Add groups scope option & fixup features.include_groups_scope (#42)

This commit is contained in:
Christiaan Goossens
2025-02-15 13:25:04 +01:00
committed by GitHub
parent 29a2545396
commit d565380435
3 changed files with 19 additions and 5 deletions


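--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -63,6 +63,7 @@ With the default configuration, [a person entry](https://www.home-assistant.io/i
 | `discovery_url` | `string` | Yes | | The OIDC well-known configuration URL. |
 | `display_name` | `string` | No | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen. |
 | `id_token_signing_alg` | `string` | No | `RS256` | The signing algorithm that is used for your id_tokens.
+| `groups_scope` | `string` | No | `groups` | Override the default grups scope with another scope of your choice. |
 | `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. |
 | `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. |
 | `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. |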


@@ -16,6 +16,7 @@ from .config import (
DISCOVERY_URL, DISCOVERY_URL,
DISPLAY_NAME, DISPLAY_NAME,
ID_TOKEN_SIGNING_ALGORITHM, ID_TOKEN_SIGNING_ALGORITHM,
GROUPS_SCOPE,
FEATURES, FEATURES,
CLAIMS, CLAIMS,
ROLES, ROLES,
@@ -53,12 +54,20 @@ async def async_setup(hass: HomeAssistant, config):
_LOGGER.info("Registered OIDC provider") _LOGGER.info("Registered OIDC provider")
# We only use openid, profile & groups, never email # Set the correct scopes
include_groups_scope = my_config[FEATURES].get(FEATURES_INCLUDE_GROUPS_SCOPE, True) # Always use 'openid' & 'profile' as they are specified in the OIDC spec
# All servers should support this
scope = "openid profile" scope = "openid profile"
if include_groups_scope:
scope += " groups"
# Include groups if requested (default is to include 'groups'
# as a scope for Authelia & Authentik)
features_config = my_config.get(FEATURES, {})
include_groups_scope = features_config.get(FEATURES_INCLUDE_GROUPS_SCOPE, True)
groups_scope = my_config.get(GROUPS_SCOPE, "groups")
if include_groups_scope:
scope += " " + groups_scope
# Create the OIDC client
oidc_client = oidc_client = OIDCClient( oidc_client = oidc_client = OIDCClient(
hass=hass, hass=hass,
discovery_url=my_config.get(DISCOVERY_URL), discovery_url=my_config.get(DISCOVERY_URL),
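Review bot: The `"groups"` fallback in `groups_scope = my_config.get(GROUPS_SCOPE, "groups")` duplicates the `default="groups"` declared on the `GROUPS_SCOPE` schema key, so the two literals can drift apart; if `my_config` is the output of `CONFIG_SCHEMA` validation (not visible in this hunk) the fallback never fires and a plain `my_config[GROUPS_SCOPE]`, or one shared constant in the config module used by both places, would be clearer. The `True` fallback in `features_config.get(FEATURES_INCLUDE_GROUPS_SCOPE, True)` exists for the same reason: `FEATURES` is declared `vol.Optional(FEATURES)` with no default, so the nested `default=True` is never applied when the `features` block is omitted, which is exactly the crash the old `my_config[FEATURES]` had. Declaring the block as `vol.Optional(FEATURES, default={}): vol.Schema(...)` would let the nested defaults be filled in during validation and make both `.get(..., default)` fallbacks redundant. `async_setup` begins before this hunk and continues after it.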


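--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -7,6 +7,7 @@ CLIENT_SECRET = "client_secret"
 DISCOVERY_URL = "discovery_url"
 DISPLAY_NAME = "display_name"
 ID_TOKEN_SIGNING_ALGORITHM = "id_token_signing_alg"
+GROUPS_SCOPE = "groups_scope"
 FEATURES = "features"
 FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
 FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
@@ -42,6 +43,9 @@ CONFIG_SCHEMA = vol.Schema(
 # Should we enforce a specific signing algorithm on the id tokens?
 # Defaults to RS256/RSA-pubkey
 vol.Optional(ID_TOKEN_SIGNING_ALGORITHM): vol.Coerce(str),
+# String value to allow changing the groups scope
+# Defaults to 'groups' which is used by Authelia and Authentik
+vol.Optional(GROUPS_SCOPE, default="groups"): vol.Coerce(str),
 # Which features should be enabled/disabled?
 # Optional, defaults to sane/secure defaults
 vol.Optional(FEATURES): vol.Schema(
@@ -57,7 +61,7 @@ CONFIG_SCHEMA = vol.Schema(
 # Feature flag to disable PKCE to support OIDC servers that do not
 # allow additional parameters and don't support RFC 7636
 vol.Optional(FEATURES_DISABLE_PKCE): vol.Coerce(bool),
-# Make a bool which activates and deactivates scope 'groups'
+# Boolean which activates and deactivates scope 'groups'
 vol.Optional(
 FEATURES_INCLUDE_GROUPS_SCOPE, default=True
 ): vol.Coerce(bool),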
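Review bot: `vol.Optional(GROUPS_SCOPE, default="groups"): vol.Coerce(str)` accepts any string, including an empty one or one containing spaces, and `async_setup` appends the value to the space-separated scope string unchanged (`scope += " " + groups_scope`), so a value with a space silently requests additional scopes and an empty value leaves a trailing space in the authorization request. RFC 6749 §3.3 defines a scope token as one or more printable ASCII characters excluding space, double quote and backslash, so the schema is the right place to enforce that shape: `vol.Optional(GROUPS_SCOPE, default="groups"): vol.All(vol.Coerce(str), vol.Match(r"^[\x21\x23-\x5B\x5D-\x7E]+$")),`. The comment rewritten in the last hunk, `# Boolean which activates and deactivates scope 'groups'`, still hard-codes the scope name this commit makes configurable; `# Boolean which activates and deactivates the groups scope (name taken from groups_scope)` would keep the two in step. The `CONFIG_SCHEMA` literal starts before these hunks and ends after them.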