public/hass-oidc-auth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: public:v0.4.0-alpha
Branches Tags
public:main
public:v1.0.2 public:v1.0.1 public:v1.0.0-rc3 public:v1.0.0-rc2 public:v1.0.0-rc1 public:v0.6.5-alpha public:v0.6.3-alpha public:v0.6.2-alpha public:v0.6.1-alpha public:v0.6.0-alpha public:v0.5.1-alpha public:v0.5.0-alpha public:v0.4.1-alpha public:v0.4.0-alpha public:v0.3.0-pre-alpha public:v0.2.0-pre-alpha public:v0.1.0-pre-alpha
...
compare: public:v0.6.5-alpha
Branches Tags
public:main
public:v1.0.2 public:v1.0.1 public:v1.0.0-rc3 public:v1.0.0-rc2 public:v1.0.0-rc1 public:v0.6.5-alpha public:v0.6.3-alpha public:v0.6.2-alpha public:v0.6.1-alpha public:v0.6.0-alpha public:v0.5.1-alpha public:v0.5.0-alpha public:v0.4.1-alpha public:v0.4.0-alpha public:v0.3.0-pre-alpha public:v0.2.0-pre-alpha public:v0.1.0-pre-alpha

44 Commits
v0.4.0-alp ... v0.6.5-alp

Author SHA1 Message Date
Christiaan Goossens
4e77b321fd Bump to 0.6.5 2026-02-06 12:41:03 +01:00
Christiaan Goossens
b688cc872f Detect misconfiguration on downgrade 2026-02-06 11:54:04 +01:00
Christiaan Goossens
2dea5c6b58 Reset min required HA 2026-02-06 11:44:41 +01:00
Christiaan Goossens
5465c1d213 Run correct workflows 2026-02-06 11:42:14 +01:00
Christiaan Goossens
759ea57bc8 Bump versions & dep maintenance 2026-02-06 11:40:37 +01:00
Andrew Garrett
a0e833ba69 Enable Jinja2 autoescaping (#200) 
- Enable Jinja2 autoescape by default in the template environment.
- Use json.dumps to safely inject sso_name into JavaScript context.
- Fix linting issue (line too long) in injected_auth_page.py.
- Update tests to verify escaping and safe injection.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: werdnum <271070+werdnum@users.noreply.github.com>
 2026-02-06 11:38:01 +01:00
Tricked
9bf2372b7e Use tailwind cli to compile css instead of tailwind cdn (#132) 
* implement feature
* use npm instead of cli
 2026-02-06 11:36:16 +01:00
Christiaan Goossens
653c716ea8 Fix 500 on redirect path (#201) 
* Fix 500 on redirect path

Co-authored-by: anntnzrb <anntnzrb@proton.me>
 2026-02-06 11:30:27 +01:00
Christiaan Goossens
f53c16b20e Fix manifest json requirements (#152) 2026-02-06 11:26:02 +01:00
Christiaan Goossens
d54046245f Migrate to joserfc, remove python-jose (#150) 2026-02-06 11:25:49 +01:00
Christiaan Goossens
951f85816d Update doc URL 2025-08-30 13:20:27 +02:00
Christiaan Goossens
99603b4b25 Fix merge mistakes 2025-08-30 13:12:03 +02:00
Christiaan Goossens
6d32757829 Bump version to 0.6.3 2025-08-30 13:08:53 +02:00
renovate[bot]
833360a66d chore(deps): update dependency homeassistant to v2025 (#115) 
* chore(deps): update dependency homeassistant to v2025

* Fix python version req

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Christiaan Goossens <contact@christiaangoossens.nl>
 2025-08-30 13:06:17 +02:00
Christiaan Goossens
c821ac19f7 Fix renovate matcher (#116) 2025-08-30 13:06:17 +02:00
renovate[bot]
e601a63a3d chore(deps): update python docker tag to v3.13.7 (#111) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-08-30 13:06:17 +02:00
Christiaan Goossens
17a96da715 Switch to the newer uv package manager (#114) 2025-08-30 13:06:17 +02:00
renovate[bot]
11b29f2f3b chore(deps): update actions/checkout action to v5 (#112) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-08-30 13:06:17 +02:00
Evan Zhang
b1519b865d Persist OIDC logins on HTTP refresh (#105) 
This relates to #70, where refreshing the webpage causes the user to
need to login again, due to homeassistant not storing the user's session
token `hassTokens`.
 2025-08-30 13:06:17 +02:00
Rolf-M
7a31b10d0e Update microsoft-entra.md (#96) 
* Update microsoft-entra.md

Added configuration for role assignement with entra app-registration

* Update microsoft-entra.md

---------

Co-authored-by: Christiaan Goossens <9487666+christiaangoossens@users.noreply.github.com>
 2025-08-30 13:06:17 +02:00
Christiaan Goossens
a6955e64a0 Add docs on disabling registration (#93) 2025-08-30 13:06:17 +02:00
Christiaan Goossens
c217e46909 Allow forcing HTTPS in URL generation (#92) 
* Force HTTPS feature
* Add docs
 2025-08-30 13:06:17 +02:00
Christiaan Goossens
f614092af2 Add reference to searching in HACS (#90) 2025-08-30 13:04:16 +02:00
Christiaan Goossens
4f29740fa0 remove brands ignore (#87) 2025-08-30 13:04:16 +02:00
Seth
b4d5d7f2bf Add Additional Scopes to Maximize Functionality from Custom idP (#80) 
* add additional scopes to config schema

Keep original groups setting for backwards compatibility.

* fix weird text issue

* Add support for additional scopes in OIDC setup

* fix compile error

* Update documentation to include description of additional oidc scopes

* clarify documentation
 2025-07-09 09:55:37 +02:00
Christiaan Goossens
cb4d72a148 Update README.md (#75) 2025-06-22 12:32:10 +02:00
Christiaan Goossens
be59c415a0 Add link to Github post for Feature Request (#74) 2025-06-22 12:29:08 +02:00
Christiaan Goossens
ccd5fb2459 Cleanup the provider docs with new additions (#73) 2025-06-15 13:52:33 +02:00
fruzitent
fbc47d11ef docs(kanidm): add kanidm.md (#69) 2025-06-15 12:54:43 +02:00
Merlijn
881a6cb0be chore: use 2 space yaml (#61) 
and make clear that other id token signing algs are possible
 2025-04-04 11:56:51 +02:00
Christiaan Goossens
178cd4df49 Fix issue in Authelia docs (#56) 2025-03-03 17:49:46 +01:00
Martin Lavén
de321c8817 Pocket ID instructions (#55) 
* Update pocket-id.md

Updated Public client configuration for Pocket ID

* Update pocket-id.md

Fixed formatting

* Update pocket-id.md

Updated Home Assistant URL and fixed formatting even more.

* Update pocket-id.md

continue to fix formatting

* Update pocket-id.md

* Update pocket-id.md

Found the preview button :-) Hopefully last formatting commit.

* Update pocket-id.md

Added Confidential client configuration

* Update pocket-id.md

Fixed some formatting again
 2025-03-03 17:44:32 +01:00
Christiaan Goossens
aaa977781c Bump to 0.6.2 (#53) 2025-02-21 19:46:59 +01:00
Christiaan Goossens
1fc4e0f21a Fetch userinfo to supplement id_token claims (#50) 
Fetches the userinfo endpoint whenever available to supplement the id_token claims.

---------

Co-authored-by: Luca Olivetti <luca@ventoso.org>
 2025-02-17 22:55:11 +01:00
Christiaan Goossens
6e56311176 Fix compatibility with Microsoft Entra ID (#48) 
* Fixes necessary for Entra ID

* Better error

* Bump 0.6.1

* Also bump manifest

* Linting
 2025-02-16 11:29:24 +01:00
Christiaan Goossens
f24519787b Change documentation to a better format (#25) 
Added new documentation style, added Authentik & Authelia examples. THank you Hendrik & Ivan!

---------

Co-authored-by: Hendrik Sievers <89412959+hendrik1120@users.noreply.github.com>
Co-authored-by: Ivan Vasquez <ivanvasquezp@outlook.com>
 2025-02-15 14:18:20 +01:00
Christiaan Goossens
d565380435 Add groups scope option & fixup features.include_groups_scope (#42) 2025-02-15 13:25:04 +01:00
Tom Kölsch
29a2545396 Add feature toggle to disable groups scope (#39) 
* Update README.md

Ad two to dos:
- bool for scopes
- "groups" scope configurable

* Update README.md

- Add scope bool to configuration options

* Final Update for making scope "groups" optinal

README:
Add scope bool to configuration options
Add two to dos:

bool for scopes
"groups" scope configurable

config:
Make scope "groups" a feature which can be deactivated

init:
Make the feature for the groups bool working in the scope variable

* Remove double description

* Update config.py
 2025-02-14 19:03:14 +01:00
renovate[bot]
b39a65ff74 chore: Configure Renovate (#23) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Christiaan Goossens <contact@christiaangoossens.nl>
 2025-01-12 13:32:39 +01:00
Christiaan Goossens
63f5f175ee Fixes Home Assistant error about re-creating HTTP sessions (#22) 
* Bump to 0.5.1

* Prevent HA errors about HTTP session left open
 2025-01-12 12:43:41 +01:00
Schakko
bfad0418ad feat: enable verification of certs via network.tls_verify and private CA chains with network.tls_ca_path (#16) 
Signed-off-by: Christopher Klein <ckl@dreitier.com>
 2025-01-06 10:09:30 +01:00
Christiaan Goossens
00da053f50 Add configurable group names for roles (#17) 2025-01-05 22:24:48 +01:00
Baptiste Roux
2131fe5d36 fix: group mapping (#13) 2025-01-01 16:28:48 +01:00
Christiaan Goossens
72dbc49c6f Slowed down code checking to prevent brute forcing (#12) 2024-12-31 16:54:39 +01:00
44 changed files with 4649 additions and 573 deletions
Expand all files Collapse all files

7
.github/workflows/hacs.yaml vendored
View File

@@ -5,6 +5,7 @@ on:
push:
branches:
- main
- release/*
pull_request:
schedule:
- cron: "0 0 * * *"
@@ -13,10 +14,8 @@ jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: HACS validation
uses: hacs/action@main
uses: hacs/action@22.5.0
with:
category: "integration"
ignore: brands

3
.github/workflows/hassfest.yaml vendored
View File

@@ -5,6 +5,7 @@ on:
push:
branches:
- main
- release/*
pull_request:
schedule:
- cron: "0 0 * * *"
@@ -13,5 +14,5 @@ jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: home-assistant/actions/hassfest@master

17
.github/workflows/lint.yaml vendored
View File

@@ -5,16 +5,21 @@ on:
push:
pull_request:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install the latest version of rye
uses: eifinger/setup-rye@v4
- uses: actions/checkout@v5
- name: "Set up Python"
uses: actions/setup-python@v5
with:
python-version-file: ".python-version"
- name: Install the latest version of uv
uses: astral-sh/setup-uv@v6
with:
enable-cache: true
- name: Sync dependencies
run: rye sync
- name: Lint (pylint/rye lint)
run: rye run check
run: scripts/sync
- name: Lint (pylint/ruff lint)
run: scripts/check

5
.gitignore vendored
View File

@@ -108,3 +108,8 @@ dmypy.json
config/
.venv
.pytest_logs.log
node_modules

2
.python-version
View File

@@ -1 +1 @@
3.13.1
3.14.2

128
CODE_OF_CONDUCT.md Normal file
View File

@@ -0,0 +1,128 @@
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
overall community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or
advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
contact@christiaangoossens.nl (email).
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series
of actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within
the community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.

119
CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,119 @@
# Contribution Guide
Contibutions are very welcome!
## Non-code contributions
If you are not a programmer, you can still contribute by:
- Adding discussion items over at the [Discussions page](https://github.com/christiaangoossens/hass-oidc-auth/discussions) if you have a question, feature idea or a setup you would like to show off.
- Helping others in issues and discussion posts.
- Voting on polls and providing input.
- If you want to, contributing financially through [Github Sponsors](https://github.com/sponsors/christiaangoossens)
## Code contributions
You may also submit Pull Requests (PRs) to add features yourself! You can find a list that we are currently working on below. Please note that workflows will be run on your pull request and a pull request will only be merged when all checks pass and a review has been conducted (together with a manual test).
### Development
This project uses the uv package manager for development. You can find installation instructions here: https://docs.astral.sh/uv/getting-started/installation/. Start by installing the dependencies using `uv sync` and then point your editor towards the environment created in the .venv directory.
You can then run Home Assistant and put the `custom_components/auth_oidc` directory in your HA `config` folder.
#### Other useful commands
Some useful scripts are in the `scripts` directory. If you run Linux (or WSL under Windows), you can run these directly:
- `scripts/check` will check your Python files for linting errors
- `scripts/fix` will fix some formatting mistakes automatically
You can also run these commands manually on Windows:
##### Compiling css
To compile tailwind css styles for the pages you need the NodeJS and NPM installed.
You can run the `npm run css` script to generate the css once and you can run the `npm run css:watch` to recompile the css every time the templates change
##### Check
```
uv run ruff check
uv run ruff format --check
uv run pylint custom_components
```
##### Fix
```
uv run ruff check --fix
uv run ruff format
```
### Docker Compose Development Environment
You can also use the following Docker Compose configuration to automatically start up the latest HA release with the `auth_oidc` integration:
```
services:
homeassistant:
container_name: homeassistant
image: "ghcr.io/home-assistant/home-assistant:stable"
volumes:
- ./config:/config
- ./custom_components/auth_oidc:/config/custom_components/auth_oidc
- /etc/localtime:/etc/localtime:ro
ports:
- 8123:8123
```
# Found a security issue?
Please see [SECURITY.md](./SECURITY.md) for more information on how to submit your security issue securely. You can find previously found vulnerablities and their corresponding security advisories at the [Security Advisories page](https://github.com/christiaangoossens/hass-oidc-auth/security/advisories).
# Roadmap
The following features are on the roadmap:
## Better user experience
*Copied from https://github.com/christiaangoossens/hass-oidc-auth/issues/19*
Current status on the user experience:
- I cannot change the login screen as all of this is hard coded in the frontend code. So, I am stuck with the title of "Just checking" and without any description or even a title for the input box. Changing this would require a PR on the Home Assistant frontend repository.
- If anyone can refactor their code to allow integrations (Auth Providers) to send custom translations to the frontend when sending the form (here: [custom_components/auth_oidc/provider.py, line 302](https://github.com/christiaangoossens/hass-oidc-auth/blob/main/custom_components/auth_oidc/provider.py#L302)), such that I can send custom translation keys for the title (instead of just using the `mfa` version), description and input label, I would be very happy to accept a PR here as well that accomplishes that.
- Bonus points if it uses the same translation system you would use for any normal setup/config flow in the UI.
- Extra bonus points if we can add a button or link besides it that allows for opening the start of the OIDC flow there too, within the description for instance.
- I cannot redirect you to the start of the OIDC process yet, both on mobile and on desktop. Whenever [the PR](https://github.com/home-assistant/frontend/pull/23204) gets merged and a Home Assistant version that's includes the PR is released (or planned), I will hopefully be able to get something like that to work on desktop.
- It likely will not work on mobile, as the PR that's now approved only does it for desktop, I tested mobile with that code 2 years ago and it didn't work. I will contact someone on the Android team to see if we can make that happen too at some point.
- Mobile will need to open the `window.open` call using Android Custom Tab (Android) / SFSafariViewController (iOS) instead of the normal webview. It seems that external links didn't work at all when I tried it.
PR's that improve the user experience are welcome, but they should be stable and preferably hack as little as possible.
## Tests
The project still needs the following automated tests on every PR:
- Spin up Home Assistant (both the required version from the `hacs.json` and the latest version) and verify that it starts up with no warnings or errors
- Normal pytest unit testing (https://developers.home-assistant.io/docs/development_testing/)
- You might be able to re-use some unit tests from the original implementation by @elupus: https://github.com/home-assistant/core/pull/32926 or from it's inspired work by @allenporter: https://github.com/allenporter/home-assistant-openid-auth-provider/tree/main/tests
- Integration test that performs an automatic run-through of an entire flow with an example/mocked OIDC provider, either in Python code or using an external tool (such as Playwright)
Together, these should test the following:
- The integration registers correctly without any errors (spin-up test)
- The integration works with both the minimum HA version as well as the latest HA version (spin-up test)
- Configuration can be set without any errors (unit test)
- Configuration has the correct effects (unit test)
- Code works correctly on its own (unit test)
- Full flow is functional and displays as expected, including integration with an external OIDC provider (integration test)
Preferably, we run all tests on every PR to make manual testing unnecessary.
## Better configuration experience
As a conclusion to the poll (https://github.com/christiaangoossens/hass-oidc-auth/discussions/6), it seems that the best option would be to keep the current YAML configuration for advanced uses and add a UI configuration for the common providers.
I planned for the following user flow:
1. Add integration in the HA UI
2. Get config dialog with a selector for which OIDC provider you are using
3. Preconfigure claim configuration using the chosen provider
4. Have user input client id & discovery URL with an instruction to configure as public client
5. (Optionally) allow users to choose confidential client and input client secret
6. Check these fields by requesting the discovery, JWKS
7. Ask user if they want to enable groups and allow them to input the correct group name for both roles
8. (Optionally) allow users to enable user linking, explain the issues to them with leaving it enabled and allow disabling later
9. Inform users that advanced options are only available in YAML, such as networking settings or specific claim configurations
10. Have the user perform one login to check that all the fields are correct, just as any OAuth2 integration would, preferably using our oidc_provider
11. Save the integration and request restart to enable it (if necessary)
While I welcome adding configuration by UI, it's not at the top of my priority list. Ask me in the PR if you have any other suggestions and don't forget to add tests for this too. Existing YAML configuration should also remain unaffected, whenever possible.

1
FUNDING.yml Normal file
View File

@@ -0,0 +1 @@
github: christiaangoossens

2
LICENSE → LICENSE.md
View File

@@ -1,4 +1,4 @@
Copyright 2024 Christiaan Goossens
Copyright 2024-2025 Christiaan Goossens
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

172
README.md
View File

@@ -1,4 +1,45 @@
# OIDC Auth for Home Assistant
<!-- Based on the Best-README-template from https://github.com/christiaangoossens/hass-oidc-auth -->
<a id="readme-top"></a>
<div align="center">
[![Stargazers][stars-shield]][stars-url]
[![Issues][issues-shield]][issues-url]
[![Contributors][contributors-shield]][contributors-url]
[![Forks][forks-shield]][forks-url]
[![MIT License][license-shield]][license-url]
</div>
<!-- PROJECT LOGO -->
<br />
<div align="center">
<a href="https://github.com/christiaangoossens/hass-oidc-auth/">
<img src="logo.png" alt="Logo" width="80" height="80">
</a>
<h3 align="center">OpenID Connect for Home Assistant</h3>
<p align="center">
OpenID Connect (OIDC) implementation for Home Assistant through a custom component/integration
<br />
<br />
<a href="./docs/usage.md">Usage Guide</a>
&middot;
<a href="./docs/configuration.md">Configuration Guide</a>
&middot;
<a href="./CONTRIBUTING.md">Contribution Guide</a>
<br />
<br />
<a href="https://github.com/christiaangoossens/hass-oidc-auth/discussions?discussions_q=is%3Aopen+category%3AAnnouncements+category%3APolls">Announcements & Polls</a>
&middot;
<a href="https://github.com/christiaangoossens/hass-oidc-auth/issues">Issues</a>
&middot;
<a href="https://github.com/christiaangoossens/hass-oidc-auth/discussions/categories/q-a">Questions</a>
&middot;
<a href="https://github.com/christiaangoossens/hass-oidc-auth/discussions/categories/ideas">Feature Requests</a>
</p>
</div>
> [!CAUTION]
> This is an alpha release. I give no guarantees about code quality, error handling or security at this stage. Use at your own risk.
@@ -6,113 +47,60 @@
Provides an OpenID Connect (OIDC) implementation for Home Assistant through a custom component/integration. Through this integration, you can create an SSO (single-sign-on) environment within your self-hosted application stack / homelab.
### Background
If you would like to read the background/open letter that lead to this component, please see https://community.home-assistant.io/t/open-letter-for-improving-home-assistants-authentication-system-oidc-sso/494223. It is currently one of the most upvoted feature requests for Home Assistant.
If you would like to read the background/open letter that lead to this component, you can find the original post at https://community.home-assistant.io/t/open-letter-for-improving-home-assistants-authentication-system-oidc-sso/494223. It is currently one of the most upvoted feature requests for Home Assistant.
## How to use
### Installation
> [!TIP]
> If you support the addition of this feature to the Home Assistant core, please upvote https://github.com/orgs/home-assistant/discussions/48. It's the successor of the Home Assistant Community post mentioned above (with almost 900 upvotes).
Add this repository to [HACS](https://hacs.xyz/).
## Installation guide
1. Add this repository to [HACS](https://hacs.xyz/) (or search for "OpenID Connect" in HACS).
[![Open your Home Assistant instance and open a repository inside the Home Assistant Community Store.](https://my.home-assistant.io/badges/hacs_repository.svg)](https://my.home-assistant.io/redirect/hacs_repository/?owner=christiaangoossens&repository=hass-oidc-auth&category=Integration)
Update your `configuration.yaml` file with
2. Add the YAML configuration that matches your OIDC provider to `configuration.yaml`. See the [Configuration Guide](./docs/configuration.md) for more details or pick your OIDC provider below:
| <img src="https://goauthentik.io/img/icon_top_brand_colour.svg" width="100"> | <img src="https://www.authelia.com/images/branding/logo-cropped.png" width="100"> | <img src="https://github.com/user-attachments/assets/4ceb2708-9f29-4694-b797-be833efce17d" width="100"> |
|:-----------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------------------------------------------------------------:|
| [Authentik](./docs/provider-configurations/authentik.md) | [Authelia](./docs/provider-configurations/authelia.md) | [Pocket ID](./docs/provider-configurations/pocket-id.md) |
By default, the integration assumes you configure Home Assistant as a **public client** and thus only specify the `client_id` and no `client_secret`. For example, your configuration might look like:
```yaml
auth_oidc:
client_id: ""
discovery_url: ""
client_id: "example"
discovery_url: "https://example.com/.well-known/openid-configuration"
```
Register your client with your OIDC Provider (e.g. Authentik/Authelia) as a public client and get the client_id. Then, use the obtained client_id and discovery URLs to fill the fields in `configuration.yaml`.
When registering Home Assistant at your OIDC provider, use `<your HA URL>/auth/oidc/callback` as the callback URL and select 'public client'. You should now get the `client_id` and `issuer_url` or `discovery_url` to fill in.
For example:
```yaml
auth_oidc:
client_id: "someValueForTheClientId"
discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
```
3. Restart Home Assistant
Afterwards, restart Home Assistant.
4. Login through the OIDC Welcome URL at `<your HA URL>/auth/oidc/welcome`. You will have to go there manually for now. For example, it might be located at http://homeassistant.local:8123/auth/oidc/welcome.
You can find all possible configuration options below.
More (detailed) usage instructions can be found in the [Usage Guide](./docs/usage.md).
### Login
You should now be able to see a second option on your login screen ("OpenID Connect (SSO)"). It provides you with a single input field.
## Contributions
Contibutions are very welcome! If you program in Python or have worked with Home Assistant integrations before, please try to contribute. A list of requested contributions/future goals is in the [Contribution Guide](./CONTRIBUTING.md).
To start, go to one of to one of these URLs (you may also set these as application URLs in your OIDC Provider):
- `/auth/oidc/welcome` (if you would like a nice welcome screen for your users)
- `/auth/oidc/redirect` (if you would like to just redirect them without a welcome screen)
Please see the [Contribution Guide](./CONTRIBUTING.md) for more information.
So, for example, you may start at http://homeassistant.local:8123/auth/oidc/welcome.
### Found a security issue?
Please see [SECURITY.md](./SECURITY.md) for more information on how to submit your security issue securely. You can find previously found vulnerablities and their corresponding security advisories at the [Security Advisories page](https://github.com/christiaangoossens/hass-oidc-auth/security/advisories).
> [!TIP]
> You can use a different device to login instead. Open the `/auth/oidc/welcome` link on device A and then type the obtained code into the normal HA login on device B (can also be the mobile app) to login.
> [!TIP]
> For a seamless user experience, configure a new domain on your proxy to redirect to the `/auth/oidc/welcome` path or configure that path on your homelab dashboard or in Authentik. Users will then always start on the OIDC welcome page, which will allow them to visit the dashboard if they are already logged in.
## License
Distributed under the MIT license with no warranty. You are fully liable for configuring this integration correctly to keep your Home Assistant installation secure. Use at your own risk. The full license can be found in [LICENSE.md](./LICENSE.md)
With the default configuration, [a person entry](https://www.home-assistant.io/integrations/person/) will be created for every new OIDC user logging in. New OIDC users will get their own fresh user, linked to their persistent ID (subject) at the OpenID Connect provider. You may change your name, username or email at the provider and still have the same Home Assistant user profile.
### Configuration Options
| Option | Type | Required | Default | Description |
|-----------------------------|----------|----------|----------------------|---------------------------------------------------------------------------------------------------------|
| `client_id` | `string` | Yes | | The Client ID as registered with your OpenID Connect provider. |
| `client_secret` | `string` | No | | The Client Secret for enabling confidential client mode. |
| `discovery_url` | `string` | Yes | | The OIDC well-known configuration URL. |
| `display_name` | `string` | No | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen. |
| `id_token_signing_alg` | `string` | No | `RS256` | The signing algorithm that is used for your id_tokens.
| `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. |
| `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. |
| `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. |
| `claims.display_name` | `string` | No | `name` | The claim to use to obtain the display name.
| `claims.username` | `string` | No | `preferred_username` | The claim to use to obtain the username.
| `claims.groups` | `string` | No | `groups` | The claim to use to obtain the user's group(s). |
#### Example: Migrating from HA username/password users to OIDC users
If you already have users created within Home Assistant and would like to re-use the current user profile for your OIDC login, you can (temporarily) enable `features.automatic_user_linking`, with the following config (example):
```yaml
auth_oidc:
client_id: "someValueForTheClientId"
discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
features:
automatic_user_linking: true
```
Upon login, OIDC users will then automatically be linked to the HA user with the same username.
> [!IMPORTANT]
> It's recommended to only enable this temporarily as it may pose a security risk. Any OIDC user with a username corresponding to a user in Home Assistant can get access to that user, and it's existing rights (admin), even if MFA is currently enabled for that account. After you have migrated your users (and linked OIDC to all existing accounts) you can disable the feature and keep using the linked users.
## Development
This project uses the Rye package manager for development. You can find installation instructions here: https://rye.astral.sh/guide/installation/.
Start by installing the dependencies using `rye sync` and then point your editor towards the environment created in the `.venv` directory.
### Help wanted
If you have any tips or would like to contribute, send me a message. You are also welcome to contribute a PR to fix any of the TODOs.
Currently, this is a pre-alpha, so I welcome issues but I cannot guarantee I can fix them (at least within a reasonable time). Please turn on watch for this repository to remain updated. When the component is in a beta stage, issues will likely get fixed more frequently.
### TODOs
- [X] Basic flow
- [X] Implement a final link back to the main page from the finish page
- [X] Improve welcome screen UI, should render a simple centered Tailwind UI instructing users that you should login externally to obtain a code.
- [X] Improve finish screen UI, showing the code clearly with instructions to paste it into Home Assistant.
- [X] Implement error handling on top of this proof of concept (discovery, JWKS, OIDC)
- [X] Make id_token claim used for the group (admin/user) configurable
- [X] Make id_token claim used for the username configurable
- [X] Make id_token claim used for the name configurable
- [ ] Add instructions on how to deploy this with Authentik & Authelia
- [X] Configure Github Actions to automatically lint and build the package
- [ ] Configure Dependabot for automatic updates
- [ ] Configure tests
- [ ] Consider use of setup UI instead of YAML (see https://github.com/christiaangoossens/hass-oidc-auth/discussions/6)
Currently waiting on HA feature additions:
- [ ] Update the HA frontend code to allow a redirection to be requested from an auth provider instead of manually opening welcome page (possibly after https://github.com/home-assistant/frontend/pull/23204)
- [ ] Implement this redirection logic to open a new tab on desktop (#23204 uses popup)
- [ ] Implement this redirection logic to open a Android Custom Tab (Android) / SFSafariViewController (iOS), instead of opening the link in the HA webview
<!-- MARKDOWN LINKS & IMAGES -->
<!-- https://www.markdownguide.org/basic-syntax/#reference-style-links -->
[contributors-shield]: https://img.shields.io/github/contributors/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
[contributors-url]: https://github.com/christiaangoossens/hass-oidc-auth/graphs/contributors
[forks-shield]: https://img.shields.io/github/forks/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
[forks-url]: https://github.com/christiaangoossens/hass-oidc-auth/network/members
[stars-shield]: https://img.shields.io/github/stars/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
[stars-url]: https://github.com/christiaangoossens/hass-oidc-auth/stargazers
[issues-shield]: https://img.shields.io/github/issues/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
[issues-url]: https://github.com/christiaangoossens/hass-oidc-auth/issues
[license-shield]: https://img.shields.io/github/license/christiaangoossens/hass-oidc-auth.svg?style=for-the-badge
[license-url]: https://github.com/christiaangoossens/hass-oidc-auth/blob/master/LICENSE.txt

15
SECURITY.md Normal file
View File

@@ -0,0 +1,15 @@
# Reporting Security Issues
With the nature of the integration, security issues and bugs are taken very seriously. I appreciate your efforts to responsibly disclose your findings and I will acknowledge your finding in the security advisory and release notes of the release that fixes your vulnerability. Together, we will keep the Home Assistant community safe.
To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/christiaangoossens/hass-oidc-auth/security/advisories/new) tab. **Do not make a public issue for your security vulnerability!**
I (@christiaangoossens) will review security advisories regularly and send you a response indicating next steps in handling your report. This might include fixing the vulnerability before disclosing its nature, or working together in a private branch on a fix.
Please note that this repository is maintained on a volunteer basis, I will try to respond quickly, but no guarantees.
If your bug has to do with a third party package, please have it fixed there first, such that we can include a fixed version in an update of hass-oidc-auth.
If you found a security vulnerability in Home Assistant itself, please report it at https://www.home-assistant.io/security/
## Non qualifying vulnerabities
Some vulnerabilities do not qualify for fixing in a security patch. The Home Assistant team has made a list of them over at https://www.home-assistant.io/security/#non-qualifying-vulnerabilities.

52
custom_components/auth_oidc/__init__.py
View File

@@ -4,6 +4,7 @@ import logging
from typing import OrderedDict
from homeassistant.core import HomeAssistant
from homeassistant.components.http import StaticPathConfig
# Import and re-export config schema explictly
# pylint: disable=useless-import-alias
@@ -16,8 +17,14 @@ from .config import (
DISCOVERY_URL,
DISPLAY_NAME,
ID_TOKEN_SIGNING_ALGORITHM,
GROUPS_SCOPE,
ADDITIONAL_SCOPES,
FEATURES,
CLAIMS,
ROLES,
NETWORK,
FEATURES_INCLUDE_GROUPS_SCOPE,
FEATURES_FORCE_HTTPS,
)
# pylint: enable=useless-import-alias
@@ -35,6 +42,13 @@ _LOGGER = logging.getLogger(__name__)
async def async_setup(hass: HomeAssistant, config):
"""Add the OIDC Auth Provider to the providers in Home Assistant"""
if DOMAIN not in config:
_LOGGER.warning(
"Setup was triggered, but no configuration was found. "
+ "Did you downgrade from 0.7+ without deleting the OIDC UI configuration?"
)
return False
my_config = config[DOMAIN]
providers = OrderedDict()
@@ -50,10 +64,29 @@ async def async_setup(hass: HomeAssistant, config):
_LOGGER.info("Registered OIDC provider")
# We only use openid & profile, never email
# Set the correct scopes
# Always use 'openid' & 'profile' as they are specified in the OIDC spec
# All servers should support this
scope = "openid profile"
# Include groups if requested (default is to include 'groups'
# as a scope for Authelia & Authentik)
features_config = my_config.get(FEATURES, {})
include_groups_scope = features_config.get(FEATURES_INCLUDE_GROUPS_SCOPE, True)
groups_scope = my_config.get(GROUPS_SCOPE, "groups")
if include_groups_scope:
scope += " " + groups_scope
# Add additional scopes if configured
additional_scopes = my_config.get(ADDITIONAL_SCOPES, [])
if additional_scopes:
# Ensure we have a space before adding additional scopes
if scope:
scope += " "
scope += " ".join(additional_scopes)
# Create the OIDC client
oidc_client = oidc_client = OIDCClient(
hass=hass,
discovery_url=my_config.get(DISCOVERY_URL),
client_id=my_config.get(CLIENT_ID),
scope=scope,
@@ -61,16 +94,29 @@ async def async_setup(hass: HomeAssistant, config):
id_token_signing_alg=my_config.get(ID_TOKEN_SIGNING_ALGORITHM),
features=my_config.get(FEATURES, {}),
claims=my_config.get(CLAIMS, {}),
roles=my_config.get(ROLES, {}),
network=my_config.get(NETWORK, {}),
)
# Register the views
name = config[DOMAIN].get(DISPLAY_NAME, DEFAULT_TITLE)
force_https = features_config.get(FEATURES_FORCE_HTTPS, False)
hass.http.register_view(OIDCWelcomeView(name))
hass.http.register_view(OIDCRedirectView(oidc_client))
hass.http.register_view(OIDCCallbackView(oidc_client, provider))
hass.http.register_view(OIDCRedirectView(oidc_client, force_https))
hass.http.register_view(OIDCCallbackView(oidc_client, provider, force_https))
hass.http.register_view(OIDCFinishView())
await hass.http.async_register_static_paths(
[
StaticPathConfig(
"/auth/oidc/static/style.css",
hass.config.path("custom_components/auth_oidc/static/style.css"),
cache_headers=False,
),
]
)
_LOGGER.info("Registered OIDC views")
return True

48
custom_components/auth_oidc/config.py
View File

@@ -7,14 +7,25 @@ CLIENT_SECRET = "client_secret"
DISCOVERY_URL = "discovery_url"
DISPLAY_NAME = "display_name"
ID_TOKEN_SIGNING_ALGORITHM = "id_token_signing_alg"
GROUPS_SCOPE = "groups_scope"
ADDITIONAL_SCOPES = "additional_scopes"
FEATURES = "features"
FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
FEATURES_DISABLE_PKCE = "disable_rfc7636"
FEATURES_INCLUDE_GROUPS_SCOPE = "include_groups_scope"
FEATURES_FORCE_HTTPS = "force_https"
CLAIMS = "claims"
CLAIMS_DISPLAY_NAME = "display_name"
CLAIMS_USERNAME = "username"
CLAIMS_GROUPS = "groups"
ROLES = "roles"
ROLE_ADMINS = "admin"
ROLE_USERS = "user"
NETWORK = "network"
NETWORK_TLS_VERIFY = "tls_verify"
NETWORK_TLS_CA_PATH = "tls_ca_path"
DEFAULT_TITLE = "OpenID Connect (SSO)"
@@ -34,6 +45,12 @@ CONFIG_SCHEMA = vol.Schema(
# Should we enforce a specific signing algorithm on the id tokens?
# Defaults to RS256/RSA-pubkey
vol.Optional(ID_TOKEN_SIGNING_ALGORITHM): vol.Coerce(str),
# String value to allow changing the groups scope
# Defaults to 'groups' which is used by Authelia and Authentik
vol.Optional(GROUPS_SCOPE, default="groups"): vol.Coerce(str),
# Additional scopes to request from the OIDC provider
# Optional, this field is unnecessary if you only use the openid and profile scopes.
vol.Optional(ADDITIONAL_SCOPES, default=[]): vol.Coerce(list[str]),
# Which features should be enabled/disabled?
# Optional, defaults to sane/secure defaults
vol.Optional(FEATURES): vol.Schema(
@@ -49,6 +66,14 @@ CONFIG_SCHEMA = vol.Schema(
# Feature flag to disable PKCE to support OIDC servers that do not
# allow additional parameters and don't support RFC 7636
vol.Optional(FEATURES_DISABLE_PKCE): vol.Coerce(bool),
# Boolean which activates and deactivates scope 'groups'
vol.Optional(
FEATURES_INCLUDE_GROUPS_SCOPE, default=True
): vol.Coerce(bool),
# Force HTTPS on all generated URLs (like redirect_uri)
vol.Optional(FEATURES_FORCE_HTTPS, default=False): vol.Coerce(
bool
),
}
),
# Determine which specific claims will be used from the id_token
@@ -63,6 +88,29 @@ CONFIG_SCHEMA = vol.Schema(
vol.Optional(CLAIMS_GROUPS): vol.Coerce(str),
}
),
# Determine which specific group values will be mapped to which roles
# Optional, defaults user = null, admin = 'admins'
# If user role is set, users that do not have either will be rejected!
vol.Optional(ROLES): vol.Schema(
{
# Which group name should we use to assign the user role?
vol.Optional(ROLE_USERS): vol.Coerce(str),
# What group name should we use to assign the admin role?
# Defaults to admins
vol.Optional(ROLE_ADMINS): vol.Coerce(str),
}
),
# Network options
vol.Optional(NETWORK): vol.Schema(
{
# Verify x509 certificates provided when starting TLS connections
vol.Optional(NETWORK_TLS_VERIFY, default=True): vol.Coerce(
bool
),
# Load custom certificate chain for private CAs
vol.Optional(NETWORK_TLS_CA_PATH): vol.Coerce(str),
}
),
}
)
},

22
custom_components/auth_oidc/endpoints/callback.py
View File

@@ -17,10 +17,14 @@ class OIDCCallbackView(HomeAssistantView):
name = "auth:oidc:callback"
def __init__(
self, oidc_client: OIDCClient, oidc_provider: OpenIDAuthProvider
self,
oidc_client: OIDCClient,
oidc_provider: OpenIDAuthProvider,
force_https: bool,
) -> None:
self.oidc_client = oidc_client
self.oidc_provider = oidc_provider
self.force_https = force_https
async def get(self, request: web.Request) -> web.Response:
"""Receive response."""
@@ -38,7 +42,7 @@ class OIDCCallbackView(HomeAssistantView):
)
return web.Response(text=view_html, content_type="text/html")
redirect_uri = get_url("/auth/oidc/callback")
redirect_uri = get_url("/auth/oidc/callback", self.force_https)
user_details = await self.oidc_client.async_complete_token_flow(
redirect_uri, code, state
)
@@ -52,5 +56,17 @@ class OIDCCallbackView(HomeAssistantView):
)
return web.Response(text=view_html, content_type="text/html")
if user_details.get("role") == "invalid":
view_html = await get_view(
"error",
{
"error": "User is not in the correct group to access Home Assistant, "
+ "contact your administrator!",
},
)
return web.Response(text=view_html, content_type="text/html")
code = await self.oidc_provider.async_save_user_info(user_details)
return web.HTTPFound(get_url("/auth/oidc/finish?code=" + code))
return web.HTTPFound(
get_url("/auth/oidc/finish?code=" + code, self.force_https)
)

6
custom_components/auth_oidc/endpoints/finish.py
View File

@@ -41,14 +41,14 @@ class OIDCFinishView(HomeAssistantView):
# Return redirect to the main page for sign in with a cookie
return web.HTTPFound(
location="/",
location="/?storeToken=true",
headers={
# Set a cookie to enable autologin on only the specific path used
# for the POST request, with all strict parameters set
# This cookie should not be read by any Javascript or any other paths.
# It can be really short lifetime as we redirect immediately (15 seconds)
# It can be really short lifetime as we redirect immediately (5 seconds)
"set-cookie": "auth_oidc_code="
+ code
+ "; Path=/auth/login_flow; SameSite=Strict; HttpOnly; Max-Age=15",
+ "; Path=/auth/login_flow; SameSite=Strict; HttpOnly; Max-Age=5",
},
)

10
custom_components/auth_oidc/endpoints/redirect.py
View File

@@ -17,17 +17,21 @@ class OIDCRedirectView(HomeAssistantView):
url = PATH
name = "auth:oidc:redirect"
def __init__(self, oidc_client: OIDCClient) -> None:
def __init__(self, oidc_client: OIDCClient, force_https: bool) -> None:
self.oidc_client = oidc_client
self.force_https = force_https
async def get(self, _: web.Request) -> web.Response:
"""Receive response."""
redirect_uri = get_url("/auth/oidc/callback")
try:
redirect_uri = get_url("/auth/oidc/callback", self.force_https)
auth_url = await self.oidc_client.async_get_authorization_url(redirect_uri)
if auth_url:
return web.HTTPFound(auth_url)
raise web.HTTPFound(auth_url)
except RuntimeError:
pass
view_html = await get_view(
"error",

4
custom_components/auth_oidc/helpers.py
View File

@@ -4,12 +4,14 @@ from homeassistant.components import http
from .views.loader import AsyncTemplateRenderer
def get_url(path: str) -> str:
def get_url(path: str, force_https: bool) -> str:
"""Returns the requested path appended to the current request base URL."""
if (req := http.current_request.get()) is None:
raise RuntimeError("No current request in context")
base_uri = str(req.url).split("/auth", 2)[0]
if force_https:
base_uri = base_uri.replace("http://", "https://")
return f"{base_uri}{path}"

11
custom_components/auth_oidc/manifest.json
View File

@@ -9,14 +9,15 @@
"auth",
"http"
],
"documentation": "https://github.com/christiaangoossens/hass-oidc-auth",
"documentation": "https://github.com/christiaangoossens/hass-oidc-auth/blob/v0.6.4-alpha/docs/configuration.md",
"integration_type": "service",
"iot_class": "calculated",
"issue_tracker": "https://github.com/christiaangoossens/hass-oidc-auth/issues",
"requirements": [
"python-jose>=3.3.0",
"aiofiles>=24.1.0",
"jinja2>=3.1.4"
"aiofiles",
"jinja2",
"bcrypt",
"joserfc"
],
"version": "0.4.0"
"version": "0.6.5"
}

293
custom_components/auth_oidc/oidc_client.py
View File

@@ -5,9 +5,12 @@ import logging
import os
import base64
import hashlib
import ssl
from typing import Optional
from functools import partial
import aiohttp
from jose import jwt, jwk
from joserfc import jwt, jwk, jws, errors as joserfc_errors
from homeassistant.core import HomeAssistant
from .types import UserDetails
from .config import (
@@ -15,6 +18,10 @@ from .config import (
CLAIMS_DISPLAY_NAME,
CLAIMS_USERNAME,
CLAIMS_GROUPS,
ROLE_ADMINS,
ROLE_USERS,
NETWORK_TLS_VERIFY,
NETWORK_TLS_CA_PATH,
)
_LOGGER = logging.getLogger(__name__)
@@ -40,10 +47,27 @@ class OIDCStateInvalid(OIDCClientException):
"Raised when the state for your request cannot be matched against a stored state."
class OIDCUserinfoInvalid(OIDCClientException):
"Raised when the user info is invalid or cannot be obtained."
class OIDCIdTokenSigningAlgorithmInvalid(OIDCTokenResponseInvalid):
"Raised when the id_token is signed with the wrong algorithm, adjust your config accordingly."
class HTTPClientError(aiohttp.ClientResponseError):
"Raised when the HTTP client encounters not OK (200) status code."
body: str
def __init__(self, *args, **kwargs):
self.body = kwargs.pop("body")
super().__init__(*args, **kwargs)
def __str__(self):
return f"{self.status} ({self.message}) with response body: {self.body}"
# pylint: disable=too-many-instance-attributes
class OIDCClient:
"""OIDC Client implementation for Python, including PKCE."""
@@ -51,7 +75,18 @@ class OIDCClient:
# Flows stores the state, code_verifier and nonce of all current flows.
flows = {}
def __init__(self, discovery_url: str, client_id: str, scope: str, **kwargs: str):
# HTTP session to be used
http_session: aiohttp.ClientSession = None
def __init__(
self,
hass: HomeAssistant,
discovery_url: str,
client_id: str,
scope: str,
**kwargs: str,
):
self.hass = hass
self.discovery_url = discovery_url
self.discovery_document = None
self.client_id = client_id
@@ -67,11 +102,42 @@ class OIDCClient:
features = kwargs.get("features")
claims = kwargs.get("claims")
roles = kwargs.get("roles")
network = kwargs.get("network")
self.disable_pkce: bool = features.get(FEATURES_DISABLE_PKCE)
self.disable_pkce = features.get(FEATURES_DISABLE_PKCE, False)
self.display_name_claim = claims.get(CLAIMS_DISPLAY_NAME, "name")
self.username_claim = claims.get(CLAIMS_USERNAME, "preferred_username")
self.groups_claim = claims.get(CLAIMS_GROUPS, "groups")
self.user_role = roles.get(ROLE_USERS, None)
self.admin_role = roles.get(ROLE_ADMINS, "admins")
self.tls_verify = network.get(NETWORK_TLS_VERIFY, True)
self.tls_ca_path = network.get(NETWORK_TLS_CA_PATH)
def __del__(self):
"""Cleanup the HTTP session."""
# HA never seems to run this, but it's good practice to close the session
if self.http_session:
_LOGGER.debug("Closing HTTP session")
self.http_session.close()
async def http_raise_for_status(self, response: aiohttp.ClientResponse) -> None:
"""Raises an exception if the response is not OK."""
if not response.ok:
# reason should always be not None for a started response
assert response.reason is not None
body = await response.text()
raise HTTPClientError(
response.request_info,
response.history,
status=response.status,
message=response.reason,
headers=response.headers,
body=body,
)
def _base64url_encode(self, value: str) -> str:
"""Uses base64url encoding on a given string"""
@@ -81,55 +147,97 @@ class OIDCClient:
"""Generates a random URL safe string (base64_url encoded)"""
return self._base64url_encode(os.urandom(length))
async def _get_http_session(self) -> aiohttp.ClientSession:
"""Create or get the existing client session with custom networking/TLS options"""
if self.http_session is not None:
return self.http_session
_LOGGER.debug(
"Creating HTTP session provider with options: "
+ "verify certificates: %r, custom CA file: %s",
self.tls_verify,
self.tls_ca_path,
)
tcp_connector_args = {"verify_ssl": self.tls_verify}
if self.tls_ca_path:
# Move to hass' executor to prevent blocking code inside non-blocking method
ssl_context = await self.hass.loop.run_in_executor(
None, partial(ssl.create_default_context, cafile=self.tls_ca_path)
)
tcp_connector_args["ssl"] = ssl_context
self.http_session = aiohttp.ClientSession(
connector=aiohttp.TCPConnector(**tcp_connector_args)
)
return self.http_session
async def _fetch_discovery_document(self):
"""Fetches discovery document from the given URL."""
try:
async with aiohttp.ClientSession() as session:
session = await self._get_http_session()
async with session.get(self.discovery_url) as response:
response.raise_for_status()
await self.http_raise_for_status(response)
return await response.json()
except aiohttp.ClientResponseError as e:
except HTTPClientError as e:
if e.status == 404:
_LOGGER.warning(
"Error: Discovery document not found at %s", self.discovery_url
)
else:
_LOGGER.warning("Error: %s - %s", e.status, e.message)
_LOGGER.warning("Error fetching discovery: %s", e)
raise OIDCDiscoveryInvalid from e
async def _get_jwks(self, jwks_uri):
"""Fetches JWKS from the given URL."""
try:
async with aiohttp.ClientSession() as session:
session = await self._get_http_session()
async with session.get(jwks_uri) as response:
response.raise_for_status()
await self.http_raise_for_status(response)
return await response.json()
except aiohttp.ClientResponseError as e:
_LOGGER.warning("Error fetching JWKS: %s - %s", e.status, e.message)
except HTTPClientError as e:
_LOGGER.warning("Error fetching JWKS: %s", e)
raise OIDCJWKSInvalid from e
async def _make_token_request(self, token_endpoint, query_params):
"""Performs the token POST call"""
try:
async with aiohttp.ClientSession() as session:
session = await self._get_http_session()
async with session.post(token_endpoint, data=query_params) as response:
response.raise_for_status()
await self.http_raise_for_status(response)
return await response.json()
except aiohttp.ClientResponseError as e:
except HTTPClientError as e:
if e.status == 400:
_LOGGER.warning(
"Error: Token could not be obtained (Bad Request), "
+ "did you forget the client_secret?"
"Error: Token could not be obtained (%s, %s), "
+ "did you forget the client_secret? Server returned: %s",
e.status,
e.message,
e.body,
)
else:
_LOGGER.warning(
"Unexpected error exchanging token: %s - %s", e.status, e.message
)
_LOGGER.warning("Unexpected error exchanging token: %s", e)
raise OIDCTokenResponseInvalid from e
async def _parse_id_token(
self, id_token: str, access_token: str | None
) -> Optional[dict]:
async def _get_userinfo(self, userinfo_uri, access_token):
"""Fetches userinfo from the given URL."""
try:
session = await self._get_http_session()
headers = {"Authorization": "Bearer " + access_token}
async with session.get(userinfo_uri, headers=headers) as response:
await self.http_raise_for_status(response)
return await response.json()
except HTTPClientError as e:
_LOGGER.warning("Error fetching userinfo: %s", e)
raise OIDCUserinfoInvalid from e
async def _parse_id_token(self, id_token: str) -> Optional[dict]:
"""Parses the ID token into a dict containing token contents."""
if self.discovery_document is None:
self.discovery_document = await self._fetch_discovery_document()
@@ -139,7 +247,8 @@ class OIDCClient:
try:
# Obtain the id_token header
unverified_header = jwt.get_unverified_header(id_token)
token_obj = jws.extract_compact(id_token.encode())
unverified_header = token_obj.protected
if not unverified_header:
_LOGGER.warning("Could not get header from received id_token.")
return None
@@ -168,7 +277,7 @@ class OIDCClient:
)
raise OIDCIdTokenSigningAlgorithmInvalid()
jwk_obj = jwk.construct(
jwk_obj = jwk.import_key(
{
"kty": "oct",
"k": base64.urlsafe_b64encode(
@@ -196,10 +305,14 @@ class OIDCClient:
_LOGGER.warning("Could not find matching key with kid: %s", kid)
return None
# Construct the JWK from the RSA key
jwk_obj = jwk.construct(signing_key)
# If signing_key does not have alg, set it to the one passed in the token
if "alg" not in signing_key:
signing_key["alg"] = alg
# Verify the token
# Construct the JWK from the RSA key
jwk_obj = jwk.import_key(signing_key)
# Decode the token, decode does not verify it
decoded_token = jwt.decode(
id_token,
jwk_obj,
@@ -208,48 +321,31 @@ class OIDCClient:
# according to JWS [JWS] using the algorithm specified in the JWT
# alg Header Parameter.
algorithms=[self.id_token_signing_alg],
)
# Create Claims Registry for validation
id_token_validator = jwt.JWTClaimsRegistry(
leeway=5,
# OpenID Connect Core 1.0 Section 3.1.3.7.3
# The Client MUST validate that the aud (audience) Claim contains
# its client_id value registered at the Issuer identified by the
# iss (issuer) Claim as an audience.
audience=self.client_id,
aud={"essential": True, "value": self.client_id},
# OpenID Connect Core 1.0 Section 3.1.3.7.2
# The Issuer Identifier for the OpenID Provider MUST exactly
# match the value of the iss (issuer) Claim.
issuer=self.discovery_document["issuer"],
access_token=access_token,
options={
# Verify everything if present
"verify_signature": True,
"verify_aud": True,
"verify_iat": True,
"verify_exp": True,
"verify_nbf": True,
"verify_iss": True,
"verify_sub": True,
"verify_jti": True,
"verify_at_hash": True,
# OpenID Connect Core 1.0 Section 3.1.3.7.3
"require_aud": True,
# OpenID Connect Core 1.0 Section 3.1.3.7.10
"require_iat": True,
iss={"essential": True, "value": self.discovery_document["issuer"]},
# OpenID Connect Core 1.0 Section 3.1.3.7.9
"require_exp": True,
# OpenID Connect Core 1.0 Section 3.1.3.7.2
"require_iss": True,
# We need the sub as it's used to identify the user
"require_sub": True,
# Other values, not required.
"require_nbf": False,
"require_jti": False,
"require_at_hash": False,
"leeway": 5,
},
# OpenID Connect Core 1.0 Section 3.1.3.7.10
# No need to specify exp, nbf, iat, they are in here by default
sub={"essential": True},
)
return decoded_token
except jwt.JWTError as e:
_LOGGER.warning("JWT Verification failed: %s", e)
id_token_validator.validate(decoded_token.claims)
return decoded_token.claims
except joserfc_errors.JoseError as e:
_LOGGER.warning("JWT verification failed: %s", e)
return None
async def async_get_authorization_url(self, redirect_uri: str) -> Optional[str]:
@@ -298,6 +394,57 @@ class OIDCClient:
_LOGGER.warning("Error generating authorization URL: %s", e)
return None
async def parse_user_details(self, id_token: str, access_token: str) -> UserDetails:
"""Parses the ID token and/or userinfo into user details."""
# Fetch userinfo if there is an userinfo_endpoint available
# and use the data to supply the missing values in id_token
if "userinfo_endpoint" in self.discovery_document:
userinfo_endpoint = self.discovery_document["userinfo_endpoint"]
userinfo = await self._get_userinfo(userinfo_endpoint, access_token)
# Replace missing claims in the id_token with their userinfo version
for claim in (
self.groups_claim,
self.display_name_claim,
self.username_claim,
):
if claim not in id_token and claim in userinfo:
id_token[claim] = userinfo[claim]
# Get and parse groups (to check if it's an array)
groups = id_token.get(self.groups_claim, [])
if not isinstance(groups, list):
_LOGGER.warning("Groups claim is not a list, using empty list instead.")
groups = []
# Assign role if user has the required groups
role = "invalid"
if self.user_role in groups or self.user_role is None:
role = "system-users"
if self.admin_role in groups:
role = "system-admin"
# Create a user details dict based on the contents of the id_token & userinfo
return {
# Subject Identifier. A locally unique and never reassigned identifier within the
# Issuer for the End-User, which is intended to be consumed by the Client
# Only unique per issuer, so we combine it with the issuer and hash it.
# This might allow multiple OIDC providers to be used with this integration.
"sub": hashlib.sha256(
f"{self.discovery_document['issuer']}.{id_token.get('sub')}".encode(
"utf-8"
)
).hexdigest(),
# Display name, configurable
"display_name": id_token.get(self.display_name_claim),
# Username, configurable
"username": id_token.get(self.username_claim),
# Role
"role": role,
}
async def async_complete_token_flow(
self, redirect_uri: str, code: str, state: str
) -> Optional[UserDetails]:
@@ -336,11 +483,9 @@ class OIDCClient:
)
id_token = token_response.get("id_token")
access_token = token_response.get("access_token")
# Parse the id token to obtain the relevant details
# Access token is supplied to check at_hash if present
id_token = await self._parse_id_token(id_token, access_token)
id_token = await self._parse_id_token(id_token)
if id_token is None:
_LOGGER.warning("ID token could not be parsed!")
@@ -354,26 +499,8 @@ class OIDCClient:
_LOGGER.warning("Nonce mismatch!")
return None
# TODO: If the configured claims are not present in id_token, we should fetch userinfo
# Create a user details dict based on the contents of the id_token & userinfo
data: UserDetails = {
# Subject Identifier. A locally unique and never reassigned identifier within the
# Issuer for the End-User, which is intended to be consumed by the Client
# Only unique per issuer, so we combine it with the issuer and hash it.
# This might allow multiple OIDC providers to be used with this integration.
"sub": hashlib.sha256(
f"{self.discovery_document['issuer']}.{id_token.get('sub')}".encode(
"utf-8"
)
).hexdigest(),
# Display name, configurable
"display_name": id_token.get(self.display_name_claim),
# Username, configurable
"username": id_token.get(self.username_claim),
# Groups, configurable
"groups": id_token.get(self.groups_claim),
}
access_token = token_response.get("access_token")
data = await self.parse_user_details(id_token, access_token)
# Log which details were obtained for debugging
# Also log the original subject identifier such that you can look it up in your provider
@@ -384,5 +511,5 @@ class OIDCClient:
)
return data
except OIDCClientException as e:
_LOGGER.warning("Error completing token flow: %s", e)
_LOGGER.warning("Failed to complete token flow, returning None. (%s)", e)
return None

16
custom_components/auth_oidc/provider.py
View File

@@ -6,6 +6,7 @@ import logging
from typing import Dict, Optional
import asyncio
import bcrypt
from homeassistant.auth import EVENT_USER_ADDED
from homeassistant.auth.providers import (
AUTH_PROVIDERS,
@@ -258,14 +259,11 @@ class OpenIDAuthProvider(AuthProvider):
sub = credentials.data["sub"]
meta = self._user_meta.get(sub, {})
groups = meta.get("groups", [])
# TODO: Allow setting which group is for admins
group = "system-admin" if "admins" in groups else "system-users"
role = meta.get("role")
return UserMeta(
name=meta.get("display_name"),
is_active=True,
group=group,
group=role,
local_only=False,
)
@@ -274,6 +272,14 @@ class OpenIdLoginFlow(LoginFlow):
"""Handler for the login flow."""
async def _finalize_user(self, code: str) -> AuthFlowResult:
# Verify a dummy hash to make it last a bit longer
# as security measure (limits the amount of attempts you have in 5 min)
# Similar to what the HomeAssistant auth provider does
dummy = b"$2b$12$CiuFGszHx9eNHxPuQcwBWez4CwDTOcLTX5CbOpV6gef2nYuXkY7BO"
bcrypt.checkpw(b"foo", dummy)
# Actually look up the auth provider after,
# this doesn't take a lot of time (regardless of it's in there or not)
sub = await self._auth_provider.async_get_subject(code)
if sub:
return await self.async_finish(

3
custom_components/auth_oidc/static/input.css Normal file
View File

@@ -0,0 +1,3 @@
@import "tailwindcss";
@source "../views/templates";

2
custom_components/auth_oidc/static/style.css Normal file
View File

File diff suppressed because one or more lines are too long

8
custom_components/auth_oidc/types.py
View File

@@ -1,7 +1,9 @@
"""Generic data types"""
# Dict class to give a type to the user details
from typing import Literal
class UserDetails(dict):
"""User details representation"""
@@ -12,5 +14,5 @@ class UserDetails(dict):
# Preferred username for the user, will be used when first generating the account
# or to link the account on first login
username: str
# Groups that the user has, if any are sent from the OIDC provider
groups: list[str]
# Home Assistant role to assign to this user
role: Literal["system-admin", "system-users", "invalid"]

4
custom_components/auth_oidc/views/loader.py
View File

@@ -54,7 +54,9 @@ class AsyncTemplateRenderer:
if template_name not in templates:
raise ValueError(f"Template '{template_name}' not found.")
env = Environment(loader=DictLoader(templates), enable_async=True)
env = Environment(
loader=DictLoader(templates), enable_async=True, autoescape=True
)
template = env.get_template(template_name)
# Render template

2
custom_components/auth_oidc/views/templates/base.html
View File

@@ -6,7 +6,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{% block title %}{% endblock %}</title>
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet" href="/auth/oidc/static/style.css">
{% endblock %}
</head>

166
docs/configuration.md Normal file
View File

@@ -0,0 +1,166 @@
# Configuration methods
Currently, the only available configuration method is YAML in your `configuration.yaml` file. In the future, we will also add limited UI configuration for the most common configurations (Authentik, Authelia and Pocket-ID). Advanced users will need to use the YAML configuration in any case.
# YAML Configuration
For now, this integration is configured using YAML in your `configuration.yaml` file. By default, only two fields are required:
```yaml
auth_oidc:
client_id: ""
discovery_url: ""
```
The default settings assume that you configure Home Assistant as a **public client**, without a client secret. If so, you should only need to provide the `client_id` from your OIDC provider and it's discovery URL (ending in `.well-known/openid-configuration`).
You don't have to configure other settings in most cases, as they have secure defaults set. If your provider requires manually configuring the callback URL, use `<your HA URL>/auth/oidc/callback`.
## Provider Configurations
Here are some documentation links for specific providers that you may want to follow:
* [Authentik](./provider-configurations/authentik.md)
* [Authelia](./provider-configurations/authelia.md)
* [Pocket ID](./provider-configurations/pocket-id.md)
* [Kanidm](./provider-configurations/kanidm.md)
* [Microsoft Entra ID](./provider-configurations/microsoft-entra.md)
_Missing a provider? Submit your guide using a PR._
## Common Configurations
### Configuring Client Secret
If you want to configure Home Assistant as a **confidential client**, you should provide the client secret as well. An example configuration might look like this:
```yaml
auth_oidc:
client_id: ""
client_secret: !secret oidc_client_secret
discovery_url: ""
```
You should use the Home Assistant secrets helper (`!secret`) to make sure you store secrets securely. See https://www.home-assistant.io/docs/configuration/secrets/ for more information.
> [!IMPORTANT]
> Most users will not experience any benefits from using a confidential client, as using properly configured redirect URLs + PKCE already provides enough security in a home setting and using a client secret introduces the risk of it getting lost/stolen/put on the internet. Do not use a confidential setup if you don't know what you are doing.
### Configuring roles & scopes or OIDC settings
If your provider isn't listed above, you might want to configure OIDC settings yourself. Here's an example configuration for that use case:
```yaml
auth_oidc:
client_id: ""
discovery_url: ""
id_token_signing_alg: <HS256, RS256, ES256, ...>
groups_scope: <groups scope>
claims:
display_name: <display name claim from your provider>
username: <username claim from your provider>
groups: <groups claim from your provider>
roles:
admin: <group name to use for admins>
user: <group name to use for users>
```
If you configure the user role, OIDC users that have neither configured group name will be rejected! If you configure the admin role, users with that role will receive administrator rights in Home Assistant automatically upon login.
### Configuring a display name for your OIDC provider
If you would like to change the default name on the OIDC welcome screen and Home Assistant login screens from `OpenID Connect (SSO)` to your own display name, you can set the `display_name` configuration property.
```yaml
auth_oidc:
client_id: ""
discovery_url: ""
display_name: "Example"
```
This will show the provider on the login screen as: "Login with Example".
### Forcing HTTPS
First check if you are setting the header `X-Forwarded-Proto` in your proxy and if the [proxy settings for Home Assistant](https://www.home-assistant.io/integrations/http/#use_x_forwarded_for) are configured correctly. You should also check if IP addresses in your logs actually match the origin IP (instead of proxy IP). If you cannot find any mistakes, you may use the following config option to force HTTPS regardless:
```yaml
auth_oidc:
features:
force_https: true
```
### Disabling registration for new users
This integration does not allow disabling registration for new users, as there is no way to abort registration that late in the process while providing a good user experience.
You can however set both roles to groups that only contain certain users or to a non-existant group.
```yaml
auth_oidc:
roles:
user: "non_existent"
admin: "admins"
```
Note that if you put both on non-existent groups, no users will be able to login.
### Migrating from HA username/password users to OIDC users
If you already have users created within Home Assistant and would like to re-use the current user profile for your OIDC login, you can (temporarily) enable `features.automatic_user_linking`, with the following config (example):
```yaml
auth_oidc:
client_id: "someValueForTheClientId"
discovery_url: "https://example.com/application/o/application/.well-known/openid-configuration"
features:
automatic_user_linking: true
```
Upon login, OIDC users will then automatically be linked to the HA user with the same username. It's recommended to **only enable this temporarily** as it may pose a security risk. You should disable it after linking all your users, as existing links will still work if you disable it, but no new links will be created.
> [!CAUTION]
> Any OIDC user with a username corresponding to a user in Home Assistant can get access to that user and all its rights/configuration.
> [!CAUTION]
> MFA is ignored when using this setting, thus bypassing any MFA configuration the user has originally configured, as long as the username is an exact match. This is dangerous if you are not aware of it!
### Using a private certificate authority
If you use a private certificate authority to secure your OIDC provider, you must configure the root certificates of your private certificate authority. Otherwise you will get an error (`[SSL: CERTIFICATE_VERIFY_FAILED]`) when connecting to the OIDC provider.
You can either make the CA known to the entire operating system or configure only this component to use the CA. If you want to only use your private CA with this integration, you can specify it via `network.tls_ca_path`:
```yaml
auth_oidc:
network:
tls_ca_path: /path/to/private-ca.pem
```
If you want to deactivate the validation of all TLS certificates for test purposes, you can do this via `network.tls_verify: false`:
```yaml
auth_oidc:
network:
tls_verify: false
```
> [!CAUTION]
> Do not disable `tls_verify` in a production setting or when your Home Assistant installation is exposed outside of your network. If disabled, man-in-the-middle attacks can be used to change the provider configuration to allow fake tokens to be used.
## All configuration Options
Here's a table of all options that you can set:
| Option | Type | Required | Default | Description |
|-----------------------------|----------|----------|----------------------|---------------------------------------------------------------------------------------------------------|
| `client_id` | `string` | Yes | | The Client ID as registered with your OpenID Connect provider. |
| `client_secret` | `string` | No | | The Client Secret for enabling confidential client mode. |
| `discovery_url` | `string` | Yes | | The OIDC well-known configuration URL. |
| `display_name` | `string` | No | `"OpenID Connect (SSO)"` | The name to display on the login screen, both for the Home Assistant screen and the OIDC welcome screen. |
| `id_token_signing_alg` | `string` | No | `RS256` | The signing algorithm that is used for your id_tokens.
| `groups_scope` | `string` | No | `groups` | Override the default grups scope with another scope of your choice. |
| `additional_scopes`|`list of strings`| No | `empty list` | Add additional scopes to request for custom identity provider configurations in addition to the automatic `openid` and `profile` scopes and the `groups_scope` configuration option |
| `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. |
| `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. |
| `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. |
| `features.include_groups_scope` | `boolean` | No | `true` | Include the 'groups' scope in the OIDC request. Set to `false` to exclude it. |
| `features.force_https` | `boolean` | No | `false` | Set to `true` to force all URLs generated to use `https` instead of automatically determining based on the request scheme or `X-Forwarded-Proto`. |
| `claims.display_name` | `string` | No | `name` | The claim to use to obtain the display name.
| `claims.username` | `string` | No | `preferred_username` | The claim to use to obtain the username.
| `claims.groups` | `string` | No | `groups` | The claim to use to obtain the user's group(s). |
| `roles.admin` | `string` | No | `admins` | Group name to require for users to get the 'admin' role in Home Assistant. Defaults to 'admins', the default group name for admins in Authentik. Doesn't do anything if no groups claim is found in your token. |
| `roles.user` | `string` | No | | Group name to require for users to get the 'user' role in Home Assistant. Defaults to giving all users this role, unless configured. |
| `network.tls_verify` | `boolean` | No | `true` | Verify TLS certificate. You may want to set this set to `false` when testing locally. |
| `network.tls_ca_path` | `string` | No | | Path to file containing a private certificate authority chain. |

69
docs/provider-configurations/authelia.md Normal file
View File

@@ -0,0 +1,69 @@
# Authelia
## Public client configuration
> [!NOTE]
> This configuration strictly requires a HTTPS redirect uri.
Authelia `configuration.yml`
```yaml
identity_providers:
oidc:
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
- client_id: 'homeassistant'
client_name: 'Home Assistant'
public: true
require_pkce: true
pkce_challenge_method: 'S256'
authorization_policy: 'two_factor'
redirect_uris:
- 'https://hass.example.com/auth/oidc/callback'
scopes:
- 'openid'
- 'profile'
- 'groups'
id_token_signed_response_alg: 'RS256'
```
Home Assistant `configuration.yaml`
```yaml
auth_oidc:
client_id: "homeassistant"
discovery_url: "https://auth.example.com/.well-known/openid-configuration"
```
## Confidential client configuration:
Authelia `configuration.yml`
```yaml
identity_providers:
oidc:
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
- client_id: 'homeassistant'
client_name: 'Home Assistant'
client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
require_pkce: true
pkce_challenge_method: 'S256'
authorization_policy: 'two_factor'
redirect_uris:
- 'https://hass.example.com/auth/oidc/callback'
scopes:
- 'openid'
- 'profile'
- 'groups'
id_token_signed_response_alg: 'RS256'
token_endpoint_auth_method: 'client_secret_post'
```
Home Assistant `configuration.yaml`
```yaml
auth_oidc:
client_id: "homeassistant"
client_secret: "insecure_secret"
discovery_url: "https://auth.example.com/.well-known/openid-configuration"
```

40
docs/provider-configurations/authentik.md Normal file
View File

@@ -0,0 +1,40 @@
# Authentik
## Public client configuration
Under construction.
## Confidential client configuration
1. From the admin interface, go to `Applications > Providers` and click on `Create`
2. Select `OAuth2/OpenID Provider` and click `Next`
3. Fill the following details:
- Name: `Home Assistant Provider`
- Authorization flow: `default-provider-authorization-explicit-consent`
- Client type: `Confidential`
- Client ID: `homeassistant`
- Client Secret: **Copy this value**
- Redirect URIs/Origins: Click on `Add entry` (You can use either DNS, Internal/External IP or localhost)
- Strict: https://hass.example.com/auth/oidc/callback
4. Click `Finish` to save the provider configuration
5. Open the created Provider
6. On the Assigned to application section click on `Create`:
- Name: `Home Assistant`
- Slug: `home-assistant`
- Provider: `Home Assistant Provider`
Then save the configuration
## Home Assistant configuration
> [!IMPORTANT]
> For HTTPS configuration make sure to have a public valid SSL certificate (i.e. LetsEncrypt), if not, use HTTP instead (more insecure) or add your Authentik CA certificate to `network.tls_ca_path`.
After installing this HACS addon, edit your `configuration.yaml` file and add:
```yaml
auth_oidc:
client_id: "homeassistant"
client_secret: "client_secret"
discovery_url: "https://auth.example.com/application/o/home-assistant/.well-known/openid-configuration"
```
Restart Home Assistant and go to https://hass.example.com/auth/oidc/welcome

145
docs/provider-configurations/kanidm.md Normal file
View File

@@ -0,0 +1,145 @@
# Kanidm
## Public client configuration
[Home Assistant](https://github.com/home-assistant/core) `/var/lib/hass/configuration.yaml`
```yaml
auth_oidc:
client_id: "homeassistant"
discovery_url: "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration"
features:
automatic_person_creation: true
id_token_signing_alg: "ES256"
roles:
admin: "homeassistant_admins@idm.example.org"
user: "idm_all_persons@idm.example.org"
```
[Kanidm](https://github.com/kanidm/kanidm)
1. Create your Kanidm account, if you don't have one already:
```shell
kanidm person create "your_username" "Your Username" --name "idm_admin"
```
2. Create a new Kanidm group for your HomeAssistant administrators (`homeassistant_admins`), and add your regular account to it:
```shell
kanidm group create "homeassistant_admins" --name "idm_admin"
kanidm group add-members "homeassistant_admins" "your_username" --name "idm_admin"
```
3. Create a new OAuth2 application configuration in Kanidm (`homeassistant`), configure the redirect URL, and scope access:
```shell
kanidm system oauth2 create-public "homeassistant" "Home Assistant" "https://hass.example.org/auth/oidc/welcome" --name "idm_admin"
kanidm system oauth2 add-redirect-url "homeassistant" "https://hass.example.org/auth/oidc/callback" --name "idm_admin"
kanidm system oauth2 update-scope-map "homeassistant" "homeassistant_users" "email" "groups" "openid" "profile" --name "idm_admin"
```
[Kanidm Provision](https://github.com/oddlama/kanidm-provision) `state.json`
```jsonc
{
"groups": {
"homeassistant_admins": {
"members": ["your_username"]
}
},
"persons": {
"your_username": {
"displayName": "Your Username"
},
},
"systems": {
"oauth2": {
"homeassistant": {
"displayName": "Home Assistant",
"originLanding": "https://hass.example.org/auth/oidc/welcome",
"originUrl": "https://hass.example.org/auth/oidc/callback",
"public": true,
"scopeMaps": {
"homeassistant_users": ["email", "groups", "openid", "profile"]
}
}
}
}
}
```
## Confidential client configuration
[Home Assistant](https://github.com/home-assistant/core) `/var/lib/hass/configuration.yaml`
```yaml
auth_oidc:
client_id: "homeassistant"
client_secret: !secret oidc_client_secret
discovery_url: "https://idm.example.org/oauth2/openid/homeassistant/.well-known/openid-configuration"
features:
automatic_person_creation: true
id_token_signing_alg: "ES256"
roles:
admin: "homeassistant_admins@idm.example.org"
user: "idm_all_persons@idm.example.org"
```
[Kanidm](https://github.com/kanidm/kanidm)
1. Create your Kanidm account, if you don't have one already:
```shell
kanidm person create "your_username" "Your Username" --name "idm_admin"
```
2. Create a new Kanidm group for your HomeAssistant administrators (`homeassistant_admins`), and add your regular account to it:
```shell
kanidm group create "homeassistant_admins" --name "idm_admin"
kanidm group add-members "homeassistant_admins" "your_username" --name "idm_admin"
```
3. Create a new OAuth2 application configuration in Kanidm (`homeassistant`), configure the redirect URL, and scope access:
```shell
kanidm system oauth2 create "homeassistant" "Home Assistant" "https://hass.example.org/auth/oidc/welcome" --name "idm_admin"
kanidm system oauth2 add-redirect-url "homeassistant" "https://hass.example.org/auth/oidc/callback" --name "idm_admin"
kanidm system oauth2 update-scope-map "homeassistant" "homeassistant_users" "email" "groups" "openid" "profile" --name "idm_admin"
```
4. Get the `homeassistant` OAuth2 client secret from Kanidm:
```shell
kanidm system oauth2 show-basic-secret "homeassistant" --name "idm_admin" | xargs echo 'oidc_client_secret: {}' | tee --append "/var/lib/hass/secrets.yaml"
```
[Kanidm Provision](https://github.com/oddlama/kanidm-provision) `state.json`
```jsonc
{
"groups": {
"homeassistant_admins": {
"members": ["your_username"]
}
},
"persons": {
"your_username": {
"displayName": "Your Username"
},
},
"systems": {
"oauth2": {
"homeassistant": {
"displayName": "Home Assistant",
"originLanding": "https://hass.example.org/auth/oidc/welcome",
"originUrl": "https://hass.example.org/auth/oidc/callback",
"scopeMaps": {
"homeassistant_users": ["email", "groups", "openid", "profile"]
}
}
}
}
}
```

51
docs/provider-configurations/microsoft-entra.md Normal file
View File

@@ -0,0 +1,51 @@
# Microsoft Entra ID
> [!WARNING]
> Microsoft Entra ID does not support public clients that are not Single Page Applications (SPA's). Therefore, you will have to use a client secret.
## Basic configuration
1. Go to app registrations in Entra ID.
2. Create a new app, use the "Web" type for the redirect URI and fill in your URL: `<ha url>/auth/oidc/callback`. Note that you either have to use localhost, or HTTPS.
3. Copy the 'Application (client) ID' on the overview page of your app and use it as your `client_id`.
4. Create the discovery URL:
- If you selected 'own tenant only' use the 'Directory (tenant) ID' on the overview page of your app and create the discovery URL using: `https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration`.
- If you selected any Azure AD account (would not recommend this) or also personal accounts, use `https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration`.
5. Go to Certificates & Secrets and create a client secret. Make sure to copy the 'Value' and not the Secret ID. Use this value for `client_secret` in the HA config.
- Make sure to renew this secret in time. It will expire in two years.
6. Go to API Permissions and click 'Add permission'. Add the `openid` and `profile` permissions from Microsoft Graph. You can remove `User.Read`.
Now configure Home Assistant with the following:
```
auth_oidc:
client_id: < client id from the 'Application (client) ID field' >
discovery_url: < discovery URL you made in step 4 >
client_secret: < client seret from step 5 >
features:
include_groups_scope: False
```
> [!CAUTION]
> Be careful! Configuring Entra ID wrong may leave your Home Assistant install open for anyone with a Microsoft account. Please use "Single tenant" account types only. Do not enable "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" or personal account modes without enabling the mode to only allow specific accounts first!
## Configuring user roles
If you like to configure the Home Assistant users roles based on your Entra ID settings, you have to create 2 roles within your Entra ID app registration.
Go to "App registrations" and select app roles. Create two new roles for admins and users, giving them sensible names and values (the example uses `users` and `admins`), that you will need later in your HA configuration.
<img width="1205" height="965" alt="Entra-HA-Roles" src="https://github.com/user-attachments/assets/568a1526-0607-4f88-945f-7c4f1fcc0ac2" />
Then you need to create the users and assign them a role of your choice.
Go to "Enterprise apps" chose your app registration again and select "Users and groups" within the manage section. Add users, or groups from your tenant or AD-sync and assign them a role, from the ones you created before.
<img width="1112" height="570" alt="Entra-HA-Users" src="https://github.com/user-attachments/assets/13a49cee-798b-4b53-8fee-d2792ccd7763" />
Last thing to do is to include
```
claims:
groups: "roles"
roles:
admin: "admins"
user: "users"
```
in your auth_oidc config, where the roles values correspond to the ones you chose in your Entra ID roles.
Make sure, you keep the "include_groups_scope: False" from the basic configuration, as the claim needed for Entra ID is "roles".
Newly created users will get the role assigned in Entra ID, but there is no update to user roles. A user created with user role in HA will not get the admin role, if you change the assignment later on in Entra ID.

58
docs/provider-configurations/pocket-id.md Normal file
View File

@@ -0,0 +1,58 @@
# Pocket ID
## Public client configuration
### Pocket ID configuration
1. Login to Pocket ID and go to `OIDC Clients`
2. Click on `Add OIDC Client`
3. Fill the following details:
- Name: `Home Assistant`
- Callback URLs: `<your-homeassistant-url>/auth/oidc/callback` (for example: https://hass.example.com/auth/oidc/callback)
- Click on `Public Client` (PKCE will be automatically marked when doing this)
4. Click on `Save`
5. Click on `Show more details` and note down your `Client ID` and `OIDC Discovery URL` since you will need them later.
### Home Assistant configuration
1. Add following configuration in Home Assistant's configuration.yaml:
```yaml
auth_oidc:
client_id: <The Client ID you have noted down>
discovery_url: <The OIDC Discovery URL you have noted down> (for example: https://id.example.com/.well-known/openid-configuration)
```
2. Restart Home Assistant and go to your Home Assistant OIDC URL (for example: https://hass.example.com/auth/oidc/welcome)
## Confidential client configuration
### Pocket ID configuration
1. Login to Pocket ID and go to `OIDC Clients`
2. Click on `Add OIDC Client`
3. Fill the following details:
- Name: `Home Assistant`
- Callback URLs: `<your-homeassistant-url>/auth/oidc/callback` (for example: https://hass.example.com/auth/oidc/callback)
4. Click on `Save`
5. Click on `Show more details` and note down your:
- `Client ID`
- `Client secret`
- `OIDC Discovery URL`
### Home Assistant configuration
1. Add following configuration in Home Assistant's configuration.yaml:
```yaml
auth_oidc:
client_id: <The Client ID you have noted down>
client_secret: <The Client secret you have noted down>
discovery_url: <The OIDC Discovery URL you have noted down> (for example: https://id.example.com/.well-known/openid-configuration)
```
2. Restart Home Assistant and go to your Home Assistant OIDC URL (for example: https://hass.example.com/auth/oidc/welcome)

84
docs/usage.md Normal file
View File

@@ -0,0 +1,84 @@
# How do I use the OIDC Integration for Home Assistant?
Here's a step by step guide to use the integration:
### Step 1: HACS
Install the integration through [HACS](https://hacs.xyz/). You can add it automatically using the button below, or use the Github URL and type `Integration` in the manual Custom Repository add dialog.
[![Open your Home Assistant instance and open a repository inside the Home Assistant Community Store.](https://my.home-assistant.io/badges/hacs_repository.svg)](https://my.home-assistant.io/redirect/hacs_repository/?owner=christiaangoossens&repository=hass-oidc-auth&category=Integration)
### Step 2: Configuration of the integration
The integration is currently configurable through YAML only. See the [Configuration Guide](./configuration.md) for more details or pick your OIDC provider below (additional providers are available in the Configuration Guide):
| <img src="https://goauthentik.io/img/icon_top_brand_colour.svg" width="100"> | <img src="https://www.authelia.com/images/branding/logo-cropped.png" width="100"> | <img src="https://github.com/user-attachments/assets/4ceb2708-9f29-4694-b797-be833efce17d" width="100"> |
|:-----------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------------------------------------------------------------:|
| [Authentik](./provider-configurations/authentik.md) | [Authelia](./provider-configurations/authelia.md) | [Pocket ID](./provider-configurations/pocket-id.md) |
By default, the integration assumes you configure Home Assistant as a **public client** and thus only specify the `client_id` and no `client_secret`. For example, your configuration might look like:
```yaml
auth_oidc:
client_id: "example"
discovery_url: "https://example.com/.well-known/openid-configuration"
```
When registering Home Assistant at your OIDC provider, use `<your HA URL>/auth/oidc/callback` as the callback URL and select 'public client'. You should now get the `client_id` and `issuer_url` or `discovery_url` to fill in.
### Step 3: Restart
Restart Home Assistant. You can do so by going to the Reparations/Update section in Home Assistant.
### Step 4: Go to the OIDC login screen
After restarting Home Assistant, you should now be able to get to the login screen. You can find it at `<your HA URL>/auth/oidc/welcome`. You will have to go there manually for now. For example, it might be located at http://homeassistant.local:8123/auth/oidc/welcome.
It should look like this:
![image](https://github.com/user-attachments/assets/7320b7d3-b9f9-4268-ba1f-4deb0c6805ea)
If you have configured everything correctly, you should be redirected to your OIDC Provider after clicking the button. Please login there.
You should return to a screen like this:
![image](https://github.com/user-attachments/assets/d9c305bd-4a93-4a97-ae55-dba6361d92c8)
Either click the automatic sign in button or copy the code.
This screen will give you a one-time code to login that expires in 5 minutes.
#### Step 4a: Automatic login
If you would like to login automatically, click the button. It will log you in to your user in the current browser window.
#### Step 4b: Code login
If you would like to login using the code, go to your normal Home Assistant URL without any user logged in, such as on your mobile device/wall tablet/smart watch. You will now see the following screen:
![image](https://github.com/user-attachments/assets/4ed2b408-53e4-429e-920a-7628ddbcfc02)
If you don't, you likely see:
![image](https://github.com/user-attachments/assets/80629c60-793e-4933-8b45-283234798ffb)
If so, click "OpenID Connect (SSO)" to get to the first screen. If you have configured a [display name](./configuration.md#configuring-a-display-name-for-your-oidc-provider), that will show instead.
Enter your code into the single input field:
![image](https://github.com/user-attachments/assets/f031a41c-5a85-44b8-8517-3feabaa44fd5)
Upon clicking login, you should now login.
If the code is wrong, you will see this instead:
![image](https://github.com/user-attachments/assets/317d20e4-0e10-40f7-bb68-5cf456faf87d)
#### Step 5: Logged in
You will be logged in after following this guide.
With the default configuration, [a person entry](https://www.home-assistant.io/integrations/person/) will be created for every new OIDC user logging in. New OIDC users will get their own fresh user, linked to their persistent ID (subject) at the OpenID Connect provider. You may change your name, username or email at the provider and still have the same Home Assistant user profile.
# How can I make this easier for my users?
You can link the user directly to one of these following URLs:
- `/auth/oidc/welcome` (if you would like a nice welcome screen for your users)
- `/auth/oidc/redirect` (if you would like to just redirect them without a welcome screen)
For a seamless user experience, configure a new domain on your proxy to redirect to the `/auth/oidc/welcome` path or configure that path on your homelab dashboard or in your OIDC provider (such as in the app settings in Authentik). Users will then always start on the OIDC welcome page, which will allow them to visit the dashboard if they are already logged in.
*Note: do not replace the standard path with a redirect to the OIDC screen. This breaks login with code.*

2
hacs.json
View File

@@ -2,5 +2,5 @@
"name": "OpenID Connect",
"hide_default_branch": true,
"render_readme": true,
"homeassistant": "2024.12"
"homeassistant": "2025.08"
}

BIN
logo.png Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

1123
package-lock.json generated Normal file
View File

File diff suppressed because it is too large Load Diff

11
package.json Normal file
View File

@@ -0,0 +1,11 @@
{
"name": "hass-oidc-auth",
"scripts": {
"css": "tailwindcss -i ./custom_components/auth_oidc/static/input.css -o ./custom_components/auth_oidc/static/style.css --minify",
"css:watch": "tailwindcss -i ./custom_components/auth_oidc/static/input.css -o ./custom_components/auth_oidc/static/style.css --watch --minify"
},
"dependencies": {
"@tailwindcss/cli": "^4.1.14",
"tailwindcss": "^4.1.14"
}
}

34
pyproject.toml
View File

@@ -1,29 +1,33 @@
[project]
name = "hass-oidc-auth"
version = "0.4.0"
version = "0.6.4"
description = "OIDC component for Home Assistant"
authors = [
{ name = "Christiaan Goossens", email = "contact@christiaangoossens.nl" }
]
license = "MIT"
dependencies = [
"python-jose>=3.3.0",
"aiofiles>=24.1.0",
"jinja2>=3.1.4",
"aiofiles~=25.1",
"jinja2~=3.1",
"bcrypt~=5.0",
"joserfc~=1.6.0",
]
readme = "README.md"
requires-python = ">= 3.13"
requires-python = "~=3.14.2"
[dependency-groups]
dev = [
"homeassistant~=2026.1",
"pylint~=4.0",
"ruff~=0.12",
]
[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"
[tool.rye]
[tool.uv]
managed = true
dev-dependencies = [
"homeassistant~=2024.12",
"pylint~=3.3",
]
[tool.hatch.metadata]
allow-direct-references = true
@@ -31,11 +35,5 @@ allow-direct-references = true
[tool.hatch.build.targets.wheel]
packages = ["custom_components/auth_oidc"]
[tool.rye.scripts]
check = { chain = ["check-lint", "check-fmt", "check-pylint" ] }
"check-lint" = "rye lint"
"check-fmt" = "rye fmt --check"
"check-pylint" = "pylint custom_components"
fix = { chain = ["fix-lint", "fix-fmt" ] }
"fix-lint" = "rye lint --fix"
"fix-fmt" = "rye fmt"
[tool.ruff]
target-version = "py313"

49
renovate.json Normal file
View File

@@ -0,0 +1,49 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended"
],
"schedule": [
"every weekend"
],
"vulnerabilityAlerts": {
"groupName": "vulnerabilityAlerts",
"enabled": true,
"schedule": [
"after 6am and before 6pm"
],
"prCreation": "immediate"
},
"lockFileMaintenance": {
"enabled": true
},
"packageRules": [
{
"description": "Group all GitHub Actions updates",
"matchDatasources": [
"github-actions",
"github-tags",
"github-runners"
],
"groupName": "Github Actions Updates",
"automerge": true
},
{
"description": "Version updates for Home Assistant packages",
"groupName": "Home Assistant Update",
"matchPackageNames": [
"homeassistant",
"jinja2",
"bcrypt"
],
"automerge": false
},
{
"description": "Version updates for other Python packages",
"matchDatasources": [
"pypi"
],
"automerge": false
}
]
}

285
requirements-dev.lock
View File

@@ -1,285 +0,0 @@
# generated by rye
# use `rye lock` or `rye sync` to update this lockfile
#
# last locked with the following flags:
# pre: false
# features: []
# all-features: false
# with-sources: false
# generate-hashes: false
# universal: false
-e file:.
acme==3.0.1
# via hass-nabucasa
aiodns==3.2.0
# via homeassistant
aiofiles==24.1.0
# via hass-oidc-auth
aiohappyeyeballs==2.4.4
# via aiohttp
aiohasupervisor==0.2.1
# via homeassistant
aiohttp==3.11.11
# via aiohasupervisor
# via aiohttp-cors
# via aiohttp-fast-zlib
# via hass-nabucasa
# via homeassistant
# via snitun
aiohttp-cors==0.7.0
# via homeassistant
aiohttp-fast-zlib==0.2.0
# via homeassistant
aiooui==0.1.7
# via bluetooth-adapters
aiosignal==1.3.2
# via aiohttp
aiozoneinfo==0.2.1
# via homeassistant
anyio==4.7.0
# via httpx
astral==2.2
# via homeassistant
astroid==3.3.8
# via pylint
async-interrupt==1.2.0
# via habluetooth
# via homeassistant
async-timeout==5.0.1
# via snitun
atomicwrites-homeassistant==1.4.1
# via hass-nabucasa
# via homeassistant
attrs==24.2.0
# via aiohttp
# via hass-nabucasa
# via homeassistant
# via snitun
audioop-lts==0.2.1
# via homeassistant
# via standard-aifc
awesomeversion==24.6.0
# via homeassistant
bcrypt==4.2.0
# via homeassistant
bleak==0.22.3
# via bleak-retry-connector
# via bluetooth-adapters
# via habluetooth
bleak-retry-connector==3.6.0
# via habluetooth
bluetooth-adapters==0.20.2
# via bleak-retry-connector
# via bluetooth-auto-recovery
# via habluetooth
bluetooth-auto-recovery==1.4.2
# via habluetooth
bluetooth-data-tools==1.20.0
# via habluetooth
boto3==1.35.87
# via pycognito
botocore==1.35.87
# via boto3
# via s3transfer
btsocket==0.3.0
# via bluetooth-auto-recovery
certifi==2024.12.14
# via homeassistant
# via httpcore
# via httpx
# via requests
cffi==1.17.1
# via cryptography
# via pycares
charset-normalizer==3.4.0
# via requests
ciso8601==2.3.1
# via hass-nabucasa
# via homeassistant
cryptography==43.0.1
# via acme
# via bluetooth-data-tools
# via hass-nabucasa
# via homeassistant
# via josepy
# via pyjwt
# via pyopenssl
# via securetar
# via snitun
dbus-fast==2.24.4
# via bleak
# via bleak-retry-connector
# via bluetooth-adapters
dill==0.3.9
# via pylint
ecdsa==0.19.0
# via python-jose
envs==1.4
# via pycognito
fnv-hash-fast==1.0.2
# via homeassistant
fnvhash==0.1.0
# via fnv-hash-fast
frozenlist==1.5.0
# via aiohttp
# via aiosignal
h11==0.14.0
# via httpcore
habluetooth==3.6.0
# via home-assistant-bluetooth
hass-nabucasa==0.86.0
# via homeassistant
home-assistant-bluetooth==1.13.0
# via homeassistant
homeassistant==2024.12.5
httpcore==1.0.7
# via httpx
httpx==0.27.2
# via homeassistant
idna==3.10
# via anyio
# via httpx
# via requests
# via yarl
ifaddr==0.2.0
# via homeassistant
isort==5.13.2
# via pylint
jinja2==3.1.4
# via hass-oidc-auth
# via homeassistant
jmespath==1.0.1
# via boto3
# via botocore
josepy==1.14.0
# via acme
lru-dict==1.3.0
# via homeassistant
markupsafe==3.0.2
# via jinja2
mashumaro==3.15
# via aiohasupervisor
# via webrtc-models
mccabe==0.7.0
# via pylint
multidict==6.1.0
# via aiohttp
# via yarl
orjson==3.10.12
# via aiohasupervisor
# via homeassistant
# via webrtc-models
packaging==24.2
# via homeassistant
pillow==11.0.0
# via homeassistant
platformdirs==4.3.6
# via pylint
propcache==0.2.1
# via aiohttp
# via homeassistant
# via yarl
psutil==6.1.1
# via psutil-home-assistant
psutil-home-assistant==0.0.1
# via homeassistant
pyasn1==0.6.1
# via python-jose
# via rsa
pycares==4.5.0
# via aiodns
pycognito==2024.5.1
# via hass-nabucasa
pycparser==2.22
# via cffi
pyjwt==2.10.1
# via hass-nabucasa
# via homeassistant
# via pycognito
pylint==3.3.3
pyopenssl==24.2.1
# via acme
# via homeassistant
# via josepy
pyrfc3339==2.0.1
# via acme
pyric==0.1.6.3
# via bluetooth-auto-recovery
python-dateutil==2.9.0.post0
# via botocore
python-jose==3.3.0
# via hass-oidc-auth
python-slugify==8.0.4
# via homeassistant
pytz==2024.2
# via acme
# via astral
pyyaml==6.0.2
# via homeassistant
requests==2.32.3
# via acme
# via homeassistant
# via pycognito
rsa==4.9
# via python-jose
s3transfer==0.10.4
# via boto3
securetar==2024.11.0
# via homeassistant
setuptools==75.6.0
# via acme
six==1.17.0
# via ecdsa
# via python-dateutil
sniffio==1.3.1
# via anyio
# via httpx
snitun==0.39.1
# via hass-nabucasa
sqlalchemy==2.0.36
# via homeassistant
standard-aifc==3.13.0
# via homeassistant
standard-chunk==3.13.0
# via standard-aifc
standard-telnetlib==3.13.0
# via homeassistant
text-unidecode==1.3
# via python-slugify
tomlkit==0.13.2
# via pylint
typing-extensions==4.12.2
# via homeassistant
# via mashumaro
# via sqlalchemy
tzdata==2024.2
# via aiozoneinfo
uart-devices==0.1.0
# via bluetooth-adapters
ulid-transform==1.0.2
# via homeassistant
urllib3==1.26.20
# via botocore
# via homeassistant
# via requests
usb-devices==0.4.5
# via bluetooth-adapters
# via bluetooth-auto-recovery
uv==0.5.4
# via homeassistant
voluptuous==0.15.2
# via homeassistant
# via voluptuous-openapi
# via voluptuous-serialize
voluptuous-openapi==0.0.5
# via homeassistant
voluptuous-serialize==2.6.0
# via homeassistant
webrtc-models==0.3.0
# via hass-nabucasa
# via homeassistant
yarl==1.18.3
# via aiohasupervisor
# via aiohttp
# via homeassistant

29
requirements.lock
View File

@@ -1,29 +0,0 @@
# generated by rye
# use `rye lock` or `rye sync` to update this lockfile
#
# last locked with the following flags:
# pre: false
# features: []
# all-features: false
# with-sources: false
# generate-hashes: false
# universal: false
-e file:.
aiofiles==24.1.0
# via hass-oidc-auth
ecdsa==0.19.0
# via python-jose
jinja2==3.1.5
# via hass-oidc-auth
markupsafe==3.0.2
# via jinja2
pyasn1==0.6.1
# via python-jose
# via rsa
python-jose==3.3.0
# via hass-oidc-auth
rsa==4.9
# via python-jose
six==1.17.0
# via ecdsa

4
scripts/check Executable file
View File

@@ -0,0 +1,4 @@
#! /bin/bash
uv run ruff check
uv run ruff format --check
uv run pylint custom_components

3
scripts/fix Executable file
View File

@@ -0,0 +1,3 @@
#! /bin/bash
uv run ruff check --fix
uv run ruff format

2
scripts/sync Executable file
View File

@@ -0,0 +1,2 @@
#! /bin/bash
uv sync --locked

2067
uv.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff