Add configurable group names for roles (#17)

README.md

@@ -69,6 +69,8 @@ With the default configuration, [a person entry](https://www.home-assistant.io/i
 | `claims.display_name`      | `string` | No       | `name`                     | The claim to use to obtain the display name.
 | `claims.username`         | `string` | No       | `preferred_username`                     | The claim to use to obtain the username.
 | `claims.groups`            | `string` | No       | `groups`                     | The claim to use to obtain the user's group(s). |
+| `roles.admin`            | `string` | No       | `admins`                     | Group name to require for users to get the 'admin' role in Home Assistant. Defaults to 'admins', the default group name for admins in Authentik. Doesn't do anything if no groups claim is found in your token. |
+| `roles.user`            | `string` | No       |                     | Group name to require for users to get the 'user' role in Home Assistant. Defaults to giving all users this role, unless configured. |
 
 #### Example: Migrating from HA username/password users to OIDC users
 If you already have users created within Home Assistant and would like to re-use the current user profile for your OIDC login, you can (temporarily) enable `features.automatic_user_linking`, with the following config (example):

custom_components/auth_oidc/__init__.py

@@ -18,6 +18,7 @@ from .config import (
     ID_TOKEN_SIGNING_ALGORITHM,
     FEATURES,
     CLAIMS,
+    ROLES,
 )
 
 # pylint: enable=useless-import-alias
@@ -50,8 +51,8 @@ async def async_setup(hass: HomeAssistant, config):
 
     _LOGGER.info("Registered OIDC provider")
 
-    # We only use openid & profile, never email
+    # We only use openid, profile & groups, never email
-    scope = "openid profile"
+    scope = "openid profile groups"
 
     oidc_client = oidc_client = OIDCClient(
         discovery_url=my_config.get(DISCOVERY_URL),
@@ -61,6 +62,7 @@ async def async_setup(hass: HomeAssistant, config):
         id_token_signing_alg=my_config.get(ID_TOKEN_SIGNING_ALGORITHM),
         features=my_config.get(FEATURES, {}),
         claims=my_config.get(CLAIMS, {}),
+        roles=my_config.get(ROLES, {}),
     )
 
     # Register the views

custom_components/auth_oidc/config.py

@@ -15,6 +15,9 @@ CLAIMS = "claims"
 CLAIMS_DISPLAY_NAME = "display_name"
 CLAIMS_USERNAME = "username"
 CLAIMS_GROUPS = "groups"
+ROLES = "roles"
+ROLE_ADMINS = "admin"
+ROLE_USERS = "user"
 
 DEFAULT_TITLE = "OpenID Connect (SSO)"
 
@@ -63,6 +66,18 @@ CONFIG_SCHEMA = vol.Schema(
                         vol.Optional(CLAIMS_GROUPS): vol.Coerce(str),
                     }
                 ),
+                # Determine which specific group values will be mapped to which roles
+                # Optional, defaults user = null, admin = 'admins'
+                # If user role is set, users that do not have either will be rejected!
+                vol.Optional(ROLES): vol.Schema(
+                    {
+                        # Which group name should we use to assign the user role?
+                        vol.Optional(ROLE_USERS): vol.Coerce(str),
+                        # What group name should we use to assign the admin role?
+                        # Defaults to admins
+                        vol.Optional(ROLE_ADMINS): vol.Coerce(str),
+                    }
+                ),
             }
         )
     },

custom_components/auth_oidc/endpoints/callback.py

@@ -52,5 +52,15 @@ class OIDCCallbackView(HomeAssistantView):
             )
             return web.Response(text=view_html, content_type="text/html")
 
+        if user_details.get("role") == "invalid":
+            view_html = await get_view(
+                "error",
+                {
+                    "error": "User is not in the correct group to access Home Assistant, "
+                    + "contact your administrator!",
+                },
+            )
+            return web.Response(text=view_html, content_type="text/html")
+
         code = await self.oidc_provider.async_save_user_info(user_details)
         return web.HTTPFound(get_url("/auth/oidc/finish?code=" + code))

custom_components/auth_oidc/endpoints/finish.py

@@ -46,9 +46,9 @@ class OIDCFinishView(HomeAssistantView):
                 # Set a cookie to enable autologin on only the specific path used
                 # for the POST request, with all strict parameters set
                 # This cookie should not be read by any Javascript or any other paths.
-                # It can be really short lifetime as we redirect immediately (15 seconds)
+                # It can be really short lifetime as we redirect immediately (5 seconds)
                 "set-cookie": "auth_oidc_code="
                 + code
-                + "; Path=/auth/login_flow; SameSite=Strict; HttpOnly; Max-Age=15",
+                + "; Path=/auth/login_flow; SameSite=Strict; HttpOnly; Max-Age=5",
             },
         )

custom_components/auth_oidc/manifest.json

@@ -16,7 +16,8 @@
   "requirements": [
     "python-jose>=3.3.0",
     "aiofiles>=24.1.0",
-    "jinja2>=3.1.4"
+    "jinja2>=3.1.4",
+    "bcrypt>=4.2.0"
   ],
-  "version": "0.4.0"
+  "version": "0.4.1"
 }

custom_components/auth_oidc/oidc_client.py

@@ -15,6 +15,8 @@ from .config import (
     CLAIMS_DISPLAY_NAME,
     CLAIMS_USERNAME,
     CLAIMS_GROUPS,
+    ROLE_ADMINS,
+    ROLE_USERS,
 )
 
 _LOGGER = logging.getLogger(__name__)
@@ -67,11 +69,14 @@ class OIDCClient:
 
         features = kwargs.get("features")
         claims = kwargs.get("claims")
+        roles = kwargs.get("roles")
 
         self.disable_pkce: bool = features.get(FEATURES_DISABLE_PKCE)
         self.display_name_claim = claims.get(CLAIMS_DISPLAY_NAME, "name")
         self.username_claim = claims.get(CLAIMS_USERNAME, "preferred_username")
         self.groups_claim = claims.get(CLAIMS_GROUPS, "groups")
+        self.user_role = roles.get(ROLE_USERS, None)
+        self.admin_role = roles.get(ROLE_ADMINS, "admins")
 
     def _base64url_encode(self, value: str) -> str:
         """Uses base64url encoding on a given string"""
@@ -356,6 +361,20 @@ class OIDCClient:
 
             # TODO: If the configured claims are not present in id_token, we should fetch userinfo
 
+            # Get and parse groups (to check if it's an array)
+            groups = id_token.get(self.groups_claim, [])
+            if not isinstance(groups, list):
+                _LOGGER.warning("Groups claim is not a list, using empty list instead.")
+                groups = []
+
+            # Assign role if user has the required groups
+            role = "invalid"
+            if self.user_role in groups or self.user_role is None:
+                role = "system-users"
+
+            if self.admin_role in groups:
+                role = "system-admin"
+
             # Create a user details dict based on the contents of the id_token & userinfo
             data: UserDetails = {
                 # Subject Identifier. A locally unique and never reassigned identifier within the
@@ -371,8 +390,8 @@ class OIDCClient:
                 "display_name": id_token.get(self.display_name_claim),
                 # Username, configurable
                 "username": id_token.get(self.username_claim),
-                # Groups, configurable
+                # Role
-                "groups": id_token.get(self.groups_claim),
+                "role": role,
             }
 
             # Log which details were obtained for debugging

custom_components/auth_oidc/provider.py

@@ -6,6 +6,7 @@ import logging
 
 from typing import Dict, Optional
 import asyncio
+import bcrypt
 from homeassistant.auth import EVENT_USER_ADDED
 from homeassistant.auth.providers import (
     AUTH_PROVIDERS,
@@ -258,14 +259,11 @@ class OpenIDAuthProvider(AuthProvider):
         sub = credentials.data["sub"]
         meta = self._user_meta.get(sub, {})
 
-        groups = meta.get("groups", [])
+        role = meta.get("role")
-
-        # TODO: Allow setting which group is for admins
-        group = "system-admin" if "admins" in groups else "system-users"
         return UserMeta(
             name=meta.get("display_name"),
             is_active=True,
-            group=group,
+            group=role,
             local_only=False,
         )
 
@@ -274,6 +272,14 @@ class OpenIdLoginFlow(LoginFlow):
     """Handler for the login flow."""
 
     async def _finalize_user(self, code: str) -> AuthFlowResult:
+        # Verify a dummy hash to make it last a bit longer
+        # as security measure (limits the amount of attempts you have in 5 min)
+        # Similar to what the HomeAssistant auth provider does
+        dummy = b"$2b$12$CiuFGszHx9eNHxPuQcwBWez4CwDTOcLTX5CbOpV6gef2nYuXkY7BO"
+        bcrypt.checkpw(b"foo", dummy)
+
+        # Actually look up the auth provider after,
+        # this doesn't take a lot of time (regardless of it's in there or not)
         sub = await self._auth_provider.async_get_subject(code)
         if sub:
             return await self.async_finish(

custom_components/auth_oidc/types.py

@@ -1,7 +1,9 @@
 """Generic data types"""
 
-
 # Dict class to give a type to the user details
+from typing import Literal
+
+
 class UserDetails(dict):
     """User details representation"""
 
@@ -12,5 +14,5 @@ class UserDetails(dict):
     # Preferred username for the user, will be used when first generating the account
     # or to link the account on first login
     username: str
-    # Groups that the user has, if any are sent from the OIDC provider
+    # Home Assistant role to assign to this user
-    groups: list[str]
+    role: Literal["system-admin", "system-users", "invalid"]

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "hass-oidc-auth"
-version = "0.4.0"
+version = "0.4.1"
 description = "OIDC component for Home Assistant"
 authors = [
     { name = "Christiaan Goossens", email = "contact@christiaangoossens.nl" }
@@ -10,6 +10,7 @@ dependencies = [
     "python-jose>=3.3.0",
     "aiofiles>=24.1.0",
     "jinja2>=3.1.4",
+    "bcrypt>=4.2.0",
 ]
 readme = "README.md"
 requires-python = ">= 3.13"

requirements-dev.lock

@@ -62,6 +62,7 @@ audioop-lts==0.2.1
 awesomeversion==24.6.0
     # via homeassistant
 bcrypt==4.2.0
+    # via hass-oidc-auth
     # via homeassistant
 bleak==0.22.3
     # via bleak-retry-connector

requirements.lock

@@ -12,6 +12,8 @@
 -e file:.
 aiofiles==24.1.0
     # via hass-oidc-auth
+bcrypt==4.2.1
+    # via hass-oidc-auth
 ecdsa==0.19.0
     # via python-jose
 jinja2==3.1.5