Fixes Home Assistant error about re-creating HTTP sessions (#22 )

* Bump to 0.5.1 * Prevent HA errors about HTTP session left open
feat: enable verification of certs via network.tls_verify and private CA chains with network.tls_ca_path (#16 )
2025-01-12 12:43:41 +01:00 · 2025-01-06 10:09:30 +01:00 · 2025-01-05 22:24:48 +01:00 · 2025-01-01 16:28:48 +01:00 · 2024-12-31 16:54:39 +01:00 · 2024-12-28 21:37:00 +01:00
22 changed files with 1056 additions and 222 deletions
--- a/.pylintrc
+++ b/.pylintrc
@@ -308,7 +308,7 @@ max-locals=15
 max-parents=7
 # Maximum number of positional arguments for function / method.
-max-positional-arguments=5
+#max-positional-arguments=5
 # Maximum number of public methods for a class (see R0904).
 max-public-methods=20
@@ -439,7 +439,9 @@ disable=raw-checker-failed,
        use-symbolic-message-instead,
        use-implicit-booleaness-not-comparison-to-string,
        use-implicit-booleaness-not-comparison-to-zero,
-        relative-beyond-top-level
+        relative-beyond-top-level,
        # Allow keeping TODOs in the code
        fixme
 # Enable the message, report, category or checker with the given id(s). You can
 # either give multiple identifier separated by comma (,) or put this option
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 # OIDC Auth for Home Assistant
 > [!CAUTION]
-> This is a pre-alpha release. I give no guarantees about code quality, error handling or security at this stage. Please treat this repo as a proof of concept for now and only use it on development HA installs.
+> This is an alpha release. I give no guarantees about code quality, error handling or security at this stage. Use at your own risk.
-Provides an OIDC implementation for Home Assistant.
+Provides an OpenID Connect (OIDC) implementation for Home Assistant through a custom component/integration. Through this integration, you can create an SSO (single-sign-on) environment within your self-hosted application stack / homelab.
 ### Background
 If you would like to read the background/open letter that lead to this component, please see https://community.home-assistant.io/t/open-letter-for-improving-home-assistants-authentication-system-oidc-sso/494223. It is currently one of the most upvoted feature requests for Home Assistant.
@@ -28,20 +28,88 @@ Register your client with your OIDC Provider (e.g. Authentik/Authelia) as a publ
 For example:
 ```yaml
 auth_oidc:
-   client_id: "someValueForTheClientId"
+    client_id: "someValueForTheClientId"
-   discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
+    discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
 ```
-Afterwards, restart Home Assistant.
+Afterwards, restart Home Assistant. 
 You can find all possible configuration options below.
 ### Login
 You should now be able to see a second option on your login screen ("OpenID Connect (SSO)"). It provides you with a single input field.
-Sadly, the user experience is pretty poor right now. Go to `/auth/oidc/welcome` (for example `https://hass.io/auth/oidc/welcome`, replace the URL with your Home Assistant URL) and follow the prompts provided to login, then copy the code into the input field from before. You should now login automatically with your username from SSO.
+To start, go to one of to one of these URLs (you may also set these as application URLs in your OIDC Provider):
 - `/auth/oidc/welcome` (if you would like a nice welcome screen for your users)
 - `/auth/oidc/redirect` (if you would like to just redirect them without a welcome screen)
 So, for example, you may start at http://homeassistant.local:8123/auth/oidc/welcome.
 > [!TIP]
 > You can use a different device to login instead. Open the `/auth/oidc/welcome` link on device A and then type the obtained code into the normal HA login on device B (can also be the mobile app) to login.
 > [!TIP]
 > For a seamless user experience, configure a new domain on your proxy to redirect to the `/auth/oidc/welcome` path or configure that path on your homelab dashboard or in Authentik. Users will then always start on the OIDC welcome page, which will allow them to visit the dashboard if they are already logged in.
 With the default configuration, [a person entry](https://www.home-assistant.io/integrations/person/) will be created for every new OIDC user logging in. New OIDC users will get their own fresh user, linked to their persistent ID (subject) at the OpenID Connect provider. You may change your name, username or email at the provider and still have the same Home Assistant user profile.
 ### Configuration Options
 | Option                      | Type     | Required | Default             | Description                                                                                             |
 |-----------------------------|----------|----------|----------------------|---------------------------------------------------------------------------------------------------------|
 | `client_id`                 | `string` | Yes      |                      | The Client ID as registered with your OpenID Connect provider.                                        |
 | `client_secret`            | `string` | No       |                      | The Client Secret for enabling confidential client mode.                                             |
 | `discovery_url`            | `string` | Yes      |                      | The OIDC well-known configuration URL.                                                                |
 | `display_name`              | `string` | No       | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen.                                                                |
 | `id_token_signing_alg`       | `string` | No       | `RS256`              | The signing algorithm that is used for your id_tokens.
 | `features.automatic_user_linking`   | `boolean`| No       | `false`          | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login.     |
 | `features.automatic_person_creation` | `boolean` | No       | `true`          | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users.                                            |
 | `features.disable_rfc7636`  | `boolean`| No       | `false`         | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers.                                    |
 | `claims.display_name`      | `string` | No       | `name`                     | The claim to use to obtain the display name.
 | `claims.username`         | `string` | No       | `preferred_username`                     | The claim to use to obtain the username.
 | `claims.groups`            | `string` | No       | `groups`                     | The claim to use to obtain the user's group(s). |
 | `roles.admin`            | `string` | No       | `admins`                     | Group name to require for users to get the 'admin' role in Home Assistant. Defaults to 'admins', the default group name for admins in Authentik. Doesn't do anything if no groups claim is found in your token. |
 | `roles.user`            | `string` | No       |                     | Group name to require for users to get the 'user' role in Home Assistant. Defaults to giving all users this role, unless configured. |
 | `network.tls_verify`         | `boolean` | No       | `true`                     | Verify TLS certificate. You may want to set this set to `false` when testing locally. |
 | `network.tls_ca_path`            | `string` | No       |                       | Path to file containing a private certificate authority chain. |
 #### Example: Migrating from HA username/password users to OIDC users
 If you already have users created within Home Assistant and would like to re-use the current user profile for your OIDC login, you can (temporarily) enable `features.automatic_user_linking`, with the following config (example):
 ```yaml
 auth_oidc:
    client_id: "someValueForTheClientId"
    discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
    features:
        automatic_user_linking: true
 ```
 Upon login, OIDC users will then automatically be linked to the HA user with the same username.
 > [!IMPORTANT]
 > It's recommended to only enable this temporarily as it may pose a security risk. Any OIDC user with a username corresponding to a user in Home Assistant can get access to that user, and it's existing rights (admin), even if MFA is currently enabled for that account. After you have migrated your users (and linked OIDC to all existing accounts) you can disable the feature and keep using the linked users.
 #### Example: Using a private certificate authority
 If you use a private certificate authority to secure your OIDC provider (e.g. Keycloak), your CA must be able to be used by this component. Otherwise you will receive a certificate error (`[SSL: CERTIFICATE_VERIFY_FAILED]`) when connecting to the OIDC provider.
 You can either make the CA known to the entire operating system or configure only this component to use the CA. If you only want to let this component know your CA, you can specify it via `network.tls_ca_path`:
 ```yaml
 auth_oidc:
    network:
        tls_ca_path: /path/to/private-ca.pem
 ```
 If you want to deactivate the validation of the certificates for test purposes, you can do this via `network.tls_verify: false`:
 ```yaml
 auth_oidc:
    network:
        tls_verify: false
 ```
 In productive use, however, you should set `network.tls_verify` to `true`.
 ## Development
 This project uses the Rye package manager for development. You can find installation instructions here: https://rye.astral.sh/guide/installation/.
 Start by installing the dependencies using `rye sync` and then point your editor towards the environment created in the `.venv` directory.
@@ -55,20 +123,20 @@ Currently, this is a pre-alpha, so I welcome issues but I cannot guarantee I can
 - [X] Basic flow
 - [X] Implement a final link back to the main page from the finish page
- [ ] Improve welcome screen UI, should render a simple centered Tailwind UI instructing users that you should login externally to obtain a code.
+- [X] Improve welcome screen UI, should render a simple centered Tailwind UI instructing users that you should login externally to obtain a code.
- [ ] Improve finish screen UI, showing the code clearly with a copy button and instructions to paste it into Home Assistant.
+- [X] Improve finish screen UI, showing the code clearly with instructions to paste it into Home Assistant.
- [ ] Implement error handling on top of this proof of concept (discovery, JWKS, OIDC)
+- [X] Implement error handling on top of this proof of concept (discovery, JWKS, OIDC)
- [ ] Make id_token claim used for the group (admin/user) configurable
+- [X] Make id_token claim used for the group (admin/user) configurable
- [ ] Make id_token claim used for the username configurable
+- [X] Make id_token claim used for the username configurable
- [ ] Make id_token claim used for the name configurable
+- [X] Make id_token claim used for the name configurable
 - [ ] Add instructions on how to deploy this with Authentik & Authelia
 - [X] Configure Github Actions to automatically lint and build the package
 - [ ] Configure Dependabot for automatic updates
 - [ ] Configure tests
- [ ] Consider use of setup UI instead of YAML
+- [ ] Consider use of setup UI instead of YAML (see https://github.com/christiaangoossens/hass-oidc-auth/discussions/6)
-Currently impossible TODOs (waiting for assistance from HA devs, not possible without forking HA frontend & apps right now):
+Currently waiting on HA feature additions:
 - [ ] Update the HA frontend code to allow a redirection to be requested from an auth provider instead of manually opening welcome page (possibly after https://github.com/home-assistant/frontend/pull/23204)
 - [ ] Implement this redirection logic to open a new tab on desktop (#23204 uses popup)
- [ ] Implement this redirection logic to open a Android Custom Tab (Android) / SFSafariViewController (iOS), instead of opening the link in the HA webview
+- [ ] Implement this redirection logic to open a Android Custom Tab (Android) / SFSafariViewController (iOS), instead of opening the link in the HA webview
--- a/custom_components/auth_oidc/init.py
+++ b/custom_components/auth_oidc/init.py
@@ -3,9 +3,27 @@
 import logging
 from typing import OrderedDict
 import voluptuous as vol
 from homeassistant.core import HomeAssistant
 # Import and re-export config schema explictly
 # pylint: disable=useless-import-alias
 from .config import (
    CONFIG_SCHEMA as CONFIG_SCHEMA,
    DOMAIN,
    DEFAULT_TITLE,
    CLIENT_ID,
    CLIENT_SECRET,
    DISCOVERY_URL,
    DISPLAY_NAME,
    ID_TOKEN_SIGNING_ALGORITHM,
    FEATURES,
    CLAIMS,
    ROLES,
    NETWORK,
 )
 # pylint: enable=useless-import-alias
 from .endpoints.welcome import OIDCWelcomeView
 from .endpoints.redirect import OIDCRedirectView
 from .endpoints.finish import OIDCFinishView
@@ -14,52 +32,50 @@ from .endpoints.callback import OIDCCallbackView
 from .oidc_client import OIDCClient
 from .provider import OpenIDAuthProvider
 DOMAIN = "auth_oidc"
 _LOGGER = logging.getLogger(__name__)
 CONFIG_SCHEMA = vol.Schema(
    {
        DOMAIN: vol.Schema(
            {
                vol.Required("client_id"): vol.Coerce(str),
                vol.Optional("client_secret"): vol.Coerce(str),
                vol.Required("discovery_url"): vol.Coerce(str),
            }
        )
    },
    extra=vol.ALLOW_EXTRA,
 )
 async def async_setup(hass: HomeAssistant, config):
    """Add the OIDC Auth Provider to the providers in Home Assistant"""
    my_config = config[DOMAIN]
    providers = OrderedDict()
    # Use private APIs until there is a real auth platform
    # pylint: disable=protected-access
-    provider = OpenIDAuthProvider(
+    provider = OpenIDAuthProvider(hass, hass.auth._store, my_config)
        hass,
        hass.auth._store,
        config[DOMAIN],
    )
    providers[(provider.type, provider.id)] = provider
    providers.update(hass.auth._providers)
    hass.auth._providers = providers
    # pylint: enable=protected-access
-    _LOGGER.debug("Added OIDC provider for Home Assistant")
+    _LOGGER.info("Registered OIDC provider")
-    # Define some fields
+    # We only use openid, profile & groups, never email
-    discovery_url: str = config[DOMAIN]["discovery_url"]
+    scope = "openid profile groups"
    client_id: str = config[DOMAIN]["client_id"]
    scope: str = "openid profile email"
-    oidc_client = oidc_client = OIDCClient(discovery_url, client_id, scope)
+    oidc_client = oidc_client = OIDCClient(
        hass=hass,
        discovery_url=my_config.get(DISCOVERY_URL),
        client_id=my_config.get(CLIENT_ID),
        scope=scope,
        client_secret=my_config.get(CLIENT_SECRET),
        id_token_signing_alg=my_config.get(ID_TOKEN_SIGNING_ALGORITHM),
        features=my_config.get(FEATURES, {}),
        claims=my_config.get(CLAIMS, {}),
        roles=my_config.get(ROLES, {}),
        network=my_config.get(NETWORK, {}),
    )
-    hass.http.register_view(OIDCWelcomeView())
+    # Register the views
    name = config[DOMAIN].get(DISPLAY_NAME, DEFAULT_TITLE)
    hass.http.register_view(OIDCWelcomeView(name))
    hass.http.register_view(OIDCRedirectView(oidc_client))
    hass.http.register_view(OIDCCallbackView(oidc_client, provider))
    hass.http.register_view(OIDCFinishView())
    _LOGGER.info("Registered OIDC views")
    return True
--- a/custom_components/auth_oidc/config.py
+++ b/custom_components/auth_oidc/config.py
@@ -0,0 +1,102 @@
 """Config schema and constants."""
 import voluptuous as vol
 CLIENT_ID = "client_id"
 CLIENT_SECRET = "client_secret"
 DISCOVERY_URL = "discovery_url"
 DISPLAY_NAME = "display_name"
 ID_TOKEN_SIGNING_ALGORITHM = "id_token_signing_alg"
 FEATURES = "features"
 FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
 FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
 FEATURES_DISABLE_PKCE = "disable_rfc7636"
 CLAIMS = "claims"
 CLAIMS_DISPLAY_NAME = "display_name"
 CLAIMS_USERNAME = "username"
 CLAIMS_GROUPS = "groups"
 ROLES = "roles"
 ROLE_ADMINS = "admin"
 ROLE_USERS = "user"
 NETWORK = "network"
 NETWORK_TLS_VERIFY = "tls_verify"
 NETWORK_TLS_CA_PATH = "tls_ca_path"
 DEFAULT_TITLE = "OpenID Connect (SSO)"
 DOMAIN = "auth_oidc"
 CONFIG_SCHEMA = vol.Schema(
    {
        DOMAIN: vol.Schema(
            {
                # Required client ID as registered with the OIDC provider
                vol.Required(CLIENT_ID): vol.Coerce(str),
                # Optional Client Secret to enable confidential client mode
                vol.Optional(CLIENT_SECRET): vol.Coerce(str),
                # Which OIDC well-known URL should we use?
                vol.Required(DISCOVERY_URL): vol.Coerce(str),
                # Which name should be shown on the login screens?
                vol.Optional(DISPLAY_NAME): vol.Coerce(str),
                # Should we enforce a specific signing algorithm on the id tokens?
                # Defaults to RS256/RSA-pubkey
                vol.Optional(ID_TOKEN_SIGNING_ALGORITHM): vol.Coerce(str),
                # Which features should be enabled/disabled?
                # Optional, defaults to sane/secure defaults
                vol.Optional(FEATURES): vol.Schema(
                    {
                        # Automatically links users to the HA user based on OIDC username claim
                        # See provider.py for explanation
                        vol.Optional(FEATURES_AUTOMATIC_USER_LINKING): vol.Coerce(bool),
                        # Automatically creates a person entry for your new OIDC user
                        # See provider.py for explanation
                        vol.Optional(FEATURES_AUTOMATIC_PERSON_CREATION): vol.Coerce(
                            bool
                        ),
                        # Feature flag to disable PKCE to support OIDC servers that do not
                        # allow additional parameters and don't support RFC 7636
                        vol.Optional(FEATURES_DISABLE_PKCE): vol.Coerce(bool),
                    }
                ),
                # Determine which specific claims will be used from the id_token
                # Optional, defaults to most common claims
                vol.Optional(CLAIMS): vol.Schema(
                    {
                        # Which claim should we use to obtain the display name from OIDC?
                        vol.Optional(CLAIMS_DISPLAY_NAME): vol.Coerce(str),
                        # Which claim should we use to obtain the username from OIDC?
                        vol.Optional(CLAIMS_USERNAME): vol.Coerce(str),
                        # Which claim should we use to obtain the group(s) from OIDC?
                        vol.Optional(CLAIMS_GROUPS): vol.Coerce(str),
                    }
                ),
                # Determine which specific group values will be mapped to which roles
                # Optional, defaults user = null, admin = 'admins'
                # If user role is set, users that do not have either will be rejected!
                vol.Optional(ROLES): vol.Schema(
                    {
                        # Which group name should we use to assign the user role?
                        vol.Optional(ROLE_USERS): vol.Coerce(str),
                        # What group name should we use to assign the admin role?
                        # Defaults to admins
                        vol.Optional(ROLE_ADMINS): vol.Coerce(str),
                    }
                ),
                # Network options
                vol.Optional(NETWORK): vol.Schema(
                    {
                        # Verify x509 certificates provided when starting TLS connections
                        vol.Optional(NETWORK_TLS_VERIFY, default=True): vol.Coerce(
                            bool
                        ),
                        # Load custom certificate chain for private CAs
                        vol.Optional(NETWORK_TLS_CA_PATH): vol.Coerce(str),
                    }
                ),
            }
        )
    },
    # Any extra fields should not go into our config right now
    # You may set them for upgrading etc
    extra=vol.REMOVE_EXTRA,
 )
--- a/custom_components/auth_oidc/endpoints/callback.py
+++ b/custom_components/auth_oidc/endpoints/callback.py
@@ -4,7 +4,7 @@ from homeassistant.components.http import HomeAssistantView
 from aiohttp import web
 from ..oidc_client import OIDCClient
 from ..provider import OpenIDAuthProvider
-from ..helpers import get_url
+from ..helpers import get_url, get_view
 PATH = "/auth/oidc/callback"
@@ -30,21 +30,37 @@ class OIDCCallbackView(HomeAssistantView):
        state = params.get("state")
        if not (code and state):
-            return web.Response(
+            view_html = await get_view(
-                headers={"content-type": "text/html"},
+                "error",
-                text="<h1>Error</h1><p>Missing code or state parameter</p>",
+                {
                    "error": "Missing code or state parameter.",
                },
            )
            return web.Response(text=view_html, content_type="text/html")
        redirect_uri = get_url("/auth/oidc/callback")
        user_details = await self.oidc_client.async_complete_token_flow(
            redirect_uri, code, state
        )
        if user_details is None:
-            return web.Response(
+            view_html = await get_view(
-                headers={"content-type": "text/html"},
+                "error",
-                text="<h1>Error</h1><p>Failed to get user details, see console.</p>",
+                {
                    "error": "Failed to get user details, "
                    + "see Home Assistant logs for more information.",
                },
            )
            return web.Response(text=view_html, content_type="text/html")
        if user_details.get("role") == "invalid":
            view_html = await get_view(
                "error",
                {
                    "error": "User is not in the correct group to access Home Assistant, "
                    + "contact your administrator!",
                },
            )
            return web.Response(text=view_html, content_type="text/html")
        code = await self.oidc_provider.async_save_user_info(user_details)
        return web.HTTPFound(get_url("/auth/oidc/finish?code=" + code))
--- a/custom_components/auth_oidc/endpoints/finish.py
+++ b/custom_components/auth_oidc/endpoints/finish.py
@@ -2,8 +2,7 @@
 from homeassistant.components.http import HomeAssistantView
 from aiohttp import web
-
+from ..helpers import get_view
 from ..helpers import get_url
 PATH = "/auth/oidc/finish"
@@ -16,23 +15,40 @@ class OIDCFinishView(HomeAssistantView):
    name = "auth:oidc:finish"
    async def get(self, request: web.Request) -> web.Response:
        """Show the finish screen to allow the user to view their code."""
        code = request.query.get("code")
        if not code:
            view_html = await get_view(
                "error",
                {"error": "Missing code to show the finish screen."},
            )
            return web.Response(text=view_html, content_type="text/html")
        view_html = await get_view("finish", {"code": code})
        return web.Response(text=view_html, content_type="text/html")
    async def post(self, request: web.Request) -> web.Response:
        """Receive response."""
-        code = request.query.get("code", "FAIL")
+        # Get code from the message body
-        link = get_url("/")
+        data = await request.post()
        code = data.get("code")
-        return web.Response(
+        if not code:
            return web.Response(text="No code received", status=500)
        # Return redirect to the main page for sign in with a cookie
        return web.HTTPFound(
            location="/",
            headers={
-                "content-type": "text/html",
+                # Set a cookie to enable autologin on only the specific path used
                # for the POST request, with all strict parameters set
                # This cookie should not be read by any Javascript or any other paths.
                # It can be really short lifetime as we redirect immediately (5 seconds)
                "set-cookie": "auth_oidc_code="
                + code
-                + "; Path=/auth/login_flow; SameSite=Strict; HttpOnly; Max-Age=300",
+                + "; Path=/auth/login_flow; SameSite=Strict; HttpOnly; Max-Age=5",
            },
            text=f"<h1>Done!</h1><p>Your code is: <b>{code}</b></p>"
            + "<p>Please return to the Home Assistant login "
            + "screen (or your mobile app) and fill in this code into the single login field. "
            + "It should be visible if you "
            + "select 'Login with OpenID Connect (SSO)'.</p><p><a href='"
            + link
            + "'>Click here to login automatically (on desktop).</a></p>",
        )
--- a/custom_components/auth_oidc/endpoints/redirect.py
+++ b/custom_components/auth_oidc/endpoints/redirect.py
@@ -5,7 +5,7 @@ from aiohttp import web
 from homeassistant.components.http import HomeAssistantView
 from ..oidc_client import OIDCClient
-from ..helpers import get_url
+from ..helpers import get_url, get_view
 PATH = "/auth/oidc/redirect"
@@ -29,10 +29,11 @@ class OIDCRedirectView(HomeAssistantView):
        if auth_url:
            return web.HTTPFound(auth_url)
-        return web.Response(
+        view_html = await get_view(
-            headers={"content-type": "text/html"},
+            "error",
-            text="<h1>Plugin is misconfigured, discovery could not be obtained</h1>",
+            {"error": "Integration is misconfigured, discovery could not be obtained."},
        )
        return web.Response(text=view_html, content_type="text/html")
    async def post(self, request: web.Request) -> web.Response:
        """POST"""
--- a/custom_components/auth_oidc/endpoints/welcome.py
+++ b/custom_components/auth_oidc/endpoints/welcome.py
@@ -2,6 +2,7 @@
 from aiohttp import web
 from homeassistant.components.http import HomeAssistantView
 from ..helpers import get_view
 PATH = "/auth/oidc/welcome"
@@ -13,10 +14,10 @@ class OIDCWelcomeView(HomeAssistantView):
    url = PATH
    name = "auth:oidc:welcome"
    def __init__(self, name: str) -> None:
        self.name = name
    async def get(self, _: web.Request) -> web.Response:
        """Receive response."""
-
+        view_html = await get_view("welcome", {"name": self.name})
-        return web.Response(
+        return web.Response(text=view_html, content_type="text/html")
            headers={"content-type": "text/html"},
            text="<h1>OIDC Login</h1><p><a href='/auth/oidc/redirect'>Login with OIDC</a></p>",
        )
--- a/custom_components/auth_oidc/helpers.py
+++ b/custom_components/auth_oidc/helpers.py
@@ -1,6 +1,7 @@
 """Helper functions for the integration."""
 from homeassistant.components import http
 from .views.loader import AsyncTemplateRenderer
 def get_url(path: str) -> str:
@@ -10,3 +11,12 @@ def get_url(path: str) -> str:
    base_uri = str(req.url).split("/auth", 2)[0]
    return f"{base_uri}{path}"
 async def get_view(template: str, parameters: dict | None = None) -> str:
    """Returns the generated HTML of the requested view."""
    if parameters is None:
        parameters = {}
    renderer = AsyncTemplateRenderer()
    return await renderer.render_template(f"{template}.html", **parameters)
--- a/custom_components/auth_oidc/manifest.json
+++ b/custom_components/auth_oidc/manifest.json
@@ -14,7 +14,10 @@
  "iot_class": "calculated",
  "issue_tracker": "https://github.com/christiaangoossens/hass-oidc-auth/issues",
  "requirements": [
-    "python-jose>=3.3.0"
+    "python-jose>=3.3.0",
    "aiofiles>=24.1.0",
    "jinja2>=3.1.4",
    "bcrypt>=4.2.0"
  ],
-  "version": "0.2.0"
+  "version": "0.5.1"
 }
--- a/custom_components/auth_oidc/oidc_client.py
+++ b/custom_components/auth_oidc/oidc_client.py
@@ -5,9 +5,24 @@ import logging
 import os
 import base64
 import hashlib
 import ssl
 from typing import Optional
 from functools import partial
 import aiohttp
 from jose import jwt, jwk
 from homeassistant.core import HomeAssistant
 from .types import UserDetails
 from .config import (
    FEATURES_DISABLE_PKCE,
    CLAIMS_DISPLAY_NAME,
    CLAIMS_USERNAME,
    CLAIMS_GROUPS,
    ROLE_ADMINS,
    ROLE_USERS,
    NETWORK_TLS_VERIFY,
    NETWORK_TLS_CA_PATH,
 )
 _LOGGER = logging.getLogger(__name__)
@@ -32,24 +47,106 @@ class OIDCStateInvalid(OIDCClientException):
    "Raised when the state for your request cannot be matched against a stored state."
 class OIDCIdTokenSigningAlgorithmInvalid(OIDCTokenResponseInvalid):
    "Raised when the id_token is signed with the wrong algorithm, adjust your config accordingly."
 # pylint: disable=too-many-instance-attributes
 class OIDCClient:
    """OIDC Client implementation for Python, including PKCE."""
    # Flows stores the state, code_verifier and nonce of all current flows.
    flows = {}
-    def __init__(self, discovery_url: str, client_id: str, scope: str):
+    # HTTP session to be used
    http_session: aiohttp.ClientSession = None
    def __init__(
        self,
        hass: HomeAssistant,
        discovery_url: str,
        client_id: str,
        scope: str,
        **kwargs: str,
    ):
        self.hass = hass
        self.discovery_url = discovery_url
        self.discovery_document = None
        self.client_id = client_id
        self.scope = scope
        # Optional parameters
        self.client_secret = kwargs.get("client_secret")
        # Default id_token_signing_alg to RS256 if not specified
        self.id_token_signing_alg = kwargs.get("id_token_signing_alg")
        if self.id_token_signing_alg is None:
            self.id_token_signing_alg = "RS256"
        features = kwargs.get("features")
        claims = kwargs.get("claims")
        roles = kwargs.get("roles")
        network = kwargs.get("network")
        self.disable_pkce = features.get(FEATURES_DISABLE_PKCE, False)
        self.display_name_claim = claims.get(CLAIMS_DISPLAY_NAME, "name")
        self.username_claim = claims.get(CLAIMS_USERNAME, "preferred_username")
        self.groups_claim = claims.get(CLAIMS_GROUPS, "groups")
        self.user_role = roles.get(ROLE_USERS, None)
        self.admin_role = roles.get(ROLE_ADMINS, "admins")
        self.tls_verify = network.get(NETWORK_TLS_VERIFY, True)
        self.tls_ca_path = network.get(NETWORK_TLS_CA_PATH)
    def __del__(self):
        """Cleanup the HTTP session."""
        # HA never seems to run this, but it's good practice to close the session
        if self.http_session:
            _LOGGER.debug("Closing HTTP session")
            self.http_session.close()
    def _base64url_encode(self, value: str) -> str:
        """Uses base64url encoding on a given string"""
        return base64.urlsafe_b64encode(value).rstrip(b"=").decode("utf-8")
    def _generate_random_url_string(self, length: int = 16) -> str:
        """Generates a random URL safe string (base64_url encoded)"""
        return self._base64url_encode(os.urandom(length))
    async def _get_http_session(self) -> aiohttp.ClientSession:
        """Create or get the existing client session with custom networking/TLS options"""
        if self.http_session is not None:
            return self.http_session
        _LOGGER.debug(
            "Creating HTTP session provider with options: "
            + "verify certificates: %r, custom CA file: %s",
            self.tls_verify,
            self.tls_ca_path,
        )
        tcp_connector_args = {"verify_ssl": self.tls_verify}
        if self.tls_ca_path:
            # Move to hass' executor to prevent blocking code inside non-blocking method
            ssl_context = await self.hass.loop.run_in_executor(
                None, partial(ssl.create_default_context, cafile=self.tls_ca_path)
            )
            tcp_connector_args["ssl"] = ssl_context
        self.http_session = aiohttp.ClientSession(
            connector=aiohttp.TCPConnector(**tcp_connector_args)
        )
        return self.http_session
    async def _fetch_discovery_document(self):
        """Fetches discovery document from the given URL."""
        try:
-            async with aiohttp.ClientSession() as session:
+            session = await self._get_http_session()
-                async with session.get(self.discovery_url) as response:
+
-                    response.raise_for_status()
+            async with session.get(self.discovery_url) as response:
-                    return await response.json()
+                response.raise_for_status()
                return await response.json()
        except aiohttp.ClientResponseError as e:
            if e.status == 404:
                _LOGGER.warning(
@@ -59,6 +156,163 @@ class OIDCClient:
                _LOGGER.warning("Error: %s - %s", e.status, e.message)
            raise OIDCDiscoveryInvalid from e
    async def _get_jwks(self, jwks_uri):
        """Fetches JWKS from the given URL."""
        try:
            session = await self._get_http_session()
            async with session.get(jwks_uri) as response:
                response.raise_for_status()
                return await response.json()
        except aiohttp.ClientResponseError as e:
            _LOGGER.warning("Error fetching JWKS: %s - %s", e.status, e.message)
            raise OIDCJWKSInvalid from e
    async def _make_token_request(self, token_endpoint, query_params):
        """Performs the token POST call"""
        try:
            session = await self._get_http_session()
            async with session.post(token_endpoint, data=query_params) as response:
                response.raise_for_status()
                return await response.json()
        except aiohttp.ClientResponseError as e:
            if e.status == 400:
                _LOGGER.warning(
                    "Error: Token could not be obtained (Bad Request), "
                    + "did you forget the client_secret?"
                )
            else:
                _LOGGER.warning(
                    "Unexpected error exchanging token: %s - %s", e.status, e.message
                )
            raise OIDCTokenResponseInvalid from e
    async def _parse_id_token(
        self, id_token: str, access_token: str | None
    ) -> Optional[dict]:
        """Parses the ID token into a dict containing token contents."""
        if self.discovery_document is None:
            self.discovery_document = await self._fetch_discovery_document()
        jwks_uri = self.discovery_document["jwks_uri"]
        jwks_data = await self._get_jwks(jwks_uri)
        try:
            # Obtain the id_token header
            unverified_header = jwt.get_unverified_header(id_token)
            if not unverified_header:
                _LOGGER.warning("Could not get header from received id_token.")
                return None
            # Obtain the signing algorithm from the header of the id_token
            alg = unverified_header.get("alg")
            if alg != self.id_token_signing_alg:
                # Verify that it matches our requested algorithm
                _LOGGER.warning(
                    "ID Token received signed with the wrong algorithm: %s, expected %s",
                    alg,
                    self.id_token_signing_alg,
                )
                raise OIDCIdTokenSigningAlgorithmInvalid()
            # OpenID Connect Core 1.0 Section 3.1.3.7.8
            # If the JWT alg Header Parameter uses a MAC based algorithm
            # such as HS256, HS384, or HS512, the octets of the UTF-8 [RFC3629]
            # representation of the client_secret corresponding to the client_id
            # contained in the aud (audience) Claim are used as the key to
            # validate the signature.
            if alg.startswith("HS"):
                if not self.client_secret:
                    _LOGGER.warning(
                        "ID Token signed with HMAC algorithm, but no client_secret provided."
                    )
                    raise OIDCIdTokenSigningAlgorithmInvalid()
                jwk_obj = jwk.construct(
                    {
                        "kty": "oct",
                        "k": base64.urlsafe_b64encode(
                            self.client_secret.encode()
                        ).decode(),
                        "alg": alg,
                    }
                )
            else:
                # TODO: Deal with cases where kid is not specified (just take the first key?)
                # Obtain the kid (Key ID) from the header of the id_token
                kid = unverified_header.get("kid")
                if not kid:
                    _LOGGER.warning("JWT does not have kid (Key ID)")
                    return None
                # Get the correct key
                signing_key = None
                for key in jwks_data["keys"]:
                    if key["kid"] == kid:
                        signing_key = key
                        break
                if not signing_key:
                    _LOGGER.warning("Could not find matching key with kid: %s", kid)
                    return None
                # Construct the JWK from the RSA key
                jwk_obj = jwk.construct(signing_key)
            # Verify the token
            decoded_token = jwt.decode(
                id_token,
                jwk_obj,
                # OpenID Connect Core 1.0 Section 3.1.3.7.6
                # The Client MUST validate the signature of all other ID Tokens
                # according to JWS [JWS] using the algorithm specified in the JWT
                # alg Header Parameter.
                algorithms=[self.id_token_signing_alg],
                # OpenID Connect Core 1.0 Section 3.1.3.7.3
                # The Client MUST validate that the aud (audience) Claim contains
                # its client_id value registered at the Issuer identified by the
                # iss (issuer) Claim as an audience.
                audience=self.client_id,
                # OpenID Connect Core 1.0 Section 3.1.3.7.2
                # The Issuer Identifier for the OpenID Provider MUST exactly
                # match the value of the iss (issuer) Claim.
                issuer=self.discovery_document["issuer"],
                access_token=access_token,
                options={
                    # Verify everything if present
                    "verify_signature": True,
                    "verify_aud": True,
                    "verify_iat": True,
                    "verify_exp": True,
                    "verify_nbf": True,
                    "verify_iss": True,
                    "verify_sub": True,
                    "verify_jti": True,
                    "verify_at_hash": True,
                    # OpenID Connect Core 1.0 Section 3.1.3.7.3
                    "require_aud": True,
                    # OpenID Connect Core 1.0 Section 3.1.3.7.10
                    "require_iat": True,
                    # OpenID Connect Core 1.0 Section 3.1.3.7.9
                    "require_exp": True,
                    # OpenID Connect Core 1.0 Section 3.1.3.7.2
                    "require_iss": True,
                    # We need the sub as it's used to identify the user
                    "require_sub": True,
                    # Other values, not required.
                    "require_nbf": False,
                    "require_jti": False,
                    "require_at_hash": False,
                    "leeway": 5,
                },
            )
            return decoded_token
        except jwt.JWTError as e:
            _LOGGER.warning("JWT Verification failed: %s", e)
            return None
    async def async_get_authorization_url(self, redirect_uri: str) -> Optional[str]:
        """Generates the authorization URL for the OIDC flow."""
        try:
@@ -67,22 +321,14 @@ class OIDCClient:
            auth_endpoint = self.discovery_document["authorization_endpoint"]
-            # Generate the necessary PKCE parameters, nonce & state
+            # Generate random nonce & state
-            code_verifier = (
+            nonce = self._generate_random_url_string()
-                base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode("utf-8")
+            state = self._generate_random_url_string()
-            )
+
-            code_challenge = (
+            # Generate PKCE (RFC 7636) parameters
-                base64.urlsafe_b64encode(
+            code_verifier = self._generate_random_url_string(32)
-                    hashlib.sha256(code_verifier.encode("utf-8")).digest()
+            code_challenge = self._base64url_encode(
-                )
+                hashlib.sha256(code_verifier.encode("utf-8")).digest()
                .rstrip(b"=")
                .decode("utf-8")
            )
            nonce = (
                base64.urlsafe_b64encode(os.urandom(16)).rstrip(b"=").decode("utf-8")
            )
            state = (
                base64.urlsafe_b64encode(os.urandom(16)).rstrip(b"=").decode("utf-8")
            )
            # Save all of them for later verification
@@ -95,92 +341,27 @@ class OIDCClient:
                "redirect_uri": redirect_uri,
                "scope": self.scope,
                "state": state,
                # Nonce is always set in accordance with OpenID Connect Core 1.0
                "nonce": nonce,
                "code_challenge": code_challenge,
                "code_challenge_method": "S256",
            }
            # We always want to use PKCE (RFC 7636), unless it's disabled for compatibility.
            # PKCE is the recommended method of securing the authorization code grant
            # for public clients as much as possible.
            # (see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-7.5.1)
            if not self.disable_pkce:
                query_params["code_challenge"] = code_challenge
                query_params["code_challenge_method"] = "S256"
            url = f"{auth_endpoint}?{urllib.parse.urlencode(query_params)}"
            return url
        except OIDCClientException as e:
            _LOGGER.warning("Error generating authorization URL: %s", e)
            return None
    async def _make_token_request(self, token_endpoint, query_params):
        try:
            async with aiohttp.ClientSession() as session:
                async with session.post(token_endpoint, data=query_params) as response:
                    response.raise_for_status()
                    return await response.json()
        except aiohttp.ClientResponseError as e:
            _LOGGER.warning("Error exchanging token: %s - %s", e.status, e.message)
            raise OIDCTokenResponseInvalid from e
    async def _get_jwks(self, jwks_uri):
        """Fetches JWKS from the given URL."""
        try:
            async with aiohttp.ClientSession() as session:
                async with session.get(jwks_uri) as response:
                    response.raise_for_status()
                    return await response.json()
        except aiohttp.ClientResponseError as e:
            _LOGGER.warning("Error fetching JWKS: %s - %s", e.status, e.message)
            raise OIDCJWKSInvalid from e
    async def _parse_id_token(self, id_token: str):
        if self.discovery_document is None:
            self.discovery_document = await self._fetch_discovery_document()
        # Parse the id token to obtain the relevant details
        # Use python-jose
        jwks_uri = self.discovery_document["jwks_uri"]
        jwks_data = await self._get_jwks(jwks_uri)
        try:
            unverified_header = jwt.get_unverified_header(id_token)
            if not unverified_header:
                print("Could not parse JWT Header")
                return None
            kid = unverified_header.get("kid")
            if not kid:
                print("JWT does not have kid (Key ID)")
                return None
            # Get the correct key
            rsa_key = None
            for key in jwks_data["keys"]:
                if key["kid"] == kid:
                    rsa_key = key
                    break
            if not rsa_key:
                print(f"Could not find matching key with kid:{kid}")
                return None
            # Construct the JWK
            jwk_obj = jwk.construct(rsa_key)
            # Verify the token
            decoded_token = jwt.decode(
                id_token,
                jwk_obj,
                algorithms=["RS256"],  # Adjust if your algorithm is different
                audience=self.client_id,
                issuer=self.discovery_document["issuer"],
            )
            return decoded_token
        except jwt.JWTError as e:
            print(f"JWT Verification failed: {e}")
            return None
        return None
    async def async_complete_token_flow(
        self, redirect_uri: str, code: str, state: str
-    ) -> dict[str, str | dict]:
+    ) -> Optional[UserDetails]:
        """Completes the OIDC token flow to obtain a user's details."""
        try:
@@ -188,7 +369,6 @@ class OIDCClient:
                raise OIDCStateInvalid
            flow = self.flows[state]
            code_verifier = flow["code_verifier"]
            if self.discovery_document is None:
                self.discovery_document = await self._fetch_discovery_document()
@@ -201,27 +381,83 @@ class OIDCClient:
                "client_id": self.client_id,
                "code": code,
                "redirect_uri": redirect_uri,
                "code_verifier": code_verifier,
            }
            # Send the client secret if we have one
            if self.client_secret is not None:
                query_params["client_secret"] = self.client_secret
            # If we disable PKCE, don't send the code verifier
            if not self.disable_pkce:
                query_params["code_verifier"] = flow["code_verifier"]
            # Exchange the code for a token
            token_response = await self._make_token_request(
                token_endpoint, query_params
            )
            id_token = token_response.get("id_token")
            access_token = token_response.get("access_token")
            # Parse the id token to obtain the relevant details
-            id_token = await self._parse_id_token(id_token)
+            # Access token is supplied to check at_hash if present
            id_token = await self._parse_id_token(id_token, access_token)
-            # Verify nonce
+            if id_token is None:
                _LOGGER.warning("ID token could not be parsed!")
                return None
            # OpenID Connect Core 1.0 Section 3.1.3.7.11
            # If a nonce value was sent in the Authentication Request,
            # a nonce Claim MUST be present and its value checked to verify
            # that it is the same value as the one that was sent in the Authentication Request.
            if id_token.get("nonce") != flow["nonce"]:
                _LOGGER.warning("Nonce mismatch!")
                return None
-            return {
+            # TODO: If the configured claims are not present in id_token, we should fetch userinfo
-                "name": id_token.get("name"),
+
-                "username": id_token.get("preferred_username"),
+            # Get and parse groups (to check if it's an array)
-                "groups": id_token.get("groups"),
+            groups = id_token.get(self.groups_claim, [])
            if not isinstance(groups, list):
                _LOGGER.warning("Groups claim is not a list, using empty list instead.")
                groups = []
            # Assign role if user has the required groups
            role = "invalid"
            if self.user_role in groups or self.user_role is None:
                role = "system-users"
            if self.admin_role in groups:
                role = "system-admin"
            # Create a user details dict based on the contents of the id_token & userinfo
            data: UserDetails = {
                # Subject Identifier. A locally unique and never reassigned identifier within the
                # Issuer for the End-User, which is intended to be consumed by the Client
                # Only unique per issuer, so we combine it with the issuer and hash it.
                # This might allow multiple OIDC providers to be used with this integration.
                "sub": hashlib.sha256(
                    f"{self.discovery_document['issuer']}.{id_token.get('sub')}".encode(
                        "utf-8"
                    )
                ).hexdigest(),
                # Display name, configurable
                "display_name": id_token.get(self.display_name_claim),
                # Username, configurable
                "username": id_token.get(self.username_claim),
                # Role
                "role": role,
            }
            # Log which details were obtained for debugging
            # Also log the original subject identifier such that you can look it up in your provider
            _LOGGER.debug(
                "Obtained user details from OIDC provider: %s (issuer subject: %s)",
                data,
                id_token.get("sub"),
            )
            return data
        except OIDCClientException as e:
            _LOGGER.warning("Error completing token flow: %s", e)
            return None
--- a/custom_components/auth_oidc/provider.py
+++ b/custom_components/auth_oidc/provider.py
@@ -6,6 +6,8 @@ import logging
 from typing import Dict, Optional
 import asyncio
 import bcrypt
 from homeassistant.auth import EVENT_USER_ADDED
 from homeassistant.auth.providers import (
    AUTH_PROVIDERS,
    AuthProvider,
@@ -13,15 +15,29 @@ from homeassistant.auth.providers import (
    AuthFlowResult,
    Credentials,
    UserMeta,
    User,
    AuthStore,
 )
-from homeassistant.components import http
+from homeassistant.const import CONF_ID, CONF_NAME, CONF_TYPE
 from homeassistant.core import HomeAssistant, callback
 from homeassistant.components import http, person
 from homeassistant.exceptions import HomeAssistantError
 import voluptuous as vol
 from .config import (
    FEATURES,
    FEATURES_AUTOMATIC_USER_LINKING,
    FEATURES_AUTOMATIC_PERSON_CREATION,
    DEFAULT_TITLE,
 )
 from .stores.code_store import CodeStore
 from .types import UserDetails
 _LOGGER = logging.getLogger(__name__)
 PROVIDER_TYPE = "auth_oidc"
 HASS_PROVIDER_TYPE = "homeassistant"
 class InvalidAuthError(HomeAssistantError):
    """Raised when submitting invalid authentication."""
@@ -32,23 +48,44 @@ class OpenIDAuthProvider(AuthProvider):
    """Allow access to users based on login with an external
    OpenID Connect Identity Provider (IdP)."""
    DEFAULT_TITLE = "OpenID Connect (SSO)"
    @property
    def type(self) -> str:
        return "auth_oidc"
    @property
    def support_mfa(self) -> bool:
        return False
-    def __init__(self, *args, **kwargs):
+    def __init__(self, hass: HomeAssistant, store: AuthStore, config: dict[str, str]):
        """Initialize the OpenIDAuthProvider."""
-        super().__init__(*args, **kwargs)
+        super().__init__(
-        self._user_meta = {}
+            hass,
            store,
            {
                # Currently register as default, might be used when we have multiple OIDC providers
                CONF_ID: "default",
                # Name displayed in the UI
                CONF_NAME: config.get("display_name", DEFAULT_TITLE),
                # Type
                CONF_TYPE: PROVIDER_TYPE,
            },
        )
        self._user_meta: dict[UserDetails] = {}
        self._code_store: CodeStore | None = None
        self._init_lock = asyncio.Lock()
        features = config.get(
            FEATURES,
            {},
        )
        # Link users automatically?
        # False by default to always make new accounts for OIDC users
        # Turn this on to migrate from HA accounts to OIDC
        self.user_linking = features.get(FEATURES_AUTOMATIC_USER_LINKING, False)
        # Create person entries automatically?
        # True by default to create a person for each new user (just like normal HA)
        # Turn this off if you don't want OIDC to interfere more than necessary
        self.create_persons = features.get(FEATURES_AUTOMATIC_PERSON_CREATION, True)
    async def async_initialize(self) -> None:
        """Initialize the auth provider."""
@@ -64,8 +101,11 @@ class OpenIDAuthProvider(AuthProvider):
            self._code_store = store
            self._user_meta = {}
-    async def async_retrieve_username(self, code: str) -> Optional[str]:
+        # Listen for user creation events
-        """Retrieve user from the code, return username and save meta
+        self.hass.bus.async_listen(EVENT_USER_ADDED, self.async_user_created)
    async def async_get_subject(self, code: str) -> Optional[str]:
        """Retrieve user from the code, return subject and save meta
        for later use with this provider instance."""
        if self._code_store is None:
            await self.async_initialize()
@@ -75,9 +115,9 @@ class OpenIDAuthProvider(AuthProvider):
        if user_data is None:
            return None
-        username = user_data["username"]
+        sub = user_data["sub"]
-        self._user_meta[username] = user_data
+        self._user_meta[sub] = user_data
-        return username
+        return sub
    async def async_save_user_info(self, user_info: dict[str, dict | str]) -> str:
        """Save user info and return a code."""
@@ -87,6 +127,77 @@ class OpenIDAuthProvider(AuthProvider):
        return await self._code_store.async_generate_code_for_userinfo(user_info)
    async def _async_find_user_by_username(self, username: str) -> Optional[User]:
        """Find a user by username."""
        users = await self.store.async_get_users()
        for user in users:
            # System generated users don't have usernames and aren't our target here
            if user.system_generated:
                continue
            # Check if we have a homeassistant credential with the provided username
            for credential in user.credentials:
                if (
                    credential.auth_provider_type == HASS_PROVIDER_TYPE
                    and credential.data.get("username") == username
                ):
                    return user
        return None
    # ====
    # Handler for user created and related functions (person creation)
    # ====
    @callback
    async def async_user_created(self, event) -> None:
        """Handle the user created event."""
        user_id = event.data["user_id"]
        user = await self.store.async_get_user(user_id)
        # Get the first credential, if it's not ours, return
        if not user.credentials or len(user.credentials) == 0:
            return
        credential = user.credentials[0]
        if not (
            credential.auth_provider_type == self.type
            and credential.auth_provider_id == self.id
        ):
            # Not mine, return
            return
        # Audit log the user creation
        _LOGGER.info(
            "User was created for first OIDC sign in: %s from subject %s",
            user.id,
            credential.data["sub"],
        )
        # If person creation is enabled, add a person for this user
        if self.create_persons:
            user_meta = await self.async_user_meta_for_credentials(credential)
            await self.async_create_person(user, user_meta.name)
    async def async_create_person(self, user: User, name: str) -> None:
        """Create a person for the user."""
        _LOGGER.info("Automatically creating person for new user %s", user.id)
        # Create a person for the user
        try:
            await person.async_create_person(
                hass=self.hass,
                name=name,
                user_id=user.id,
            )
        # Catch all, we don't want to fail here
        # pylint: disable=broad-exception-caught
        except Exception:
            _LOGGER.warning(
                "Requested automatic person creation, but person creation failed."
            )
        # pylint: enable=broad-exception-caught
    # ====
    # Required functions for Home Assistant Auth Providers
    # ====
@@ -99,13 +210,43 @@ class OpenIDAuthProvider(AuthProvider):
        self, flow_result: dict[str, str]
    ) -> Credentials:
        """Get credentials based on the flow result."""
-        username = flow_result["username"]
+        sub = flow_result["sub"]
        meta = self._user_meta.get(sub)
        # Audit logging for the login that is about to occur
        _LOGGER.info(
            "Logged in user through OIDC: %s, %s", meta["sub"], meta["display_name"]
        )
        # Iterate over previously created credentials to find one with the same sub
        for credential in await self.async_credentials():
-            if credential.data["username"] == username:
+            # When logging in again, use the subject to check if the credential exist
            # OpenID spec says that sub is the only claim we can rely on, as username
            # might change over time.
            if credential.data.get("sub") == sub:
                return credential
-        # Create new credentials.
+        # If no credential was found, create a new one
-        return self.async_create_credentials({"username": username})
+        # Username cannot be supplied here as it won't be shown by Home Assistant regardless
        # Source: homeassistant/components/config/auth.py, line 162
        credential = self.async_create_credentials({"sub": sub})
        # If we have user linking enabled, try to link the user here
        if self.user_linking:
            user = await self._async_find_user_by_username(meta["username"])
            if user is not None:
                _LOGGER.info(
                    "User already exists, adding credential for "
                    + "OIDC to existing user with username '%s'.",
                    meta["username"],
                )
                # Link the credential to the existing user
                # Will set the credential isNew = false
                await self.store.async_link_user(user, credential)
        # If the credential is new, HA will automatically create a new user for us
        return credential
    async def async_user_meta_for_credentials(
        self, credentials: Credentials
@@ -114,15 +255,16 @@ class OpenIDAuthProvider(AuthProvider):
        Currently, supports name, is_active, group and local_only.
        """
        meta = self._user_meta.get(credentials.data["username"], {})
        groups = meta.get("groups", [])
-        group = "system-admin" if "admins" in groups else "system-users"
+        sub = credentials.data["sub"]
        meta = self._user_meta.get(sub, {})
        role = meta.get("role")
        return UserMeta(
-            name=meta.get("name"),
+            name=meta.get("display_name"),
            is_active=True,
-            group=group,
+            group=role,
-            local_only="true",
+            local_only=False,
        )
@@ -130,12 +272,19 @@ class OpenIdLoginFlow(LoginFlow):
    """Handler for the login flow."""
    async def _finalize_user(self, code: str) -> AuthFlowResult:
-        username = await self._auth_provider.async_retrieve_username(code)
+        # Verify a dummy hash to make it last a bit longer
-        if username:
+        # as security measure (limits the amount of attempts you have in 5 min)
-            _LOGGER.info("Logged in user: %s", username)
+        # Similar to what the HomeAssistant auth provider does
        dummy = b"$2b$12$CiuFGszHx9eNHxPuQcwBWez4CwDTOcLTX5CbOpV6gef2nYuXkY7BO"
        bcrypt.checkpw(b"foo", dummy)
        # Actually look up the auth provider after,
        # this doesn't take a lot of time (regardless of it's in there or not)
        sub = await self._auth_provider.async_get_subject(code)
        if sub:
            return await self.async_finish(
                {
-                    "username": username,
+                    "sub": sub,
                }
            )
--- a/custom_components/auth_oidc/stores/code_store.py
+++ b/custom_components/auth_oidc/stores/code_store.py
@@ -8,6 +8,8 @@ from typing import cast, Optional
 from homeassistant.helpers.storage import Store
 from homeassistant.core import HomeAssistant
 from ..types import UserDetails
 STORAGE_VERSION = 1
 STORAGE_KEY = "auth_provider.auth_oidc.codes"
@@ -18,7 +20,7 @@ class CodeStore:
    def __init__(self, hass: HomeAssistant) -> None:
        """Initialize the user data store."""
        self.hass = hass
-        self._store = Store[dict[str, dict[str, dict | str]]](
+        self._store = Store[dict[str, UserDetails]](
            hass, STORAGE_VERSION, STORAGE_KEY, private=True, atomic_writes=True
        )
        self._data: dict[str, dict[str, dict | str]] | None = None
@@ -26,7 +28,7 @@ class CodeStore:
    async def async_load(self) -> None:
        """Load stored data."""
        if (data := await self._store.async_load()) is None:
-            data = cast(dict[str, dict[str, dict | str]], {})
+            data = cast(dict[str, UserDetails], {})
        self._data = data
    async def async_save(self) -> None:
@@ -38,9 +40,7 @@ class CodeStore:
        """Generate a random six-digit code."""
        return "".join(random.choices(string.digits, k=6))
-    async def async_generate_code_for_userinfo(
+    async def async_generate_code_for_userinfo(self, user_info: UserDetails) -> str:
        self, user_info: dict[str, dict | str]
    ) -> str:
        """Generates a one time code and adds it to the database for 5 minutes."""
        if self._data is None:
            raise RuntimeError("Data not loaded")
@@ -57,9 +57,7 @@ class CodeStore:
        await self.async_save()
        return code
-    async def receive_userinfo_for_code(
+    async def receive_userinfo_for_code(self, code: str) -> Optional[UserDetails]:
        self, code: str
    ) -> Optional[dict[str, dict | str]]:
        """Retrieve user info based on the code."""
        if self._data is None:
            raise RuntimeError("Data not loaded")
--- a/custom_components/auth_oidc/types.py
+++ b/custom_components/auth_oidc/types.py
@@ -0,0 +1,18 @@
 """Generic data types"""
 # Dict class to give a type to the user details
 from typing import Literal
 class UserDetails(dict):
    """User details representation"""
    # User subject, persistent identifier
    sub: str
    # Full name of the user for display purposes
    display_name: str
    # Preferred username for the user, will be used when first generating the account
    # or to link the account on first login
    username: str
    # Home Assistant role to assign to this user
    role: Literal["system-admin", "system-users", "invalid"]
--- a/custom_components/auth_oidc/views/loader.py
+++ b/custom_components/auth_oidc/views/loader.py
@@ -0,0 +1,62 @@
 """Jinja2 Async Environment"""
 import logging
 from os import path
 from typing import Dict, Any
 from jinja2 import Environment, DictLoader
 from aiofiles.os import scandir as async_scandir
 from aiofiles import open as async_open
 _LOGGER = logging.getLogger(__name__)
 templates: Dict[str, str] = {}
 class AsyncTemplateRenderer:
    """An asynchronous template renderer that caches rendered templates."""
    def __init__(self, template_dir: str = None):
        self.template_dir = template_dir or path.join(
            path.dirname(path.abspath(__file__)), "templates"
        )
    async def fetch_templates(self) -> None:
        """Fetches all HTML files from the template directory."""
        templates.clear()
        files = await async_scandir(self.template_dir)
        for file in files:
            if file.is_dir():
                continue
            filename = file.name
            if filename.endswith(".html"):
                template_path = path.join(self.template_dir, filename)
                try:
                    _LOGGER.debug("Fetching template %s from disk", filename)
                    async with async_open(
                        template_path, mode="r", encoding="utf-8"
                    ) as f:
                        content = await f.read()
                        templates[filename] = content
                except (OSError, IOError) as e:
                    _LOGGER.warning("Error reading template file %s: %s", filename, e)
    async def render_template(self, template_name: str, **kwargs: Any) -> str:
        """Renders a template with the given parameters."""
        if not templates:
            await (
                self.fetch_templates()
            )  # If the templates haven't been fetched, fetch them
        if template_name not in templates:
            raise ValueError(f"Template '{template_name}' not found.")
        env = Environment(loader=DictLoader(templates), enable_async=True)
        template = env.get_template(template_name)
        # Render template
        rendered_output = await template.render_async(**kwargs)
        return rendered_output
--- a/custom_components/auth_oidc/views/templates/base.html
+++ b/custom_components/auth_oidc/views/templates/base.html
@@ -0,0 +1,19 @@
 <!DOCTYPE html>
 <html lang="en" class="h-full min-h-full max-h-full">
 <head>
    {% block head %}
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>{% block title %}{% endblock %}</title>
    <script src="https://cdn.tailwindcss.com"></script>
    {% endblock %}
 </head>
 <body class="bg-gray-200 flex items-center justify-center h-full">
    <div class="bg-white p-6 rounded-lg shadow-lg max-w-md">
        {% block content %}{% endblock %}
    </div>
 </body>
 </html>
--- a/custom_components/auth_oidc/views/templates/error.html
+++ b/custom_components/auth_oidc/views/templates/error.html
@@ -0,0 +1,16 @@
 {% extends "base.html" %}
 {% block title %}Oops!{% endblock %}
 {% block head %}
 {{ super() }}
 {% endblock %}
 {% block content %}
 <div class="text-center">
    <h1 class="text-2xl font-bold mb-4">Login failed.</h1>
    <p class="mb-4">{{ error }}</p>
    <div class="my-6">
        <a href='/auth/oidc/redirect'
            class="w-full py-2 px-4 bg-blue-500 text-white font-semibold rounded-lg shadow-md hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-400 focus:ring-opacity-75">Try
            again</a>
    </div>
 </div>
 {% endblock %}
--- a/custom_components/auth_oidc/views/templates/finish.html
+++ b/custom_components/auth_oidc/views/templates/finish.html
@@ -0,0 +1,31 @@
 {% extends "base.html" %}
 {% block title %}Logged in!{% endblock %}
 {% block head %}
 {{ super() }}
 {% endblock %}
 {% block content %}
 <div class="text-center">
    <div class="my-6">
        <h2 class="text-xl font-semibold mb-6 text-gray-800">I want to login to this browser</h2>
        <form method="post">
            <input type="hidden" name="code" value="{{ code }}">
            <button type="submit"
                class="w-full py-2 px-4 bg-blue-500 text-white font-semibold rounded-lg shadow-md hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-400 focus:ring-opacity-75">
                Login to Home Assistant in this browser
            </button>
        </form>
    </div>
    <hr class="my-12">
    <div class="my-6">
        <h2 class="text-xl font-semibold mb-4 text-gray-800">I am on a mobile device</h2>
        <p class="mb-4">Your one-time code is: <b class="text-blue-600 text-xl">{{ code }}</b></p>
        <p class="mb-4 text-sm">You have 5 minutes to use this code on any device.<br />The code can only
            be used once.</p>
        <p class="mb-4 text-sm">Please type the code into your app manually. If you don't see a code input, select
            'Login with
            OpenID Connect (SSO)' first.</p>
    </div>
 </div>
 {% endblock %}
--- a/custom_components/auth_oidc/views/templates/welcome.html
+++ b/custom_components/auth_oidc/views/templates/welcome.html
@@ -0,0 +1,55 @@
 {% extends "base.html" %}
 {% block title %}OIDC Login{% endblock %}
 {% block head %}
 {{ super() }}
 {% endblock %}
 {% block content %}
 <div class="text-center">
    <div id="signed-in" class="bg-blue-100 border border-blue-400 text-blue-700 px-4 py-3 rounded relative mb-8 hidden"
        role="alert">
        <p>You seem to be logged in already.</p>
        <p><a href="/" class="text-blue-600 hover:underline hover:text-blue-700 font-bold">Open the Home Assistant
                dashboard</a></p>
    </div>
    <h1 class="text-2xl font-bold mb-4">Home Assistant</h1>
    <p class="mb-4">You have been invited to login to Home Assistant.<br />Start the login process below.</p>
    <div>
        <button id="oidc-login-btn"
            class="w-full py-2 px-4 bg-blue-500 text-white font-semibold rounded-lg shadow-md hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-400 focus:ring-opacity-75">
            Login with {{ name }}
        </button>
        <div role="status" id="loader" class="items-center justify-center flex hidden">
            <svg aria-hidden="true" class="w-10 h-10 text-gray-200 animate-spin fill-blue-600" viewBox="0 0 100 101"
                fill="none" xmlns="http://www.w3.org/2000/svg">
                <path
                    d="M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z"
                    fill="currentColor" />
                <path
                    d="M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z"
                    fill="currentFill" />
            </svg>
            <span class="sr-only">Redirecting...</span>
        </div>
    </div>
    <p class="mt-6 text-sm">After login, you will be granted a one-time code to login to any device. You may complete
        this login on your desktop or any mobile browser and then use the token for any desktop or the Home Assistant
        app.</p>
 </div>
 <script>
    // Hide the login button and show the loader when clicked
    document.getElementById('oidc-login-btn').addEventListener('click', function () {
        this.classList.add('hidden');
        document.getElementById('loader').classList.remove('hidden');
        window.location.href = '/auth/oidc/redirect';
    });
    // Show the direct login button if we already have a token
    if (localStorage.getItem('hassTokens')) {
        document.getElementById('signed-in').classList.remove('hidden');
    }
 </script>
 {% endblock %}
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
-name = "hass-auth-oidc"
+name = "hass-oidc-auth"
-version = "0.2.0"
+version = "0.5.1"
 description = "OIDC component for Home Assistant"
 authors = [
    { name = "Christiaan Goossens", email = "contact@christiaangoossens.nl" }
@@ -8,6 +8,9 @@ authors = [
 license = "MIT"
 dependencies = [
    "python-jose>=3.3.0",
    "aiofiles>=24.1.0",
    "jinja2>=3.1.4",
    "bcrypt>=4.2.0",
 ]
 readme = "README.md"
 requires-python = ">= 3.13"
--- a/requirements-dev.lock
+++ b/requirements-dev.lock
@@ -14,6 +14,8 @@ acme==3.0.1
    # via hass-nabucasa
 aiodns==3.2.0
    # via homeassistant
 aiofiles==24.1.0
    # via hass-oidc-auth
 aiohappyeyeballs==2.4.4
    # via aiohttp
 aiohasupervisor==0.2.1
@@ -60,6 +62,7 @@ audioop-lts==0.2.1
 awesomeversion==24.6.0
    # via homeassistant
 bcrypt==4.2.0
    # via hass-oidc-auth
    # via homeassistant
 bleak==0.22.3
    # via bleak-retry-connector
@@ -145,6 +148,7 @@ ifaddr==0.2.0
 isort==5.13.2
    # via pylint
 jinja2==3.1.4
    # via hass-oidc-auth
    # via homeassistant
 jmespath==1.0.1
    # via boto3
@@ -206,7 +210,7 @@ pyric==0.1.6.3
 python-dateutil==2.9.0.post0
    # via botocore
 python-jose==3.3.0
-    # via hass-oidc
+    # via hass-oidc-auth
 python-slugify==8.0.4
    # via homeassistant
 pytz==2024.2
--- a/requirements.lock
+++ b/requirements.lock
@@ -10,13 +10,21 @@
 #   universal: false
 -e file:.
 aiofiles==24.1.0
    # via hass-oidc-auth
 bcrypt==4.2.1
    # via hass-oidc-auth
 ecdsa==0.19.0
    # via python-jose
 jinja2==3.1.5
    # via hass-oidc-auth
 markupsafe==3.0.2
    # via jinja2
 pyasn1==0.6.1
    # via python-jose
    # via rsa
 python-jose==3.3.0
-    # via hass-oidc
+    # via hass-oidc-auth
 rsa==4.9
    # via python-jose
 six==1.17.0
Author	SHA1	Message	Date
Christiaan Goossens	63f5f175ee	Fixes Home Assistant error about re-creating HTTP sessions (#22 ) * Bump to 0.5.1 * Prevent HA errors about HTTP session left open	2025-01-12 12:43:41 +01:00
Schakko	bfad0418ad	feat: enable verification of certs via `network.tls_verify` and private CA chains with `network.tls_ca_path` (#16 ) Signed-off-by: Christopher Klein <ckl@dreitier.com>	2025-01-06 10:09:30 +01:00
Christiaan Goossens	00da053f50	Add configurable group names for roles (#17 )	2025-01-05 22:24:48 +01:00
Baptiste Roux	2131fe5d36	fix: group mapping (#13 )	2025-01-01 16:28:48 +01:00
Christiaan Goossens	72dbc49c6f	Slowed down code checking to prevent brute forcing (#12 )	2024-12-31 16:54:39 +01:00
Christiaan Goossens	db4c6bcade	Improved config options for OIDC (#9 ) Added many new configuration options, including claim configuration and client_secret/confidential client support. Also enables user linking & creates person entries upon first sign in.	2024-12-28 21:37:00 +01:00
Christiaan Goossens	ca83e86acb	Further UI improvements (#8 ) * Only set autosign in cookie upon clicking the button * Show an already signed in link if you already have a token	2024-12-28 15:21:37 +01:00
Christiaan Goossens	9f60e9ea9a	Update README for the alpha version	2024-12-27 17:05:49 +01:00
Christiaan Goossens	0d61861343	UI Improvements (#7 ) * Initial version with UI templates * Implement basic screens * Linting & bump to 0.3.0 * Tick off some TODOs	2024-12-27 16:52:32 +01:00
Christiaan Goossens	597d9cdf7d	Add reference to poll	2024-12-27 14:23:14 +01:00