWelcomeView(provider, name, force_https, has_other_auth_providers) + OIDCWelcomeView( + provider, + OIDCWelcomeOptions( + name=name, + force_https=force_https, + has_other_auth_providers=has_other_auth_providers, + prefers_skipping=default_redirect, + ), + ) ) hass.http.register_view(OIDCDeviceSSE(provider)) hass.http.register_view(OIDCRedirectView(oidc_client, provider, force_https)) diff --git a/custom_components/auth_oidc/config/const.py b/custom_components/auth_oidc/config/const.py index 4f2fda8..b269e8a 100644 --- a/custom_components/auth_oidc/config/const.py +++ b/custom_components/auth_oidc/config/const.py @@ -27,6 +27,7 @@ FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation" FEATURES_DISABLE_PKCE = "disable_rfc7636" FEATURES_INCLUDE_GROUPS_SCOPE = "include_groups_scope" FEATURES_FORCE_HTTPS = "force_https" +FEATURES_DEFAULT_REDIRECT = "default_redirect" CLAIMS = "claims" CLAIMS_DISPLAY_NAME = "display_name" CLAIMS_USERNAME = "username" diff --git a/custom_components/auth_oidc/config/schema.py b/custom_components/auth_oidc/config/schema.py index e7b9b9c..c289048 100644 --- a/custom_components/auth_oidc/config/schema.py +++ b/custom_components/auth_oidc/config/schema.py @@ -15,6 +15,7 @@ from .const import ( FEATURES_DISABLE_PKCE, FEATURES_INCLUDE_GROUPS_SCOPE, FEATURES_FORCE_HTTPS, + FEATURES_DEFAULT_REDIRECT, CLAIMS, CLAIMS_DISPLAY_NAME, CLAIMS_USERNAME, @@ -75,6 +76,13 @@ CONFIG_SCHEMA = vol.Schema( vol.Optional(FEATURES_FORCE_HTTPS, default=False): vol.Coerce( bool ), + # Welcome page will be skipped automatically if there are no + # other auth providers. + # This flag enables this behavior regardless of the amount + # of other auth providers. + vol.Optional( + FEATURES_DEFAULT_REDIRECT, default=False + ): vol.Coerce(bool), } ), # Determine which specific claims will be used from the id_token diff --git a/custom_components/auth_oidc/endpoints/welcome.py b/custom_components/auth_oidc/endpoints/welcome.py index ea8a6d2..5ed2ead 100644 --- a/custom_components/auth_oidc/endpoints/welcome.py +++ b/custom_components/auth_oidc/endpoints/welcome.py @@ -8,6 +8,7 @@ from aiohttp import web from homeassistant.components.http import HomeAssistantView from ..tools.helpers import error_response, get_url, template_response from ..provider import OpenIDAuthProvider +from ..tools.types import OIDCWelcomeOptions PATH = "/auth/oidc/welcome" @@ -20,16 +21,13 @@ class OIDCWelcomeView(HomeAssistantView): name = "auth:oidc:welcome" def __init__( - self, - oidc_provider: OpenIDAuthProvider, - name: str, - force_https: bool, - has_other_auth_providers: bool, + self, oidc_provider: OpenIDAuthProvider, options: OIDCWelcomeOptions ) -> None: self.oidc_provider = oidc_provider - self.name = name - self.force_https = force_https - self.has_other_auth_providers = has_other_auth_providers + self.name = options.get("name") + self.force_https = options.get("force_https") + self.has_other_auth_providers = options.get("has_other_auth_providers") + self.prefers_skipping = options.get("prefers_skipping") async def _process_url(self, redirect_uri: str) -> List[str, bool]: """Processes the redirect URI to determine if we need setTokens and if this is mobile.""" @@ -108,7 +106,9 @@ class OIDCWelcomeView(HomeAssistantView): # If this is the only provider and we are on desktop, # automatically go through the OIDC login - if not is_mobile and not self.has_other_auth_providers: + if not is_mobile and ( + not self.has_other_auth_providers or self.prefers_skipping + ): raise web.HTTPFound( location=get_url("/auth/oidc/redirect", self.force_https), headers=cookie_header, diff --git a/custom_components/auth_oidc/tools/types.py b/custom_components/auth_oidc/tools/types.py index e302aef..40be625 100644 --- a/custom_components/auth_oidc/tools/types.py +++ b/custom_components/auth_oidc/tools/types.py @@ -39,3 +39,19 @@ class OIDCState(dict): # IP address ip_address: str | None + + +class OIDCWelcomeOptions(dict): + """Options for the welcome screen""" + + # User friendly SSO name to display + name: str + + # Does the user force HTTPS on all generated URLs? + force_https: bool + + # Has the user registered any other auth providers? + has_other_auth_providers: bool + + # Does the user prefer to skip the welcome screen? + prefers_skipping: bool diff --git a/docs/configuration.md b/docs/configuration.md index 33245cd..1cf6db5 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -78,6 +78,19 @@ auth_oidc: This will show the provider on the login screen as: "Login with Example". +### Skipping the welcome screen +If you would like to skip the welcome screen, you can either enable the `features.default_redirect` feature, or [disable the Home Assistant auth provider](https://github.com/christiaangoossens/hass-oidc-auth/discussions/67). + +If you want to keep the default login (backup login) enabled, but still skip the welcome screen by default, you can configure the following yaml: + +```yaml +auth_oidc: + features: + default_redirect: true +``` + +If you have this feature enabled and you would like to use the backup login, make sure to append `?skip_oidc_redirect=true` to your login URL. For example, if your HA is at `https://ha.example.com`, you can go to `https://ha.example.com/?skip_oidc_redirect=true` to see the HA username/password login screen. + ### Forcing HTTPS First check if you are setting the header `X-Forwarded-Proto` in your proxy and if the [proxy settings for Home Assistant](https://www.home-assistant.io/integrations/http/#use_x_forwarded_for) are configured correctly. You should also check if IP addresses in your logs actually match the origin IP (instead of proxy IP). If you cannot find any mistakes, you may use the following config option to force HTTPS regardless: @@ -161,6 +174,7 @@ Here's a table of all options that you can set: | `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. | | `features.include_groups_scope` | `boolean` | No | `true` | Include the 'groups' scope in the OIDC request. Set to `false` to exclude it. | | `features.force_https` | `boolean` | No | `false` | Set to `true` to force all URLs generated to use `https` instead of automatically determining based on the request scheme or `X-Forwarded-Proto`. | +| `features.default_redirect` | `boolean` | No | `false` | Set to `true` to always skip the welcome screen (on desktop), regardless of if there are any other auth providers registered. | | `claims.display_name` | `string` | No | `name` | The claim to use to obtain the display name. | `claims.username` | `string` | No | `preferred_username` | The claim to use to obtain the username. | `claims.groups` | `string` | No | `groups` | The claim to use to obtain the user's group(s). | diff --git a/tests/test_hass_webserver.py b/tests/test_hass_webserver.py index d6761f7..eb114e8 100644 --- a/tests/test_hass_webserver.py +++ b/tests/test_hass_webserver.py @@ -4,7 +4,12 @@ import base64 import os from urllib.parse import parse_qs, quote, unquote, urlparse, urlencode from unittest.mock import AsyncMock, MagicMock, patch -from auth_oidc.config.const import DISCOVERY_URL, CLIENT_ID +from auth_oidc.config.const import ( + DISCOVERY_URL, + CLIENT_ID, + FEATURES, + FEATURES_DEFAULT_REDIRECT, +) from pytest_homeassistant_custom_component.typing import ClientSessionGenerator import pytest @@ -98,6 +103,28 @@ async def test_redirect_page_registration( assert resp2.status == 302 +@pytest.mark.asyncio +async def test_welcome_page_default_redirect( + hass: HomeAssistant, hass_client: ClientSessionGenerator +): + """Test that the welcome page returns a redirect when default_redirect is preferred.""" + + mock_config = { + DOMAIN: { + CLIENT_ID: "dummy", + DISCOVERY_URL: "https://example.com/.well-known/openid-configuration", + FEATURES: {FEATURES_DEFAULT_REDIRECT: True}, + } + } + + result = await async_setup_component(hass, DOMAIN, mock_config) + assert result + + client = await hass_client() + resp = await client.get("/auth/oidc/welcome", allow_redirects=False) + assert resp.status == 302 + + @pytest.mark.asyncio async def test_welcome_rejects_invalid_encoded_redirect_uri( hass: HomeAssistant, hass_client: ClientSessionGenerator